
MOTD Ransomware Help & Support Topics (MOTD.txt and .ENC Extension)


27 replies to this topic

#1 JaM_was_home

JaM_was_home

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 18 March 2017 - 06:46 PM

Hopefully you won't ever see this:
 
****************************************!WARNING!**************************************
*************************************YOU ARE INFECTED**********************************
***********************WITH THE MOST CRYPTOGRAPHIC ADVANCED RANSOMWARE*****************
=======================================================================================
All your data of all your users, all your databases and all your Websites are encrypted
=======================================================================================
Send your UID to e-mail: sook2serit@seznam.cz
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
***************************************************************************************
***************************************************************************************
YOUR UUID IS : 28...
 
****************************************!WARNING!**************************************
 

But if you have, were you able to recover? They're asking 2bitcoin ransom.





#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 PM

Posted 18 March 2017 - 06:50 PM

I just literally tweeted a hunt for this based on your ransom note uploaded to ID Ransomware. We don't have any information on this ransomware yet, other than you are the second person to upload that note.

 

Encrypted files have the extension ".enc" correct? Sorry about the false-positives on those, other ransomware have used that extension before.

 

Unfortunately, we will need a sample of the malware in order to analyze whether or not it has a weakness. Do you know where it came from? A downloaded file, email attachment, or RDP/network hacked? If you have the malware or suspicious files related to it, you may submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

I have added a rule to ID Ransomware to point victims to this topic.


Edited by Demonslay335, 18 March 2017 - 06:58 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 18 March 2017 - 08:19 PM

Yes, .enc extension.

 

I strongly suspect it was the result of a WordPress compromise of some sort. ~180,000 encrypted files and a couple of private RSA keys.

 

cat server-key.enc

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B23BC22B9F68A8C3
...
 
They stored this in 
/root/.cpan/build/IO-Socket-SSL-2.039-rjQlwj/certs
 
The attack appears to have come from:
  pts/0        50.56.221.73     Fri Mar 17 18:19 - 18:27  (00:08)
 
which resolves to:
geoiplookup 50.56.221.73 
GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, TX, Texas, San Antonio, 78218, 29.488899, -98.398697, 641, 210
GeoIP ASNum Edition: AS33070 Rackspace Ltd.
 
 
Clues to finding malware remnants would be welcome.
 
 


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 PM

Posted 18 March 2017 - 11:23 PM

Was it just website files that were encrypted then? That's interesting. If it's WordPress, I highly recommend the plugin WordFence for all-around security. It's really good at finding malware on an installation as well. The free version is perfectly good.

 

If it's a Windows PC that was infected manually (and it just so happened the website files were encrypted on the volume), then I would search common places such as %TEMP%, %APPDATA%, Downloads, etc. Also run scans with your antivirus, Malwarebytes, and HitmanPro for starters. Judging by the cat command, I'm guessing this was a Linux box though. I'm not too well versed in searching for actual malware on a Linux operating system, so I'm guessing it was just a compromise through WordPress as you suggested. If they were able to actually execute root commands through your website, that is terribly poor security set in place... otherwise it could have been just a PHP script. There has been PHP-based ransomware before.

 

Do you have some encrypted files that you have backups of? Did it encrypt any core WordPress files? I'd like to see a few original/encrypted pairs to see more information on what encryption it might be using. You may zip them up and submit to the link I provided.




#5 Amigo-A

Amigo-A

  • Members
  • 185 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:43 PM

Posted 19 March 2017 - 07:18 AM

JaM_was_home
What is the name of the ransom note?

Need info? Find her here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#6 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 19 March 2017 - 07:33 AM

Was it just website files that were encrypted then? That's interesting. If it's WordPress, I highly recommend the plugin WordFence for all-around security. It's really good at finding malware on an installation as well. The free version is perfectly good.

 

...

 

Do you have some encrypted files that you have backups of? Did it encrypt any core WordPress files? I'd like to see a few original/encrypted pairs to see more information on what encryption it might be using. You may zip them up and submit to the link I provided.

The encrypted files are:

/home/*

/root/*

/var/lib/mysql/*

/srv/http/rando/* (/srv/http has many other subdirs that were not touched)

and /etc/motd was modified with the ransom message.

 

I can provide some encrypted cleartext files. I'll upload a selection after I test out my new backup mechanism.



#7 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 19 March 2017 - 07:36 AM

Was it just website files that were encrypted then? That's interesting. If it's WordPress, I highly recommend the plugin WordFence for all-around security. It's really good at finding malware on an installation as well. The free version is perfectly good.

 

...

 

Do you have some encrypted files that you have backups of? Did it encrypt any core WordPress files? I'd like to see a few original/encrypted pairs to see more information on what encryption it might be using. You may zip them up and submit to the link I provided.

The encrypted files are:

/home/*

/root/*

/var/lib/mysql/*

/srv/http/rando/* (/srv/http has many other subdirs that were not touched)

and /etc/motd was modified with the ransom message.

 

I do have WordFence installed. It had recently alerted to JetPack file modifications, but a manual review showed WF was comparing JetPack 4.7.0 to 4.7.1, at least as far as I got in reviewing.

I can provide some encrypted cleartext files. I'll upload a selection after I test out my new backup mechanism.


Edited by JaM_was_home, 19 March 2017 - 07:38 AM.


#8 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 19 March 2017 - 08:28 AM

 

JaM_was_home
What is the name of the ransom note?

 

/etc/motd



#9 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 19 March 2017 - 08:50 AM

A zip of encrypted and plain text files uploaded. 

Plenty of other examples are available, if there is a preference for file size or type of file (email, html, ...)



#10 Amigo-A

Amigo-A

  • Members
  • 185 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:43 PM

Posted 19 March 2017 - 12:55 PM

 

 

JaM_was_home
What is the name of the ransom note?

 

/etc/motd

 

Is this motd.txt, or 'motd' without an extension?




#11 JaM_was_home

JaM_was_home
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 19 March 2017 - 04:41 PM

Is this motd.txt, or 'motd' without an extension?

 

 

 

/etc/motd is a standard Unix text file that contains the Message Of The Day displayed to users at system login.

For more information: https://en.wikipedia.org/wiki/Motd_(Unix) or "man motd" on a Unix or Linux system.



#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 PM

Posted 19 March 2017 - 05:34 PM

From the files you sent, I can see the first 8 bytes are reserved to store the file's original filesize, then the rest is the encrypted contents. Since the ciphertext is padded to be mod 16, it is likely a block cipher such as AES.

 

We'll only be able to do anything further by getting a sample of the malware to analyze.


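A triage check for the file layout Demonslay335 describes above (8-byte size field, then ciphertext padded to a 16-byte boundary), added here as an example and not code from the thread or from any tool named in it. The header's byte order, the padding rule and the entropy threshold are assumptions, and the sample .enc blob is constructed from SHA-256 output standing in for real ciphertext.

```python
import hashlib
import math
import struct
from collections import Counter

HEADER_LEN = 8   # bytes reserved for the original file size (per the thread)
BLOCK = 16       # ciphertext length is a multiple of 16 (AES block size)

def parse_enc(blob: bytes) -> dict:
    """Split an .enc blob into size header and ciphertext body. The header's
    byte order is not stated in the thread, so both readings are kept."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 8-byte header")
    hdr, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    return {"size_le": struct.unpack("<Q", hdr)[0],
            "size_be": struct.unpack(">Q", hdr)[0],
            "body_len": len(body)}

def consistent_size_fields(info: dict) -> list:
    """Header readings for which padding to a 16-byte boundary (zero-pad,
    or PKCS#7 style which always adds 1..16 bytes) yields the body length."""
    out = []
    for key in ("size_le", "size_be"):
        n = info[key]
        if info["body_len"] in (-(-n // BLOCK) * BLOCK, (n // BLOCK + 1) * BLOCK):
            out.append(key)
    return out

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform-looking cipher output approaches 8.0."""
    if not data: return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage(blob: bytes) -> dict:
    """Report whether a blob matches the layout described in the thread."""
    info = parse_enc(blob)
    info["block_aligned"] = info["body_len"] % BLOCK == 0
    info["size_field"] = consistent_size_fields(info)
    info["entropy"] = round(shannon_entropy(blob[HEADER_LEN:]), 2)
    # High entropy is an added heuristic (assumption): plaintext rarely exceeds 7.0.
    info["matches_layout"] = (info["block_aligned"] and bool(info["size_field"])
                              and info["entropy"] > 7.0)
    return info

# Constructed sample: a 1010-byte "original" whose padded body is 1024
# pseudo-random bytes (deterministic SHA-256 output standing in for AES).
SAMPLE_ENC = struct.pack("<Q", 1010) + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(32))
# Constructed negative: same header, but a repetitive, misaligned body.
NOT_ENC = struct.pack("<Q", 1010) + b"A" * 1000
```

Run `triage()` over a few original/encrypted pairs from a backup: a size field that never agrees with the body length, or bodies that are not block-aligned, means the layout guess above is wrong and should be revisited before any decryption attempt.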


#13 siverpro

siverpro

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 10 April 2017 - 07:28 AM

Hello,

I believe the files might have been encrypted using this:

https://github.com/jdsecurity/CryptoTrooper

 

Now, is there a chance of decrypting somehow?



#14 cobolus

cobolus

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 12 April 2017 - 09:45 AM

Any news on this topic? I think I have the same issue with encrypted .enc files and the same way of breaking in (probably WordPress).



#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,104 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:43 PM

Posted 12 April 2017 - 02:56 PM

Please be patient until one of our crypto malware experts has a chance to review the information provided. BleepingComputer is inundated with support requests and assistance may take some time. Staff members & Security Colleagues are all volunteers who assist members as time permits.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



