
Ransomware Infection (did not rename files just encrypted them)


39 replies to this topic

#1 a2zbrandon (Members, 13 posts)

Posted 23 January 2017 - 03:42 PM

Found svchosd.exe under C:/ProgramData

Files related to infection / encrypted png file for inspection (infected svchosd.exe included, so be careful)

 

https://www.sendspace.com/file/avzv8j

 

 

Windows SBS 2011 Essentials is the OS

 

I hope this covers everything needed to help me decrypt my office's stuff.

 

 

Almost no steps have been taken as I have not been able to determine the ransomware used.


Edited by a2zbrandon, 23 January 2017 - 03:45 PM.




#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 23 January 2017 - 03:46 PM

It looks like your files were encrypted by a variant of something derived from DMALocker. I haven't seen that filemarker before, so it may be a new fork of it.

 

Do you have the malware? We will need it to analyze. The zip file you posted does not include any executables, and half the files are empty.

 

Please submit any malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Can you also provide a few pairs of files that you also have a clean copy of? I believe this is an imitator using a weaker encryption, but need to see the before/after to confirm.


Edited by Demonslay335, 23 January 2017 - 03:51 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 23 January 2017 - 04:09 PM

Try this one, sorry; I placed it in a shared folder to inspect on a different machine and the antivirus deleted it lol. Removed malicious link - xXToffeeXx~

 

It didn't rename my files, so any ideas on how to find the before and after encryption files?


Edited by xXToffeeXx, 23 January 2017 - 04:26 PM.


#4 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 23 January 2017 - 04:11 PM

Something from backup, or if you have Sample Pictures that were encrypted, I can compare them with defaults from another computer of the same OS.

 

*Edit: Never mind, having the malware itself is even better. Sample has been secured.

 

The Logo.bmp file you submitted really looks like it was XOR'd, but this malware definitely did not use XOR when I executed it.


Edited by Demonslay335, 23 January 2017 - 04:28 PM.



#5 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 23 January 2017 - 04:28 PM

I am using CryptoSearch to locate encrypted files to find the types it encrypts, for starters. Once I know that, I'll find something we can use for comparison. The sample pictures have all been removed.


Edited by a2zbrandon, 23 January 2017 - 04:29 PM.


#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 23 January 2017 - 04:29 PM

I am using CryptoSearch to locate encrypted files to find the types it encrypts, for starters. Once I know that, I'll find something we can use for comparison.

 

If you are using CryptoSearch, hit "Refresh Network", and select "X Locker 5.0". I just added that rule, and it should be able to find the encrypted files for you using the hex pattern.




#7 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 23 January 2017 - 05:07 PM

I have it running now; I am trying to figure out if it got my SQL Server files or not. QuickBooks seems to be fine, so if that wasn't damaged I can take those and just wipe the rest, or at least I hope so.

 

 

What are the odds of me decrypting my files in your opinion?


Edited by a2zbrandon, 23 January 2017 - 05:34 PM.


#8 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 23 January 2017 - 05:52 PM

I would archive the files just in case (using CryptoSearch :)), but I'm not fully sure yet. If it is based on an older version of DMALocker, it could be decryptable under certain circumstances, but we haven't fully analyzed the malware yet. I just did quick static analysis and confirmed it is based on DMALocker to some extent.




#9 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 23 January 2017 - 11:05 PM

CryptoSearch keeps turning up nothing.



#10 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 23 January 2017 - 11:48 PM

Try the "Byte Pattern" option with this:

214C6F636B656421232323



#11 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 24 January 2017 - 02:26 AM

Thanks that worked.



#12 MrWonton42 (Members, 11 posts)

Posted 24 January 2017 - 11:36 AM

This sounds exactly like the DMA Locker variant that I just handled. Do you have an ID you could provide us? It looks like a string of numbers with semicolons between them.



#13 a2zbrandon (Topic Starter, Members, 13 posts)

Posted 24 January 2017 - 12:22 PM

12:30:17:29:34:62:06:12 is the ID



#14 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts, Location: USA)

Posted 24 January 2017 - 01:30 PM

It definitely is derived from DMALocker, but the byte pattern is different.

 

This is the ASCII for the byte pattern I posted; it is prepended to every file that is encrypted by this ransomware.

!Locked!###

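The marker-based sweep that CryptoSearch's "Byte Pattern" option performs, written out as an added example for triage (this is illustrative code, not CryptoSearch's own source): it decodes the hex pattern from the post, walks a directory tree and inventories every file whose first bytes are the !Locked!### header, so the affected files can be archived before any cleanup. The sample files it scans are constructed inline; only the marker bytes come from the thread.

```python
import os
import tempfile
from pathlib import Path

# Byte pattern posted in this thread (hex) and its ASCII form "!Locked!###".
MARKER_HEX = "214C6F636B656421232323"
MARKER = bytes.fromhex(MARKER_HEX)


def has_marker(path):
    """True if the file begins with the full marker (a partial prefix does not count)."""
    with open(path, "rb") as fh:
        return fh.read(len(MARKER)) == MARKER


def find_marked_files(root):
    """Walk root and return sorted paths (relative to root) of files carrying the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if has_marker(full):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable/locked file: skip it rather than abort the sweep
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: two files with the header, one clean PNG, one truncated file."""
    root = tempfile.mkdtemp(prefix="locked_demo_")
    Path(root, "docs").mkdir()
    Path(root, "docs", "report.docx").write_bytes(MARKER + b"\x00\x11\x22" * 40)
    Path(root, "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    Path(root, "logo.bmp").write_bytes(MARKER + b"BM\x00\x00")
    Path(root, "tiny.txt").write_bytes(b"!Lock")  # shorter than the marker: must not match
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_marked_files(sample_root):
        print("marked:", hit)
```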


#15 MrWonton42 (Members, 11 posts)

Posted 24 January 2017 - 01:43 PM

I have seen a variant of DMA that has the byte pattern of "Locked" instead of the usual "DMALocker" header on the file. There is a bloke out of Poland who has done some work on this variant in the past and has a bit of a write-up on their blog. IIRC the link to the blog is on their GitHub site.

 

https://github.com/hasherezade
