
zXz Ransomware (RanRan) Support & Help Topic (.zXz)


10 replies to this topic

#1 ManMu
  • Members
  • 4 posts

Posted 24 January 2017 - 09:15 AM

Our domain has been attacked by a ransomware which has encrypted all Word, PDF and TXT files on the server and on all local hosts connected to the server.

The ransomware encrypted the files and added a .zXz extension to the end of each file that has been encrypted.

Which means that the file name before the attack was "filename.txt" and after the attack it became "filename.txt.zXz", to tell us this file has been encrypted.

After renaming the file back to its original extension "filename.txt", the text is shown as:

The plaintext from the backup file is shown as:

========================
BUILD OUTPUT DESCRIPTION
========================
 
When you build an Java application project that has a main class, the IDE
automatically copies all of the JAR
files on the projects classpath to your projects dist/lib folder. The IDE
also adds each of the JAR files to the Class-Path element in the application
JAR files manifest file (MANIFEST.MF).
 
To run the project from the command line, go to the dist folder and
type the following:
 
java -jar "Hospital_Management_System.jar" 
 
To distribute this project, zip up the dist folder (including the lib folder)
and distribute the ZIP file.
 
Notes:
 
* If two JAR files on the project classpath have the same name, only the first
JAR file is copied to the lib folder.
* Only JAR files are copied to the lib folder.
If the classpath contains other types of files or folders, these files (folders)
are not copied.
* If a library on the projects classpath also has a Class-Path element
specified in the manifest,the content of the Class-Path element has to be on
the projects runtime path.
* To set a main class in a standard Java project, right-click the project node
in the Projects window and choose Properties. Then click Run and enter the
class name in the Main Class field. Alternatively, you can manually type the
class name in the manifest Main-Class element.
 
Please, can anyone help me find the decryption method and the encryption key?

I searched the ID Ransomware site and was given a case SHA1: 1ce72adb58e416c74914c4f24c0f4a85f12cb531


Edited by quietman7, 26 January 2017 - 10:03 AM.


#2 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,248 posts
  • Gender:Male
  • Location:USA

Posted 24 January 2017 - 09:44 AM

We need more information. I see a few submissions to ID Ransomware with that extension, all from Saudi Arabia within the last 24 hours.

 

Can you zip up a few encrypted files and the ransom note, and submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

We will also need a sample of the malware to analyze. Do you know how you were hit? RDP attack, malicious email attachment, downloaded file, etc.?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 ManMu
  • Topic Starter
  • Members
  • 4 posts

Posted 24 January 2017 - 12:32 PM

We need more information. I see a few submissions to ID Ransomware with that extension, all from Saudi Arabia within the last 24 hours.

Can you zip up a few encrypted files and the ransom note, and submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

We will also need a sample of the malware to analyze. Do you know how you were hit? RDP attack, malicious email attachment, downloaded file, etc.?

I have uploaded the encrypted files.

The malware name found by a Windows server tool is win32/wagcrypt.A.

Thanks in advance.


Edited by ManMu, 24 January 2017 - 03:26 PM.


#4 ManMu
  • Topic Starter
  • Members
  • 4 posts

Posted 25 January 2017 - 09:24 AM

Case Reference SHA1: 7fae509eb1bbbcf21fc7c86419706d491eca44d4



#5 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,248 posts
  • Gender:Male
  • Location:USA

Posted 25 January 2017 - 09:29 AM

I've added a rule to ID Ransomware to point victims to this topic.

 

Do you have the executable that was quarantined, or any log with a hash of it?




#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 January 2017 - 07:20 AM

Have you given this infection a name so I can edit the topic title for support?

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#7 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,248 posts
  • Gender:Male
  • Location:USA

Posted 26 January 2017 - 09:13 AM

For now, I've just called it "zXz".




#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 January 2017 - 10:03 AM

That works for me.


#9 ManMu
  • Topic Starter
  • Members
  • 4 posts

Posted 20 February 2017 - 05:25 AM

For now, I've just called it "zXz".

That works for me.

New .exe files related to the ransomware were submitted to the site.

I found a Load key in the registry that was set up under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows,

and the Load data pointed to C:\Services.exe (it was created during the attack date and time, January 24, 2017 4:04 AM).

Found another .exe file created within the same time frame, named "classicshellsetup_4_1_0.exe", January 24, 2017 4:15 AM,

and other files named VictemKey_OtherFile_0 .. 30 .. 50 ... "with no extensions".



#10 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,248 posts
  • Gender:Male
  • Location:USA

Posted 20 February 2017 - 09:53 AM

Thanks, running them now to see if they are what encrypted the files.

 

From looking at the before/after files you submitted, I suspect this one does not use a secure encryption. It looks like it might be an XOR stream, but I can only theorize so much until confirming the malware. Definitely not encrypted by a block cipher like AES, so that's good.

 

Ok, the files you uploaded are actually encrypted or corrupted. Both exes are not executable at all.


Edited by Demonslay335, 20 February 2017 - 10:03 AM.



#11 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,248 posts
  • Gender:Male
  • Location:USA

Posted 08 March 2017 - 12:24 PM

Palo Alto posted some information on this ransomware; they actually dubbed it "RanRan". ID Ransomware will now call it that. It seems it was a targeted attack, but they are possibly able to decrypt it.

 

http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/


