Nhtnwcuf Ransomware Support Topic - !_RECOVERY_HELP_!.txt


16 replies to this topic

#1 someguy27 (Members, 4 posts)

Posted 03 March 2017 - 09:12 AM

We have analysed the malware. Unfortunately, not only is it not decryptable, but it does nothing but completely destroy your files.

DO NOT PAY THE RANSOM. They cannot decrypt your files because no encryption is actually done!

The malware literally just overwrites files with garbage bytes. Nothing can be done to recover the data, not even the criminals can do anything. It is a complete scam.

Restoring from backups is your only hope.

Hello all,

I have a new kind of ransomware decryption infection.

Yesterday (02.03.2017), I don't know how, but it decrypted all files in a few seconds (including database files; I don't know how, but it crashes the database and decrypts the files).

Example file name (there are two extensions, *.mkf and *.ije): master.mdf.mkf, and files will be namefile.ije; for zip files, *.nwy.

Instructions for recovery file name: !_RECOVERY_HELP_!.txt

Is there any chance to identify it?

Description:

 

 

 

INTRODUCTION
=================================================================================================
Data encryption involves converting and transforming data into scrambled, unreadable, cipher-text
using non-readable mathematical calculations and algorithms. Restoring requires a corresponding
decryption algorithm in form of software and the decryption key.

Data encryption is the process of transforming information by using some algorithm to make it
unreadable to anyone except those possessing a key. In addition to the private key you'll need the
decryption software with which you can decrypt your files and return everything to the same level
as it was in the first place. Any attempts to try restore you files with the third-party tools
will be fatal for your encrypted content.

---------------------------------------------
I almost understood but what do I have to do?
---------------------------------------------

The first thing you should do is to read the instructions to the end. Your files have been
encrypted. The instructions, along with encrypted files are not viruses, they are you helpers.
Unfortunately, antivirus companies are not and will not be able to restore your files. Moreover,
they make things worse by removing instructions to restore encrypted content.
Antivirus companies will not be able to help decrypt your encrypted data, unless the correct
software and unique decryption key is used. Fortunately, our team is ready to help to provide
both, "Decryptor" and "Unique decryption key" based on yours unique "Ref#_8114126f16c8".

Keep in mind that the worse has already happened and the further life of your files directly
depends on determination and speed of your actions. Therefore, we advice not to delay and follow
"!_RECOVERY_HELP_!" instructions.

-------------------------------------------------------------------------------------------------
After purchasing a software package with the unique decryption key you'll be able to:
* Decrypt all your files
* Work with your documents
* View your photos and other media content
* Continue habitual and comfortable work at your computer
-------------------------------------------------------------------------------------------------
If you are aware of the whole importance and criticality of the situation, then we suggest to go
directly to the below "!_RECOVERY_HELP_!" instructions where you will be given final
simple steps, as well as guarantees to restore your files.
=================================================================================================

"!_RECOVERY_HELP_!"
-------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Follow 3 Steps in Exact Order <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
=================================================================================================
1. In case if you don't already have, Register/Create a BitCoin Wallet.
2. Send 1.00 BTC ( One Bitcoin ) to the following BitCoin Address:
----------------------------------
1B2RRVwBP1K3yibZcA3p1qd2YN9BkVafm3
----------------------------------
3. Send confirmation to the following E-mail address:
-------------------------
helptodecrypt@list.ru
-------------------------
* Mail Subject - "Ref#_8114126f16c8"
---------------
* Mail Content - "4 lines of text"
---------------
Line 1: "Ref#_8114126f16c8" - Your Reference Number - Must match with "Mail Subject"
Line 2: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - Sender/Sent from - Your BitCoin Address
Line 3: "1B2RRVwBP1K3yibZcA3p1qd2YN9BkVafm3" - Receiver/Sent to - Our BitCoin Address
Line 4: "1.00 BTC" - 1 Bitcoin - Service Charge
=================================================================================================
* After verification process ( Confirmed, as Paid by our 3rd party provider ) is completed,
decription software and unique key will be E-mailed to you without delays.
=================================================================================================


Edited by xXToffeeXx, 07 March 2017 - 04:11 PM.



#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts)

Posted 03 March 2017 - 09:26 AM

We've had quite a few submissions of that ransom note the last week, haven't had time to find more info. Do you know how you got infected? We will need a sample of the malware to analyze.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#3 someguy27 (Topic Starter, Members, 4 posts)

Posted 03 March 2017 - 09:33 AM

Seriously, I don't know how I got this; it happened on a server. This server has RDP open on the standard port. (I know it's not very effective, but there was a strong password for the Administrator account and only two people have access to it.) So does it mean they hacked our server? The server has Windows Server 2008 R2 with all updates installed.

 

Where do I need to search for malware samples for you?



#4 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts)

Posted 03 March 2017 - 11:48 AM

Remote Desktop Protocol (RDP) is a very common brute force attack vector for servers especially by those involved with the development and spread of ransomware.

 

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations where malicious executables and .dlls hide:

  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\

Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
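One way to sweep the folder locations quietman7 lists when hunting for the sample to submit, as an added example (this is not code from the thread or from BleepingComputer): the script expands each folder variable, walks it a couple of levels deep, and reports files that carry the PE "MZ" header and were modified recently, whatever their extension, since a dropped sample is not always named .exe. The folder list mirrors the post; the seven-day look-back window and the two-level depth limit are assumptions chosen for illustration.

```python
"""Added triage example: list recently modified PE files in the common drop
folders. Not code from the thread; the folder list mirrors quietman7's post,
the 7-day window and depth limit are assumptions."""
import os
from datetime import datetime, timedelta
from pathlib import Path

# Folder variables from the post. A variable that is undefined on this host
# (for instance when the script is exercised on a non-Windows machine) stays
# unexpanded and the entry is skipped.
COMMON_DROP_LOCATIONS = [
    "%SystemDrive%\\",
    "%SystemRoot%\\",
    "%UserProfile%\\",
    "%UserProfile%\\AppData\\Roaming\\",
    "%AppData%\\",
    "%LocalAppData%\\",
    "%ProgramData%\\",
    "%Temp%\\",
]


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_recent_pe(roots, since, max_depth=2):
    """Return [(path, mtime)] for PE files under `roots` modified at or after `since`.

    Only the root itself and `max_depth - 1` levels below it are scanned, so a
    sweep of %SystemDrive% stays quick; deeper finds need a targeted follow-up.
    """
    hits = []
    cutoff = since.timestamp()
    for root in roots:
        base = os.path.expandvars(root)
        if "%" in base or not os.path.isdir(base):
            continue  # variable not defined here, or folder missing
        base_path = Path(base)
        for dirpath, dirnames, filenames in os.walk(base):
            depth = len(Path(dirpath).relative_to(base_path).parts)
            if depth >= max_depth - 1:
                dirnames[:] = []  # do not descend any further
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(full).st_mtime
                except OSError:
                    continue  # locked or vanished file
                if mtime >= cutoff and is_pe_file(full):
                    hits.append((full, datetime.fromtimestamp(mtime)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Look back one week (assumed window; set it to the date of the incident).
    since = datetime.now() - timedelta(days=7)
    for path, mtime in find_recent_pe(COMMON_DROP_LOCATIONS, since):
        print(f"{mtime:%Y-%m-%d %H:%M}  {path}")
```

A hit is a lead, not a verdict: legitimate installers and updaters also drop fresh PE files, so compare each result against the incident time and the file's signature and hash before submitting it.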

#5 Krehoa (Members, 1 post)

Posted 07 March 2017 - 10:34 AM

Well... it seems that I had the same problem as the fellow OP.

 

They just got in and scrambled everything.

 

Did anyone have the same thing happen to them?

 

I really want to know how it unfolded.



#6 andrewsroberto (Members, 3 posts)

Posted 07 March 2017 - 03:12 PM

Hello!

I have the same problem!

 

Here is the link to the virus I uploaded:

 

https://uploadfiles.io/96be7

 

 

And here is one original file and one encrypted file.

https://ufile.io/eba83

 

 

 

Look at the link:

https://blockchain.info/pt/address/1B2RRVwBP1K3yibZcA3p1qd2YN9BkVafm3

2 people already paid for rescue.

 

 



#7 someguy27 (Topic Starter, Members, 4 posts)

Posted 07 March 2017 - 03:44 PM

> Hello!
> I have the same problem!
> Here is the link to the virus I uploaded:
> https://uploadfiles.io/96be7
> And here is one original file and one encrypted file.
> https://ufile.io/eba83
> Look at the link:
> https://blockchain.info/pt/address/1B2RRVwBP1K3yibZcA3p1qd2YN9BkVafm3
> 2 people already paid for rescue.

 

 

 

Great job, andrewsroberto!

 

We didn't manage to find the virus... Maybe the guys from BleepingComputer will find a solution for a decryptor! We really hope so!



#8 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts)

Posted 07 March 2017 - 03:51 PM

> Hello!
> I have the same problem!
> Here is the link to the virus I uploaded:
> https://uploadfiles.io/96be7
> And here is one original file and one encrypted file.
> https://ufile.io/eba83
> Look at the link:
> https://blockchain.info/pt/address/1B2RRVwBP1K3yibZcA3p1qd2YN9BkVafm3
> 2 people already paid for rescue.

 

 

 

Thanks, currently analyzing it. Seems to be the encrypter, but might be missing other components.




#9 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts)

Posted 07 March 2017 - 04:03 PM

OK, we have analyzed the malware. Unfortunately, not only is it not decryptable, but it does nothing but completely destroy your files.

 

DO NOT PAY THE RANSOM. They cannot decrypt your files, because no encryption is actually done!

 

The malware literally just overwrites files with garbage bytes. Nothing can be done to recover the data, not even the criminals can do anything. It is a complete scam.

 

Restoring from backups is your only hope. :(


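A way to sanity-check that kind of verdict on an original/damaged file pair like the one andrewsroberto uploaded, as an added example (not code from the thread or from BleepingComputer, and not the analysis Demonslay335 performed on the sample): the script compares the two files, reports sizes and byte entropy, and tests whether the damaged bytes are merely the original XORed with a short repeating key, the one trivially reversible "encryption" some low-effort ransomware uses. XORing the two files cancels the plaintext and leaves the key stream, so a repeating key shows up as an exact short period. A random overwrite and a proper cipher both fail that test, so a negative result does not tell the two apart; it only establishes that no trivial recovery exists and backups are the realistic option. The two sample pairs are constructed inline.

```python
"""Added example: triage an original/damaged file pair to see whether the
damage is trivially reversible. Not code from the thread; the sample data is
constructed here."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_key_period(original, damaged, max_period=64):
    """If damaged == original XOR a repeating key, return the key period, else None.

    The XOR of the two files is the key stream; we look for the smallest
    period that the whole stream repeats with. Garbage or cipher output has none.
    """
    n = min(len(original), len(damaged))
    stream = bytes(a ^ b for a, b in zip(original[:n], damaged[:n]))
    for p in range(1, max_period + 1):
        if n < 2 * p:
            break  # too little data to confirm a period this long
        if all(stream[i] == stream[i - p] for i in range(p, n)):
            return p
    return None


def triage_pair(original, damaged):
    """Summarise what can be said about `damaged` relative to `original`."""
    period = xor_key_period(original, damaged)
    return {
        "size_original": len(original),
        "size_damaged": len(damaged),
        "entropy_original": round(shannon_entropy(original), 2),
        "entropy_damaged": round(shannon_entropy(damaged), 2),
        "xor_key_period": period,
        "trivially_reversible": period is not None,
    }


# Constructed sample "document": repetitive, low-entropy, like real office data.
ORIGINAL = b"INVOICE 2017-03-02; customer=ACME; amount=1250.00; status=open\r\n" * 64

# Constructed damage 1: overwritten with pseudo-random garbage (seeded so runs repeat).
_rng = random.Random(2017)
DAMAGED_GARBAGE = bytes(_rng.getrandbits(8) for _ in range(len(ORIGINAL)))

# Constructed damage 2: XORed with a 7-byte repeating key, a reversible transform.
_KEY = b"secret!"
DAMAGED_XOR = bytes(b ^ _KEY[i % len(_KEY)] for i, b in enumerate(ORIGINAL))


if __name__ == "__main__":
    for label, damaged in (("garbage overwrite", DAMAGED_GARBAGE),
                           ("repeating XOR", DAMAGED_XOR)):
        print(label, triage_pair(ORIGINAL, damaged))
```

Run it on a real pair by reading both files as bytes and passing them to `triage_pair`. Note that a high entropy reading on the damaged copy is expected in both cases and says nothing on its own; the useful signal is the presence or absence of a period, and even a "not reversible" result should be followed by checking ID Ransomware for a known decryptor before treating the data as lost.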


#10 andrewsroberto (Members, 3 posts)

Posted 07 March 2017 - 04:09 PM

Thanks for the help!



#11 someguy27 (Topic Starter, Members, 4 posts)

Posted 07 March 2017 - 04:10 PM

Thank you for your time and explanation... Need to be better secured next time!



#12 Amigo-A (Members, 228 posts)

Posted 08 March 2017 - 02:50 AM

Nhtnwcuf Ransomware?

Where did this name come from?




#13 andrewsroberto (Members, 3 posts)

Posted 08 March 2017 - 08:07 AM

> Nhtnwcuf Ransomware?
> Where did this name come from?

 

It's the name of the .exe virus I found running on my server.

ESET calls this virus MSIL.FILECODER.EY.

 

http://www.virusradar.com/en/MSIL_Filecoder.EY/description



#14 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts)

Posted 08 March 2017 - 08:24 AM

Each security vendor uses their own naming conventions to identify various types of malware. Win32/Filecoder is a crypto malware infection detected by ESET... there are many different variants for which they add a modifier or additional information after the name (i.e. CR, E, Q, DG, ED, EY, NDS, NFY, etc.) that further describes what type of ransomware it is.

#15 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts)

Posted 08 March 2017 - 08:34 AM

I named this one off of the namespace used in the malware code. There's literally nothing else unique to name it by, so a crappy name for a crappy ransomware.
