New variant of Ransomware Files infected with .ajge extension...

Hi Friends, I have a costumer infected with a new variant of ransomware, I guess is al-namrood in a new version, i'm not sure because it doesn't use the same methodology, but I guess it is this ransomware because I ran the decryption tool from emisisoft (decrypt alnamrood) and the file was decrypted, but the decrypted file only shows garbage code, I know this happened because the ID used is not the right key to decrypt.

 

http://www.imagebam.com/image/a96704541035844

 

 

the ID used in the section options is BD9BD769 , which is the default when you open the tool....

 

after I checked the file txt decrypted, this file only shows garbage code.... , but I know because this is not the right key.

 

http://www.imagebam.com/image/87a670541035845

 

After this, I open the encrypted files with an hexadecimal editor and all the encrypted files show the same code at the end of the file...as you can see on the next image.....

 

http://www.imagebam.com/image/9fa846541035846

 

and the message to recover the files is something like this....

 

http://www.imagebam.com/image/4092d2541035847

 

I've tried to upload all the images here in the post, but they were deleted...or I don't know how to do it... : )

 

I changed the orginal name of the message and the last 6 digits from the original Id to send the mesage, only for security reasons... : )

 

I've tried to obtain a code from the registry keys and deleted files, but at this moment I didn't find another key or .dll file which can indicate me what is the ID right key to decrypt these files.... I checked the whole disk with a recovery program, but none of these encrypted files were deleted, they only were over written....

 

I hope someone here, can help me to know more about this Ransomware... I've tried with another decryptions tools but I haven't had successful. In fact, I have one original xml file and the same file but encrypted to make tests.

 

I've tried with another decryptions tools but I'm not have successful

 

I've uploaded 3 files, 2 encrypted with this ransomware and one original at this link...

https://1drv.ms/f/s!AoQCd6aS2Nkbd64naA5ITCE6kVs

if someone want help me to make tests, you can download these from here...

 

Regards...

 

 

There are several different ransomware infections which append a random 4, 5, 6, 7, or 8 character extension to the end of all affected filenames (i.e. CTB-Locker, Crypt0L0cker, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants).

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including it's name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Hi, quietman7, I uploaded the ransom note and one  encrypted file, but it wasn't possible to determinate what ransom is...

 

Here is the Result... and the number of SHA1

 

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 248f323fdf9c39dc589725829642813ccb45122f

 

 

Regards

Hi, I'm again, the real name of the ransom note is ajge_[costumer's servername].txt

 

Regards...

Hi, I uploaded the encrypted file in virustotal.com to get detection....here the results... Not detection

 

http://www.imagebam.com/image/203e2e541081697

 

Regards.

Demonslay335 most likely will check out the SHA1 when he logs in later today.

Samples of any encrypted files, ransom notes or suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto experts.

Hi, I made a exactly copy of the original drive, I have the original drive untouch....  : )

 

I will try to find another files that can help to find how the key was made...this ransomware encrypted too a usb hard drive, I checked this and all the files were encrypted too, but the ransomware not delete any of the files, only they were over written....

 

someone know If I can decrypt these files with another program like decrypt alnamrood?, because this program onle let me to put a key of 8 characters, and I think the key must be longer, : (

 

Thanks for help me.

Lycanus

You can tested any decryptors by selecting images and documents files, but experiment only with backup copies, according to the recommendations of Fabian Wosar.

Edited by Amigo-A, 02 April 2017 - 03:43 AM.