Unable to determine ransomware - Files crypted

9 replies to this topic
#1 stb (Members, 7 posts)

Posted 04 May 2017 - 03:44 AM

Dear all, thanks in advance.

 

Ref. from ID Ransomware SHA1: 8c0dd1d516557cbe202f8aaff9464c8649bb97d0

 

What kind is this?

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software. To recover data, follow the instructions!
You can find out the details/ask questions in the chat:
 
You ID: 1777644912
 
If the resource is not available for a long time, install and use the Tor-browser:
1. Run your Internet-browser
2. Enter or copy the address https://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
3. On the site will be offered to download the Tor-browser, download and install it. Run.
4. Connect with the button "Connect" (if you use the English version)
5. After connection, the usual Tor-browser window will open
6. Enter or copy the address http://fgb45ft3pqamyji7.onion in the address bar of Tor-browser and press key ENTER
7. Wait for the site to load
 
If you have any problems installing or using, please visit the video tutorial


#2 stb (Topic Starter)

Posted 04 May 2017 - 04:04 AM

see sample at https://www.bleepingcomputer.com/submit-malware.php?channel=168 



#3 stb (Topic Starter)

Posted 04 May 2017 - 04:25 AM

As I see it, it seems that only the first xxx bytes (10 KByte, up to 27ff hex) of each file are encrypted: see sample.....

[Pasted sample omitted here: roughly 10 KB of binary ciphertext from the start of the file, followed by the rest of the file still in clear. The clear part is readable text from a mineralogical/occupational-medicine reference: the tail of a bibliography (Rom WN: Environmental and occupational medicine; Valentin H et al.: Arbeitsmedizin Vol 2; Wilson JD et al.: Harrison's principles of internal medicine, 12th ed.; Wirth W, Gloxhuber C: Toxikologie) and then the entry "Chrysocolla" with its Classification, Synonyms/Trade Names, Chemistry/Composition, Structure, Crystallographic Constants, Crystal Group, Color, Optical Properties, Pleochroism, Powder Diagram, Natural Sources and Medical Importance sections.]

Edited by stb, 04 May 2017 - 05:03 AM.


#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 04 May 2017 - 08:59 AM

Not sure what encrypted it. The file pattern is similar to Cry9 / Cry128, but it does not have the filemarker. Could you upload a ransom note to the site as well? That'll be the only way to fully identify.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#5 stb (Topic Starter)

Posted 04 May 2017 - 09:20 AM

The ransom note, please see below. I am wondering why they encrypted only the first 10 KBytes of each file; the encrypted files are 36 bytes larger.
I am also wondering about the first 40HEX bytes; they seem to be a key pair.

Edited by stb, 04 May 2017 - 09:28 AM.


#6 stb (Topic Starter)

Posted 04 May 2017 - 09:27 AM

https://id-ransomware.malwarehunterteam.com/identify.php?case=e32db51a878079a97f4cb8471410b779aa318bda

tells me Cry9:

1 Result: Cry9. This ransomware is decryptable!


#7 stb (Topic Starter)

Posted 04 May 2017 - 09:44 AM

The decryptor decrypt_Cry9 would not decrypt because the file size differences are not 6? bytes; they are 36 bytes.



#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 04 May 2017 - 09:58 AM

Hmm, that is odd that it didn't encrypt the whole file. That Tor link is confirmed for Cry9, but the file doesn't have the filemarker.

 

Do you have the malware? That'll be the only way we can really help at all.




#9 mclaugb (Members, 1 post)

Posted 04 May 2017 - 09:13 PM

I posted a number of items in this forum on the gebdp3k7bolalnd4onion version of this.  This forum is more detailed:

https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/

 

I caught several exe files that showed up under c:\ and the c:\windows\dell directory. I've zipped them up in a password-protected zip file and am happy to share them if you tell me how to send them to you. I submitted them to McAfee (which was running at the time when this ransomware took over the machine and encrypted everything).

 

 

Lots of files are exactly 32 bytes larger than the originals.  But some appear to not follow that exact pattern.

 

The CRY128, CRY9, and a host of other decryptors don't work on this one yet.  

 

Any help appreciated!!!

 

Bryan


Edited by mclaugb, 04 May 2017 - 09:15 PM.
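The observations in posts #3, #5 and #9 above (only the first ~10 KB of each file overwritten, plaintext still readable after that, encrypted copies 32 or 36 bytes larger than the originals, some files not fitting the pattern) are exactly what a file-pair triage script should measure before anyone reaches for a decryptor. The following is an added example written for this page; it is not code posted in the thread and not part of the Cry9 decryptor or of ID Ransomware. It assumes only that the untouched tail of the file is a verbatim copy of the original, and it tests two guessed layouts for the extra bytes (a trailer after the plaintext tail, or a header in front of the ciphertext) without claiming either is the real Cry9 format. The sample pair it builds is constructed, not victim data, and mimics the sizes reported above (0x2800-byte encrypted prefix, 36-byte trailer); run it with two file paths to analyze a real original/encrypted pair instead.

```python
"""Triage of a partially encrypted file against its original (added example, not from the thread)."""
import math
import random
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for ciphertext, usually 4 to 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 2048) -> list:
    """Per-block entropy; a drop from about 8 to about 5 marks the ciphertext/plaintext
    boundary and works even when no original copy of the file is available."""
    return [round(shannon_entropy(data[i:i + block]), 2) for i in range(0, len(data), block)]


def _common_suffix_len(a: bytes, b: bytes) -> int:
    """Number of trailing bytes on which a and b agree."""
    n = 0
    limit = min(len(a), len(b))
    while n < limit and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def analyze_pair(original: bytes, encrypted: bytes) -> dict:
    """Work out how many leading bytes were overwritten and where the extra bytes sit.

    Two layouts are tested (an assumption for this example, not the documented Cry9 format):
      A: E(orig[:k]) || orig[k:] || trailer of size_delta bytes
      B: header of size_delta bytes || E(orig[:k]) || orig[k:]
    Whichever leaves the longer untouched plaintext tail wins. A byte or two of
    ciphertext may match the plaintext by chance, so k is accurate to within that.
    """
    delta = len(encrypted) - len(original)
    if delta < 0:
        raise ValueError("encrypted file is shorter than the original; not an overwrite-and-append scheme")
    tail_a = _common_suffix_len(original, encrypted[:len(original)])   # layout A
    tail_b = _common_suffix_len(original, encrypted)                    # layout B
    if tail_a >= tail_b:
        layout, tail, extra = "trailer", tail_a, encrypted[len(original):]
    else:
        layout, tail, extra = "header", tail_b, encrypted[:delta]
    k = len(original) - tail                                            # encrypted prefix length
    cipher_start = delta if layout == "header" else 0
    head = encrypted[cipher_start:cipher_start + k]
    plain = encrypted[cipher_start + k:cipher_start + k + tail]
    return {
        "size_delta": delta,
        "layout": layout,
        "extra_bytes_hex": extra.hex(),
        "encrypted_prefix_len": k,
        "last_encrypted_offset": hex(k - 1) if k else None,
        "plaintext_tail_len": tail,
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(shannon_entropy(plain), 2),
    }


def build_sample(seed: int = 7):
    """Constructed sample pair (not real victim data): a 30000-byte text file whose first
    0x2800 bytes were overwritten and which grew by a 36-byte trailer, mimicking the sizes
    reported in the thread. Every overwritten byte is forced to differ from the original."""
    rng = random.Random(seed)
    line = b"Chrysocolla belongs to the zeolites; for further information see under the zeolite group.\n"
    original = (line * 400)[:30000]
    cipher_head = bytes((b + rng.randrange(1, 256)) % 256 for b in original[:0x2800])
    trailer = bytes(rng.getrandbits(8) for _ in range(36))
    return original, cipher_head + original[0x2800:] + trailer


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # usage: triage.py ORIGINAL ENCRYPTED
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            orig, enc = f1.read(), f2.read()
    else:
        orig, enc = build_sample()
    for key, value in analyze_pair(orig, enc).items():
        print(f"{key:>22}: {value}")
    print("entropy profile (2 KB blocks):", entropy_profile(enc)[:8], "...")
```

On the constructed pair the script reports a 36-byte trailer, an encrypted prefix of 0x2800 bytes (last encrypted offset 0x27ff), a head entropy near 8 bits per byte and a tail entropy near 4. Running it over every pair in a victim's set quickly shows which files deviate from the common pattern (a different size delta, or a prefix length that is not a fixed size) and gives the hex of the extra bytes to compare across files, which is the evidence a decryptor author needs before the "invalid file pair" error can be explained.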


#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 05 May 2017 - 05:48 AM

I posted a number of items in this forum on the gebdp3k7bolalnd4onion version of this.  This forum is more detailed:
https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/ ...

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.