
Infected by Genasom!rfn - sysgop.exe Ransomware and need help in decrypting


2 replies to this topic

#1 M3gatron


  • Members
  • 2 posts

Posted 05 January 2017 - 10:44 AM

Hi Team, 

 

I'm all depressed at the moment with what happened recently: more than half of my media files, mainly the family pictures and videos that are really precious, are encrypted by one of the ransomware, and to make it worse they consist of a lot of pictures of my friends and family who are no more :'(

 

I'm just in shock and really helpless on this because it's encrypted and I have no way of decrypting these.

 

Below are some of the entries that were deleted by Windows Defender on my Windows 10 machine.

 

 

It shows the variant as: Ransom: Win32/Genasom!rfn

 

------------------------------

 

Category: Trojan
 
Description: This program is dangerous and executes commands from an attacker.
 
Recommended action: Remove this software immediately.
 
Items: 
file:C:\Users\Mkr\AppData\Roaming\Microsoft\Crypto\sysgop.exe
 
process:pid:1928,ProcessStart:131271392080904286
 
regkey:HKCU@S-1-5-21-2497925226-1754004110-2264437715-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\2a45734a
runkey:HKCU@S-1-5-21-2497925226-1754004110-2264437715-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\2a45734a
 
 
------------------------------------------------------------------------------------------------------------------------------------
 
The following error occurred: Error code 0x80070070. There is not enough space on the disk. 
 
Category: Trojan
 
Description: This program is dangerous and executes commands from an attacker.
 
Recommended action: Remove this software immediately.
 
Items: 
file:C:\Users\Mkr\AppData\Local\Temp\lochs.dll
 
Get more information about this item online.
 
------------------------------------------------------------------------------------------------------------------------------------
 
The following error occurred: Error code 0x80070070. There is not enough space on the disk. 
 
Category: Trojan
 
Description: This program is dangerous and executes commands from an attacker.
 
Recommended action: Remove this software immediately.
 
Items: 
file:C:\Users\Mkr\AppData\Local\Temp\gnomes.dll
file:C:\Users\Mkr\AppData\Local\Temp\Services.dll
 
 
------------------------------------------------------------------------------------------------------------------------------------
 
 
I do not have any ransom notes left behind, or probably all those were removed by the antimalware. I just have tons of files sitting on my machine that are inaccessible now :(

Please let me know what all information I should share in order to get help on this :(
 
Any help would be greatly appreciated. 
 
Thanks a lot in advance :)
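The Defender entries pasted above follow a fixed layout (a `Category:` line, an optional error line, then `file:`, `process:` and `regkey:`/`runkey:` items separated by dashed lines). As an added example, not from this thread or from Microsoft, here is a small Python parser for that layout that lists the affected files, process ids and the Run-key persistence entry in one place; the sample text is constructed from the entries in the post above.

```python
import re
# Constructed sample in the layout of the Defender entries quoted above (paths copied from the post).
SAMPLE_REPORT = r"""
Category: Trojan
Items:
file:C:\Users\Mkr\AppData\Roaming\Microsoft\Crypto\sysgop.exe
process:pid:1928,ProcessStart:131271392080904286
regkey:HKCU@S-1-5-21-2497925226-1754004110-2264437715-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\2a45734a
runkey:HKCU@S-1-5-21-2497925226-1754004110-2264437715-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\2a45734a
------------------------------
The following error occurred: Error code 0x80070070. There is not enough space on the disk.
Category: Trojan
Items:
file:C:\Users\Mkr\AppData\Local\Temp\lochs.dll
"""

def parse_defender_report(text):
    """Split the pasted report on '---' separator lines and collect each entry's items."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if line.startswith("---"):          # a separator closes the current entry
            current = None
            continue
        if current is None:                 # first content line opens a new entry
            current = {"category": "", "error": "", "files": [], "processes": [], "regkeys": []}
            detections.append(current)
        if line.startswith("Category:"):
            current["category"] = line.split(":", 1)[1].strip()
        elif line.startswith("The following error occurred:"):
            current["error"] = line.split(":", 1)[1].strip()
        elif line.startswith("file:"):
            current["files"].append(line[len("file:"):])
        elif line.startswith("process:"):   # keep (pid, ProcessStart ticks) as integers
            m = re.match(r"process:pid:(\d+),ProcessStart:(\d+)$", line)
            if m: current["processes"].append((int(m.group(1)), int(m.group(2))))
        elif line.startswith(("regkey:", "runkey:")):
            current["regkeys"].append(line.split(":", 1)[1])
    return detections

def persistence_keys(detections):
    """Deduplicated Run-key (autostart) entries: the artifact to confirm is really gone."""
    seen = []
    for d in detections:
        for key in d["regkeys"]:
            if "\\CURRENTVERSION\\RUN\\" in key.upper() and key not in seen:
                seen.append(key)
    return seen
```

The `regkey:` and `runkey:` lines in the post name the same value, so `persistence_keys` reduces them to the single autostart entry worth checking in the registry after cleanup.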



#2 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,492 posts
  • Gender:Male
  • Location:USA

Posted 05 January 2017 - 11:10 AM

If there are no extensions added to the encrypted files, you are most likely dealing with PClock based on the executable's name. It commonly runs as sysgop.exe. Microsoft's signature names are very misleading.

 

If it is PClock, there is no way to decrypt your data I'm afraid. You can try ShadowExplorer and Recuva, maybe you get a slight bit lucky, but otherwise restoring from backups is your only option.

 

See the article for more information.

 

https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#3 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 January 2017 - 02:06 PM

The newest PClock2 variant has been reported to drop files in the %AppData%\Microsoft\Crypto\RSA folder, including:
sysgop.exe
en_files.txt
en_gfiles.txt
wp.jp

The ransom note instructs victims to contact the cyber-criminals at "sysgop01@india.com", or "sysgop02@india.com" to get payment instructions.

There are ongoing discussions in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
