New variant of Ransomware Files infected with .ajge extension...

8 replies to this topic

#1 Lycanus

Lycanus

  • Members
  • 13 posts

Posted 31 March 2017 - 02:31 AM

Hi Friends, I have a customer infected with a new variant of ransomware. I guess it is Al-Namrood in a new version; I'm not sure because it doesn't use the same methodology, but I guess it is this ransomware because I ran the decryption tool from Emsisoft (decrypt alnamrood) and the file was decrypted, but the decrypted file only shows garbage code. I know this happened because the ID used is not the right key to decrypt.

 

http://www.imagebam.com/image/a96704541035844

 

 

The ID used in the Options section is BD9BD769, which is the default when you open the tool....

 

After I checked the decrypted txt file, this file only shows garbage code.... :(, but I know it's because this is not the right key.

 

http://www.imagebam.com/image/87a670541035845

 

After this, I opened the encrypted files with a hexadecimal editor and all the encrypted files show the same code at the end of the file... as you can see in the next image.....

 

http://www.imagebam.com/image/9fa846541035846

 

And the message to recover the files is something like this....

 

http://www.imagebam.com/image/4092d2541035847

 

I've tried to upload all the images here in the post, but they were deleted... or I don't know how to do it... : )

 

I changed the original name of the message and the last 6 digits of the original ID to send the message, only for security reasons... : )

 

I've tried to obtain a code from the registry keys and deleted files, but at this moment I haven't found another key or .dll file which can indicate to me what the right ID key is to decrypt these files.... I checked the whole disk with a recovery program, but none of these encrypted files were deleted; they were only overwritten....

 

I hope someone here can help me to know more about this ransomware... I've tried other decryption tools but I haven't had success. In fact, I have one original xml file and the same file encrypted to make tests.

 

I've tried other decryption tools but I have not had success.

 

I've uploaded 3 files, 2 encrypted with this ransomware and one original, at this link...

https://1drv.ms/f/s!AoQCd6aS2Nkbd64naA5ITCE6kVs

If someone wants to help me make tests, you can download them from here...

 

Regards...
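As an added example (not from the original post, nor from the decryptor or ID Ransomware tools it mentions), here is a small Python triage script for the observation above that every encrypted file ends with the same bytes: it reads a set of files, extracts the longest trailer they all share, and checks that the data before it has ciphertext-like entropy, so a responder can separate a fixed footer (marker or encrypted key blob) from the encrypted body before submitting samples for identification. The `.ajge` extension comes from the thread; the TRAILER bytes, file names and sample contents are constructed placeholders, not the real marker.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed stand-in for the identical bytes at the end of every encrypted file.
TRAILER = b"CONSTRUCTED_FOOTER:" + b"ID_PLACEHOLDER!!"

def common_suffix(blobs):
    """Longest byte string that every blob ends with (b'' if none)."""
    if not blobs:
        return b""
    n, limit = 0, min(len(b) for b in blobs)
    while n < limit and all(b[-(n + 1)] == blobs[0][-(n + 1)] for b in blobs):
        n += 1
    return blobs[0][len(blobs[0]) - n:] if n else b""

def shannon_entropy(data):
    """Bits per byte: near 8.0 for ciphertext, well below that for plain text."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage(paths, ext=".ajge"):
    """Trailer shared by every file with `ext`, plus the lowest body entropy."""
    blobs = [Path(p).read_bytes() for p in paths if str(p).endswith(ext)]
    trailer = common_suffix(blobs)
    bodies = [b[:len(b) - len(trailer)] for b in blobs]  # bytes before the trailer
    return {"files": len(blobs), "trailer_hex": trailer.hex(),
            "min_body_entropy": min((shannon_entropy(b) for b in bodies), default=0.0)}

def make_samples(folder):
    """Constructed samples: two 'encrypted' files and one plain .xml original."""
    paths = []
    for idx in (1, 2):
        # deterministic high-entropy body; the byte before TRAILER differs per file
        body = b"".join(hashlib.sha256(bytes([idx, i])).digest() for i in range(128))
        paths.append(Path(folder) / f"doc{idx}.xml.ajge")
        paths[-1].write_bytes(body + bytes([idx]) + TRAILER)
    paths.append(Path(folder) / "doc1.xml")
    paths[-1].write_bytes(b"<?xml version='1.0'?><root><a>1</a></root>" * 40)
    return paths

def demo():
    with tempfile.TemporaryDirectory() as folder:
        paths = make_samples(folder)
        result = triage(paths)
        result["plain_entropy"] = shannon_entropy(paths[-1].read_bytes())
        return result
```

On real samples, point `triage` at the copied (not original) files; a shared trailer of a fixed length whose preceding bytes are near 8 bits/byte is what you would expect to see, and the hex of that trailer is a useful detail to include with the samples.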

 

 




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 March 2017 - 05:32 AM

There are several different ransomware infections which append a random 4, 5, 6, 7, or 8 character extension to the end of all affected filenames (i.e. CTB-Locker, Crypt0L0cker, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants).

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its name), samples of the encrypted files, the malware file itself, or at least information related to the email address used by the cyber-criminals to request payment.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation image].

#3 Lycanus

Lycanus
  • Topic Starter

  • Members
  • 13 posts

Posted 31 March 2017 - 05:49 AM

Hi, quietman7, I uploaded the ransom note and one encrypted file, but it wasn't possible to determine what ransomware it is...

 

Here is the result... and the SHA1 number

 

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 248f323fdf9c39dc589725829642813ccb45122f

 

 

Regards



#4 Lycanus

Lycanus
  • Topic Starter

  • Members
  • 13 posts

Posted 31 March 2017 - 05:55 AM

Hi, it's me again, the real name of the ransom note is ajge_[customer's servername].txt

 

Regards...



#5 Lycanus

Lycanus
  • Topic Starter

  • Members
  • 13 posts

Posted 31 March 2017 - 06:37 AM

Hi, I uploaded the encrypted file to virustotal.com to get a detection.... here are the results... No detection

 

http://www.imagebam.com/image/203e2e541081697

 

Regards.



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 March 2017 - 06:55 AM

Demonslay335 most likely will check out the SHA1 when he logs in later today.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful for analysis and investigation by our crypto experts.

#7 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 31 March 2017 - 07:03 AM

Lycanus
Do not experiment with files. They can be damaged.

Read important recommendations:

First steps when dealing with ransomware

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Affected by a file-encrypting ransomware? Report to me here.


#8 Lycanus

Lycanus
  • Topic Starter

  • Members
  • 13 posts

Posted 31 March 2017 - 10:51 AM

Hi, I made an exact copy of the original drive; I have the original drive untouched.... : )

 

I will try to find other files that can help to find how the key was made... this ransomware also encrypted a USB hard drive; I checked this and all the files were encrypted too, but the ransomware did not delete any of the files, they were only overwritten....

 

Does someone know if I can decrypt these files with another program like decrypt alnamrood? Because this program only lets me put in a key of 8 characters, and I think the key must be longer. : (

 

Thanks for helping me.



#9 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 02 April 2017 - 03:43 AM

Lycanus

You can test any decryptors by selecting image and document files, but experiment only with backup copies, according to the recommendations of Fabian Wosar.


Edited by Amigo-A, 02 April 2017 - 03:43 AM.
