
HakunaMatata Ransomware Help & Support Topic - Recovers files yako.html


65 replies to this topic

#1 Alex2k17 (Members, 7 posts)

Posted 14 January 2017 - 04:19 PM

Hi guys,

Our server got attacked - successfully.
The attack was on 13.01.2017 at about 8:50 pm.

The ransomware encrypted almost all files on the server and added ".HakunaMatata" to them.
It also put a html file called "Recovers files yako.html" in every folder.

I saw an encrypted log file of the ESET antivirus uninstallation at the same time stamp.
It also killed our Acronis backup software.

Is there a way to encrypt my files?
If someone is interested in some encrypted files, I'll put them on a server or maybe Dropbox.

Thanks a lot and kind regards from Germany!


#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,244 posts, USA)

Posted 14 January 2017 - 05:46 PM

We've seen a few submissions to ID Ransomware of this. We need a sample of the malware itself in order to analyze whether it is decryptable. Do you know if your server was attacked through RDP, an email attachment, or did someone download something on it recently?

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Alex2k17 (Topic Starter, Members, 7 posts)

Posted 14 January 2017 - 06:07 PM

https://ufile.io/595dc

https://ufile.io/d060d

I cannot say anything about the way they got into the system.

Maybe RDP or eMail-Attachment.


Edited by Alex2k17, 14 January 2017 - 06:16 PM.


#4 quietman7 (Bleepin' Janitor, Global Moderator, 49,915 posts, Virginia, USA)

Posted 14 January 2017 - 06:26 PM

IT folks should close RDP if they don't use it. RDP brute force based attacks are on the rise especially by those involved with the development and spread of ransomware.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Demonslay335 (Ransomware Hunter, Security Colleague, 3,244 posts, USA)

Posted 14 January 2017 - 06:59 PM

I'm assuming it came through RDP if they uninstalled your antivirus and killed the backups - sorry, was on mobile before and didn't read that part.

I've created a rule on ID Ransomware to point victims to this topic. There's nothing further we can do without a sample of the malware to analyze. The encrypted files seem like they are most likely encrypted by AES or a similar encryption scheme based on the entropy and the filesize being divisible by 16.


Edited by Demonslay335, 14 January 2017 - 07:08 PM.

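The two heuristics Demonslay335 applies above (byte entropy close to 8 bits, and a file length that is a multiple of 16) are the standard first-pass check for whether a file was run through a block cipher in a padded mode. The script below, written as an added example for this thread and not code from the thread, from ID Ransomware or from BleepingComputer, computes both over constructed sample inputs and over a file path; the sample byte strings, the thresholds and the function names are this example's own choices.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream,
    8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_blob(data: bytes, block_size: int = 16,
                entropy_threshold: float = 7.5) -> dict:
    """Apply the two heuristics from the thread: near-maximal entropy and a
    length that is a multiple of the block size. Together they are consistent
    with a block cipher (AES uses 16-byte blocks) in a padded mode such as CBC.
    Neither identifies the cipher, and compressed or already-encrypted formats
    (zip, jpg, pdf streams) also score high, so treat this as a triage signal,
    not proof. A stream mode (CTR) or a compressed container would be
    high-entropy without the block alignment."""
    entropy = shannon_entropy(data)
    aligned = len(data) % block_size == 0
    return {
        "size": len(data),
        "entropy": round(entropy, 3),
        "block_aligned": aligned,
        "looks_block_encrypted": entropy >= entropy_threshold and aligned,
    }


def triage_file(path: str, **kwargs) -> dict:
    """Same check over a file on disk (read fully; fine for triage samples)."""
    with open(path, "rb") as f:
        return triage_blob(f.read(), **kwargs)


# Constructed sample inputs (not files from the thread).
# Stand-in for an office document: repetitive text, low entropy,
# 4500 bytes, which is not a multiple of 16.
SAMPLE_PLAINTEXT = b"Invoice number 0001 - amount due EUR 120.00\r\n" * 100
# Stand-in for ciphertext: seeded PRNG bytes so the run is reproducible,
# 4096 bytes so the length is block-aligned.
_rng = random.Random(20170113)
SAMPLE_CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT),
                       ("ciphertext-like", SAMPLE_CIPHERTEXT_LIKE),
                       ("ciphertext-like + 5 bytes",
                        SAMPLE_CIPHERTEXT_LIKE + b"\x00" * 5)]:
        print(name, triage_blob(blob))
```

The third sample (random bytes plus five trailing bytes) is there to show the limit of the check: high entropy on its own is not the signal; it is the combination with block alignment that points at a padded block cipher, and even that only narrows the candidates for an analyst who then needs the actual malware sample, as the post says.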


#6 Alex2k17 (Topic Starter, Members, 7 posts)

Posted 15 January 2017 - 04:57 PM

We paid the bill of 2 BitCoins and got the software to decrypt the files. It's working!

I can offer the program but you still need your specific private key.

I can also offer a few of my encrypted files, the public key and the software to decrypt.

Maybe someone can "hack" the ransomware.

The Software runs offline.



#7 quietman7 (Bleepin' Janitor, Global Moderator, 49,915 posts, Virginia, USA)

Posted 15 January 2017 - 05:29 PM

Typically with ransomware, each victim's decrypter provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. There is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using the incorrect decryptor may damage or corrupt the files.

However, if you received a working decrypter, you can zip and submit it here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.

#8 Demonslay335 (Ransomware Hunter, Security Colleague, 3,244 posts, USA)

Posted 15 January 2017 - 05:29 PM

Sorry you had to pay, good to hear they delivered.

If you can share the decrypter, that may help us at least get more information on the encryption scheme used. You may PM me the executable, a few encrypted files, and any keys or anything they gave you.



#9 wobble_wobble (Members, 3 posts)

Posted 16 January 2017 - 11:27 AM

We support a customer that has just gotten this. 

I don't have full info as of yet, but it looks like it powered down a server that will no longer restart.

 

Any updated info would be great.



#10 Demonslay335 (Ransomware Hunter, Security Colleague, 3,244 posts, USA)

Posted 16 January 2017 - 12:20 PM

We just obtained a sample and it is being analyzed now. It has connections with NMoreira according to Fabian Wosar.

 

Just confirmed it is not decryptable, it is based on the secure version of NMoreira.


Edited by Demonslay335, 16 January 2017 - 12:28 PM.



#11 wobble_wobble (Members, 3 posts)

Posted 16 January 2017 - 12:40 PM

Thanks for the info.



#12 Alex2k17 (Topic Starter, Members, 7 posts)

Posted 16 January 2017 - 02:45 PM

Here is the download.

I put everything in.

 

Link: https://we.tl/yNOgXmXFNL

Password: pass

 

Be careful with that. My antivirus engine told me that there is a "Win32/Filecoder.XRatLocker Trojan" in the "Recovers files yako.html" file.

The other files in the package seem to be clean.

 

The "hacker" used a brute force attack against rdp and told me to use vpn for rdp access and strong passwords.

The decryption is almost done and looks "successful" at the moment.


Edited by Alex2k17, 16 January 2017 - 03:47 PM.
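quietman7's advice in #4 (close RDP if it is unused, because brute-force attacks on it are rising) and Alex2k17's confirmation in #12 that the intrusion was an RDP brute force both describe the same event pattern a defender can watch for: a burst of failed logons (Windows Security event 4625, logon type 10 for RemoteInteractive) from one source address, followed by a successful logon (event 4624) from that same address. The script below is an added example for this thread, not code from the thread or from BleepingComputer; it runs that detection over constructed sample lines in a simplified one-line-per-event format (the format, the addresses and the thresholds are this example's assumptions, not a Windows export format).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): Windows Security events reduced to the
# fields that matter for RDP triage. EventID 4625 = failed logon, 4624 =
# successful logon; LogonType 10 = RemoteInteractive (RDP), 3 = network.
SAMPLE_EVENTS = """\
2017-01-13T20:40:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-01-13T20:40:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2017-01-13T20:40:04 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2017-01-13T20:40:06 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-01-13T20:40:07 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-01-13T20:40:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-01-13T20:41:10 EventID=4625 LogonType=3 TargetUser=jdoe SourceIP=192.0.2.17
2017-01-13T20:45:10 EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=192.0.2.17
2017-01-13T20:49:55 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-01-13T20:52:00 EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=192.0.2.17
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the reduced event format into dicts sorted by time.
    Malformed lines are skipped so one bad record cannot abort triage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    time window, and record whether a successful RDP logon from the same IP
    followed the burst (the pattern that precedes a hands-on intrusion)."""
    failures = defaultdict(list)          # ip -> [(ts, user), ...] in time order
    for e in events:
        if e["eid"] == 4625 and e["logon_type"] == 10:
            failures[e["ip"]].append((e["ts"], e["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(attempts),
                    "users_tried": sorted({u for _, u in attempts}),
                    "burst_end": attempts[end][0],
                    "success_after_burst": False,
                }
                break

    for e in events:
        if (e["eid"] == 4624 and e["logon_type"] == 10 and e["ip"] in alerts
                and e["ts"] >= alerts[e["ip"]]["burst_end"]):
            alerts[e["ip"]]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

Only logon type 10 is counted so that ordinary network share failures (type 3) do not inflate the score, and the success-after-burst flag is what turns a noisy scanner alert into an incident: that is the moment, in the thread's timeline, after which antivirus and backup software started being uninstalled.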


#13 Alex2k17 (Topic Starter, Members, 7 posts)

Posted 16 January 2017 - 02:47 PM

.


Edited by Alex2k17, 16 January 2017 - 03:45 PM.


#14 Alex2k17 (Topic Starter, Members, 7 posts)

Posted 16 January 2017 - 02:52 PM

.


Edited by Alex2k17, 16 January 2017 - 03:45 PM.


#15 TMT76 (Members, 1 post)

Posted 18 January 2017 - 01:37 AM

Hi There.

We also had an attack on January 13th at about 2pm.

We noticed that some of our programs were out of function (at about 4pm).

The attack came from an open RDP session!

Because we really needed the files, we decided to pay the 1 bitcoin and got the decryptor... but the tool sucks !

Files > 2GB - especially DB-files - were irreparably destroyed, also system-files from C:.

We really don't know if it happens on the encryption or the decryption.

 

Time between first contact to the blackmailer and getting the f*** tool was okay, but unnecessary.

 

@Alex2k17 - good to hear that it worked for you, but this should be a WARNING for everyone else !





