
Ransomware: All the files(.doc, .pdf, .jpg) are encrypted


6 replies to this topic

#1 yinmingwei

yinmingwei

  • Members
  • 5 posts

Posted 07 March 2017 - 09:26 PM

A friend's computer got infected, and ID Ransomware was unable to identify the encryption.
Please reference this case SHA1: fe924e6aa6a7eba43b4c64cd99921c7a5f94fe63
All the files (.doc, .pdf, .jpg) have been encrypted. The exe file Amazon Assistant is running. I have not received a ransom note so far.
 
Cry for your help. Thanks a lot.

Edited by quietman7, 08 March 2017 - 07:27 AM.



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts

Posted 08 March 2017 - 07:31 AM

Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, what is the extension and is it the same for each encrypted file or is it different?

Did you find any ransom notes and if so, what is the actual name of the note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder (C:\ProgramData, C:\Documents and Settings\All Users\Application Data) for an image the malware typically uses for the background note or a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
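
One way to answer the two questions in the post above (extensions appended to data files, and a note dropped in every affected folder) across a whole folder tree, as an added example that is not part of the original thread. The function name `triage`, the `min_dirs` threshold and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

NOTE_EXTS = {".html", ".txt", ".png", ".bmp", ".url"}  # note types listed in the post
DATA_EXTS = {".doc", ".pdf", ".jpg"}                   # file types named in this topic


def triage(root, min_dirs=3):
    """Return (note_candidates, appended_extensions) for the tree under root.

    note_candidates: {lowercased filename: directory count} for note-type files
        whose exact name recurs in at least min_dirs directories.
    appended_extensions: Counter of whatever follows a known data extension,
        e.g. ".abc12" for report.doc.abc12.
    """
    dirs_by_name = defaultdict(set)
    appended = Counter()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            suffixes = [s.lower() for s in Path(name).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] in NOTE_EXTS:
                dirs_by_name[name.lower()].add(dirpath)
            if suffixes[-1] in DATA_EXTS:
                continue  # still ends in a normal data extension
            for i, suffix in enumerate(suffixes[:-1]):
                if suffix in DATA_EXTS:
                    appended["".join(suffixes[i + 1:])] += 1
                    break
    notes = {n: len(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}
    return notes, appended


def demo():
    """Run triage over a small constructed tree (all names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("Documents", "Pictures", "Desktop"):
            os.makedirs(os.path.join(root, folder))
            for name in ("HOW_TO_DECRYPT.txt", "report.doc.abc12", "scan.pdf"):
                Path(root, folder, name).touch()
        Path(root, "Desktop", "todo.txt").touch()
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Two empty results are themselves an answer to report back: no appended extension and no repeated note. Legitimate files that share a name across folders (a `readme.txt`, for instance) will show up as note candidates and need a manual look.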


#3 yinmingwei

yinmingwei
  • Topic Starter

  • Members
  • 5 posts

Posted 12 March 2017 - 11:04 AM

Thanks a lot for your help. As you told me, I have been looking for the ransom notes again and again. However, I cannot find any. None of my files can be opened. Could you give me your email address? How can I upload my files? To solve this trouble, I'd like to pay for it.

Cry for your reply. I believe that you can help me.

 

Best regards,

Mingwei Yin

Email:ymw2722578@163.com


Edited by yinmingwei, 12 March 2017 - 11:05 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts

Posted 12 March 2017 - 04:02 PM


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#5 yinmingwei

yinmingwei
  • Topic Starter

  • Members
  • 5 posts

Posted 14 March 2017 - 02:54 AM

I appreciate that you can help me and keep in touch with me. I have submitted some files on the website that you provided. Their extensions are normal, but they are all encrypted. I still haven't found any other useful messages. I hope these files will be helpful with your analysis and investigation. Thanks again. If you have any questions, please send me an email anytime. My email address is ymw2722578@163.com. I am looking forward to your reply.



#6 yinmingwei

yinmingwei
  • Topic Starter

  • Members
  • 5 posts

Posted 15 March 2017 - 03:02 AM

I received a strange email today. I think it probably comes from the hacker. The screenshots are shown as follows.

Meanwhile, I have submitted the ransom email on the website that you provided.



#7 yinmingwei

yinmingwei
  • Topic Starter

  • Members
  • 5 posts

Posted 15 March 2017 - 03:26 AM

A friend's computer got infected, and ID Ransomware was unable to identify the encryption.
Please reference this case SHA1: fe924e6aa6a7eba43b4c64cd99921c7a5f94fe63
All the files (.doc, .pdf, .jpg) have been encrypted. I have submitted some files on the website that you provided. Their extensions are normal, but they are all encrypted. I still haven't found any other useful messages. I hope these files will be helpful with your analysis and investigation. Thanks again. If you have any questions, please send me an email anytime. My email address is ymw2722578@163.com. I am looking forward to your reply. I received a strange email three times today. I think it probably comes from the hacker. However, I cannot upload the screenshot images of the ransom email. Could you give me your email address? The links to the screenshots are shown as follows. Meanwhile, I have submitted the ransom email on the website that you provided.

 

https://i.screenshot.net/5r1dpfg

https://i.screenshot.net/5glrns6

https://www.bleepingcomputer.com/forums/t/641578/ransomware-all-the-filesdoc-pdf-jpg-are-encrypted/





