ransomware encrypt my files without extension

8 replies to this topic

#1 luinhon (Members, 4 posts)

Posted 01 February 2017 - 06:24 AM

Hi

My PC has been infected by ransomware.

It encrypted my files and file names.

ID Ransomware checks that it is Globe3, but the encrypted files' names don't have extensions.

An encrypted version and a decrypted version of my sample file are below.

https://www.dropbox.com/sh/a75s6l98vbqjzwa/AADxZSxoXSPeWdnwifb3s4GDa?dl=0

The encrypted files are important to me.

Please, I need your help.

Any method or advice, please.




#2 EthanJoshua (Members, 2 posts)

Posted 01 February 2017 - 06:50 AM

To all,

Use a VPN to get secure from ransomware attacks. Here you can get all the details about this: usavpn.com/blog/protect-yourself-from-locky-ransomware-with-a-vpn

Thanks



#3 quietman7 (Bleepin' Janitor; Global Moderator, 51,470 posts; Virginia, USA)

Posted 01 February 2017 - 06:51 AM


More information is needed to determine specifically what infection you are dealing with since there are several ransomware infections which do not append an obvious extension to the end of encrypted filenames or add a known file pattern which helps to identify it. Therefore, ID Ransomware cannot always properly identify it without a ransom note. The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), the malware file itself or at least information related to the email address used by the cyber-criminals.

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#4 luinhon (Topic Starter; Members, 4 posts)

Posted 01 February 2017 - 09:04 AM

> More information is needed to determine specifically what infection you are dealing with since there are several ransomware infections which do not append an obvious extension to the end of encrypted filenames or add a known file pattern which helps to identify it. Therefore, ID Ransomware cannot always properly identify it without a ransom note. The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), the malware file itself or at least information related to the email address used by the cyber-criminals.
>
> If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

In the shared folder of the above link (https://www.dropbox.com/sh/a75s6l98vbqjzwa/AADxZSxoXSPeWdnwifb3s4GDa?dl=0), a ransom note is uploaded.

And I have submitted two suspected executables to the link.



#5 Demonslay335 (Ransomware Hunter; Security Colleague, 3,511 posts; USA)

Posted 01 February 2017 - 10:50 AM

Have you tried the Globe3 or Globe2 decrypter with those files? The ransom note is definitely Globe, and everything else matches as well - the filename pattern (minus extension), and the fact that only the first 64KB are encrypted. Other submissions with that email address have also had no extension; we believe that's just how that malware author configured his version. The file pair you posted is a good before/after. If none of the Globe decrypters from Emsisoft work with them, we'll need a sample of the malware itself to analyze for any changes.

*Edit

I used the Globe3 decrypter and it took a while, but I think around 20% it found the key, and I've been able to decrypt some of the files you uploaded.

[Screenshot attachment: 2017-02-01_1026.png]

[Screenshot attachment: 2017-02-01_1028.png]


Edited by Demonslay335, 01 February 2017 - 11:23 AM.

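Demonslay335's observation above, that this Globe variant encrypts only the first 64KB of each file and that a before/after pair lets you confirm that, can be checked mechanically. The Python script below is an added example, not a tool from this thread or from Emsisoft: it diffs a before/after pair to locate the modified byte range, reports how much of the tail is untouched, and scores the modified range with byte entropy, run here on a constructed sample pair rather than the poster's files.

```python
"""Triage a before/after file pair from a ransomware case: locate the modified
byte range, check the remainder is intact, and test whether the modified range
looks like ciphertext. Added example; the sample pair is constructed inline."""
import hashlib
import math
from collections import Counter

KB64 = 64 * 1024

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for ordinary text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare_pair(original: bytes, encrypted: bytes) -> dict:
    """Byte-wise diff over the common length; reports where the change sits."""
    common = min(len(original), len(encrypted))
    diffs = [i for i in range(common) if original[i] != encrypted[i]]
    appended = len(encrypted) - len(original)          # footer/marker, if any
    if not diffs:
        return {"modified_span": 0, "appended_bytes": appended}
    first, last = diffs[0], diffs[-1]
    return {
        "first_modified": first,
        "last_modified": last,
        "modified_span": last - first + 1,
        "unchanged_tail_bytes": common - last - 1,     # bytes after last change
        "appended_bytes": appended,
        "entropy_encrypted_region": round(shannon_entropy(encrypted[first:last + 1]), 2),
        "entropy_original_region": round(shannon_entropy(original[first:last + 1]), 2),
    }

def keystream(n: int, seed: bytes = b"constructed-demo-key") -> bytes:
    """SHA-256 counter-mode keystream for the constructed sample only; zero
    bytes are replaced so every XORed byte in the head actually changes."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(b or 1 for b in out[:n])

def constructed_sample() -> tuple[bytes, bytes]:
    """~112KB text 'document' whose first 64KB is overwritten with keystream
    XOR output and whose remainder is untouched, mimicking the described case."""
    original = b"".join(b"Quarterly report line %05d\n" % i for i in range(4000))
    head = bytes(a ^ k for a, k in zip(original[:KB64], keystream(KB64)))
    return original, head + original[KB64:]

if __name__ == "__main__":
    before, after = constructed_sample()
    for key, value in compare_pair(before, after).items():
        print(f"{key}: {value}")
```

On a real pair the same report shows whether the untouched tail is large enough to carve partial content (text, database pages) from files the decrypter cannot recover.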


#6 luinhon (Topic Starter; Members, 4 posts)

Posted 02 February 2017 - 12:12 AM

> Have you tried the Globe3 or Globe2 decrypter with those files? The ransom note is definitely Globe, and everything else matches as well - the filename pattern (minus extension), and the fact that only the first 64KB are encrypted. Other submissions with that email address have also had no extension; we believe that's just how that malware author configured his version. The file pair you posted is a good before/after. If none of the Globe decrypters from Emsisoft work with them, we'll need a sample of the malware itself to analyze for any changes.
>
> *Edit
>
> I used the Globe3 decrypter and it took a while, but I think around 20% it found the key, and I've been able to decrypt some of the files you uploaded.
>
> [Screenshot attachment: 2017-02-01_1026.png]
>
> [Screenshot attachment: 2017-02-01_1028.png]

Can I get the program?

I have tried, but my attempt failed.



#7 luinhon (Topic Starter; Members, 4 posts)

Posted 02 February 2017 - 12:41 AM

I am trying to decrypt files, and I see some files decrypted.

But the process suddenly stopped, and then the decrypter file was changed with the extension .vap.

What can I do about this problem?



#8 xXToffeeXx (Bleepin' Polar Bear; Malware Response Instructor, 6,078 posts; The Arctic Circle)

Posted 02 February 2017 - 08:11 AM

Is this a server? If so, please make sure RDP is secure; otherwise, other people can infect you again.

Please upload some of the .vap files as well.

xXToffeeXx~


Edited by xXToffeeXx, 02 February 2017 - 08:11 AM.



#9 ScaryMary (Members, 1 post)

Posted 05 February 2017 - 05:33 AM

Today I have had three customers (here in Australia) all hit with ransomware that encrypts without an extension.

I think it looks a lot like the "DMALocker 4.0". They are all running Microsoft servers that have been hit: one Windows Server 2008 (SBS 2011), two Windows Server 2012 R2.

Personally I am suspecting it is an IIS or RDS vulnerability that has been cracked rather than the usual email/web download delivery vector. One of the attacks was on a web server that does not get used for desktop-type functions, and nobody has interactively logged into it since before Christmas.

In all cases the attack started at about 2AM Eastern Australian time today, 5th February 2017. Nobody was actively using the systems at that time. Of course there may be a delay mechanism in the attack. It may be that the attackers wanted the encryption to start when nobody was watching for maximum impact.

One client has had systems restored from backup. Another, we shut the servers down and will restore data tomorrow. A third we are restoring overnight. In all cases we had a good backup that was stored on a network device that requires specific credentials to access, and only the backup system is programmed with these credentials.

Rebooting the servers seems to have stopped any further encryption, but I am still paranoid as AV (Webroot) did not pick up anything at all.

One client was using GoodSync to replicate data to another office, and it has a nice feature that halts the sync until user intervention when mass file changes occur. That may have saved the client from redoing the work they did the evening before.


Edited by ScaryMary, 05 February 2017 - 05:59 AM.
