
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


584 replies to this topic

#436 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:25 PM

Posted 14 August 2017 - 10:38 AM

Caught by this today. Mail sent but no answers from the ransom until now.

 

Example:

FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar

 

Submitted a file to ID Ransomware and it says 4 possible variants about:

 

Dharma (.onion)

sample_bytes: [0xC4020 - 0xC4060] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
custom_rule: Original filename "HDTune.exe" after filemarker 

GlobeImposter 2.0

ransomnote_email: Gladius_rectus@aol.com 

Cryakl

ransomnote_email: gladius_rectus@aol.com 

BTCWare Gryphon

ransomnote_email: gladius_rectus@aol.com 

But I can't find any information related to this CEZAR extension.

 

It looks like we have a new variant of Dharma, currently looking into it. Any chance you have the malware?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.




#437 horuscurcino

horuscurcino

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 14 August 2017 - 05:55 PM

 

Caught by this today. Mail sent but no answers from the ransom until now.

 

Example:

FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar

 

Submitted a file to ID Ransomware and it says 4 possible variants about:

 

Dharma (.onion)

sample_bytes: [0xC4020 - 0xC4060] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
custom_rule: Original filename "HDTune.exe" after filemarker 

GlobeImposter 2.0

ransomnote_email: Gladius_rectus@aol.com 

Cryakl

ransomnote_email: gladius_rectus@aol.com 

BTCWare Gryphon

ransomnote_email: gladius_rectus@aol.com 

But I can't find any information related to this CEZAR extension.

 

It looks like we have a new variant of Dharma, currently looking into it. Any chance you have the malware?

 

Not sure if I need to post here or under the Dharma thread, but I've sent some samples to Drive:

 

 

"data files encrypted.txt"

https://drive.google.com/file/d/0B7buw-zxwK1GckM2QU9ldnVEZW8/view?usp=sharing

 

"!## DECRYPT FILES ##!.txt.id-4C018334.[gladius_rectus@aol.com].cezar"

https://drive.google.com/file/d/0B7buw-zxwK1GVWlVMG12bHU2X1E/view?usp=sharing

 

Infected "HDTune.exe"

https://drive.google.com/file/d/0B7buw-zxwK1Ga2xCUW1yMU9COU0/view?usp=sharing

 

Safe "HDTune.exe"

https://drive.google.com/file/d/0B7buw-zxwK1GaHpmT0huNnVwYVk/view?usp=sharing


Edited by horuscurcino, 14 August 2017 - 05:55 PM.


#438 al1963

al1963

  • Members
  • 886 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 14 August 2017 - 09:12 PM

It looks like there was double encryption.

Initially, the files were encrypted with Crysis.wallet, then again, already Crysis.cezar.


Edited by al1963, 14 August 2017 - 09:13 PM.


#439 horuscurcino

horuscurcino

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 14 August 2017 - 09:24 PM

It looks like there was double encryption.

Initially, the files were encrypted with Crysis.wallet, then again, already Crysis.cezar.

 

Sorry. It must be one of my rename tries and the payload surely encrypted it again.



#440 al1963

al1963

  • Members
  • 886 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 14 August 2017 - 09:38 PM

>>>>>>Sorry. It must be one of my rename tries and the payload surely encrypted it again.

 

Understandably. The encoder file was still active.



#441 horuscurcino

horuscurcino

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 14 August 2017 - 10:51 PM

Another sample of our most recent .CEZAR transformation.

 

 

avast_decryptor_crysis (1).exe

 

Encrypted:

https://drive.google.com/file/d/0BxxHXh_xbM8heDF1a1BobXhwSHM/view?usp=sharing

 

Genuine:

https://drive.google.com/file/d/0BxxHXh_xbM8hYnNoeDhWZEZoRWs/view?usp=sharing

 

 

Just to say about a curious behavior:

I think it neutralized our Cobian solution and sent a DELETE command to the tasks' destination, because it was pointing to an always-ready Google Drive sync folder and all data disappeared from there and from the cloud. The ransom attack must be quick, and it doesn't make sense to encrypt first and then delete the Cobian output folder. I'm now trying to rebuild the FAT to recover this folder and, hopefully, its contents.



#442 al1963

al1963

  • Members
  • 886 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 14 August 2017 - 11:06 PM

In your case, the most useful file is the encoder file for analysis.

If it is preserved in the antivirus quarantine, then it can be extracted and transferred for analysis.



#443 KCSEC

KCSEC

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 15 August 2017 - 04:26 AM

Hello,

 

We've got someone who has been hit by the new BTCWare Gryphon.

 

As far as I'm aware there is no current decrypter for it.

 

I'll attach what we have to try help fight this new variant. Please let me know if you want anything uploaded.

 

It seems to have been stopped mid-encryption, as it has not even renamed the files, just encrypted them.

 

BTCWare Decryptor seems to load up 2 private keys on startup but could be from previous attacks on this server.

 

 

I've not seen this email address listed anywhere else in the ransom note or without a secondary email address.

 

Server was hacked via RDP.

 

 

Note as follows,

 

!## DECRYPT FILES ##!.txt

 

 

============================== GRYPHON RANSOMWARE ==============================

 
Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - "GRYPHON DECRYPTER"
Using another tools could corrupt your files, in case of using third party 
software we dont give guarantees that full recovery is possible so use it on 
your own risk.
 
If you want to restore files, write us to the e-mail: 90x@aolonline.top        
In subject line write "encryption" and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
 
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
 
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress:                          
 
Your personal identification number:
 
bg3wWbNOJmN99eyf8Y9yKFt/tLrzB1wCiI2IPJk5zrTACS1ZJGfqe9YngHpCZ3gy68zRX5liZXVOwgpA
hgBvGVBTpo1Pit4iVkGHw8GjXN/QbHYaMybbGhR0Hun4zOFZ71Dn1TJdD0BqbaqZp6Ln/q5gjIfh5q9yQqZYgEdKkHI=
 
============================== GRYPHON RANSOMWARE ==============================


#444 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,750 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:25 PM

Posted 15 August 2017 - 07:54 AM

...We've got someone who has been hit by the new BTCWare Gryphon.
 
As far As I'm aware there is no current decrypter for it....

That is correct. It is an AES-256 version of the malware which uses a different RSA-1024 key and is not decryptable unless you have the private AES key from the criminals.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#445 KCSEC

KCSEC

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 15 August 2017 - 07:58 AM

 

...We've got someone who has been hit by the new BTCWare Gryphon.
 
As far As I'm aware there is no current decrypter for it....

That is correct. It is an AES-256 version of the malware which uses a different RSA-1024 key and is not decryptable unless you have the private AES key from the criminals.

 

Thank you for confirming this.



#446 liquid_user

liquid_user

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 21 August 2017 - 07:11 AM

Heya, one of our servers was hacked via RDP and ALETA was the variant that encoded everything. Here: https://www.hybrid-analysis.com/sample/d68dab1892b2b63d4aa76a6e40f3586da83f379679647fac1a234786729069ed?environmentId=100 is one engine that I uploaded the active sample to, to see how things go on. Hope the info is useful for future use. There are exports and a download of that sample, or all commands and files executed.

 

I don't know if this will work in the real world, but you can try using a strong password for any change to the antivirus; in our case ESET was removed by the ESET cmd, and there is an option to disable this environment. Another interesting thing we found is that when the system was infected, there was some strange install of a Malwarebytes core DLL tool; it looks like this interface was used to transfer files. Caught a log that, for every encrypted file, a SHA-1, SHA-256 and SHA-512 were made and kept.

 

Also for ESET: removed file by file, moved, changed security permissions and put back to execute the final uninstall...



#447 ternuz

ternuz

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 24 August 2017 - 04:33 AM

Hi all
Also our client caught this one week ago (.gryphon). He tried to pay first 0.2 bitcoin and then another 0.3 without receiving any key (DON'T PAY!!! THEY DON'T GIVE THE KEY ANYWAY).
We found an Italian company that helped us recover all the data (the price is high but the quality of the final work is perfect).
I hope you can find a solution as soon as possible!
Thanks for all and the forum!

#448 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:25 PM

Posted 24 August 2017 - 11:44 AM

Hi all
Also our client caught this one week ago (.gryphon). He tried to pay first 0.2 bitcoin and then another 0.3 without receiving any key (DON'T PAY!!! THEY DON'T GIVE THE KEY ANYWAY).
We found an Italian company that helped us recover all the data (the price is high but the quality of the final work is perfect).
I hope you can find a solution as soon as possible!
Thanks for all and the forum!

 

Willing to bet you anything they just paid the criminals for you. Happens all the time; they didn't actually crack the encryption if that's what they told you. Only chance legitimate recovery companies have is proper "undelete" recovery.




#449 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:25 PM

Posted 29 August 2017 - 09:42 PM

If anyone has been hit by the .[<email>].nuclear variant and has not rebooted the system, please PM me.

The .[<email>].nuclear variant also has a serious bug that irreversibly destroys some files. If an encrypted file has nothing but 0x00 bytes at the beginning, then it has been bleeped up by the bug, and even the criminals cannot recover it.
 
*Edit:
 
The .[<email>].gryphon variant has this same bug, but is just slightly less likely to happen due to a few factors (compared to .[<email>].nuclear). Again, if your .[<email>].gryphon files have 0x00 bytes at the beginning, then the file is lost forever.

 

Thanks to @mauronz for all the intricate analysis.


Edited by Demonslay335, 30 August 2017 - 02:11 PM.

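Two observations in this thread suggest a quick triage step before anyone waits on a decrypter: Demonslay335's note above that a .gryphon or .nuclear file whose leading bytes are all 0x00 is lost even to the criminals, and al1963's earlier point that a file can carry two rename layers (.wallet, then .cezar) when the encoder is still running during a restore attempt. The Python script below is an added example written for this page, not a tool from the thread, from ID Ransomware or from any decrypter: it peels the `.id-XXXXXXXX.[email].ext` suffixes off each file name, flags files that were encrypted twice, and flags files whose header has been zeroed so they can be set aside rather than fed to a future decrypter. The 8-hex-digit ID, the 16-byte header check length and the sample files it creates are assumptions; the e-mail address is the one from the file names posted in the thread.

```python
import os
import re
import tempfile

# Dharma/Crysis-style rename as seen in the thread: the original file name keeps
# its extension and gets ".id-<8 hex digits>.[<email>].<ext>" appended. The
# 8-digit ID is an assumption drawn from the examples posted (01234567, 4C018334).
SUFFIX_RE = re.compile(r"\.id-([0-9A-Fa-f]{8})\.\[([^\]]+)\]\.([A-Za-z0-9]+)$")

# Assumption: "nothing but 0x00 bytes at the beginning" is tested on this many
# leading bytes; the thread does not state a length.
NULL_HEADER_LEN = 16

EMAIL = "gladius_rectus@aol.com"  # the address from the file names in the thread


def parse_encrypted_name(name):
    """Peel every ".id-XXXXXXXX.[email].ext" layer off a file name.

    Returns (original_name, layers); layers lists (id, email, ext) tuples from
    the outermost (last applied) layer inward, so two layers means the file was
    encrypted twice, as al1963 observed for the .wallet/.cezar sample.
    """
    layers = []
    while True:
        m = SUFFIX_RE.search(name)
        if m is None:
            break
        layers.append((m.group(1), m.group(2), m.group(3)))
        name = name[:m.start()]
    return name, layers


def has_null_header(path, length=NULL_HEADER_LEN):
    """True when the file's first `length` bytes are all 0x00 (the destructive bug)."""
    with open(path, "rb") as f:
        head = f.read(length)
    return len(head) > 0 and head == b"\x00" * len(head)


def triage_directory(root):
    """Walk `root` and classify every ransomware-renamed file found, keyed by original name."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            original, layers = parse_encrypted_name(fname)
            if not layers:
                continue  # not renamed by the ransomware; leave it alone
            path = os.path.join(dirpath, fname)
            findings[original] = {
                "path": path,
                "layers": layers,
                "double_encrypted": len(layers) > 1,
                "unrecoverable": has_null_header(path),
            }
    return findings


def build_sample_tree():
    """Constructed sample files (not from the thread) written to a fresh temp dir."""
    d = tempfile.mkdtemp(prefix="triage_")
    samples = {
        # hit once, header intact: worth keeping for a future decrypter
        f"photo.jpg.id-01234567.[{EMAIL}].cezar": b"\x8a\x12\x7f" + bytes(range(40)),
        # hit once, header zeroed by the bug: lost even with the criminals' key
        f"report.docx.id-01234567.[{EMAIL}].cezar": b"\x00" * 64 + b"\x41\x42",
        # renamed again after a restore attempt while the encoder was still running
        f"notes.txt.id-01234567.[{EMAIL}].wallet.id-01234567.[{EMAIL}].cezar": b"\x33\x44\x55",
        # untouched file, must not appear in the findings
        "untouched.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    root = build_sample_tree()
    for original, info in sorted(triage_directory(root).items()):
        exts = " -> ".join(layer[2] for layer in reversed(info["layers"]))
        status = "UNRECOVERABLE (zeroed header)" if info["unrecoverable"] else "keep"
        print(f"{original:12s} layers: {exts:18s} double: {info['double_encrypted']!s:5s} {status}")
```

Run it against a real share by replacing `build_sample_tree()` with the path to the encrypted tree; the files it reports as unrecoverable are the ones to exclude from any later decryption attempt, and the double-encrypted ones are the ones that need both layers handled in order, outermost first.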


#450 Kapoon

Kapoon

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 02 September 2017 - 10:05 AM

Hi, I was infected by Gryphon .nuclear; not rebooted, not deleted, just killed the process 1 hour ago. I can give you a TeamViewer connection. I have shadow copies of the files. I have 4 GB of encrypted and decrypted files.


Edited by Kapoon, 02 September 2017 - 10:10 AM.




