
Xorist Ransomware - .encryptedfile@tutanota.com.cerberV6



#1 Techindahaus

Posted 04 April 2017 - 12:27 PM

Hi - I have a client who got this ransomware, which is apparently a variant (6th gen) of the Cerber ransomware.

Note:

"All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.

Encrtyption was produced using unique public key RSA-4096 generated for this computer.

To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 48 hours after encryption completed.

To retrieve the private key, you need to pay 11  bitcoins

Bitcoins have to be sent to this address: 1GoysYnEmxve8sNNaRUvTqK3qfR6Fa7vQZ

After you've sent the payment send us an email to : encryptedfiles@tutanota.com  with subject : DECRYPT-ID-6310A11BTC
If you are  not familiar with bitcoin you can buy it from here :
SITE 1 : www.coinbase.com
SITE 2 : www.bitstamp.net

After we confirm the payment , we send the private key so you can decrypt your system."

 

Any assistance with this would be appreciated.



#2 xXToffeeXx (Malware Response Instructor)

Posted 04 April 2017 - 04:05 PM

Hi Techindahaus,

I can confirm that this isn't Cerber. What extension is added to your files, and what is the ransom note called?

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Techindahaus (Topic Starter)

Posted 04 April 2017 - 04:14 PM

xXToffeeXx wrote:
    Hi Techindahaus,
    I can confirm that this isn't Cerber. What extension is added to your files, and what is the ransom note called?

Note: [identical to the ransom note quoted in post #1]

 

and the file extension: .encryptedfile@tutanota.com.cerberV6



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 04 April 2017 - 05:09 PM

I don't know if it was you or not, but a victim from the US uploaded a file with that extension and a ransom note called "HOW TO DECRYPT FILES.txt" with the same contents, including the same BTC address. It was identified as Xorist by the ransom note. Please try the Emsisoft Xorist decrypter using an encrypted file and its original.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
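The "encrypted file plus its original" step in Demonslay335's advice is a known-plaintext attack: the key is fixed by the sample rather than generated per file, so one pair is enough for a decrypter to recover it and then unlock every other file. The block below is an added example, not code from the post or from Emsisoft's decrypter. It models that workflow with a repeating-key XOR stand-in for the real cipher (Xorist's actual algorithm and key handling differ), uses a constructed key and constructed file contents, and takes only the extension string from this thread.

```python
from typing import Dict, Optional

# The extension reported in this thread.
EXTENSION = ".encryptedfile@tutanota.com.cerberV6"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR stand-in cipher; encrypt and decrypt are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(original: bytes, encrypted: bytes,
                max_key_len: int = 64) -> Optional[bytes]:
    """Derive the key from one (original, encrypted) pair.

    original XOR encrypted gives the keystream. With a repeating key the
    keystream is periodic, and the shortest period that holds across the
    whole sample is the key. A period is only accepted once the sample
    covers it at least twice (len >= 2 * period); otherwise a small file
    would yield a truncated key. That is the "use a large enough file"
    caveat real decrypters print. Returns None if no key can be confirmed.
    """
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file must be the same length")
    keystream = xor_with_key(original, encrypted)
    for period in range(1, max_key_len + 1):
        if 2 * period > len(keystream):
            return None  # sample too short to confirm this (or any longer) period
        if all(keystream[i] == keystream[i - period]
               for i in range(period, len(keystream))):
            return keystream[:period]
    return None


def original_name(encrypted_name: str) -> str:
    """Undo the appended extension so the decrypted file gets its name back."""
    if not encrypted_name.endswith(EXTENSION):
        raise ValueError("not an encrypted file name: " + encrypted_name)
    return encrypted_name[: -len(EXTENSION)]


def decrypt_all(known_original: bytes, known_encrypted: bytes,
                encrypted_files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Recover the key from the known pair, then decrypt every other file.

    Raises instead of producing output when the key cannot be recovered, so
    a caller never overwrites the encrypted copies with garbage.
    """
    key = recover_key(known_original, known_encrypted)
    if key is None:
        raise RuntimeError("could not recover key; supply a larger original/encrypted pair")
    return {original_name(name): xor_with_key(data, key)
            for name, data in encrypted_files.items()}


# Constructed demo data: not real victim files and not a real Xorist key.
KEY = b"constructed-key-16"
ORIGINALS = {
    "invoice.docx": b"Invoice 2017-04 for client ACME, total due 4,200 USD. " * 3,
    "photo.jpg": bytes(range(256)) + b"\xff\xd9",
}
ENCRYPTED = {name + EXTENSION: xor_with_key(data, KEY)
             for name, data in ORIGINALS.items()}


def demo() -> Dict[str, bytes]:
    """Use invoice.docx and its encrypted copy as the pair; recover photo.jpg."""
    pair_name = "invoice.docx" + EXTENSION
    others = {n: d for n, d in ENCRYPTED.items() if n != pair_name}
    return decrypt_all(ORIGINALS["invoice.docx"], ENCRYPTED[pair_name], others)


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, "restored:", data == ORIGINALS[name])
```

The length check in recover_key is the part worth keeping in mind when you pick the pair for a real decrypter: a tiny file (a few bytes of config, an empty document) may not contain enough keystream to confirm the key, which is why the tools ask for a reasonably large original.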


#5 quietman7 (Global Moderator)

Posted 04 April 2017 - 05:12 PM

So it's another fake Cerber?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Demonslay335

Posted 04 April 2017 - 05:16 PM

Likely. There's CerberTear, which fakes Cerber but is based on HiddenTear (and is decryptable); the malware actors behind Xorist have spoofed other ransomware extensions before, so this wouldn't surprise me.

 

@Techindahaus

If you have the malware itself, that would also be useful for us to confirm what it is. You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#7 Techindahaus (Topic Starter)

Posted 04 April 2017 - 05:26 PM

OK, I'll see if I can get the decrypter to work remotely. The machine is barely moving. Any idea how the malware created a bunch of bogus accounts on the system?



#8 xXToffeeXx

Posted 05 April 2017 - 06:38 AM

quietman7 wrote:
    So it's another fake Cerber?

You can tell by the note that it's fake.

Techindahaus wrote:
    OK, I'll see if I can get the decrypter to work remotely. The machine is barely moving. Any idea how the malware created a bunch of bogus accounts on the system?

Chances are that they got in via RDP, which allowed the criminals to create all those accounts; it was not the ransomware itself. Check whether RDP is enabled and then please secure it with a non-default username and a complicated, non-brute-forceable password.

xXToffeeXx~


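xXToffeeXx's explanation for the bogus accounts (RDP exposed, the attackers logged in and created them by hand) is a hypothesis you can confirm from the Security event log before the machine is rebuilt. The block below is an added example, not code from the post. It runs that check over constructed, simplified event records (real events come from wevtutil or Get-WinEvent and carry many more fields) and looks for the classic sequence: a burst of 4625 failed logons with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, a 4624 success from the same address, then 4720 user-account creations after that success. The threshold, addresses, account names and timestamps are all constructed.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / Remote Desktop


def _ev(event_id: int, when: str, ip: Optional[str] = None,
        user: Optional[str] = None, logon_type: Optional[int] = None) -> dict:
    """Simplified Security-log record; real events carry many more fields."""
    return {"id": event_id, "time": datetime.fromisoformat(when),
            "ip": ip, "user": user, "logon_type": logon_type}


ATTACKER = "198.51.100.23"  # constructed; documentation address range
EVENTS = (
    # 40 failed RDP logons in one minute against the built-in account
    [_ev(4625, "2017-04-03T22:14:%02d" % i, ATTACKER, "administrator", RDP_LOGON_TYPE)
     for i in range(40)]
    # one mistyped password from another address: noise, not an attack
    + [_ev(4625, "2017-04-03T22:15:10", "203.0.113.9", "jsmith", RDP_LOGON_TYPE)]
    # the guess that worked
    + [_ev(4624, "2017-04-03T22:16:02", ATTACKER, "administrator", RDP_LOGON_TYPE)]
    # three accounts created minutes later (4720 carries no source address)
    + [_ev(4720, "2017-04-03T22:18:40", user="support1"),
       _ev(4720, "2017-04-03T22:18:55", user="backup2"),
       _ev(4720, "2017-04-03T22:19:03", user="sqladmin")]
    # a legitimate RDP logon earlier that day from the LAN
    + [_ev(4624, "2017-04-03T09:02:11", "10.0.0.5", "jsmith", RDP_LOGON_TYPE)]
)


def brute_force_sources(events: List[dict], threshold: int = 10) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed RDP logons."""
    failures = Counter(e["ip"] for e in events
                       if e["id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE)
    return {ip: n for ip, n in failures.items() if n >= threshold}


def first_success_from(events: List[dict], sources: Dict[str, int]) -> Optional[dict]:
    """Earliest successful RDP logon from a brute-forcing address, if any."""
    hits = [e for e in events
            if e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE and e["ip"] in sources]
    return min(hits, key=lambda e: e["time"]) if hits else None


def accounts_created_after(events: List[dict], when: datetime) -> List[str]:
    """Names from 4720 (user account created) events at or after `when`."""
    return sorted(e["user"] for e in events if e["id"] == 4720 and e["time"] >= when)


def triage(events: List[dict], threshold: int = 10) -> dict:
    """Tie the three signals together into one finding."""
    sources = brute_force_sources(events, threshold)
    entry = first_success_from(events, sources)
    created = accounts_created_after(events, entry["time"]) if entry else []
    if entry:
        verdict = ("RDP brute force from %s succeeded as '%s' at %s; "
                   "%d account(s) created afterwards"
                   % (entry["ip"], entry["user"], entry["time"].isoformat(), len(created)))
    else:
        verdict = "no successful RDP logon from a brute-forcing source"
    return {"brute_force_sources": sources, "entry": entry,
            "accounts_created": created, "verdict": verdict}


if __name__ == "__main__":
    print(triage(EVENTS)["verdict"])
```

On the host itself, whether RDP is enabled is the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (0 means connections are allowed), and the 4625/4624/4720 events can be exported with wevtutil qe Security. If the Security log turns out to have been cleared (event 1102), that absence is itself a finding: a brute-forced RDP session followed by new local accounts means the box should be treated as fully compromised, not just "infected with ransomware".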


#9 dimo70

Posted 06 April 2017 - 03:47 AM

Hi guys,

My client has paid the ransom for Cerber and now we have the original decryptor. Can I help you somehow to make a universal decryptor?


Sofia, Bulgaria

WWW: http://eastcomputerservise.com/

 


#10 ronaldmirello

Posted 06 April 2017 - 04:26 AM

In theory, the tool was built with the key of "your" customer.
It is difficult, if not almost impossible, to create a "universal" decryptor starting from that.


#11 quietman7

Posted 06 April 2017 - 05:11 AM

If you received a working decrypter, you can zip and submit it here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.

#12 dimo70

Posted 06 April 2017 - 05:30 AM

I have already submitted the decryptor and ransom text here: https://www.bleepingcomputer.com/submit-malware.php?channel=168

Hope it helps.


Edited by dimo70, 06 April 2017 - 05:31 AM.


#13 xXToffeeXx

Posted 06 April 2017 - 07:57 AM

dimo70 wrote:
    Hi guys,
    My client has paid the ransom for Cerber and now we have the original decryptor. Can I help you somehow to make a universal decryptor?

You were dealing with the actual Cerber, not this fake Cerber.

 

xXToffeeXx~






