
Unknown Ransomware



#1 plino

Posted 22 February 2017 - 07:31 AM

Hi all


A friend had her PC and external HDD encrypted a long time ago by some Ransomware.

She didn't take note of the ransom message but gave me an encrypted file.

After running it through ID Ransomware today I got the message


Unable to determine ransomware.
Please make sure you are uploading a ransom note and encrypted sample file from the same infection.
This can happen if this is a new ransomware, or one that cannot be currently identified automatically.
You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.
Please reference this case SHA1: 1635d15b83c79f2988cdf0c888a068d8e791059a


The encrypted file is XLSX file


Any ideas?


Thanks!




#2 Demonslay335

Posted 22 February 2017 - 07:43 AM

There is no filemarker or anything recognizable in the file. The entire file is definitely encrypted based on the entropy, but there is no way to identify by what without a ransom note or the malware itself.

I also see you submitted the exact same file last April. I can't recall what was the most popular ransomware at that time that didn't use an extension or filemarker. Possibly PClock. None that do so would be decryptable.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
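An added triage script, not from this thread or from the ID Ransomware service, that checks the two signals the reply above relies on: whether the ZIP header an intact XLSX must start with is still present, and whether the byte distribution is near the 8.0 bits-per-byte maximum. The 7.5 threshold and the sample buffers are constructed assumptions.

```python
import math
import random
from collections import Counter

# An intact XLSX is a ZIP container and starts with the local-file-header magic.
ZIP_MAGIC = b"PK\x03\x04"
HIGH_ENTROPY = 7.5  # assumed threshold, bits per byte (8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the whole buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Report the two signals: recognisable header, and near-maximal entropy.

    Caveat: the deflate-compressed members inside a healthy XLSX also have high
    entropy, so entropy alone cannot prove encryption. The decisive combination
    is that the header (the 'filemarker' a ZIP reader expects) is gone AND the
    bytes are uniformly distributed, which is what the reply above describes.
    """
    header_ok = data.startswith(ZIP_MAGIC)
    ent = shannon_entropy(data)
    if header_ok:
        verdict = "intact container"
    elif ent >= HIGH_ENTROPY:
        verdict = "likely encrypted (no header, uniform bytes)"
    else:
        verdict = "unknown: header missing but entropy is low"
    return {"zip_header": header_ok, "entropy": round(ent, 3), "verdict": verdict}


def triage_file(path: str) -> dict:
    """Same check over a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples: a container prefix with a low-entropy text payload, and
# a seeded pseudo-random buffer standing in for ciphertext with no header left.
INTACT_SAMPLE = ZIP_MAGIC + b"[Content_Types].xml" * 40
_rng = random.Random(2017)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("intact", INTACT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, triage(blob))
```

Run it against a real sample with `triage_file(path)`; a header that survives alongside high entropy usually means a compressed or partially encrypted file rather than a fully encrypted one.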


#3 plino

Posted 22 February 2017 - 09:06 AM

> I also see you submitted the exact same file last April. I can't recall what was the most popular ransomware at that time that didn't use an extension or filemarker. Possibly PClock. None that do so would be decryptable.

 

Thank you for the fast investigation. Indeed I had previously tested with the same file but didn't submit the hash. That is bad news... Thank you anyway!



#4 quietman7

Posted 22 February 2017 - 09:54 AM

In cases where there is no free decryption tool and victims are not willing to pay the ransom, the only other alternative is to back up/save your data as is and wait for a possible breakthrough... meaning that what seems like an impossibility at the moment (decryption of your data) may someday have a solution, so save the encrypted data and wait until that time.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 plino

Posted 22 February 2017 - 11:22 AM

> In cases where there is no free decryption tool and victims are not willing to pay the ransom, the only other alternative is to back up/save your data as is and wait for a possible breakthrough... meaning that what seems like an impossibility at the moment (decryption of your data) may someday have a solution, so save the encrypted data and wait until that time.

 

Thank you for your message. I hope some solution is found in the future... Many unique files were lost (mainly because the backup drive was connected at the time of infection).

Thanks!



#6 quietman7

Posted 22 February 2017 - 01:31 PM

You're welcome.
