
Help with ransomware .SON file - HOW TO RECOVER ENCRYPTED FILES.txt


This topic is locked.
8 replies to this topic

#1 carlj12 (Members, 9 posts)

Posted 08 May 2017 - 11:10 AM

I have a client that has gotten a new variant of possibly the Dharma, Amnesia or Globe3 ransomware, but I could be wrong. I tried the ESET and Kaspersky Dharma decryptors, but they did not work. I have not tried the Amnesia or Globe3 decryptors yet, as I still have to find an original file. If anyone has any more information on this variant, it would be greatly appreciated. Below is a sample of the file names and the text document.

 

File names:

2M000000001O9Dna2eX0HEuLprIpPwDU.[byd@india.com].SON

60000000000BXXbjWnC+jvvS7EsK3xcd3AqdSYhejEr6WpuKPXI3b0.[byd@india.com].SON

400000000010F1uexp8wczf3C-b2V8gk.[byd@india.com].SON

 

Text File (HOW TO RECOVER ENCRYPTED FILES.txt)

====================================================================================================

All your files have been encrypted!

Your personal identifier
[REMOVED]

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: byd@india.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 
If you can't contact us by mail:byd@india.com You can write to us on this mail: berwinwaylt@protonmail.ch
Free decryption as guarantee
Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 10Mb. 
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
https://localbitcoins.com/buy_bitcoins 
Also you can find other places to buy Bitcoins and beginners guide here:: 
http://www.coindesk.com/information/how-can-i-buy-bitcoins 
Attention!
Do not rename encrypted files. 
Do not try to decrypt your data using third party software, it may cause permanent data loss. 
Decoders of other users are incompatible with your data, as each user has a unique encryption key 

====================================================================================================




#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,930 posts, Virginia, USA)

Posted 08 May 2017 - 01:35 PM

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate]

#3 carlj12 (Topic Starter, Members, 9 posts)

Posted 08 May 2017 - 01:39 PM

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation?

 

Yes, I did, and it said it was either Globe3 or GlobeImposter2, but looking at the ransom note, the note matches more with Dharma or Amnesia.

 

EDIT: Result page: https://id-ransomware.malwarehunterteam.com/identify.php?case=dcc155fd78f2db33c580e96581d1bb64ded8b152


Edited by carlj12, 08 May 2017 - 01:43 PM.


#4 quietman7 (Bleepin' Janitor, Global Moderator, 50,930 posts, Virginia, USA)

Posted 08 May 2017 - 03:09 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#5 carlj12 (Topic Starter, Members, 9 posts)

Posted 08 May 2017 - 08:40 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

 

I have submitted a zip containing infected images, the ransom note, the wallpaper bitmap, a suspicious file named "hm.exe" and what I am sure is the actual virus executable and DLLs. Please let me know if you need any more information.



#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,426 posts, USA)

Posted 08 May 2017 - 09:46 PM

I've added filemarker calculations for Amnesia to ID Ransomware a little earlier today; your files all match that filemarker.

 

Fabian is still working out the algorithm to decrypt the filenames, but if you can find an encrypted file and its original, you should have some success with the Amnesia decrypter (you'll have to change the extension to ".amnesia" for them to get picked up).

 

One of the executables you submitted looks to possibly be a Bitcoin miner, by the way.


Edited by Demonslay335, 08 May 2017 - 09:48 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

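One way to do the staging step described above (renaming the ".[byd@india.com].SON" files to ".amnesia" so the Amnesia decrypter picks them up) without losing the original names. This is an added example, not code from the thread, Emsisoft, or ID Ransomware. It assumes only the file-name shape visible in the thread, `<opaque body>.[<contact e-mail>].SON`; the function names, the mapping file name and the sample tree it builds are constructed for illustration. The ransom note tells victims not to rename encrypted files, and the encrypted file names themselves still have to be decrypted later, so the script records every rename before it happens and can reverse it. Run it against a copy of the encrypted data, in dry-run mode first.

```python
"""Stage Amnesia-style "<body>.[<e-mail>].SON" files for a decrypter that keys on
the ".amnesia" extension, keeping a reversible record of every rename.

Added example, not code from the thread, Emsisoft, or ID Ransomware. The ".SON"
suffix and byd@india.com come from the file names in the thread; the function
names, MAP_FILE and the sample tree in run_demo() are assumptions."""
import csv
import os
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Observed in the thread: <opaque body>.[<contact e-mail>].SON
ENCRYPTED_NAME = re.compile(
    r"^(?P<body>[^\[\]]+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>SON)$",
    re.IGNORECASE,
)
STAGING_EXT = ".amnesia"             # extension the Amnesia decrypter looks for
MAP_FILE = "amnesia_rename_map.csv"  # assumed name; each row is "new,old"


def parse_encrypted_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (body, email, ext) for a file name matching the pattern, else None."""
    m = ENCRYPTED_NAME.match(name)
    return (m["body"], m["email"], m["ext"]) if m else None


def find_encrypted(root: Path, email: Optional[str] = None) -> Iterator[Path]:
    """Walk root and yield files whose names match, optionally for one e-mail only."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            parsed = parse_encrypted_name(f)
            if parsed and (email is None or parsed[1].lower() == email.lower()):
                yield Path(dirpath) / f


def stage_for_decrypter(root: Path, dry_run: bool = True) -> List[Tuple[Path, Path]]:
    """Plan (and with dry_run=False perform) <body>.[email].SON -> <body>.amnesia.

    Each rename is appended to MAP_FILE before it happens, so the original name
    survives an interrupted run. Returns the (old, new) pairs."""
    pairs = []
    for old in list(find_encrypted(root)):       # materialise before touching the tree
        body = parse_encrypted_name(old.name)[0]
        new = old.with_name(body + STAGING_EXT)
        if new.exists():                          # never clobber an earlier result
            continue
        pairs.append((old, new))
    if dry_run:
        return pairs
    with open(root / MAP_FILE, "a", newline="") as fh:
        writer = csv.writer(fh)
        for old, new in pairs:
            writer.writerow([str(new), str(old)])
            fh.flush()
            os.rename(old, new)
    return pairs


def restore_names(root: Path) -> int:
    """Undo stage_for_decrypter using MAP_FILE; returns how many files were renamed back."""
    map_path = root / MAP_FILE
    if not map_path.exists():
        return 0
    restored = 0
    with open(map_path, newline="") as fh:
        for new, old in csv.reader(fh):
            if Path(new).exists() and not Path(old).exists():
                os.rename(new, old)
                restored += 1
    map_path.unlink()
    return restored


def run_demo() -> dict:
    """Round trip on a constructed tree: the three names from the thread plus the
    ransom note, which must be left alone. File content is placeholder bytes."""
    sample = [
        "2M000000001O9Dna2eX0HEuLprIpPwDU.[byd@india.com].SON",
        "60000000000BXXbjWnC+jvvS7EsK3xcd3AqdSYhejEr6WpuKPXI3b0.[byd@india.com].SON",
        "400000000010F1uexp8wczf3C-b2V8gk.[byd@india.com].SON",
        "HOW TO RECOVER ENCRYPTED FILES.txt",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sub = root / "Documents"
        sub.mkdir()
        for i, name in enumerate(sample):
            (sub if i == 1 else root).joinpath(name).write_bytes(b"\x00" * 16)
        planned = stage_for_decrypter(root, dry_run=True)
        untouched = sorted(p.name for p in root.rglob("*.SON"))
        done = stage_for_decrypter(root, dry_run=False)
        staged = sorted(p.name for p in root.rglob("*" + STAGING_EXT))
        restored = restore_names(root)
        back = sorted(p.name for p in root.rglob("*.SON"))
    return {
        "planned": len(planned), "untouched_after_dry_run": len(untouched),
        "staged": staged, "done": len(done), "restored": restored, "back": len(back),
    }


if __name__ == "__main__":
    print(run_demo())
```

The mapping is written one row at a time and flushed before each rename, so even a half-finished run can be reversed with `restore_names()`; the `new.exists()` check means a second run never overwrites output the decrypter may already have produced. The rename is deliberately limited to the extension: the opaque body of each name is kept untouched so it can still be fed to a filename decryption step once one exists.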

#7 carlj12 (Topic Starter, Members, 9 posts)

Posted 08 May 2017 - 10:27 PM

I've added filemarker calculations for Amnesia to ID Ransomware a little earlier today; your files all match that filemarker.

 

Fabian is still working out the algorithm to decrypt the filenames, but if you can find an encrypted file and its original, you should have some success with the Amnesia decrypter (you'll have to change the extension to ".amnesia" for them to get picked up).

 

One of the executables you submitted looks to possibly be a Bitcoin miner, by the way.

 

Thank you. I am currently running the Amnesia decrypter and will post my results when complete. I'm assuming you're talking about the Emsisoft decrypter, right?

 

As for the other files, yes, you are right: svghost.exe is a CryptoNight Bitcoin miner. The hm.exe file is the dropper for it. I tested it in a VM. Unfortunately, it's probably not the source of the original ransomware exe. Where does Amnesia usually reside?



#8 carlj12 (Topic Starter, Members, 9 posts)

Posted 08 May 2017 - 10:43 PM

The Amnesia decrypter worked, though the file names still need decrypting and the file extensions need to be manually fixed.

 

Is there any way to manually input the key and IV, once found, into the decrypter without having to brute-force again?



#9 quietman7 (Bleepin' Janitor, Global Moderator, 50,930 posts, Virginia, USA)

Posted 09 May 2017 - 12:46 AM

Since the infection has been confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



