
Cryptofag Support & Help Topic (HACKED.OPENME, KEY2017.KEEPME)


#1 test0r
Posted 17 January 2017 - 05:08 AM

Today my friend got infected with a new ransomware we can call "CRYPTOFAG"
 
Came from an email attachment and leaves these 2 files, a note and a key (uploaded to idr):
-HACKED.OPENME
-KEY2017.KEEPME
 
It doesn't change file extensions or filenames, and the code looks very similar to the Mobef/LOKMANN ransomware.
 
FYI


#2 quietman7

Posted 17 January 2017 - 05:42 AM

CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, LoveServer and Power Worm do not append an obvious extension to the end of encrypted filenames like many other ransomware infections. Instead, some of them (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), the malware file itself or at least information related to the email address used by the cyber-criminals.

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
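As an added example (not code from this thread or from any of its participants), here is a Python triage helper that follows the advice above for ransomware that leaves extensions untouched: it keys identification on the artifacts reported in this thread (the HACKED.OPENME note, the KEY2017.KEEPME file, and the per-victim encryption log the note names) rather than on filenames of encrypted documents. The regexes and the constructed sample note are assumptions derived from the note text quoted later in the thread.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifact filenames reported in this thread.
NOTE_NAME = "HACKED.OPENME"
KEY_NAME = "KEY2017.KEEPME"
# Constructed sample adapted from the note quoted in this thread;
# the id and log path are placeholders, not real victim data.
SAMPLE_NOTE = (
    "ID:595570\n=======\n"
    "hello this is C-R-Y-P-T-O-F-A-G speaking.\n"
    "also, do NOT delete and keep this encryption log:C:\\Windows\\595570.log\n"
)
# Assumed patterns for the two fields the note exposes.
ID_RE = re.compile(r"^ID:(\d+)\s*$", re.MULTILINE)
LOG_RE = re.compile(r"encryption log:\s*(\S+)", re.IGNORECASE)

def parse_note(text):
    """Return (victim_id, log_path) if both fields are present, else None."""
    m_id, m_log = ID_RE.search(text), LOG_RE.search(text)
    if not (m_id and m_log):
        return None
    return m_id.group(1), m_log.group(1)

def triage(root):
    """Walk root; collect note/key files and the fields parsed from each note."""
    found = {"notes": [], "keys": [], "ids": set(), "logs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper() == NOTE_NAME:
                found["notes"].append(str(path))
                parsed = parse_note(path.read_text(errors="replace"))
                if parsed:
                    found["ids"].add(parsed[0])
                    found["logs"].append(parsed[1])
            elif name.upper() == KEY_NAME:
                found["keys"].append(str(path))
    return found

def demo():
    """Build a constructed tree with one note and one key file, then triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (root / KEY_NAME).write_bytes(b"placeholder key blob")
    return triage(root)
```

The victim id and log path it extracts are exactly the values a responder needs to preserve (the note itself warns that the log must not be deleted) and to submit alongside the note when asking for identification.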

#3 lucabalzarin

Posted 25 January 2017 - 05:49 PM

I have the same ransomware, CRYPTOFAG, and the files are encrypted in the same way as "test0r"'s.

How can I identify the ransomware type?

I submitted the files in your link.

I'm waiting for your update.

Thanks



#4 lucabalzarin

Posted 26 January 2017 - 03:22 AM

Any news?



#5 test0r

Posted 26 January 2017 - 03:45 AM

No news; a lot of people here are getting it via Windows Server RDP brute-force attacks.



#6 quietman7

Posted 26 January 2017 - 05:44 AM


The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.


You can also submit samples of encrypted files, ransom notes, email/website address you see in the ransom demand to No More Ransom for assistance with identification and possible decrypting solutions. This is a global service backed by Kaspersky and other security partners. If you are provided any information it would be helpful to post it here for Demonslay335 to review.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#7 blissest

Posted 07 February 2017 - 08:19 AM

I have a Windows 2008 server infected by Cryptofag. I didn't find any useful guide to remove this crypto or to check if it is still alive in the system.

Can you help me?


#8 blissest

Posted 07 February 2017 - 08:26 AM

Hi,

I have a Windows 2008 server infected by Cryptofag.

I didn't find any useful removal guide or a system checker to establish whether the system is still infected or not.

 

Thanks



#9 quietman7

Posted 09 February 2017 - 09:05 AM

Hi,
I have a Windows 2008 server infected by Cryptofag.
I didn't find any useful removal guide or a system checker to establish whether the system is still infected or not.

Thanks

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus. Disinfection will not help with decryption of any files affected by the ransomware.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

#10 xXToffeeXx

Posted 11 February 2017 - 07:22 AM

This is a variant of Mobef, it is not decryptable.

 

If your server has been hit, please change your RDP password to something more secure or disable it if you do not use it.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#11 Amigo-A

Posted 15 February 2017 - 04:04 AM

If someone kept the following information about Cryptofag:
- a ransom note (txt, html, jpg, bmp etc.);
- screenshots of its windows, lock screen, or wallpaper;
- technical details, any other data;
- detection results from VirusTotal.com or Hybrid-Analysis.com

Please send me a personal message. Any time of the day. Thanks!

Note: I do not want executable malware files; if you can, upload them to VirusTotal.com or Hybrid-Analysis.com and give me only the link.


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#12 agx

Posted 03 March 2017 - 11:14 AM

ID:595570
PC:XXX
USER:XXXX
=======
hello this is C-R-Y-P-T-O-F-A-G speaking.
 
you are HACKED. your files are LOCKED.
i have the KEY to unlock them.
 
EMAIL me to get the key:
 
cryptofag @@@ protonmail.ch
 
 
 
 
 
P.S. if you don't get a reply, check your SPAM/junk folder first.
if there's nothing there, then try emailing me FROM another email address.
if still NO answer, use this backup emails: cryptofag @@@: inbox.lv, india.com, pobox.sk, mail.md
 
also, do NOT delete and keep this encryption log:C:\Windows\595570.log



#13 agx

Posted 03 March 2017 - 11:21 AM

There is another file: KEY2017.KEEPME

 




#14 Amigo-A

Posted 03 March 2017 - 03:28 PM

agx

Thanks!

I already have some pieces. I added only your KEY2017.KEEPME.

Another would be to find the malware and send it to Hybrid Analysis.




#15 agx

Posted 07 March 2017 - 11:30 AM

The malware deletes itself.
