DoNotChange Ransomware (.id-7ES642406.cry, .Do_not_change_the_file_name.cryp)


15 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:56 AM

Posted 30 March 2017 - 11:48 AM

Yet another ransomware out there. The DoNotChange ransomware uses AES-128 to encrypt victim's files. Currently, victim's files may have ".id-7ES642406.cry" or ".Do_not_change_the_filename" appended to their filenames.

 

The following ransom notes are left behind.

 

HOW TO DECODE FILES!!!.txt

*******************************************************************************
ATTENTION!!! Changing the file name makes the restore process impossible!
*******************************************************************************

Your data is encrypted.
To receive a program of decoding, You need to pay ~ $ 350 and
You need to send the personal code:

[redacted]

To the email address robert.swat@qip.ru
Then you will receive all the necessary instructions.
Attempts to decipher independently will not lead to anything, except irretrievable 
loss of information.

We respond to all emails, if there is no answer within 10 hours, duplicate your
letter  other email services.

Thank you for your attention and have a good day.


*******************************************************************************
ATTENTION!!! Changing the file name makes the restore process impossible!
*******************************************************************************

КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt

*******************************************************************************
ВНИМАНИЕ!!! Изменение имени файлов делает процесс восстановления невозможным!
*******************************************************************************

Ваши данные закодированны.
Для получения программы по раскодировки от вас требуется оплата ~350$ для этого
Вам необходимо отправить код:

[redacted]

На электронный адрес tom.anderson@india.com,DE_CODER@mail2tor.com,scryptx@meta.ua
Далее вы получите все необходимые инструкции.  
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной 
потери информации.
Если сами не будете затягивать - то через 1-2 часа сможете продолжать работу как 
ни  в чем ни бывало + избавитесь от лазеек в системе и никто вас более не потревожит.

Если вы не получили от нас ответа, попробуйте для связи использовать публичные
почтовые сервисы: mail.ru, rambler.ru и т.д.
Мы отвечаем на все письма, если ответа нет в течении 10 часов, продублируйте свое
письмо с других почтовых сервисов.

Спасибо за внимание и хорошего Вам дня.


*******************************************************************************
ВНИМАНИЕ!!! Изменение имени файлов делает процесс восстановления невозможным!  
*******************************************************************************

I have created a free decrypter for this ransomware. It currently supports the extension ".id-7ES642406.cry".

 

If you have been hit by this ransomware, and your files cannot be decrypted by this decrypter, I will need a sample of the malware that encrypted the files in order to help you. You may upload the malware here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

 


 

https://download.bleepingcomputer.com/demonslay335/DoNotChangeDecrypter.zip


Edited by Demonslay335, 21 June 2017 - 09:18 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
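
As an added example (not part of the original post and not the decrypter's code): a triage helper that groups files by the ID in the `.id-<ID>.cry` extension, flags which IDs match the one extension the post says the decrypter supports, and picks out the ransom notes named above. The function names, the sample paths and the assumption that the ID is a run of letters and digits are illustrative; the `.Do_not_change_the_filename` form is not covered.

```python
import re
from collections import defaultdict

# Extension the decrypter in this topic is stated to support.
SUPPORTED_EXT = ".id-7ES642406.cry"
# Ransom note file names quoted in the first post.
NOTE_NAMES = {"HOW TO DECODE FILES!!!.txt", "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt"}
# Assumption: the ID is a run of letters and digits, as in the samples
# reported in this topic (7ES642406, 9858B7906, 4R4NZ0109).
ID_EXT = re.compile(r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Za-z]+)\.cry$")

def triage(paths):
    """Split paths into encrypted files grouped by ID, ransom notes, and the rest."""
    by_id, notes, other = defaultdict(list), [], []
    for path in paths:
        # Accept both Windows and POSIX separators when taking the file name.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        match = ID_EXT.match(name)
        if match:
            by_id[match.group("id")].append((path, match.group("orig")))
        elif name in NOTE_NAMES:
            notes.append(path)
        else:
            other.append(path)
    return dict(by_id), notes, other

def summarize(paths):
    """Return (id, file_count, supported) rows sorted by ID."""
    by_id, _, _ = triage(paths)
    return [(vid, len(files), ".id-%s.cry" % vid == SUPPORTED_EXT)
            for vid, files in sorted(by_id.items())]

# Constructed sample listing (not taken from any real system).
SAMPLE = [
    r"D:\share\report.xlsx.id-7ES642406.cry",
    r"D:\share\plan.docx.id-4R4NZ0109.cry",
    r"D:\share\photo.jpg.id-4R4NZ0109.cry",
    r"D:\share\HOW TO DECODE FILES!!!.txt",
    r"D:\share\notes.txt",
]

if __name__ == "__main__":
    for vid, count, supported in summarize(SAMPLE):
        status = "supported extension" if supported else "not supported; keep the files and the note"
        print("id %s: %d file(s), %s" % (vid, count, status))
```

Files whose ID is not supported should be kept unmodified together with the ransom note, since the post asks for a malware sample before the decrypter can be extended.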



 


#2 inf2

inf2

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:56 AM

Posted 14 June 2017 - 02:17 AM

Кто нибудь знает, как можно расшифровать. Все потеряно ((( . Id 9858B7906.

Does anyone know how to decipher. All is lost ((( . Id 9858B7906.


Edited by inf2, 14 June 2017 - 02:18 AM.


#3 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:56 AM

Posted 14 June 2017 - 03:21 AM

Try Google Translate.

 

https://www.google.com/search?q=Google+Translate.&ie=utf-8&oe=utf-8



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:56 AM

Posted 14 June 2017 - 05:11 AM

If you have been hit by this ransomware, and your files cannot be decrypted by this decrypter, I will need a sample of the malware that encrypted the files in order to help you.

translation

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 inf2

Posted 14 June 2017 - 05:23 AM

Sorry, but I wrote in two languages. I do not know English well. The essence of the problem: I caught "DoNotChange". I would very much like to find the decryptor of encrypted files with the extension * .. id-9858B7906.cry



#6 inf2

Posted 14 June 2017 - 05:53 AM

The executable code of the virus can not be found. There is a message and files: encrypted and not encrypted. Files sent by reference

 

 

If you have been hit by this ransomware, and your files cannot be decrypted by this decrypter, I will need a sample of the malware that encrypted the files in order to help you.

translation

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

 


Edited by inf2, 14 June 2017 - 05:55 AM.


#7 quietman7

Posted 14 June 2017 - 07:39 AM

Ok...you will need to wait for Demonslay335 to see if there is anything else he needs or can do.

#8 inf2

Posted 14 June 2017 - 07:42 AM

Ok!

Ok...you will need to wait for Demonslay335 to see if there is anything else he needs or can do.



#9 inf2

Posted 15 June 2017 - 02:35 AM

Demonslay335 replied, but I need a virus code, but it's not there. It looks like we made a clever hack, first brute-force passwords RDP, then "hijack.controlpanelstyle", then encrypted the files, the executable code of the encryptor was carefully wiped. It seems that the executable code of the cryptographer remains a mystery. But anyway, thanks to everyone for their help and quick response. Be vigilant, some anti-viruses do not see viruses.


Edited by inf2, 15 June 2017 - 02:35 AM.


#10 Demonslay335

Posted 15 June 2017 - 08:03 AM

Afraid antivirus doesn't have anything to do with it when they have full control of the server. If someone came in via RDP, it takes 2 seconds to turn off any defenses you have, just as you would be able to. It's important to not have RDP exposed to the world and to use strong passwords - use VPN. Also, backups.

 

I will let you know if I obtain a copy of the malware to update the decrypter.




#11 mrtm

mrtm

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 21 June 2017 - 04:36 AM

Hi, we have files encrypted by DoNotChange Ransomware. Files were renamed to original_filename.id-4R4NZ0109.cry.

Can you help me? I think that I can find the ransomware exe file...



#12 quietman7

Posted 21 June 2017 - 05:11 AM

Did you try Demonslay335's DoNotChangeDecrypter.zip?

#13 mrtm

Posted 21 June 2017 - 07:49 AM

Did you try Demonslay335's DoNotChangeDecrypter.zip?

Yes, I tried it. It is skipping encrypted files.



#14 quietman7

Posted 21 June 2017 - 07:56 AM

Then you will have to wait for Demonslay335.



#15 mrtm

Posted 21 June 2017 - 03:59 PM

Then you will have to wait for Demonslay335.

 

I find some exe files in c:\users\user\videos\

VirusTotal detected that is a malware... I hope it will be helpful.

 

https://www.sendspace.com/file/7e577q

pass: virus





