Btcware Ransomware (.btcware #_HOW_TO_FIX_!.hta READ ME.txt) Support Topic

99 replies to this topic

#91 Demonslay335 (Ransomware Hunter, Security Colleague, 2,888 posts)

Posted Yesterday, 04:22 PM

There weren't consistent backups so finding a pair of any significant size was difficult. I was using a 159 KB file but it wasn't large enough. After a partial decrypt I found a 324 MB file on one of the computers. I had the same file on my uninfected computer. I used these files to decrypt both computers although they never existed on one of the computers. Is this a problem?

 

Should be fine, as long as the files open up fine after decryption (the decrypter cannot verify if the files are corrupt or not when using the "last resort" method). The only thing that matters is that it was 100% the original file of the encrypted file, same version, etc.

 

We're still working on breaking the newer sample; we'll eventually be able to crack the key to decrypt all files.


Edited by Demonslay335, Yesterday, 04:27 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



 


#92 TechGuru11 (Members, 74 posts)

Posted Yesterday, 06:21 PM

We had files also with .onyon. Hopefully they will be of some use. 

https://www.sendspace.com/filegroup/G%2BVzzJf6Pp9s0JV0YHlqXA



#93 csilva (Members, 4 posts)

Posted Today, 01:53 AM

 

onyon works for me too.
 
Found the exe:
decrypteroNyON.exe.onyon
 
Do you need it?

 
Yes please. :) Although, looks like that might be encrypted lol... if you could zip it up with an encrypted file and its original that is larger than that exe, then I can decrypt it. :P
 
I've received a sample with that filename, but it doesn't hurt in case yours is a slightly different variant. You may submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168
 
@csilva

 

I haven't seen a sample yet with .[<email>].onyon, so I'm really curious what changes they made. Hope you can find the malware. If you stopped it before it encrypted everything, it should still be on the system somewhere. As mentioned before, it copies itself to %APPDATA% and then deletes from where it was originally run. I'd honestly be surprised if you did kill it before it finishes, it actually encrypts a whole system rather quickly; takes only 3 seconds on my test runs each time (granted, not a lot of data on my VM, but it's quicker than most other ransomware I analyze).

 

No luck... Searched everywhere for it, but couldn't find anything. Guess I shouldn't have run that system restore maybe... Any other way I can help?

 

On another note, when I tried running the decrypter on the infected PC it kept telling me it couldn't find the file specified, and I noticed that when I opened the decrypter it had a message about an error decompressing the bruteforcer or something. Any idea why and how to circumvent it? Tried running from the PC and from a flash drive. The copy is good, when I try it on another computer it works fine.

 

Thanks a lot for your help!



#94 navytut (Members, 1 post)

Posted Today, 03:46 AM

Haven't been able to decrypt .theva files. Tried both the v3 and v4 options. Attached the samples of both original and encrypted files. See if it helps. Thanks.

 

https://ufile.io/1enlx



#95 Demonslay335 (Ransomware Hunter, Security Colleague, 2,888 posts)

Posted Today, 08:30 AM

@csilva

 

I did have a report of an issue with that from another user. It ended up being their antivirus blocking the unpacking of the bruteforce tool, since it tries to load it into %TEMP%. Try disabling your antivirus temporarily. It's a valid signed program, so it shouldn't have triggered the antivirus (funny how they block the good guy tools but not the ransomware eh...).




#96 Dave_Dave (Members, 1 post)

Posted Today, 08:57 AM

I haven't seen a sample yet with .[<email>].onyon, so I'm really curious what changes they made. Hope you can find the malware. If you stopped it before it encrypted everything, it should still be on the system somewhere.

 

I was hit with this variant overnight, and when I woke up this AM it was still encrypting files over my network. There was a folder called 'system' on the desktop with an .exe inside, as well as a few other files (looks like it tried to encrypt this folder as well). I zipped up the entire folder and submitted it to the link you posted above. Hope it helps.



#97 Demonslay335 (Ransomware Hunter, Security Colleague, 2,888 posts)

Posted Today, 09:04 AM

@TechGuru11

 

Are you sure that's the original of that file? The encrypted file has ".dcm" extension as well, and it is 80 bytes larger; even the variants that use AES-192 would have only padded up to 15 bytes. Only about 10MB of the file is encrypted as well, so anything past that should be the same, but there's the extra 80 bytes at the end.


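A sanity check for a plaintext/encrypted file pair that applies the size reasoning of the reply above, added here as an example (not the decrypter's or the forum's code). The 15-byte padding bound, the roughly 10 MB encrypted prefix and the constructed sample bytes are assumptions taken from that reply, not a description of the Btcware format.

```python
"""Check whether a claimed original/encrypted pair is consistent:
the encrypted copy should be at most a block of padding larger, and
bytes past the encrypted prefix should match the original exactly.
Thresholds are assumptions lifted from post #97, not a format spec."""
from dataclasses import dataclass
from typing import Optional

MAX_PADDING = 15                    # post #97: AES-192 variants pad up to 15 bytes
DEFAULT_PREFIX = 10 * 1024 * 1024   # post #97: only ~10 MB of the file is encrypted


@dataclass
class PairReport:
    size_diff: int                  # len(encrypted) - len(original)
    padding_ok: bool                # 0 <= size_diff <= MAX_PADDING
    prefix_differs: bool            # the supposedly encrypted region really differs
    tail_matches: Optional[bool]    # None when the original is shorter than the prefix
    extra_trailing: int             # bytes after the matched tail (80 in post #97)

    @property
    def plausible(self) -> bool:
        """True when nothing contradicts 'this is the original of that file'."""
        return (self.padding_ok and self.prefix_differs
                and self.tail_matches is not False and self.extra_trailing == 0)


def check_pair(original: bytes, encrypted: bytes,
               prefix: int = DEFAULT_PREFIX) -> PairReport:
    size_diff = len(encrypted) - len(original)
    padding_ok = 0 <= size_diff <= MAX_PADDING
    head = min(len(original), prefix)
    prefix_differs = original[:head] != encrypted[:head]
    tail = original[prefix:]
    if not tail:
        # The whole file falls inside the encrypted prefix: nothing to compare.
        return PairReport(size_diff, padding_ok, prefix_differs, None, 0)
    # Padding may shift the untouched tail, so search for it instead of
    # comparing at a fixed offset (a very short tail could match by chance).
    idx = encrypted.find(tail, prefix)
    if idx < 0:
        return PairReport(size_diff, padding_ok, prefix_differs, False, 0)
    extra = len(encrypted) - (idx + len(tail))
    return PairReport(size_diff, padding_ok, prefix_differs, True, extra)
```

Run it on a pair with `prefix` set to the encrypted region you observe; a report with `extra_trailing` of 80 and `padding_ok` false is the situation described in the reply.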


#98 Rudigerets (Members, 1 post)

Posted Today, 09:57 AM

Also infected by ONYON.

Files are encrypted and got the extension [newcrann@qq.com].onyon

 

Original file : https://www.sendspace.com/file/c7997h

 

Infected file : https://www.sendspace.com/file/8r6ykn

 

Backup files also infected  :angry:  :angry:  :angry:



#99 Demonslay335 (Ransomware Hunter, Security Colleague, 2,888 posts)

Posted Today, 10:25 AM

@Dave_Dave

 

It was indeed the malware, and I actually already had the same sample. Thanks for submitting though, I'll hold onto your filepair for hopefully cracking later.

 

@navytut

 

I am confirming I cannot get a key with v3 (which also tests v2 and v3.5 at the same time) or v4. Do you have the malware itself? Could be they changed something, this one is very active.




#100 AAvis (Members, 6 posts)

Posted Today, 03:32 PM

First I would like to say Thank You. I know it has to be a lot of work trying to crack this encryption garbage. Honestly I don't know why you do it other than the challenge.

 

Now some questions on the best way to avoid getting encrypted in the first place.

 

It seems from reading through these posts there are several ways the stuff gets on computers. Infected websites, email (attachments), RDP and even TeamViewer so far. I don't use TeamViewer anymore but I can't seem to figure out a way it would get through it unless 1. The TeamViewer database has been hacked or 2. a computer that uses TeamViewer to connect to a server had a 'keylogger' on it and they used that 'log'.

 

Infected websites. I am always very careful about going to websites that are not 'well known' when searching with Google or Yahoo. Sometimes you have to go to those 'unknown' sites to find what you are looking for. Problem with that is sometimes you get MORE than you were looking for without even knowing it. One of the first things this stuff does is disable/uninstall the anti-virus, malware protection, etc. To disable or uninstall anti-virus and malware protection you normally have to jump through several hoops but they seem to be able to do it instantly!

 

Email and attachments. I personally do not open attachments unless I am 100% sure they are legit. In other words I was expecting the attachment from the person who sent it and not just because I know that person. I understand email spoofing but that is hard to explain to regular users. I've had a couple of systems attacked because of emails saying they were from FedEx, USPS or UPS with an attachment that let loose an encryption virus. Back then most virus scanners didn't even recognize them as viruses! I guess educating users is really the only way to stop these. We tried blocking all .zip files, .exe files and any other executable files but we can't do that in all cases.

 

RDP. Remote Desktop made my job a lot easier so I use it a lot. Was RDP hacked into because of weak passwords? When I set up RDP I always change the port it uses; does that help? On some systems I also configure the firewall to only allow the connection from a specific IP address. Again, does that make it better/safer?

 

I'm hoping that someday you will figure out the btcware encryption (the one without an email address). The system that it got on I did not have a good backup of one of the folders. Seeing you crack some of these other 'versions' is great though. That means a lot of people got their files back without giving in to the criminals!





