

Unknown Ransomware infection


  • This topic is locked
8 replies to this topic

#1 KinKaray

KinKaray

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 12 May 2017 - 10:54 PM

Hello guys and girls,
 
My mother's laptop got infected with ransomware and now most of her documents are locked with a .ba4d extension. I've tried uploading a file to ID Ransomware but was unable to verify which ransomware it was. I have the files, and the original .rar the ransomware created, but I don't think I have the ransom request anymore.
 

Thanks in advance for any help you guys can give me!

 

P.S.: I can't seem to find the "attach file" button, or anything like that!

 

P.S.: 477e4479e37a7b67249d7e1df4695f004cfd7865 is the hash created when I uploaded the file on the ID ransomware site


Edited by KinKaray, 12 May 2017 - 10:56 PM.



 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,555 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:16 AM

Posted 12 May 2017 - 11:31 PM

Hmm, none of the files are actually renamed? Just the extension ".ba4d" added like the two you submitted? I could only look at a hex preview of the PDF while on mobile, but it looks to be not encrypted. Could you try removing the extension and opening some files?

I've only seen that extension with Cerber before, which renames files to <random 10 char>.<random 4 char>, and just by the roll of the dice some people have had that extension.

If you have the malware itself, you may submit it here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Edited by Demonslay335, 12 May 2017 - 11:33 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 KinKaray

KinKaray
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 12 May 2017 - 11:34 PM

First thing that I thought... Tried removing the extension, but said file corrupted when I've tried.

I'll try again tomorrow, you replied just when I was going to sleep! I'll post another reply first thing in the morning

P.s. Dank you auto correct

Edited by KinKaray, 12 May 2017 - 11:36 PM.


#4 KinKaray

KinKaray
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 13 May 2017 - 08:32 AM

@Demonslay335

 

Hi, I've tried to remove the .ba4d from a PDF file, and when I tried opening it, I got an error saying that the "root object is missing or invalid".

 

And unfortunately I don't have the original virus. Is there another way to determine if the virus was this Cerber you say?


Edited by KinKaray, 13 May 2017 - 08:34 AM.


#5 KinKaray

KinKaray
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 13 May 2017 - 09:00 AM

One more bit of information...

 

I was doing some research about this Cerber while talking to my mom, and when we saw a picture of an example ransom note from Cerber, she recognized it. I'm pretty sure this is the one we got!


Edited by KinKaray, 13 May 2017 - 09:00 AM.


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,555 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:16 AM

Posted 13 May 2017 - 10:42 AM

I have the files, and the original .rar the ransomware created

 
What do you mean by this? I thought you meant you had the malware.
 
It looks like the files are indeed encrypted, but just from 0x700 and on in the case of the HTML file. I'm not sure this would be the real Cerber, as the entire file would be encrypted, plus renamed as I mentioned before. Without a ransom note or the malware, there's no way to be 100% certain.

 

It probably came from an email attachment or something she downloaded, so best to start looking there.




#7 KinKaray

KinKaray
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 13 May 2017 - 11:12 AM

Okay, I'll check it...

 

I meant I have the files that the ransomware created, and the .rar file the ransomware created.... The .rar is not encrypted nor password protected, just the files are encrypted

 

P.S.: My mom has a few emails with files attached to them, from the day the problem started. Do you want me to send them all for analysis, or is there a common spot I should look for it? Like size, file extension, or something like that...


Edited by KinKaray, 13 May 2017 - 11:21 AM.


#8 KinKaray

KinKaray
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:16 AM

Posted 13 May 2017 - 02:18 PM

Well... I found one of the virus files.... I've uploaded it on ID Ransomware, and I got the Cerber 4.0/5.0 answer... So I guess we're screwed??

 

The case file, in case you're wondering, is 3480eca86a3a5ae8aba25e871ab29e8a91e00bf9


Edited by KinKaray, 13 May 2017 - 02:19 PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:16 AM

Posted 13 May 2017 - 03:51 PM


Trend Micro released a Ransomware File Decryptor for victims of earlier Cerber v1 infections but it has limitations. BloodDolly explains why the decrypter is not very effective. Unfortunately, there is still no known way to decrypt files encrypted by Cerber v2/v3 or newer v4x/v5x variants which use 10 random characters with a random 4 character hexadecimal extension (i.e. 1xQHJgozZM.b71c) without paying the ransom.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in that support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
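Two checks come up in this thread: Demonslay335's observation that the HTML file was only encrypted from offset 0x700 on (the header survived, the rest did not), and quietman7's description of the Cerber v4/v5 naming scheme (10 random characters plus a 4-character hex extension, e.g. 1xQHJgozZM.b71c). The script below is an added example that automates both for triage; it is not a BleepingComputer, ID Ransomware or CryptoSearch tool. The character set assumed for the 10-character name part, the 256-byte block size and the 6.5 bits/byte entropy threshold are assumptions, and the three sample files are constructed in memory so the script runs offline.

```python
"""Ransomware triage helper (added example; not a BleepingComputer tool).

Check 1: does a file name follow the Cerber v4/v5 pattern quietman7 describes?
Check 2: from which offset does the content turn into high-entropy data, as in
         Demonslay335's "encrypted from 0x700 on" observation?
The name alphabet, block size and threshold are assumptions; samples are constructed.
"""
import hashlib
import math
import os
import re
from collections import Counter
from typing import Dict, Optional

# Assumed alphabet for the 10-character part (not confirmed by the thread).
CERBER_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.[0-9a-f]{4}$")

# A few common file signatures, used to see whether the original header survived.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"<!DOCTYPE": "html",
    b"<html": "html",
    b"\x89PNG": "png",
}


def is_cerber_style_name(path: str) -> bool:
    """True for names like 1xQHJgozZM.b71c; False for report.pdf.ba4d."""
    return CERBER_NAME.match(os.path.basename(path)) is not None


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: text is roughly 4-5, random or encrypted data close to 8."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def header_type(data: bytes) -> Optional[str]:
    """Format whose magic bytes the file starts with, or None if none match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_encrypted_offset(data: bytes, block: int = 256, threshold: float = 6.5) -> Optional[int]:
    """Offset of the first block from which every later block is high-entropy.

    None when no such run reaches the end of the file.  Resolution is one block.
    Compressed formats (zip, docx, jpeg) are high-entropy by nature, so read this
    together with header_type() rather than on its own.
    """
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if blocks and len(blocks[-1]) < block // 2:
        blocks.pop()  # a short tail cannot reach the threshold even when random
    start = None
    for idx, chunk in enumerate(blocks):
        if shannon_entropy(chunk) >= threshold:
            if start is None:
                start = idx * block
        else:
            start = None  # low-entropy block: the encrypted run must restart after it
    return start


def triage(path: str, data: bytes) -> Dict[str, object]:
    """Combine both checks into one verdict for a suspect file."""
    kind, offset = header_type(data), find_encrypted_offset(data)
    if offset is None:
        verdict = "no-encrypted-region"
    elif offset == 0:
        verdict = "fully-encrypted" if kind is None else "high-entropy-format"
    else:
        verdict = "partially-encrypted"
    return {"file": os.path.basename(path), "cerber_style_name": is_cerber_style_name(path),
            "header": kind, "encrypted_from": offset, "verdict": verdict}


def _constructed_keystream(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext (constructed)."""
    out, blk = bytearray(), seed
    while len(out) < n:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return bytes(out[:n])


# Constructed samples: PDF-like plaintext, the same with everything from 0x700
# replaced by "ciphertext", and a file with no plaintext left at all.
_PLAIN = (b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 100)[:0x700]
SAMPLE_CLEAN = _PLAIN
SAMPLE_PARTIAL = _PLAIN + _constructed_keystream(2048)
SAMPLE_FULL = _constructed_keystream(1024)

if __name__ == "__main__":
    for name, data in [("report.pdf", SAMPLE_CLEAN), ("report.pdf.ba4d", SAMPLE_PARTIAL),
                       ("1xQHJgozZM.b71c", SAMPLE_FULL)]:
        r = triage(name, data)
        off = r["encrypted_from"]
        print(f"{name}: {r['verdict']}, header={r['header']}, "
              f"encrypted_from={'none' if off is None else hex(off)}, "
              f"cerber_style_name={r['cerber_style_name']}")
```

On a real directory you would walk the files and feed each path and its bytes to triage(); a surviving header plus a high-entropy tail is the "partially encrypted" case from this thread, while a destroyed header with high entropy from byte 0 matches what one would expect from a family that encrypts the whole file and renames it.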



