I can't identify which ransomware it is


  • This topic is locked
12 replies to this topic

#1 esteduca

esteduca

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 06 January 2017 - 11:47 AM

Hello everybody,

I am here because all my files have been encrypted. Unfortunately I have no idea which type of ransomware I got, because I realised something was wrong before the end of the full process (I guess), and I managed to stop the batch file that was opening the program during the startup of Windows 10, so no screens or files dropped on my desktop were found.

The batch file is in a folder called 39aaa1b inside the Local folder of user/davide/appdata, where davide is my name.

I ran Malwarebytes, which has (hopefully) removed the menace, but I now have many if not all files locked.

I tried both CryptoSheriff and ID Ransomware but they both couldn't identify the encryption method, so I am stuck.

Please let me know how I can proceed.

Thanks!

 

edit: there is a file called syspoz in the startup files (now disabled), if it helps.

 

Best Regards

esteduca (Davide, from Italy).


Edited by esteduca, 06 January 2017 - 11:49 AM.


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,492 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:04:36 PM

Posted 06 January 2017 - 11:50 AM

If ID Ransomware could not identify it, I need the SHA1 it gave you for me to manually check your files. You also need to upload a ransom note and encrypted file to get the most accurate results.

 

If no extension was added to your files, it may be hard to identify, but based on the latest threats out there, it might be PClock (ID Ransomware would pick up on filename patterns or hex patterns in the encrypted file for most others).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
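Demonslay335's remark above describes the two cheap signals an identification service can use without the malware itself: the pattern of the file name (an appended extension or suffix) and a marker at a fixed offset in the encrypted file. The following is an added example, not part of the thread and not ID Ransomware's own code, that implements that heuristic in Python and also computes the SHA1 of a file as a sample reference. The signature table is constructed for illustration: the family names and markers are placeholders, not signatures of any real ransomware, and a real service relies on a curated database. The empty result is the situation the original poster is in: no suffix and no marker means nothing to match on.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    """One identification rule: a file-name regex and/or a marker at offset 0.
    Every field that is set must match for the rule to fire."""
    family: str
    name_pattern: Optional[str] = None    # regex tested against the file name
    header_bytes: Optional[bytes] = None  # bytes expected at the start of the file


# CONSTRUCTED table for illustration only: these family names and markers are
# placeholders, not signatures of any real ransomware family.
SIGNATURES = [
    Signature("HypotheticalFamilyA", name_pattern=r"\.locked-[0-9a-f]{8}$"),
    Signature("HypotheticalFamilyB", header_bytes=b"EXAMPLE-MARKER-B\x00"),
    Signature("HypotheticalFamilyC", name_pattern=r"\.enc$", header_bytes=b"\x7fENC"),
]


def identify(name: str, head: bytes, signatures=SIGNATURES) -> List[str]:
    """Return every family whose rule matches the name and leading bytes.
    An empty list is the 'could not identify' case from the thread: no
    extension was appended and no recognisable marker is in the file."""
    matches = []
    for sig in signatures:
        if sig.name_pattern and not re.search(sig.name_pattern, name, re.IGNORECASE):
            continue
        if sig.header_bytes and not head.startswith(sig.header_bytes):
            continue
        matches.append(sig.family)
    return matches


def sha1_hex(data: bytes) -> str:
    """SHA1 of the file contents, the kind of reference used to find a
    submitted sample again later."""
    return hashlib.sha1(data).hexdigest()


def identify_file(path: str, head_len: int = 64) -> dict:
    """Read one encrypted file and report its SHA1 plus any matching families."""
    with open(path, "rb") as f:
        data = f.read()
    name = os.path.basename(path)
    return {
        "name": name,
        "sha1": sha1_hex(data),
        "families": identify(name, data[:head_len]),
    }


if __name__ == "__main__":
    # Constructed in-memory samples; no files are written.
    samples = {
        "photo.jpg.locked-0badf00d": b"\x00" * 32,
        "report.docx.enc": b"\x7fENC" + b"\x01" * 28,
        "budget.xlsx": b"\x00" * 32,  # no suffix, no marker: unidentified
    }
    for name, head in samples.items():
        print(name, sha1_hex(head), identify(name, head) or "unidentified")
```

Rules that set both a name pattern and a header marker are the most reliable; a name-only rule fires on anything that happens to carry that suffix, which is why a service also asks for the ransom note before committing to a family.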


#3 esteduca

esteduca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 06 January 2017 - 11:52 AM

Hello,

Thanks.

 

SHA1: ed288ba4f99b3b1d8a820f840e7f732c369b0044



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,492 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:04:36 PM

Posted 06 January 2017 - 11:55 AM

I'm not seeing anything noticeable in the file either. No hex pattern or anything. It could still be PClock, but no way to confirm without a ransom note, email address from it, or the malware itself. If you have the malware or a log of it, we might be able to use that.



#5 esteduca

esteduca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 06 January 2017 - 12:00 PM

Thanks,

No ransom note found, and no malware. I deleted the file that was launched by the batch (.bat) file.

Today I found somebody creating a clone of my Gmail account from this email: angelobrian48@gmail.com. I'm not sure if it has something to do with it.


Edited by esteduca, 06 January 2017 - 12:01 PM.


#6 esteduca

esteduca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 06 January 2017 - 06:30 PM

Hello again. In the Malwarebytes log I found this file: C:\Users\Davide\AppData\Roaming\MICROSOFT\Crypto\SYSPOZ.EXE

 

Can it be CryptoLocker or similar? Thanks.


Edited by esteduca, 06 January 2017 - 06:30 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:36 PM

Posted 06 January 2017 - 06:36 PM

The newest PClock2 variant has been reported to drop files in the %AppData%\Microsoft\Crypto\RSA folder to include:
sysgop.exe

syspoz.exe is probably another malicious file related to the infection.

Submit it to one of the online services that analyzes suspicious files. You can also submit it here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
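quietman7's pointer to %AppData%\Microsoft\Crypto\RSA, together with the batch file under AppData\Local and the startup entry from the first post, are the places a victim is asked to look when collecting a sample for submission. The following is an added example, not part of the thread and not one of the BleepingComputer tools, that walks those three locations under a user profile, lists the executables and scripts found there, and hashes each with SHA-256 so the hashes can accompany a submission or a search on an analysis service. The sample tree it builds for offline use is constructed: the paths follow the thread, the contents are placeholders, and the launcher name launch.bat, the .lnk type of the startup entry and the SID-like folder name are assumptions. On a real Windows machine it uses the USERPROFILE folder instead.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Per-location file types worth listing. Local AppData holds many legitimate
# programs, so only script launchers are listed there; the CryptoAPI key-store
# and the Startup folder should contain no programs at all.
EXT_BY_LOCATION = {
    "local-appdata": {".bat", ".cmd", ".vbs", ".js", ".ps1"},
    "crypto-keystore": {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"},
    "user-startup": {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"},
}

REASONS = {
    "local-appdata": "script under AppData\\Local; check whether you created this folder",
    "crypto-keystore": "program inside the CryptoAPI key-container folder, which normally holds no programs",
    "user-startup": "item in the per-user Startup folder runs at every logon",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def default_roots(profile_dir: str) -> dict:
    """The three locations named in the thread, under one user profile folder."""
    roaming = os.path.join(profile_dir, "AppData", "Roaming")
    return {
        "local-appdata": os.path.join(profile_dir, "AppData", "Local"),
        "crypto-keystore": os.path.join(roaming, "Microsoft", "Crypto"),
        "user-startup": os.path.join(roaming, "Microsoft", "Windows",
                                     "Start Menu", "Programs", "Startup"),
    }


def triage(roots: dict) -> list:
    """Walk each location and describe every file of a listed type."""
    findings = []
    for label, root in roots.items():
        if not os.path.isdir(root):
            continue  # a missing location is not an error: report nothing for it
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in EXT_BY_LOCATION[label]:
                    continue
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    data = f.read()
                st = os.stat(full)
                findings.append({
                    "location": label,
                    "name": name,
                    "path": full,
                    "size": st.st_size,
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_hex(data),
                    "reason": REASONS[label],
                })
    return findings


# CONSTRUCTED sample tree: paths follow the thread, contents are placeholders.
# "launch.bat" (the batch name is not given in the thread), the .lnk type of
# the startup entry and the SID-like folder name are assumptions.
SAMPLE_FILES = {
    "AppData/Local/39aaa1b/launch.bat": b"@echo off\r\nrem constructed placeholder\r\n",
    "AppData/Local/Temp/notes.txt": b"not a program",
    "AppData/Roaming/Microsoft/Crypto/SYSPOZ.EXE": b"MZ placeholder, not a real binary",
    "AppData/Roaming/Microsoft/Crypto/RSA/sysgop.exe": b"MZ placeholder, not a real binary",
    "AppData/Roaming/Microsoft/Crypto/RSA/S-1-5-21-0-0-0-1001/keycontainer": b"opaque key blob",
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/syspoz.lnk": b"shortcut placeholder",
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    # Use the real profile on Windows (USERPROFILE), else the constructed tree.
    profile = os.environ.get("USERPROFILE") or build_sample_tree()
    for item in triage(default_roots(profile)):
        print(f'{item["sha256"]}  {item["size"]:>8}  {item["mtime_utc"]}  {item["path"]}')
        print(f'    {item["reason"]}')
```

The list is a starting point for a human, not a verdict: browser caches and installers legitimately leave .js and .exe files under AppData, so the useful signals are the location (nothing executable belongs in the key-container folder) and the modification time lining up with when the files were encrypted. Hash first and rename or quarantine afterwards, since a renamed or deleted file, as happened in this thread, can no longer be submitted.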

#8 esteduca

esteduca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 06 January 2017 - 06:54 PM

Thanks. I guess PClock2 can be the ransomware. Unfortunately the decrypter from Emsisoft says that my PC has not been infected. Any other method to decrypt the files?

Thanks.

 

The file syspoz does not exist anymore, since I renamed it to avoid it being started and later Malwarebytes removed it. I am sorry, I am not an expert.


Edited by esteduca, 06 January 2017 - 07:03 PM.


#9 wombat89

wombat89

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 07 January 2017 - 05:47 AM

Hi everybody!
 
I have exactly the same problem. My wallpaper looks exactly like this one now: http://stackoverflow.com/questions/41511293/cryptolocker-trojan-files-encrypted

All my files are encrypted!

Any help would be appreciated. If any files are needed, let me know.

 

Best regards



#10 wombat89

wombat89

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 07 January 2017 - 06:03 AM

Okay, now I ran ID Ransomware with the ransom note and the result was:

 

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

 

Is there really nothing I can do at the moment?



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:36 PM

Posted 07 January 2017 - 08:30 AM

ID Ransomware should have provided a name for the ransomware and a link to the appropriate support topic for you to read or post further comments or questions.

#12 wombat89

wombat89

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 07 January 2017 - 09:12 AM

Yes, it directs me via this link: https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/

 

I just hoped that maybe in the last 2 months some new decrypter was developed. But it seems like that's not the case.



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:36 PM

Posted 07 January 2017 - 09:15 AM


Unfortunately, newer PClock variants are not decryptable and there is no longer any way to provide decryption without paying the ransom. The Emsisoft Decrypter created for earlier PClock variants will not work. Fabian explains why in Post #987.

There is ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff