Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unidentified Crypto virus "voxcox/vox900" with ramsom note "readme.crypt.txt"

  • Please log in to reply
3 replies to this topic

#1 NatHolder


  • Members
  • 3 posts
  • Local time:08:05 PM

Posted 10 March 2017 - 06:33 PM

Our server was hit with a crypto virus that doesn't match the signature of any other ransomware that I can tell. I searched https://id-ransomware.malwarehunterteam.com/, AVG, EMSISOFT, and https://www.nomoreransom.org.  We're trying to identify the virus to determine if any of our data was transferred offsite.  We do not need to decrypt any of the files.  Thanks for any help!


Ransome note filename: "readme.crypt.txt"


Ransome note contents:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

CONTACT US BY EMAIL: voxcoxservice@mail.com

Ransome note file was left in every folder that contains files that were encrypted.


Files in all folders on network shares that were accessible to user were encrypted.


Some files were not encrypted:.ini, windows shortcuts


All encrypted files were renamed, except for PDF files, by appending "!___voxcoxservice@mail.com___.vox900" to the filename, eg:

original filename: SSRSExportReport.exe.config

renamed encrypted filename: SSRSExportReport.exe.config!___voxcoxservice@mail.com___.vox900


Has anyone seen ransomware that matches this signature, or can you recommend any tool or website that can help determine what kind of virus this is?


Thanks in advance!



Edited by NatHolder, 10 March 2017 - 07:22 PM.

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:09:05 PM

Posted 10 March 2017 - 06:45 PM

We did see those files come through ID Ransomware (got alerted due to the email address in the filename). I am suspecting it may be a variant of RotorCrypt based on the filename pattern. Can't be certain without seeing a sample of the malware though.


You can see if there are similarities with your case from other information in this topic: http://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-help-topic-tar-c400-extensions/

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 NatHolder

  • Topic Starter

  • Members
  • 3 posts
  • Local time:08:05 PM

Posted 10 March 2017 - 07:18 PM

Thanks!  I don't think we have the malware - nothing showed up when we did a virus scan (using Symantec Endpoint Protection) on the user profile that was infected, so it may have been deleted by the unauthorized user that downloaded the malware.

Windows Defender did identify two infectsions:

startup:C:\Users\testuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OTYBGTQZ.lnk
file:C:\Users\testuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OTYBGTQZ.lnk


I'm wondering if there is an analysis of RotorCrypt that identifies whether it transfers any data back home, or if it just encrypts in place?


The other detail about our ransomware is that it found all files on network shares, if that helps to ID it.

Edited by NatHolder, 10 March 2017 - 07:21 PM.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,937 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 10 March 2017 - 09:21 PM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users