
Potato (.potato) Ransomware Help & Support - README.png


3 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:17 PM

Posted 25 January 2017 - 03:36 PM

A new ransomware may be going around calling itself "Potato". This ransomware adds the extension ".potato" to files; e.g. "picture.jpg.potato". The ransom note left is called "README.png" or "README.html".

 

[Attachment: readme.png]

Victims are asked to go to the website http://tzakpakp6v5vwqqh.onion/, where they are told to contact the malware author at potatoransom@sigaint.org.

[Attachment: pasted-image-at-2017_01_25-02_29-pm.png]

 

 

We are still looking for a sample of the malware. It is suspected the malware author is using the DarkComet RAT to remote into victims' machines and execute the ransomware, as this was found alongside password extraction tools on a victim's machine.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
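The indicators in the post above (the ".potato" extension appended to encrypted files, and ransom notes named README.png / README.html) are enough for a first-pass triage of an affected machine. The following is an added example, not code from this thread or from any of the tools linked in the signature: it walks a directory tree, inventories the encrypted files, derives each original file name by stripping the appended extension (the list you would look for in backups or shadow copies), and flags the ransom notes. The sample tree it builds is constructed data, and the helper names (triage, restore_list, build_sample_tree) are this example's own.

```python
# Added triage example (not from the thread): inventory a directory tree for
# the Potato indicators reported above, without reading or modifying file contents.
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

POTATO_EXT = ".potato"                      # extension appended to encrypted files (from the thread)
NOTE_NAMES = {"readme.png", "readme.html"}  # ransom note file names (from the thread)


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)  # (encrypted path, original file name)
    notes: list = field(default_factory=list)      # paths of ransom notes found
    dirs_hit: set = field(default_factory=set)     # directories containing encrypted files


def triage(root):
    """Walk `root` and collect Potato indicators; only file names are examined."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(POTATO_EXT):
                # The thread shows "picture.jpg.potato": stripping the suffix gives
                # the original name to look for in backups or shadow copies.
                original = name[: -len(POTATO_EXT)]
                report.encrypted.append((str(path), original))
                report.dirs_hit.add(dirpath)
            elif lower in NOTE_NAMES:
                report.notes.append(str(path))
    return report


def restore_list(report):
    """Sorted, de-duplicated original file names to recover from backups."""
    return sorted({orig for _path, orig in report.encrypted})


def build_sample_tree():
    """Constructed sample tree (hypothetical data) mirroring the thread's description."""
    base = Path(tempfile.mkdtemp(prefix="potato_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "picture.jpg.potato").write_bytes(b"\x00" * 16)  # stand-in for encrypted data
    (docs / "budget.xlsx.potato").write_bytes(b"\x00" * 16)
    (docs / "README.png").write_bytes(b"\x89PNG")             # stand-in for the note image
    (docs / "README.html").write_text("<html></html>")        # stand-in for the note page
    (base / "untouched.txt").write_text("not encrypted")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    rep = triage(sample)
    print(f"{len(rep.encrypted)} encrypted files in {len(rep.dirs_hit)} directories")
    print(f"{len(rep.notes)} ransom notes")
    print("originals to recover:", restore_list(rep))
```

Run it against the root of an affected volume instead of the sample tree to get a count of encrypted files per directory and the list of original names; because it matches on names only, it is safe to run on a machine that is still being preserved for a malware submission.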



#2 Michael-Armor

Michael-Armor

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 25 January 2017 - 07:15 PM

A client of ours had the same happen to them last night.

 

Steps that look like they were done:

  • Hacker remotely logs into the victim's computer
  • Hacker downloads "potato.exe" from a remote source
  • Hacker runs the executable; it extracts all the files, which contain the .html and .jpg that are the ransom note, along with the cryptovirus exe and batch files and a tor client
  • Runs a batch script that loops and encrypts files
  • Contacts the server using tor
  • Ends up encrypting its own batch files, and leaves

 

I tried infecting a virtual machine but the .exe is an encrypted archive so you have to have a password, and without brute forcing I couldn't get anywhere, and the batch files get encrypted in the end so I wasn't able to replicate it.

 

Cause of infection is unknown this far.


Edited by Michael-Armor, 25 January 2017 - 07:17 PM.


#3 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,244 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:17 PM

Posted 25 January 2017 - 07:50 PM

Thanks for sharing. Any chance you could share the malware? You may upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Also, by chance are you in the US? So far only two unique IPs from the US have uploaded .potato files to ID Ransomware.



#4 Michael-Armor

Michael-Armor

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 25 January 2017 - 08:05 PM

I hadn't submitted one, I did so now.

 

I can upload the main files/executables as well as the key provided or anything like that.

 

It doesn't wipe out shadow copies so you are able to recover files through them if you have them enabled.

 

I however have to clear this infection out here because it is a business' computer that they need functional.

