Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pr0tector (.pr0tect) Ransomware Support Topic - READ ME ABOUT DECRYPTION.txt


  • Please log in to reply
3 replies to this topic

#1 SieteCuatro

SieteCuatro

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 29 March 2017 - 01:26 PM

Hi, we got hit by this yesterday, seems it is new.

 

here's the ransom note:

 

Your files were encrypted.

Your personal ID is: PE1GAGURTO#601E16515EE0607529DA319A636F5470
To buy private key for unlocking files please contact us:
pr0tector@india.com
pr0tector@tutanota.com
Please include the ID above.
 
 
Still don't know how it hit us, but we had a few infections worldwide.
Posted this on Spiceworks community.

 

also submitted this to ID Ransomware, no success there.

 

Unknown Ransomware
 Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 7edd641cf4268cbf6e8dae7e8d773901e495c786

 



BC AdBot (Login to Remove)

 


m

#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:12:12 AM

Posted 29 March 2017 - 01:38 PM

Yes, this is definitely new; we saw the submissions on IDR. Do you know how you were infected? Email, open RDP?

 

Do you happen to have the malware file?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 SieteCuatro

SieteCuatro
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 29 March 2017 - 02:01 PM

Hi xXToffeeXx~, thanks for your reply.

 I have no clue how we got infected, i am part of a freight forwarder and we had hell yesterday, exchange wen't down in the morning for all day then we had these 3 computers 1 in chile other 2 in peru infected and was told that we had some servers and computers in the US infected. I think it is very much related.

We get suspect emails everyday and never had a malware breakout so i don't think we got it by email, also just checked email of users that had computer compromised and didn't see anything weird.

 

we also got this message on some outlook clients yesterday:

 

"Microsoft Exchange administrator has made a change that requires you quit and restart Outlook"

 

but that could just be because exchange got fked up.



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:12 PM

Posted 29 March 2017 - 04:39 PM

I made a new rule off of your upload to point victims to this topic.

 

I would assume you were compromised if you have RDP open on any servers. Weak passwords are a common way of getting in.

 

Afraid we won't be able to do anything without a sample of the malware to analyze whether it has any weaknesses. If you do find the malware, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Can you locate a few pairs of files that are encrypted, that you have the originals for? We might be able to figure out some info on what encryption scheme it uses atleast by comparing them. You may zip them up and submit to the above link. 


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users