
Mafia Malware - Indonesian Virus


7 replies to this topic

#1 Cepot


  • Members
  • 4 posts

Posted 28 March 2017 - 10:40 AM

Hi,

My laptop is infected by a ransomware. It encrypted most of my files and moved them into a folder called "Mafia infected files". The ransom note is signed by Mafia Malware Indonesia. All of the encrypted files are renamed randomly and have a new extension, which is .locked-by-mafia.

I used Malwarebytes to remove the ransomware, and I think it went successfully, because when I scanned later on no ransomware was detected anymore. However, the encrypted files are still not changing and still cannot be opened. I have tried file recovery software, data recovery, Shadow Explorer, etc., but no file is decrypted yet.

I have been trying to Google the solution, but cannot find anything that might help my issue. Can anybody urgently help? I have also tried id-ransomware.malwarehunter.com, and they still cannot analyse the file.

I would like to upload some screenshots here to show you, but don't know how; I am a newbie on this kind of forum. So if anybody can help, it would be greatly appreciated.

Thanks!

#2 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,527 posts

Posted 28 March 2017 - 11:00 AM

We may need the malware to confirm which variant of this ransomware it is. Can you restore it from MBAM quarantine, or happen to know how you got it?

You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#3 Cepot

  • Topic Starter

  • Members
  • 4 posts

Posted 28 March 2017 - 11:22 AM

I am not sure how I got it, but my best hunch is that it came from an email attachment. Yesterday I received an email from my bank, but when I checked with my bank, they didn't send it. I had already clicked on the attachment, so I guess that's how I got it.

I submitted the screenshot of the ransom note to the link that you provided.

Thanks,



#4 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,527 posts

Posted 28 March 2017 - 12:57 PM

Thanks. I have a sample of that variant that I will be analyzing soon. I think it might be decryptable on first glance. Could you zip up several of the encrypted files and submit them as well?

The malware authors won't have a way of decrypting your files based on how they encrypt files, so do not pay them. Also, filenames cannot be restored I'm afraid, as they randomly generate a new one and don't save the old one...

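A small triage helper for the request above, added here as an example and not code from the thread or from any BleepingComputer tool: it inventories the files carrying the .locked-by-mafia extension, records a SHA-256 for each (so the same sample is not submitted twice and an analyst can confirm what was received), and packs a few of the larger ones into a zip for submission. The folder name and extension come from the thread; the constructed file names, sizes, sample limit and minimum size are assumptions.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

ENCRYPTED_EXT = ".locked-by-mafia"        # extension reported in the thread
QUARANTINE_DIR = "Mafia infected files"   # folder name reported in the thread


def inventory(root):
    """Return [(path, size, sha256)] for every file under root carrying the encrypted extension."""
    found = []
    for path in sorted(Path(root).rglob("*" + ENCRYPTED_EXT)):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            found.append((str(path), path.stat().st_size, digest))
    return found


def pack_samples(root, out_zip, limit=5, min_size=1024):
    """Zip up to `limit` encrypted files of at least `min_size` bytes; return the names packed."""
    # Tiny files are skipped: an analyst needs enough ciphertext to compare against a known
    # plaintext. Only base names are stored so the zip does not reveal the folder layout.
    chosen = [(p, s, h) for p, s, h in inventory(root) if s >= min_size][:limit]
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, _, _ in chosen:
            zf.write(path, arcname=Path(path).name)
    return [Path(p).name for p, _, _ in chosen]


def make_constructed_tree(base):
    """Build a CONSTRUCTED directory mirroring the thread's description, for offline testing."""
    qdir = Path(base) / QUARANTINE_DIR
    qdir.mkdir(parents=True, exist_ok=True)
    # Random-looking names stand in for the renamed files; sizes are arbitrary (assumptions).
    (qdir / ("a8f3k2qp" + ENCRYPTED_EXT)).write_bytes(bytes(range(256)) * 16)   # 4096 bytes
    (qdir / ("m4tiny00" + ENCRYPTED_EXT)).write_bytes(b"x" * 100)               # too small to pack
    (qdir / ("zz01mn7r" + ENCRYPTED_EXT)).write_bytes(bytes(range(256)) * 8)    # 2048 bytes
    (Path(base) / "notes.txt").write_text("unrelated file, must be ignored")


def demo():
    """Run the whole flow on the constructed tree and return what a practitioner would check."""
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        out_zip = Path(tmp) / "samples.zip"
        inv = inventory(tmp)
        packed = pack_samples(tmp, out_zip)
        with zipfile.ZipFile(out_zip) as zf:
            in_zip = zf.namelist()
    return {"inventory": inv, "packed": packed, "in_zip": in_zip}
```

Point `inventory` and `pack_samples` at the real "Mafia infected files" folder to produce the zip an analyst asks for; the hash list is worth keeping alongside it as a record of exactly which samples were sent.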


#5 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,593 posts

Posted 28 March 2017 - 04:34 PM

I am not sure how I got it, but my best hunch is that it came from an email attachment. Yesterday I received an email from my bank...

Phony emails with attachments containing a malicious payload are not uncommon. Section 2 in this topic explains the most common methods by which crypto malware (file-encrypting ransomware) and other forms of ransomware are typically delivered and spread.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Cepot

  • Topic Starter

  • Members
  • 4 posts

Posted 29 March 2017 - 02:34 AM

Thanks. I have a sample of that variant that I will be analyzing soon. I think it might be decryptable on first glance. Could you zip up several of the encrypted files and submit them as well?...

Ok, can I get your email to send the zip of several of the encrypted files?



#7 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,527 posts

Posted 29 March 2017 - 08:27 AM

It would be best if you submit them to the link I posted.



#8 Cepot

  • Topic Starter

  • Members
  • 4 posts

Posted 29 March 2017 - 08:45 AM

It would be best if you submit them to the link I posted.

Sent!
