Lock2017 Ransomware Support Topic (README.TXT)


2 replies to this topic

#1 85kcarlson

85kcarlson

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 03 March 2017 - 11:53 PM

Hello,
 
My father just lost over 20 years of data due to ransomware. The attacker came in through my compromised LogMeIn account. ID Ransomware said to post to these forums. Any help would be appreciated. Here is the ransom note, and links:
 
Reference SHA1: 5cd5f2fbf920becaaabfcd0e875ddb762f973b2e
 
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server.

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours.

For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.

Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private SoftWare with a low price!
 
Please contact me by e-mail: 
lock2017@unseen.is or lock2017@protonmail.com 
 
UserID: id-3487664631
 
Links:
Ransom Letter - https://drive.google.com/open?id=0BwRFAWnB8cwtZVpqNHRPYVA5SGc
Sample File - https://drive.google.com/open?id=0BwRFAWnB8cwtSG1seThzN3QwVlU
 
Please let me know if there is anything else that's useful.
 
Thanks.


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,248 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:12 AM

Posted 04 March 2017 - 10:23 AM

We've seen a few submissions of that ransom note come through our alerts. Interesting to know it came from a compromised LogMeIn account. Can you find in the logs what file was transferred, and possibly try to recover it? We will need the malware in order to analyze.

 

I have made a rule and called this "Lock2017" for now, and ID Ransomware will now direct victims to this topic.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 85kcarlson

85kcarlson
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 07 March 2017 - 10:49 PM

There were several instances. Here is the timeline of logins, and here are links to the events over the last month. I've looked through quite a bit and have found the login events where they logged in, deleted previous restores, and ran defrag :( I wasn't able to find the application though.

 

Session Start        Session End          Duration    User  IP Address
03/02/2017 01:32:20  03/02/2017 01:34:08  0h:1m:48s         62.212.72.204
03/02/2017 01:15:29  03/02/2017 01:24:09  0h:8m:40s         62.212.72.204
03/02/2017 01:08:26  03/02/2017 01:15:35  0h:7m:9s          62.212.72.204
03/02/2017 01:05:01  03/02/2017 01:08:32  0h:3m:31s         62.212.72.204
02/21/2017 03:04:15  02/21/2017 03:20:35  0h:16m:20s        78.110.166.54
02/12/2017 06:30:19  02/12/2017 07:18:54  0h:48m:35s        78.110.166.55
02/12/2017 05:27:06  02/12/2017 05:34:35  0h:7m:29s         78.110.166.55
02/08/2017 04:49:33  02/08/2017 04:52:30  0h:2m:57s         185.103.110.195
02/04/2017 02:52:43  02/04/2017 02:53:21  0h:0m:38s         216.169.110.206

 

 

https://drive.google.com/open?id=0BwRFAWnB8cwtdmhuMU1ScXpMSW8

https://drive.google.com/open?id=0BwRFAWnB8cwtdEF5THhicUxqejg

https://drive.google.com/open?id=0BwRFAWnB8cwtN0hrX3JvVHM3Z0k

https://drive.google.com/open?id=0BwRFAWnB8cwtX1NQdkNLXzlCb1U
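One way to triage a remote-access session export like the one posted above, as an added example that is not part of this thread: parse the timeline into records, count sessions per source address, and isolate the trailing burst of back-to-back logins that precedes the encryption, which is the window to search for file transfers and deleted restore points. The input is the timeline from this thread, reproduced as it appeared flattened on the page; nothing else is assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Session export as posted in this thread (header row dropped; newest first).
RAW_TIMELINE = (
    "03/02/2017 01:32:20 03/02/2017 01:34:08 0h:1m:48s 62.212.72.204 "
    "03/02/2017 01:15:29 03/02/2017 01:24:09 0h:8m:40s 62.212.72.204 "
    "03/02/2017 01:08:26 03/02/2017 01:15:35 0h:7m:9s 62.212.72.204 "
    "03/02/2017 01:05:01 03/02/2017 01:08:32 0h:3m:31s 62.212.72.204 "
    "02/21/2017 03:04:15 02/21/2017 03:20:35 0h:16m:20s 78.110.166.54 "
    "02/12/2017 06:30:19 02/12/2017 07:18:54 0h:48m:35s 78.110.166.55 "
    "02/12/2017 05:27:06 02/12/2017 05:34:35 0h:7m:29s 78.110.166.55 "
    "02/08/2017 04:49:33 02/08/2017 04:52:30 0h:2m:57s 185.103.110.195 "
    "02/04/2017 02:52:43 02/04/2017 02:53:21 0h:0m:38s 216.169.110.206"
)

# start, end, duration (XhYmZs) and a dotted-quad source address
SESSION_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(\d+)h:(\d+)m:(\d+)s (\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_sessions(raw):
    """Return session dicts sorted oldest first (the export lists newest first)."""
    sessions = []
    for m in SESSION_RE.finditer(raw):
        start = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        end = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
        dur = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)), seconds=int(m.group(5)))
        sessions.append({"start": start, "end": end, "duration": dur, "ip": m.group(6)})
    return sorted(sessions, key=lambda s: s["start"])

def sessions_per_ip(sessions):
    """How many times each source address connected; a good pivot for the log search."""
    return Counter(s["ip"] for s in sessions)

def final_burst(sessions, gap=timedelta(hours=1)):
    """Trailing run of sessions separated by less than `gap`: the likely hands-on window."""
    burst = [sessions[-1]]
    for s in reversed(sessions[:-1]):
        if burst[0]["start"] - s["end"] < gap:
            burst.insert(0, s)   # close enough to be the same operator session
        else:
            break
    return burst

if __name__ == "__main__":
    found = parse_sessions(RAW_TIMELINE)
    print(sessions_per_ip(found))
    for s in final_burst(found):
        print(s["start"], s["end"], s["ip"])
```

The burst boundaries are the timestamps to pull from the host's file-system and event logs when looking for the dropped executable and the deleted restore points.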





