New Zixer2 extension ransomware?


4 replies to this topic

#1 ilevyas

ilevyas

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 03 April 2017 - 04:57 AM

Hello everyone, thanks in advance for all the useful information I've always found on this forum.

Today I received a call from a customer who got infected by a ransomware. I asked for a couple of encrypted files in order to identify the worm, but what I got actually surprised me.

IMG_9***.JPG.zixer2
IMG_9***.JPG.zixer2
IMG_9***.JPG.zixer2
IMG_9***.JPG.zixer2
HOW TO DECRYPT FILES.TXT

Here's the content of the txt:

ATTENTION !

All Your Files Was Encrypted !
E-mail addresses: Datares@india.com

Nothing more.

Apparently, from what I could deduce from the email address, it's somehow related to the Dharma ransomware, but I could not find anything on the web, nor in this forum.

Does anyone know anything about this Zixer2?

Thanks again for your time.

Greetings from Italy.

 

Valerio


Edited by ilevyas, 03 April 2017 - 05:43 AM.




#2 thyrex

thyrex

  • Members
  • 526 posts
  • OFFLINE
  • Gender:Male
  • Location:Belarus
  • Local time:11:40 AM

Posted 03 April 2017 - 07:47 AM

Please upload samples of encrypted files (jpg, doc, docx) onto https://sendspace.com and give us the download link.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,430 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:40 AM

Posted 03 April 2017 - 08:25 AM

The note and email are identified as Xorist on ID Ransomware by multiple victims' uploads. Try the Emsisoft Xorist decrypter. You'll need an encrypted file and its original; they will be the same filesize. Drag them onto the decrypter as the instructions show, and when it finds a key, it will let you select folders to decrypt. Try a test folder first and verify it decrypts properly.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
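The reply above asks for an encrypted file together with its original, of the same size, before the decrypter can look for a key. The following script is an added triage example (not code from this thread, from Emsisoft, or from ID Ransomware): it finds the `.zixer2` files and the `HOW TO DECRYPT FILES.TXT` notes the poster described, matches each encrypted file to a clean copy by name, and keeps only pairs that are the same size and actually differ in content. The `infected`/`backup` directory layout, the sample file bytes and the `IMG_900x.JPG` names are constructed assumptions for the demo.

```python
# Added example (not from the thread): find the ".zixer2" files and ransom
# notes described in the post, then pair each encrypted file with a clean
# copy so that only same-size pairs, as the decrypter requires, are put
# forward. Directory names, file names and all sample bytes are constructed.
import tempfile
from pathlib import Path

RANSOM_EXT = ".zixer2"                    # extension reported in the thread
RANSOM_NOTE = "HOW TO DECRYPT FILES.TXT"  # note filename reported in the thread


def scan_infected(root):
    """Return (encrypted files, ransom notes) found under root."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.upper() == RANSOM_NOTE:
            notes.append(path)
        elif path.suffix.lower() == RANSOM_EXT:
            encrypted.append(path)
    return sorted(encrypted), sorted(notes)


def match_pairs(infected_root, backup_root):
    """Pair each encrypted file with the same-named original from backup_root.

    Only pairs whose sizes match are candidates for the decrypter; the other
    buckets tell the responder which files still need a usable original.
    """
    infected_root, backup_root = Path(infected_root), Path(backup_root)
    result = {"pairs": [], "size_mismatch": [], "unchanged": [], "missing_original": []}
    encrypted, _ = scan_infected(infected_root)
    for enc in encrypted:
        rel = enc.relative_to(infected_root)
        orig = backup_root / rel.with_name(rel.name[: -len(RANSOM_EXT)])
        if not orig.is_file():
            result["missing_original"].append(enc)
        elif orig.stat().st_size != enc.stat().st_size:
            result["size_mismatch"].append((enc, orig))
        elif orig.read_bytes() == enc.read_bytes():
            # identical bytes: only renamed, so it cannot help recover a key
            result["unchanged"].append((enc, orig))
        else:
            result["pairs"].append((enc, orig))
    return result


def build_constructed_sample(base):
    """Create a constructed directory tree that mimics the reported incident."""
    base = Path(base)
    infected, backup = base / "infected", base / "backup"
    infected.mkdir()
    backup.mkdir()
    (infected / RANSOM_NOTE).write_text("ATTENTION !\nAll Your Files Was Encrypted !\n")
    # 1. usable pair: same size, different content
    (backup / "IMG_9001.JPG").write_bytes(b"\xff\xd8" + b"A" * 30)
    (infected / "IMG_9001.JPG.zixer2").write_bytes(b"\x13\x37" + b"Z" * 30)
    # 2. size mismatch: the "original" is a different edit of the photo
    (backup / "IMG_9002.JPG").write_bytes(b"\xff\xd8" + b"B" * 40)
    (infected / "IMG_9002.JPG.zixer2").write_bytes(b"\x13\x37" + b"Y" * 30)
    # 3. no original available at all
    (infected / "IMG_9003.JPG.zixer2").write_bytes(b"\x13\x37" + b"X" * 30)
    # 4. renamed but not actually encrypted
    (backup / "IMG_9004.JPG").write_bytes(b"\xff\xd8" + b"C" * 30)
    (infected / "IMG_9004.JPG.zixer2").write_bytes(b"\xff\xd8" + b"C" * 30)
    return infected, backup


def demo():
    """Run the triage on the constructed sample and return a name-only summary."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, backup = build_constructed_sample(tmp)
        _, notes = scan_infected(infected)
        result = match_pairs(infected, backup)
        summary = {bucket: sorted(item[0].name if isinstance(item, tuple) else item.name
                                  for item in items)
                   for bucket, items in result.items()}
        summary["notes"] = [note.name for note in notes]
        return summary


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Run it against a copy of the affected share and a backup set rather than the live machine; the `pairs` bucket lists what to hand to the decrypter, and `size_mismatch` is the usual reason a key search fails, because a resized or re-saved photo is not the file that was encrypted.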


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:40 AM

Posted 03 April 2017 - 03:24 PM

If you encounter an error when using the Emsisoft decrypter, you will need to share the file pair(s) you are using for our crypto malware experts to take a look at.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 thyrex

thyrex

  • Members
  • 526 posts
  • OFFLINE
  • Gender:Male
  • Location:Belarus
  • Local time:11:40 AM

Posted 03 April 2017 - 03:50 PM

I think that it's ilevyas's pictures https://www.sendspace.com/file/7o3bhp :)


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016
