New ransomware infection; no note & id-ransomware cannot identify


23 replies to this topic

#1 Hank_T
  • Members
  • 9 posts

Posted 29 April 2017 - 03:37 AM

I have several thousand files encrypted and have tried several decryption tools in an attempt to help me. So far, no luck.
 

As I have confirmation still turned on for administrative tasks, I caught the process trying to delete virtual shadow volumes.
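The behaviour Hank_T caught above, a process trying to delete Volume Shadow Copies, is one of the few ransomware actions a defender can detect while it is happening, because it is almost always done through a handful of well-known command lines. The script below is an added example and not code from the thread or from any tool mentioned in it. It scans process-creation events written as JSON lines with the fields Image, ParentImage and CommandLine (an assumed, Sysmon-like shape), matches the command line against the usual shadow-copy and recovery-removal commands, and reports each hit with its parent process. The sample events are constructed; the only page-derived value in them is the wposys.exe path under AppData\Roaming\Microsoft reported later in this thread, used as the parent of the suspicious commands.

```python
"""Detect shadow-copy / recovery removal in process-creation events.

Added example, not code from the thread. Events are JSON lines with the
fields Image, ParentImage and CommandLine (an assumed, Sysmon-like shape);
the sample events below are constructed.
"""
import json
import re
from dataclasses import dataclass

# Well-known commands ransomware uses to remove Volume Shadow Copies and
# other recovery options. Matched case-insensitively against CommandLine.
RULES = [
    ("vssadmin delete shadows",       r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin resize shadowstorage", r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic shadowcopy delete",        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("Win32_ShadowCopy Delete()",     r"win32_shadowcopy.*\bdelete\b"),
    ("wbadmin delete catalog",        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("bcdedit recoveryenabled no",    r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


@dataclass
class Hit:
    event_no: int
    rule: str
    image: str
    parent: str
    command_line: str


def scan_events(lines):
    """Return one Hit per event whose CommandLine matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        cmd = ev.get("CommandLine", "")
        for name, rx in COMPILED:
            if rx.search(cmd):
                hits.append(Hit(n, name, ev.get("Image", "?"),
                                ev.get("ParentImage", "?"), cmd))
                break  # report the first matching rule only
    return hits


# Constructed sample events. The wposys.exe parent path is the one reported
# in this thread; the user name and everything else is made up.
SUSPECT_PARENT = r"C:\Users\user\AppData\Roaming\Microsoft\wposys.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": SUSPECT_PARENT,
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},                      # benign
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": SUSPECT_PARENT,
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": SUSPECT_PARENT,
     "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},          # benign
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for h in scan_events(SAMPLE_LOG):
        print(f"event {h.event_no}: {h.rule}\n  {h.parent} -> {h.image}\n  {h.command_line}")
```

Run as-is it reports four of the six constructed events; the two benign ones (listing shadows, opening Notepad) are left alone. In practice the parent process is the useful field: shadow-copy deletion launched from an unfamiliar executable under a user profile is far more telling than the command alone, which backup software also issues.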




#2 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 05:08 AM

I uploaded an encrypted .txt file and linked it back to this topic/thread.



#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 April 2017 - 06:13 AM

Did you upload samples here?

Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Without a ransom note it may be difficult to determine what infection you are dealing with. The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 shellystudio
  • Members
  • 3 posts

Posted 29 April 2017 - 06:44 AM

Hi Hank,

I just got infected by, I guess, the same ransomware. It encrypted all my files but did not change their extensions. I did not get any note anywhere.
When I try to open a photo, video or document (Excel, Word) I always get the message "format or extension incorrect". However, the extensions are exactly the same as before.
Malwarebytes found the ransomware and put it in quarantine. The exe was wposys.exe. :(( I don't know why that happened when they don't even ask for a ransom, hic.
I did upload an encrypted txt to https://www.bleepingcomputer.com/submit-malware.php?channel=168; now I'm just hoping for a decrypter ...


Edited by shellystudio, 29 April 2017 - 06:48 AM.
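The symptom shellystudio describes, files that keep their original extension but no longer open because the format is wrong, can be triaged without knowing the ransomware family: compare each file's leading bytes with the signature its extension implies, and treat near-random contents behind a wrong header as probable ciphertext. The script below is an added example, not code from the thread or from any tool mentioned in it. It builds a constructed sample tree in a temporary directory (the "encrypted" files are random bytes standing in for ciphertext), checks a handful of well-known file signatures, and uses a byte-entropy heuristic to separate likely-encrypted files from other mismatches such as truncated files. The format table, the entropy threshold and the verdict names are the example's own choices, and the idea generalises to any extension with a known signature.

```python
"""Find files whose extension is intact but whose contents no longer look
like that format (the 'format or extension incorrect' symptom).

Added example, not code from the thread. It builds a small constructed
sample tree in a temporary directory; the 'encrypted' files are random bytes
standing in for ciphertext.
"""
import math
import os
import tempfile
from collections import Counter

# Well-known leading bytes for common formats. MP4 is special-cased below
# because its 'ftyp' box starts at offset 4, not 0.
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".pdf":  (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip":  (b"PK\x03\x04",),
    ".mp4":  (b"ftyp",),
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; heuristic, ciphertext sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext, head):
    """True/False when the extension has a known signature, None otherwise."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    if ext == ".mp4":
        return head[4:8] == b"ftyp"
    return any(head.startswith(s) for s in sigs)


def classify(path):
    """Verdict for one file based on its first 4 KiB."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    ok = header_matches(ext, head)
    if ok is None:
        return "unknown-format"   # e.g. .txt: nothing to compare against
    if ok:
        return "header-ok"
    # Wrong header for the extension: near-random bytes point to encryption,
    # anything else (truncation, mislabelled file) is flagged separately.
    return "suspect-encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "suspect-other"


def triage(root):
    """Map each file under root (relative path, '/'-separated) to its verdict."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify(full)
    return results


def summarize(results):
    """Count verdicts, e.g. {'suspect-encrypted': 3, 'header-ok': 3, ...}."""
    return dict(Counter(results.values()))


def build_sample_tree():
    """Write a constructed sample tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="triage_")

    def ciphertext():
        # A leading zero byte guarantees a header mismatch; the rest is random.
        return b"\x00" + os.urandom(4095)

    samples = {
        "intact.jpg":    b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "intact.pdf":    b"%PDF-1.4\n" + b"x" * 64,
        "clip.mp4":      b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,
        "hit.jpg":       ciphertext(),
        "hit.docx":      ciphertext(),
        "sub/hit.png":   ciphertext(),
        "notes.txt":     b"plain text, no signature to check",
        "truncated.pdf": b"\x00" * 20,   # wrong header, but not ciphertext
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    res = triage(build_sample_tree())
    for rel, verdict in sorted(res.items()):
        print(f"{verdict:18} {rel}")
    print(summarize(res))
```

Pointing `triage()` at a real data directory gives a quick inventory of which files are probably encrypted and which are merely damaged, which is the kind of sample set an analyst asks for; files without a known signature (plain text, proprietary RAW formats not in the table) come back as unknown-format rather than being guessed at.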


#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 April 2017 - 06:48 AM

Malwarebytes found the ransomware and put it in quarantine. The exe was wposys.exe. :(( I don't know why that happened when they don't even ask for a ransom, hic.

Our crypto malware experts most likely will need a sample of the malware file itself to analyze.

#6 shellystudio
  • Members
  • 3 posts

Posted 29 April 2017 - 06:50 AM

 

Malwarebytes found the ransomware and put it in quarantine. The exe was wposys.exe. :(( I don't know why that happened when they don't even ask for a ransom, hic.

Our crypto malware experts most likely will need a sample of the malware file itself to analyze.

Do you need the wposys.exe, or an encrypted file?



#7 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 08:01 AM

Did you upload samples here?

Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Without a ransom note it may be difficult to determine what infection you are dealing with. The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.

Yes, there.

All files retain their native extensions.

As I stated opening this thread, no message.

 

Hi Hank,

I just got infected by, I guess, the same ransomware. It encrypted all my files but did not change their extensions. I did not get any note anywhere.
When I try to open a photo, video or document (Excel, Word) I always get the message "format or extension incorrect". However, the extensions are exactly the same as before.
Malwarebytes found the ransomware and put it in quarantine. The exe was wposys.exe. :(( I don't know why that happened when they don't even ask for a ransom, hic.
I did upload an encrypted txt to https://www.bleepingcomputer.com/submit-malware.php?channel=168; now I'm just hoping for a decrypter ...

I found the same executable. Here is the really BLEEPED up bit about this: the PC on which this infection happened has been unmanned for more than a week. It had been running a historical market data analysis. I can't comprehend how that application got on this machine.
 

Additionally, I have found 5 files that none of the malware/antivirus scans have picked up. They are in a directory off of AppData\Local\AQworks, and each of the files ends in a ".3" and contains a mixture of Chinese & Korean characters and Wingdings font. Each file is 158 KB in size.

 

The only software that I had running outside of the data analysis was TeamViewer. No web browser was open nor an e-mail client.

The Windows security service/Defender was stopped, the Task Manager disabled, and now none of the "native" Windows 10 apps will run.

Scratching my head and pissed off as hell.


Edited by Hank_T, 29 April 2017 - 08:44 AM.


#8 shellystudio
  • Members
  • 3 posts

Posted 29 April 2017 - 08:44 AM

 

Did you upload samples here?

Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Without a ransom note it may be difficult to determine what infection you are dealing with. The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.

Yes, there.

All files retain their native extensions.

As I stated opening this thread, no message.

 

Hi Hank,

I just got infected by, I guess, the same ransomware. It encrypted all my files but did not change their extensions. I did not get any note anywhere.
When I try to open a photo, video or document (Excel, Word) I always get the message "format or extension incorrect". However, the extensions are exactly the same as before.
Malwarebytes found the ransomware and put it in quarantine. The exe was wposys.exe. :(( I don't know why that happened when they don't even ask for a ransom, hic.
I did upload an encrypted txt to https://www.bleepingcomputer.com/submit-malware.php?channel=168; now I'm just hoping for a decrypter ...

I found the same executable. Here is the really BLEEPED up bit about this: the PC on which this infection happened has been unmanned for more than a week. It had been running a historical market data analysis. I can't comprehend how that application got on this machine.

The only software that I had running outside of the data analysis was TeamViewer. No web browser was open nor an e-mail client.

The Windows security service/Defender was stopped, the Task Manager disabled, and now none of the "native" Windows 10 apps will run.

Scratching my head and pissed off as hell.

 

I really hope for a decrypter :( 4 years of work as a photographer, over 10 TB of data lost :( Yes, I did back up to another HDD that was connected to the PC, so I lost all of it. Maybe I'm crazy, but if at least I could find how to send the ransom I would pay it to recover my files :(



#9 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 09:36 AM

 

 

 

I really hope for a decrypter :( 4 years of work as a photographer, over 10 TB of data lost :( Yes, I did back up to another HDD that was connected to the PC, so I lost all of it. Maybe I'm crazy, but if at least I could find how to send the ransom I would pay it to recover my files :(

 

There are pay services that claim they can decrypt.

 

I spoke to one virus help desk on Friday to tell them I had the virus running on a PC live and was going to give them access to it to get all of the background information they could - they were not interested as I was not a current client.

I have over 6,000 files encrypted. Strangely, on the directory tree on a 2 TB drive where I store pictures, only the first 2 levels of the directory structure were encrypted. It means several thousand, but not the 405 GB, or 65k pics, from level 3 downward.

The spread via cloud drive is a terrible pain however.



#10 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 09:37 AM

I'm hitting the rack (GMT +8) and will check back in 7-8 hours.



#11 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,469 posts
  • Gender:Male
  • Location:USA

Posted 29 April 2017 - 06:37 PM

Most likely you were hit by PClock. It is the most prevalent ransomware right now that leaves no file marker or extension on files (ID Ransomware would have picked up something). PClock is no longer decryptable as of 2015.

 

It may have come in via RDP if you have it active and the port open to the world.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#12 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 07:48 PM

Most likely you were hit by PClock. It is the most prevalent ransomware right now that leaves no file marker or extension on files (ID Ransomware would have picked up something). PClock is no longer decryptable as of 2015.

 

It may have come in via RDP if you have it active and the port open to the world.

 

I tried uploading the following files to https://id-randsomware.malwarehunterteam.com/identify.php: .jpg, .doc, .docx, .dotm, .dotx, .mp4 (file is too big: 35 MB), .pdf, .pptx, .txt, .xls, .xlsx and a .zip.

The result from all submissions: "Unable to determine ransomware".



#13 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 29 April 2017 - 07:59 PM

 

Most likely you were hit by PClock. It is the most prevalent ransomware right now that leaves no file marker or extension on files (ID Ransomware would have picked up something). PClock is no longer decryptable as of 2015.

 

It may have come in via RDP if you have it active and the port open to the world.

 

I tried uploading the following files to https://id-randsomware.malwarehunterteam.com/identify.php: .jpg, .doc, .docx, .dotm, .dotx, .mp4 (file is too big: 35 MB), .pdf, .pptx, .txt, .xls, .xlsx and a .zip.

The result from all submissions: "Unable to determine ransomware".

 

From most recent submission (zip file I think):
Please reference this case SHA1: 05b8f2e6621cb474c59f0314b12f86db727e36aa
 



#14 dagerm
  • Members
  • 8 posts
  • Gender:Male

Posted 01 May 2017 - 05:47 PM

Hi,
I'm also into photography and I think I had the same one as you.
Avast detected the same file: \appdata\roaming\microsoft\wposys.exe
And my files have the same name, extension, and no ransom note.
Did you find something?



#15 Hank_T (Topic Starter)
  • Members
  • 9 posts

Posted 01 May 2017 - 06:09 PM

Hi,
I'm also into photography and I think I had the same one as you.
Avast detected the same file: \appdata\roaming\microsoft\wposys.exe
And my files have the same name, extension, and no ransom note.
Did you find something?

 

Nothing. No help with either identifying the ransomware or decrypting my files.

Unfortunately, my earlier assessment of my picture directory was wrong. I opened a .png that was fine, but all of my raw and all of my .jpg/.jpeg/.mpg/.mp4 files are encrypted.

 

A search on wposys.exe has turned up {crickets}{crickets}. I think the three of us in this thread may be early victims.





