
Unidentified Ransomware *.lock


51 replies to this topic

#1 FredHou

FredHou

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 February 2017 - 02:42 PM

Hi All,

Good day,

I uploaded a file to ID Ransomware.

Following are my case reference codes for it.

Original File: please reference this case SHA1: ec157dddf80289f3487542c10714713f9323896a

Encrypted Sample File: please reference this case SHA1: 602b8ad5fcf37f2eb0621691fc5ea22f17018a2d

It would be very much appreciated if anyone could help; I have 1,000 manufacturing programs locked by ransomware.

 

The TXT file said:

 

Your ID: BMRS-TS#0B092BFB6148AAE38F4CF1F1F505931D
Also check for .key.lock files in the C:\ProgramData directory and send them to support.
Translation at the expense of Bitcoin address
1HyasSC2VifTZo7YkUNn33udnWXw3Ffq7T
Buy Bitcoin here https://localbitcoins.com or
https://www.buybitcoinworldwide.com/find-exchange/ or
https://www.coinbase.com or
https://www.xmlgold.eu  or
any other exchanger
or
write to Google how to buy Bitcoin in your country?
after payment you will receive a program that automatically decrypts all your files
mail support frogobigens@india.com
NO money = NO decryption

 

 




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:08 PM

Posted 08 February 2017 - 02:49 PM

You uploaded a ransom note and it was identified as Xorist and Globe. There have been a few actors recently deploying multiple ransomware kits with the same email address. Based on the BTC address, it seems more like it could be Xorist.

 

We need a larger file before/after encryption to determine if it was Xorist or Globe properly. You'll need to get a file pair larger than 65KB.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 February 2017 - 02:54 PM

Thanks for your prompt reply; below are larger files.

Original: SHA1: bfccad2b50b992f4afa48a7a40789a1739ca0080

Encrypted Sample File: SHA1: 414e403df3351afc841650496475c95aebc87305

I hope this helps.



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:08 PM

Posted 08 February 2017 - 03:01 PM

The files are not the same size, so I don't believe it is Xorist or Globe as far as I can tell.

 

Any chance you have the malware or know how you got infected? We may need the malware itself to accurately identify at this point.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:01:08 AM

Posted 08 February 2017 - 03:06 PM

Hi there,

 

Do you have an encrypted .png.lock file?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#6 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 February 2017 - 03:17 PM

I found other files, as below:

Original: SHA1: db5ce2775a436577252f7db23c434de3da7ea89f

Encrypted: SHA1: cbe77fd06549baa34010e776c720f53698cbb461

And I am not sure what you mean by an encrypted .png.lock file?
I will try my best to find it.



#7 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 February 2017 - 03:28 PM

Demonslay335, on 08 February 2017 - 03:01 PM, said:

The files are not the same size, so I don't believe it is Xorist or Globe as far as I can tell.

Any chance you have the malware or know how you got infected? We may need the malware itself to accurately identify at this po

xXToffeeXx, on 08 February 2017 - 03:06 PM, said:

Hi there,

Do you have an encrypted .png.lock file?

xXToffeeXx~

I uploaded some files affected by the ransomware; because they are manufacturing programs running on the machine, they are not big.

You can easily open the original one with Notepad; the content is simple.

https://www.sendspace.com/filegroup/yIWupzoc8OEH6Oe%2BvVSqHOIxVU3hqG4wNl53InoPLqr6mMQGqPWTB%2BrSjhzUuKDZ6f%2BcduKGFS0G6laB2PEpIwNLlQXgscEHQgPRZSwMVNDUjCh0c2Qrs0Hy8k2eltiE

Thanks.



#8 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 February 2017 - 03:39 PM

Just found bigger .bmp file as below,

 

Both original and encrypted are included.

 

https://www.sendspace.com/filegroup/NMwyZdavLAGwKgWHOEOOLQ



#9 Guest_AES-NI_*

Guest_AES-NI_*

  • Guests
  • OFFLINE
  •  

Posted 08 February 2017 - 04:45 PM

Hello, it's AES-NI.

https://www.bleepingcomputer.com/forums/t/635140/aes256-ransomware-aes256-read-this-importanttxt-support-help-topic/


Edited by AES-NI, 08 February 2017 - 05:06 PM.


#10 Guest_AES-NI_*

Guest_AES-NI_*

  • Guests
  • OFFLINE
  •  

Posted 08 February 2017 - 04:49 PM

Send the key from the ProgramData directory:

"BMRS-TS#0B092BFB6148AAE38F4CF1F1F505931D-333333333.key.lock"

I can decrypt your files for free, if you want.

If you try to use third-party decryption tools, I ask you not to damage your files; copy them and test them on another computer.


Edited by AES-NI, 08 February 2017 - 05:03 PM.


#11 Guest_AES-NI_*

Guest_AES-NI_*

  • Guests
  • OFFLINE
  •  

Posted 08 February 2017 - 04:53 PM

Demonslay335, on 08 February 2017 - 03:01 PM, said:

The files are not the same size, so I don't believe it is Xorist or Globe as far as I can tell.

Any chance you have the malware or know how you got infected? We may need the malware itself to accurately identify at this point.

Demonslay335, it's AES-NI, NOT Xorist or Globe.

Update the detection rules in ID Ransomware using the text in the read me:
{

    Your ID: PC_NAME#ID

    Also check for .key.lock files in the C:\ProgramData directory and send them to support.

}

In the AES-NI software it's static text (without the ID number).


Edited by AES-NI, 08 February 2017 - 05:10 PM.
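The triage steps the responders ask for in this thread, pulled together as an added example. This is not code from the thread, from ID Ransomware, or from any poster; it only codifies what posts #2, #4, #10 and #11 describe: compare an original/encrypted file pair (a size change is what rules out Xorist and Globe in post #4, and a pair should be over 65 KB to be useful per post #2), match the static-text plus "Your ID: PC_NAME#ID" rule from post #11, and locate the *.key.lock file named in post #10. Assumptions: "65KB" is read as 65 * 1024 bytes, the regex for the ID line is my own reading of the rule, the sample note is the one posted in #1 with the payment details left out, and the "encrypted" file in the demo is a constructed stand-in (XOR plus 16 padding bytes), not any real cipher.

```python
"""Added example: triage checks for an unidentified ".lock" ransomware case.

Not code from the thread, ID Ransomware or any poster. Three checks:
(1) original/encrypted pair sizes and hashes, (2) the ransom-note rule
from post #11, (3) *.key.lock discovery. All sample data is constructed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumption: "larger than 65KB" (post #2) is read as 65 * 1024 bytes.
MIN_USABLE_SIZE = 65 * 1024

# Post #11 rule: the note body is static text; only "Your ID: PC_NAME#ID" varies.
# Match on one static line plus the ID line (regex is my own reading of the rule).
STATIC_MARKER = r"Also check for .key.lock files in the C:\ProgramData directory"
ID_LINE = re.compile(r"^Your ID:\s*(?P<pc>[^#\s]+)#(?P<id>[0-9A-Fa-f]+)\s*$", re.M)

# Sample note: the text posted in #1 of this thread, payment details omitted.
SAMPLE_NOTE = """Your ID: BMRS-TS#0B092BFB6148AAE38F4CF1F1F505931D
Also check for .key.lock files in the C:\\ProgramData directory and send them to support.
NO money = NO decryption
"""


def sha1_of(path):
    """Hex SHA1 of a file, read in chunks (the reference hash quoted in the thread)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_pair(original, encrypted):
    """Sizes, size delta, hashes and usability of an original/encrypted pair."""
    o_size, e_size = os.path.getsize(original), os.path.getsize(encrypted)
    return {
        "orig_size": o_size,
        "enc_size": e_size,
        "delta": e_size - o_size,
        "same_size": o_size == e_size,   # post #4: not same size -> not Xorist/Globe
        "orig_sha1": sha1_of(original),
        "enc_sha1": sha1_of(encrypted),
        "usable": o_size > MIN_USABLE_SIZE,
    }


def classify_note(text):
    """Apply the post #11 rule; return parsed PC name and victim ID on a hit."""
    m = ID_LINE.search(text)
    if m and STATIC_MARKER in text:
        return {"family": "AES-NI (per post #11 rule)",
                "pc_name": m.group("pc"), "victim_id": m.group("id")}
    return {"family": "unknown"}


def find_key_files(root):
    """Find *.key.lock files under a directory (on a live host: C:\\ProgramData)."""
    return sorted(str(p) for p in Path(root).rglob("*.key.lock"))


def run_demo():
    """Run all three checks on constructed sample data in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        orig, enc = root / "program.bmp", root / "program.bmp.lock"
        # Constructed input: 70,000 deterministic bytes, so it clears MIN_USABLE_SIZE.
        data = bytes((i * 7 + 3) & 0xFF for i in range(70_000))
        orig.write_bytes(data)
        # Constructed "encrypted" output: a stand-in, not any real cipher, that is
        # 16 bytes longer than the input so the same-size test fails as in post #4.
        enc.write_bytes(bytes(b ^ 0x5A for b in data) + b"\x00" * 16)
        pd = root / "ProgramData"
        pd.mkdir()
        # Key file named as in post #10; placeholder contents.
        (pd / "BMRS-TS#0B092BFB6148AAE38F4CF1F1F505931D-333333333.key.lock").write_bytes(b"placeholder")
        return {"pair": compare_pair(orig, enc),
                "note": classify_note(SAMPLE_NOTE),
                "key_files": find_key_files(pd)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On a real case, point compare_pair at the actual pair, classify_note at the note text, and find_key_files at C:\ProgramData on the affected host before any reimage; as post #15 says, once that key file is gone there is nothing for the decrypter to work with.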


#12 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 08 February 2017 - 10:09 PM

AES-NI, on 08 February 2017 - 04:49 PM, said:

Send the key from the ProgramData directory:

"BMRS-TS#0B092BFB6148AAE38F4CF1F1F505931D-333333333.key.lock"

I can decrypt your files for free, if you want.

If you try to use third-party decryption tools, I ask you not to damage your files; copy them and test them on another computer.

Hi,

I appreciate your great help. I'm not really good at computer science; could you please let me know where I should find the specific file you mentioned?

Unfortunately, the computer was restored with Ghost.

I did back up the files from D:, which were all affected by the ransomware. Is there still any way to get my files back?

Thanks again.



#13 Guest_AES-NI_*

Guest_AES-NI_*

  • Guests
  • OFFLINE
  •  

Posted 09 February 2017 - 05:36 AM

I don't understand; you already restored the files?

To restore the files I need the key file from the ProgramData directory.


Edited by AES-NI, 09 February 2017 - 05:43 AM.


#14 FredHou

FredHou
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 09 February 2017 - 07:07 AM

AES-NI, on 09 February 2017 - 05:36 AM, said:

I don't understand; you already restored the files?

To restore the files I need the key file from the ProgramData directory.

Sorry, I confused you.

I mean the whole Windows system was restored. I believe the key data you asked for is already gone.

It made me nervous to hear that you will need the key file to unlock my files.......

My machine uses WinXP; does a ProgramData folder still exist there?

Is there any other way to solve this and get my encrypted files recovered?

Appreciated.


Edited by FredHou, 09 February 2017 - 07:13 AM.


#15 Guest_AES-NI_*

Guest_AES-NI_*

  • Guests
  • OFFLINE
  •  

Posted 09 February 2017 - 07:53 AM

No, the private key is saved to the ProgramData directory.

If you deleted the private key file, restoring the files is impossible..
