Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


444 replies to this topic

#436 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,144 posts
  • Gender:Male
  • Location:USA

Posted 14 August 2017 - 10:38 AM

> Caught by this today. Mail sent but no answers from the ransom until now.
>
> Example:
>
> FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar
>
> Submitted a file to ID Ransomware and it says 4 possible variants about:
>
> Dharma (.onion)
>
> sample_bytes: [0xC4020 - 0xC4060] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
> custom_rule: Original filename "HDTune.exe" after filemarker
>
> GlobeImposter 2.0
>
> ransomnote_email: Gladius_rectus@aol.com
>
> Cryakl
>
> ransomnote_email: gladius_rectus@aol.com
>
> BTCWare Gryphon
>
> ransomnote_email: gladius_rectus@aol.com
>
> But I can't find any information related to this CEZAR extension.

 

It looks like we have a new variant of Dharma, currently looking into it. Any chance you have the malware?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#437 horuscurcino

  • Members
  • 4 posts

Posted 14 August 2017 - 05:55 PM

 

> Caught by this today. Mail sent but no answers from the ransom until now.
>
> Example:
>
> FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar
>
> Submitted a file to ID Ransomware and it says 4 possible variants about:
>
> Dharma (.onion)
>
> sample_bytes: [0xC4020 - 0xC4060] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
> custom_rule: Original filename "HDTune.exe" after filemarker
>
> GlobeImposter 2.0
>
> ransomnote_email: Gladius_rectus@aol.com
>
> Cryakl
>
> ransomnote_email: gladius_rectus@aol.com
>
> BTCWare Gryphon
>
> ransomnote_email: gladius_rectus@aol.com
>
> But I can't find any information related to this CEZAR extension.
>
> It looks like we have a new variant of Dharma, currently looking into it. Any chance you have the malware?

 

Not sure if I need to post here or under the Dharma thread, but I've sent some samples to Drive:

 

 

"data files encrypted.txt"

https://drive.google.com/file/d/0B7buw-zxwK1GckM2QU9ldnVEZW8/view?usp=sharing

 

"!## DECRYPT FILES ##!.txt.id-4C018334.[gladius_rectus@aol.com].cezar"

https://drive.google.com/file/d/0B7buw-zxwK1GVWlVMG12bHU2X1E/view?usp=sharing

 

Infected "HDTune.exe"

https://drive.google.com/file/d/0B7buw-zxwK1Ga2xCUW1yMU9COU0/view?usp=sharing

 

Safe "HDTune.exe"

https://drive.google.com/file/d/0B7buw-zxwK1GaHpmT0huNnVwYVk/view?usp=sharing


Edited by horuscurcino, 14 August 2017 - 05:55 PM.


#438 al1963

  • Members
  • 809 posts

Posted 14 August 2017 - 09:12 PM

It looks like there was double encryption.

Initially, the files were encrypted with Crysis.wallet, then again, already Crysis.cezar.


Edited by al1963, 14 August 2017 - 09:13 PM.


#439 horuscurcino

  • Members
  • 4 posts

Posted 14 August 2017 - 09:24 PM

> It looks like there was double encryption.
>
> Initially, the files were encrypted with Crysis.wallet, then again, already Crysis.cezar.

 

Sorry. It must be one of my rename tries and the payload surely encrypted it again.



#440 al1963

  • Members
  • 809 posts

Posted 14 August 2017 - 09:38 PM

> Sorry. It must be one of my rename tries and the payload surely encrypted it again.

 

Understandably. The encoder file was still active.
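The filename pattern quoted earlier in the thread (`name.id-<id>.[<email>].<ext>`) and al1963's point that a file can carry two suffixes when it is encrypted twice both lend themselves to a small parser that an incident responder can run over a directory listing. The Python below is an added example written for this thread, not a tool from the page, from ID Ransomware or from any other project mentioned here. It assumes the id is always eight hex characters (the page shows 01234567 and 4C018334), and its sample listing is constructed: the first two names are the ones posted, the twice-encrypted `report.docx` and the untouched `notes.txt` are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One encryption layer appended by the Dharma/Crysis family, as seen in the thread:
#   <original name>.id-<8 hex chars>.[<contact e-mail>].<variant extension>
# Assumption (not stated on the page): the id is always exactly 8 hex characters.
LAYER_RE = re.compile(
    r"\.id-([0-9A-Fa-f]{8})\.\[([^\[\]\s]+@[^\[\]\s]+)\]\.([A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class Layer:
    victim_id: str    # the id-XXXXXXXX value (01234567 and 4C018334 on the page)
    email: str        # contact address embedded in the name
    extension: str    # variant extension: cezar, wallet, ...


def peel_layers(name: str):
    """Strip every Dharma-style suffix from `name`.

    Returns (original_name, layers) with layers ordered outermost first, so a
    file encrypted twice (.wallet first, then .cezar) yields [cezar, wallet].
    """
    layers = []
    while True:
        m = LAYER_RE.search(name)
        if m is None:
            return name, layers
        layers.append(Layer(m.group(1), m.group(2).lower(), m.group(3).lower()))
        name = name[: m.start()]


def summarize_listing(names):
    """Aggregate a directory listing into the facts an incident report needs:
    which contact address/extension pairs were seen, which victim ids, how many
    files carry more than one layer (re-encrypted) and how many are untouched."""
    variants = Counter()
    victim_ids = set()
    double_encrypted = 0
    untouched = 0
    for name in names:
        _, layers = peel_layers(name)
        if not layers:
            untouched += 1
            continue
        for layer in layers:
            variants[(layer.email, layer.extension)] += 1
            victim_ids.add(layer.victim_id)
        if len(layers) > 1:
            double_encrypted += 1
    return {
        "variants": dict(variants),
        "victim_ids": sorted(victim_ids),
        "double_encrypted": double_encrypted,
        "untouched": untouched,
    }


# Constructed sample listing: the two names from the thread plus a made-up
# twice-encrypted file (first .wallet, then .cezar) and an untouched one.
SAMPLE_LISTING = [
    "FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar",
    "!## DECRYPT FILES ##!.txt.id-4C018334.[gladius_rectus@aol.com].cezar",
    "report.docx.id-4C018334.[gladius_rectus@aol.com].wallet"
    ".id-4C018334.[gladius_rectus@aol.com].cezar",
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        print(n, "->", peel_layers(n))
    print(summarize_listing(SAMPLE_LISTING))
```

Because the regex is anchored at the end of the name and the e-mail part cannot contain brackets, the loop always removes the outermost suffix first; that is what makes the order of the returned layers the reverse of the encryption order, which is the detail al1963 reconstructed by hand above.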



#441 horuscurcino

  • Members
  • 4 posts

Posted 14 August 2017 - 10:51 PM

Another sample of our most recent .CEZAR transformation.

 

 

avast_decryptor_crysis (1).exe

 

Encrypted:

https://drive.google.com/file/d/0BxxHXh_xbM8heDF1a1BobXhwSHM/view?usp=sharing

 

Genuine:

https://drive.google.com/file/d/0BxxHXh_xbM8hYnNoeDhWZEZoRWs/view?usp=sharing

 

 

Just to say about a curious behavior:

I think it neutralized our Cobian solution and sent a DELETE command to the tasks' destination, because it was pointing to an always-ready Google Drive sync folder and all data disappeared from there and from the cloud. The ransom attack must be quick, and it doesn't make sense to encrypt first and then delete the Cobian output folder. I'm now trying to rebuild the FAT to recover this folder and, hopefully, its contents.



#442 al1963

  • Members
  • 809 posts

Posted 14 August 2017 - 11:06 PM

In your case, the most useful file is the encoder file for analysis.

If it is preserved in the antivirus quarantine, then it can be extracted and transferred for analysis.



#443 KCSEC

  • Members
  • 2 posts

Posted 15 August 2017 - 04:26 AM

Hello,

 

We've got someone who has been hit by the new BTCWare Gryphon.

 

As far as I'm aware there is no current decrypter for it.

 

I'll attach what we have to try help fight this new variant. Please let me know if you want anything uploaded.

 

It seems to have been stopped mid-encryption, as it has not even renamed the files, just encrypted them.

 

BTCWare Decryptor seems to load up 2 private keys on startup but could be from previous attacks on this server.

 

 

I've not seen this email address listed anywhere else in the ransom note or without a secondary email address.

 

Server was hacked via RDP.

 

 

Note as follows,

 

!## DECRYPT FILES ##!.txt

 

 

============================== GRYPHON RANSOMWARE ==============================

 
Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - "GRYPHON DECRYPTER"
Using another tools could corrupt your files, in case of using third party 
software we dont give guarantees that full recovery is possible so use it on 
your own risk.
 
If you want to restore files, write us to the e-mail: 90x@aolonline.top        
In subject line write "encryption" and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
 
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
 
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress:                          
 
Your personal identification number:
 
bg3wWbNOJmN99eyf8Y9yKFt/tLrzB1wCiI2IPJk5zrTACS1ZJGfqe9YngHpCZ3gy68zRX5liZXVOwgpA
hgBvGVBTpo1Pit4iVkGHw8GjXN/QbHYaMybbGhR0Hun4zOFZ71Dn1TJdD0BqbaqZp6Ln/q5gjIfh5q9yQqZYgEdKkHI=
 
============================== GRYPHON RANSOMWARE ==============================


#444 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,297 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 August 2017 - 07:54 AM

> ...We've got someone who has been hit by the new BTCWare Gryphon.
>
> As far as I'm aware there is no current decrypter for it....

That is correct. It is an AES-256 version of the malware which uses a different RSA-1024 key and is not decryptable unless you have the private AES key from the criminals.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
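KCSEC's post with the Gryphon note and quietman7's remark about the RSA-1024 key can both be checked with a few lines of triage code. The Python below is an added example for this thread, not code from the page or from any project it mentions. It pulls the banner, the contact address and the "personal identification number" out of the note exactly as KCSEC posted it, reports that the identifier decodes to 128 bytes (the size of one RSA-1024 ciphertext, which is consistent with, though not proof of, a per-victim key wrapped with the attackers' RSA key), and confirms that the note's promised alternative address is blank, as KCSEC observed. It also adds a byte-entropy check for the case KCSEC describes where files were encrypted but never renamed, so a filename scan alone would miss them. The 7.5-bit threshold and the constant-byte and prose samples are assumptions of the example.

```python
import base64
import math
import re

# The "!## DECRYPT FILES ##!.txt" note as posted in the thread, used as sample input.
GRYPHON_NOTE = """\
============================== GRYPHON RANSOMWARE ==============================

Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - "GRYPHON DECRYPTER"
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.

If you want to restore files, write us to the e-mail: 90x@aolonline.top
In subject line write "encryption" and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)

It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.

Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress:

Your personal identification number:

bg3wWbNOJmN99eyf8Y9yKFt/tLrzB1wCiI2IPJk5zrTACS1ZJGfqe9YngHpCZ3gy68zRX5liZXVOwgpA
hgBvGVBTpo1Pit4iVkGHw8GjXN/QbHYaMybbGhR0Hun4zOFZ71Dn1TJdD0BqbaqZp6Ln/q5gjIfh5q9yQqZYgEdKkHI=

============================== GRYPHON RANSOMWARE ==============================
"""

BANNER_RE = re.compile(r"={5,}\s*([A-Z][A-Z ]+?)\s*={5,}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The note promises an alternative address; the posted copy leaves the line blank.
ALT_EMAIL_RE = re.compile(r"alternative e-?mail ad+ress:[ \t]*(\S+@\S+)?", re.IGNORECASE)
B64_LINE_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_victim_id(note: str) -> str:
    """Join the base64 lines that follow the 'personal identification number' header."""
    lines = note.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower().startswith("your personal identification number"):
            chunks = []
            for nxt in lines[i + 1:]:
                s = nxt.strip()
                if not s:
                    if chunks:
                        break
                    continue
                if not B64_LINE_RE.fullmatch(s):
                    break
                chunks.append(s)
            return "".join(chunks)
    return ""


def analyse_note(note: str) -> dict:
    """Extract the indicators a responder records from a ransom note."""
    banner = BANNER_RE.search(note)
    alt = ALT_EMAIL_RE.search(note)
    id_b64 = extract_victim_id(note)
    id_bytes = base64.b64decode(id_b64) if id_b64 else b""
    return {
        "family_banner": banner.group(1) if banner else None,
        "emails": list(dict.fromkeys(EMAIL_RE.findall(note))),
        "alternative_email": alt.group(1) if alt else None,
        "victim_id_b64": id_b64,
        # 128 bytes is exactly one RSA-1024 ciphertext block
        "victim_id_len": len(id_bytes),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Assumed threshold: plain documents rarely exceed ~6 bits/byte, ciphertext sits near 8."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    print(analyse_note(GRYPHON_NOTE))
    print(looks_encrypted(b"The quick brown fox " * 200))   # constructed prose sample
    print(looks_encrypted(bytes(range(256)) * 16))          # constructed uniform sample
```

The entropy check is a triage heuristic, not a verdict: already-compressed formats (archives, JPEGs, many Office files) also score high, so on a real server it is used to shortlist files for a closer look, not to declare them encrypted.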

#445 KCSEC

  • Members
  • 2 posts

Posted 15 August 2017 - 07:58 AM

 

> ...We've got someone who has been hit by the new BTCWare Gryphon.
>
> As far as I'm aware there is no current decrypter for it....
>
> That is correct. It is an AES-256 version of the malware which uses a different RSA-1024 key and is not decryptable unless you have the private AES key from the criminals.

 

Thank you for confirming this.





