

Files encrypted without name change and with no obvious ransom


4 replies to this topic

#1 faqinel (Members, 2 posts)

Posted 28 February 2017 - 03:28 PM

Hi All,

 

I've just received a PC with PDFs, JPGs, DOCs, etc. that appear to be encrypted or selectively corrupted!? The files retain their original filenames and there does not appear to be any obvious ransom request on the desktop or anywhere else. System Restore points have been deleted. Malwarebytes found historical traces of Cerber:

 

Ransom.Cerber, C:\$RECYCLE.BIN\S-1-5-21-212733414-1275940938-2650312604-1000\$RP9DZ8I.EXE, Delete-on-Reboot, [10], [375089],1.0.1384
Ransom.Cerber, C:\$RECYCLE.BIN\S-1-5-21-212733414-1275940938-2650312604-1000\$RMYZ79N.EXE, Delete-on-Reboot, [10], [375089],1.0.1384
Ransom.Cerber, C:\$RECYCLE.BIN\S-1-5-21-212733414-1275940938-2650312604-1000\$RXJKR6I.EXE, Delete-on-Reboot, [10], [375089],1.0.1384
Ransom.Cerber, C:\$RECYCLE.BIN\S-1-5-21-212733414-1275940938-2650312604-1000\$RQ70NYQ.EXE, Delete-on-Reboot, [10], [375089],1.0.1384
 
The PC runs an up-to-date copy of Bullguard Internet Security.
 
id-ransomware reference is: SHA1: f02b00a360ebfc79a8099dca119902ef8a1e3195
 
I would appreciate any help you can give to identify the type of Ransomware.
 
Regards,
 
Faqinel
 
1st time post so sorry if I've missed anything.

Edited by faqinel, 28 February 2017 - 03:29 PM.


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,768 posts, Virginia, USA)

Posted 28 February 2017 - 03:47 PM

Did you find any ransom notes and if so, what is the actual name of the note?

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern which helps to identify it. Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted.

CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append an obvious extension to the end of encrypted filenames.

Based on infection rates and statistics, the two most common ransomware variants that do not change the extension or use a filemarker are PClock and Spora.
Windows Insider MVP 2017-2018 | Microsoft MVP Reconnect 2016 | Microsoft MVP Consumer Security 2007-2015 | Member of UNITE, Unified Network of Instructors and Trusted Eliminators
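Added illustration of the header point above (this is not quietman7's code or any BleepingComputer/ID Ransomware tool): when a ransomware keeps the original filename, the one thing that still gives the file away is that its leading bytes no longer match what the extension implies and the content looks random. The hypothetical triage script below checks exactly that, using a magic-byte table limited to the types the poster listed and a constructed sample tree in place of the real profile.

```python
import math
import os
import tempfile
from pathlib import Path

# Leading bytes each extension is expected to carry; limited to the types the poster listed.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document
    ".docx": (b"PK\x03\x04",),                        # OOXML is a zip container
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means the bytes look random (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_file(path: Path, sample: int = 4096) -> dict:
    """Read the file head and report whether it still matches the extension's magic bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    expected = MAGIC.get(path.suffix.lower())
    magic_ok = None if expected is None else any(head.startswith(m) for m in expected)
    return {"path": str(path), "magic_ok": magic_ok, "entropy": round(shannon_entropy(head), 2)}

def find_suspect_files(root: Path) -> list:
    """Files whose header no longer matches their extension and whose content looks random."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MAGIC:
            info = inspect_file(p)
            if info["magic_ok"] is False and info["entropy"] > 7.0:
                hits.append(info)
    return hits

def build_sample_tree() -> Path:
    """Constructed sample data: an intact PDF, an intact JPEG, and a PDF overwritten with random bytes."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"hello world\n" * 200)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 512)
    (root / "invoice.pdf").write_bytes(os.urandom(4096))  # stands in for an encrypted file
    return root
```

Point find_suspect_files at the affected user profile instead of build_sample_tree() to get a list of files worth submitting to ID Ransomware; a partially completed run, as suspected in this thread, shows up as a mix of flagged and untouched files.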

#3 faqinel, Topic Starter (Members, 2 posts)

Posted 01 March 2017 - 04:12 AM

No I couldn't see anything.  I guess I should be looking for the obvious text or html files?  At this point I am thinking that the AV interrupted before it could finish as there are some picture files left unaffected.



#4 quietman7, Bleepin' Janitor (Global Moderator, 51,768 posts, Virginia, USA)

Posted 01 March 2017 - 07:44 AM

These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder (C:\ProgramData, C:\Documents and Settings\All Users\Application Data) for an image the malware typically uses for the background note or a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

#5 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,086 posts, The Arctic Circle)

Posted 02 March 2017 - 04:32 PM

Since the Cerber file is in the recycling bin, I would guess it was that, but it didn't finish. It's not decryptable, unfortunately.

xXToffeeXx~ | Malware Analyst at Emsisoft | ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
