nCrypt Ransomware (.nCrypt, how_to_back_files.html) Support & Help Topic


17 replies to this topic

#1 RodneyHamp

Posted 13 May 2017 - 10:48 PM

Hello-
  This past Tuesday night, I was hit with some ransomware that encrypted all the files on my computer with the extension *.nCrypt. When I uploaded an encrypted file to the id-ransomware site, it was unable to determine what it was, with the reference "SHA1: a762efe08c7b19f8dc82d6ba444c71621d29e9d6" I also tried uploading the ransom note, and it came back with 2 results: GlobeImposter 2.0 and GlobeImposter. Naturally I did a little bit of research on those and the ransom note I have looks much different from that one, the one I have doesn't even say how much money to give them, just to e-mail them to find out. Any help I can receive would be greatly appreciated.
 
Thanks in advance for any assistance anyone can provide!
 
here is the ransom note that was left:
[image: screenshot of the ransom note]

#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 14 May 2017 - 06:30 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 RodneyHamp (Topic Starter)

Posted 14 May 2017 - 09:37 AM

> Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

 

Thank you, I will go ahead and do that.



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 14 May 2017 - 10:38 AM

What indicators triggered for GlobeImposter? Was it just the ransom note filename? Could be a false-positive.

 

The note definitely looks new. Not pulling up anything by the BTC or email address on Google.

 

Could you find some encrypted files and their originals for comparison? I'm seeing not the whole file is encrypted, could be a clue. Also, more importantly, we really need the malware itself to analyze. You can zip them all together and submit to the same link.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
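Demonslay335's remark above that not the whole file appears to be encrypted is exactly the kind of thing an analyst checks by diffing an encrypted file against its original. The Python script below is an added example, not code from this thread, from ID Ransomware or from any of the posters: given an original/encrypted pair it reports which byte ranges changed, what fraction of the file that is, the Shannon entropy of the changed and untouched regions, and how much data was appended past the original length. The sample pair is constructed inline (first 4 KiB XORed with a keystream plus a 16-byte tail) purely as a stand-in; that layout is an assumption and says nothing about what this particular malware does.

```python
import math
import random
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, noticeably lower for text or documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def diff_ranges(original: bytes, encrypted: bytes, merge_gap: int = 16) -> list:
    """Half-open (start, end) ranges over the common length where the bytes differ.

    Runs of equal bytes shorter than merge_gap are folded into the surrounding
    changed range, so a ciphertext byte that happens to equal the plaintext byte
    does not split one encrypted block into many small ranges.
    """
    n = min(len(original), len(encrypted))
    raw = []
    start = None
    for i in range(n):
        if original[i] != encrypted[i]:
            if start is None:
                start = i
        elif start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, n))
    merged = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


@dataclass
class PairReport:
    original_size: int
    encrypted_size: int
    changed_ranges: list
    changed_bytes: int
    appended_bytes: int      # bytes beyond the original length (footer, key blob, marker...)
    entropy_changed: float
    entropy_untouched: float

    @property
    def changed_fraction(self) -> float:
        return self.changed_bytes / self.original_size if self.original_size else 0.0

    def layout(self) -> str:
        """Coarse description of how much of the file was touched."""
        if self.changed_bytes == 0:
            return "unchanged"
        if self.changed_ranges == [(0, min(self.original_size, self.encrypted_size))]:
            return "full"
        if len(self.changed_ranges) == 1 and self.changed_ranges[0][0] == 0:
            return "head-only"
        return "partial"


def compare_pair(original: bytes, encrypted: bytes) -> PairReport:
    ranges = diff_ranges(original, encrypted)
    n = min(len(original), len(encrypted))
    changed = b"".join(encrypted[s:e] for s, e in ranges)
    untouched = bytearray()
    pos = 0
    for s, e in ranges:          # everything between changed ranges is untouched
        untouched += encrypted[pos:s]
        pos = e
    untouched += encrypted[pos:n]
    return PairReport(len(original), len(encrypted), ranges, len(changed),
                      max(0, len(encrypted) - len(original)),
                      shannon_entropy(changed), shannon_entropy(bytes(untouched)))


def compare_files(original_path: str, encrypted_path: str) -> PairReport:
    """Convenience wrapper for a real pair pulled off a victim machine."""
    with open(original_path, "rb") as f, open(encrypted_path, "rb") as g:
        return compare_pair(f.read(), g.read())


def build_sample_pair() -> tuple:
    """Constructed stand-in for a real pair (assumption: only the first 4 KiB is
    encrypted and a 16-byte tail is appended). Not derived from any real sample."""
    original = (b"The quick brown fox jumps over the lazy dog. " * 200)[:8192]
    rng = random.Random(7)
    keystream = bytes(rng.randrange(1, 256) for _ in range(4096))  # never 0, so every byte changes
    head = bytes(p ^ k for p, k in zip(original[:4096], keystream))
    return original, head + original[4096:] + b"CONSTRUCTED-TAIL"


if __name__ == "__main__":
    orig, enc = build_sample_pair()
    r = compare_pair(orig, enc)
    print(f"layout={r.layout()} changed={r.changed_bytes}/{r.original_size} "
          f"({r.changed_fraction:.1%}) ranges={r.changed_ranges} appended={r.appended_bytes}")
    print(f"entropy changed={r.entropy_changed:.2f} untouched={r.entropy_untouched:.2f}")
```

Run it on several original/encrypted pairs of different sizes: a constant changed-range boundary (say, always the first N bytes) or a fixed appended tail is the kind of structural clue that helps an analyst group samples into a family, and the entropy split confirms that the untouched region really is still plaintext rather than differently encrypted.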


#5 RodneyHamp (Topic Starter)

Posted 14 May 2017 - 10:54 AM

> What indicators triggered for GlobeImposter? Was it just the ransom note filename? Could be a false-positive.
>
> The note definitely looks new. Not pulling up anything by the BTC or email address on Google.
>
> Could you find some encrypted files and their originals for comparison? I'm seeing not the whole file is encrypted, could be a clue. Also, more importantly, we really need the malware itself to analyze. You can zip them all together and submit to the same link.

I'm guessing the file name for the ransom note triggered GlobeImposter, I think it is the same file name that they use. I have zipped up a couple of encrypted files and their unencrypted versions as well as the ransom note. Unfortunately, I don't have the malware. Before I knew what ransomware was, I immediately ran every anti-malware program to get rid of everything, which I now know I shouldn't have done. The only things they found were a "safesearch .ch hijacker" and a backdoor program called "1.exe".

 

I will upload the zip file I created. I have more encrypted/unencrypted twins I can upload as well if needed.

Again, thank you for taking the time to help me out!



#6 PuterPro

Posted 18 May 2017 - 06:46 AM

I'm also dealing with the .nCRYPT extension Ransomware.

 

The owner tried fixing it herself so the malware is gone, nothing left but lots of encrypted files. Amateurs .... {Grin}

 

Attempts to submit for identifying have failed, except as @RodneyHamp noted about GlobeImposter...

 

I'm submitting an encrypted Word docx as a sample. Any help, of course would be greatly appreciated.

I've been a lurker here for years, but have donated several times to the cause. :-)

Thx!

All the Best, PuterPro



#7 RodneyHamp (Topic Starter)

Posted 18 May 2017 - 08:40 AM

Yeah, I'm one of those annoying amateurs who probably ended up screwing myself :(

 

All that does is make me angrier too.  Ugh.  I hate this helpless feeling!  At least I now know I am not the only one who has been hit with this.  Hopefully someone can get a decryption key. I never even knew this stuff existed before. I will be donating to the cause for sure.

 

If you hear of anything, please let me know!



#8 PuterPro

Posted 18 May 2017 - 09:34 AM

Amateurs - LOL! Wasn't aimed at you, Rodney! ... ;-)

 

The people who own the machine told me nothing had been done to it.

So I get the machine and find they had run 3 different scanners and removed all evidence of the problem!

Well, except for hundreds of encrypted documents and spreadsheets that they had no backup for. Nice.

 

I, like you, am waiting with bated breath for those who know more than I on this stuff to weigh in.

I've been a Tech for 37 years in Computers (47 as an Electronics Tech), and I learned long ago that trying to know everything about computers is like trying to swallow the ocean. Good luck with that!

 

Hope someone throws us a life ring, LOL!

PuterPro



#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 18 May 2017 - 10:12 AM

What is the actual name of the ransom note?

#10 RodneyHamp (Topic Starter)

Posted 18 May 2017 - 10:25 AM

> What is the actual name of the ransom note?

 

my ransom note is "how_to_back_files.html" which I think is why I got a false positive on GlobeImposter.


> Amateurs - LOL! Wasn't aimed at you, Rodney! ... ;-)
>
> The people who own the machine told me nothing had been done to it.
>
> So I get the machine and find they had run 3 different scanners and removed all evidence of the problem!
>
> Well, except for hundreds of encrypted documents and spreadsheets that they had no backup for. Nice.
>
> I, like you, am waiting with bated breath for those who know more than I on this stuff to weigh in.
>
> I've been a Tech for 37 years in Computers (47 as an Electronics Tech), and I learned long ago that trying to know everything about computers is like trying to swallow the ocean. Good luck with that!
>
> Hope someone throws us a life ring, LOL!
>
> PuterPro

 

hahaha thanks :) I am a 35 year old teacher, I grew up in the 90s and was a whiz with Windows 95 hahaha. nowadays? not so much!!



#11 PuterPro

Posted 18 May 2017 - 10:38 AM

Rodney - HA! I feel ya.

I feel like I'm running through hip deep mud trying to keep up! Fast as I learn it it's changed.

 

I'm a general tech, so I know a little bit about a whole lot of things, every once in a while I have to plunge deep, like for this ransomware nonsense.

 

quietman - "What is the actual name of the ransom note?" - Mine was the same as Rodney's - how_to_back_file.html.

 

I resubmitted the files as a RAR, the unencrypted, an original of it, and the ransom note a little while ago.


Edited by PuterPro, 18 May 2017 - 10:44 AM.


#12 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 18 May 2017 - 10:59 AM

This might actually be a new variant of GlobeImposter after all. Digging more into it.




#13 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 18 May 2017 - 11:01 AM

Just got confirmation from xXToffeeXx that this is the new GlobeImposter. They've changed up the look of the ransom note. Afraid it is not decryptable. I've updated ID Ransomware to add the extra indicators.




#14 PuterPro

Posted 18 May 2017 - 12:43 PM

Thanks SO much for the update. Sad news, but I expected it was so... Thanks again!!

PuterPro



#15 RodneyHamp (Topic Starter)

Posted 18 May 2017 - 08:11 PM

Crap crapity crap. Thanks so much for taking the time to help me out. I've backed up my encrypted files to an external HD, and I guess I'll just have to keep my fingers crossed and keep checking to see if it ever becomes decryptable. I'll keep checking your twitter. Thanks again, I really appreciate it.



