
Can't identify ransomware, files encrypted to .zzz extensions, and a backup file


8 replies to this topic

#1 GJevolve

GJevolve

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 09:10 AM

Hello,

 

I'm going a little loopy trying to identify the ransomware that infected a server, so any help here would be appreciated. The files have been converted to .z, .zz and .zzz files. These are located in a folder named "3590F75ABA9E485486C100C1A9D4FF06ZZZZZZZZ.Z....ZZ", with many subfolders with names like "Z......Z.....Z.Z" and "Z...Z...ZZZZZZZZ". The file names in the folders all have a similar naming structure.

 

There is also a backup file (41GB in size) on the drive that I'm 99% sure wasn't there before.  Unfortunately the shadow copies are no longer available to confirm and due to the misguided owner of said server, backups are not an option.  The infection was caused by a hole in the RDP security which has now been fixed.

 

There was a text file left in the drive and on the desktop named KEY BACKUP.txt, which I've included in my attached files.

 

Tried running the cryptosearch program on the files and it can find them when looking for Teslacrypt V3 and 4 files.  So I tried using the ESET decryption tool for these but it was unable to locate files encrypted by Teslacrypt.

 

Running through the ID ransomware site I get the message:

 

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: b6cdd2a0567ea571abe80c6485a769b4102c51b9

 

Link to files:

https://drive.google.com/open?id=0B45R19B4FKtBX01oRU9heWNQcWs

 

Many thanks for any help offered. Let me know if you need any more information from me.




#2 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 09:35 AM

Do you have the sample file that was run? If the server keeps logs then is it possible to find and recover it if it has been deleted?



#3 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 09:37 AM

Looking at the file in a hex editor shows that it's completely empty and filled with 0's.

If it is tesla then check out - http://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip


Edited by blankiq, 14 February 2017 - 09:39 AM.


#4 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 09:45 AM

Please look at: https://www.bleepingcomputer.com/forums/t/494759/decrypt-protectdirtydecrypt-ransomware-support-and-help-topic/page-9

Seems to be a very similar ransomware



#5 mWave

mWave

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 09:51 AM

If you can get us the original sample which caused the infection then we can analyse it and this can help us into identifying what ransomware variant it is; sometimes it may not be obvious based on the actual encrypted file itself, since other variants can copy the extension names from other variants (e.g. *.encrypted) but actually work differently.



#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,479 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:15 AM

Posted 14 February 2017 - 09:52 AM

It's not TeslaCrypt. TeslaCrypt would have appended ".zzz" to each file (e.g. picture.jpg.zzz), and would also have a noticeable hex pattern that ID Ransomware would have picked up on.

 

I recall a report of a ransomware like this before as well, but don't recall where that topic is. The files for that victim were also all 0 bytes. I can only assume the actual data is zipped up in that "backup" you mentioned, probably password-protected.

 

We would need a sample of the malware that caused the damage in order to analyze what it does and whether it can be decrypted.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
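A small triage helper prompted by blankiq's hex-editor finding (the "encrypted" file is all zeros) and Demonslay335's point that real TeslaCrypt output has a recognisable hex pattern. This is an added example, not code from the thread or from any of the tools mentioned: it walks a directory for the .z/.zz/.zzz extensions seen here and reports whether each file is zero-filled (the data is not in the file at all, so look elsewhere, e.g. that 41GB "backup"), high-entropy (consistent with genuine encryption) or plaintext-like (merely renamed). The extension list, thresholds, folder names and sample files are all constructed for the demo.

```python
import math
import tempfile
from pathlib import Path

SUSPECT_EXTS = {".z", ".zz", ".zzz"}  # extensions reported in the thread (constructed list)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def classify_file(path) -> dict:
    """Distinguish zero-filled placeholders from genuinely encrypted content."""
    data = Path(path).read_bytes()
    size = len(data)
    zero_fraction = data.count(0) / size if size else 1.0
    entropy = shannon_entropy(data)
    if size == 0 or zero_fraction > 0.99:
        verdict = "zero-filled"      # content is absent; recover it from elsewhere
    elif entropy > 7.5:
        verdict = "high-entropy"     # consistent with real encryption or compression
    else:
        verdict = "plaintext-like"   # probably only renamed, not encrypted
    return {"size": size, "zero_fraction": round(zero_fraction, 3),
            "entropy": round(entropy, 2), "verdict": verdict}

def triage_tree(root) -> dict:
    """Map each suspect-extension file under root to its classification."""
    root = Path(root)
    return {str(p.relative_to(root)): classify_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in SUSPECT_EXTS}

def build_sample_tree() -> str:
    """Constructed sample data in a temp dir, mimicking the folder layout described."""
    root = Path(tempfile.mkdtemp())
    folder = root / "Z......Z.....Z.Z"
    folder.mkdir()
    (folder / "report.docx.zzz").write_bytes(b"\x00" * 4096)          # all zeros, like the victim's files
    (folder / "photo.jpg.zz").write_bytes(bytes(range(256)) * 16)     # uniform bytes, entropy exactly 8.0
    (folder / "notes.txt.z").write_bytes(b"hello world\n" * 100)      # readable text, low entropy
    (root / "KEY BACKUP.txt").write_bytes(b"not a suspect extension\n")  # skipped by the extension filter
    return str(root)

if __name__ == "__main__":
    for name, info in triage_tree(build_sample_tree()).items():
        print(f"{name}: {info}")
```

On a real share, run triage_tree against the affected root and treat a tree full of "zero-filled" verdicts as a sign that the originals were moved or archived rather than encrypted in place.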


#7 GJevolve

GJevolve
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 11:37 AM

Hi all,

 

Thanks for the messages. Not sure exactly what the source file is, but I had a look in the compromised user's account and found what looks to be a toolkit in the downloads folder, which I have uploaded to Google Drive:

 

https://drive.google.com/open?id=0B45R19B4FKtBYkVOTWlfLW01WVk

 

Had a look through the AV reports and can see that Symantec removed WS.Malware.2, which has now been removed.  Is this what you were after?

 

Thanks.



#8 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 12:45 PM

csf.exe is a self extracting 7zip archive. It probably contains the ransomware. However, it is password protected :/ I'll see if I can crack it



#9 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 14 February 2017 - 01:08 PM

If you get access to the server again, can you please run Recuva or something similar to try and recover the decrypted sample of the ransomware? It's much faster than trying thousands of passwords on a 7zip file.





