FartPlz Ransomware Help & Support Topic (.fartplz & ReadME_Decrypt_Help_1.html)


12 replies to this topic

#1 outofhabit78

outofhabit78

  • Members
  • 8 posts

Posted 15 May 2017 - 09:14 PM

I work for a small local government agency in the US and a couple weeks back we got hit with a fairly severe bit of ransomware which tagged all of our files with .fartplz as the extension. Much as I love a good fart joke, this has been a little hard to take.
 
Paying the ransom is out of the question and while we have gotten the bulk of our data recovered using backups, we still have a server or two that we can't get back. There's no useful information out there on this one and ID-Ransomware wasn't any help either. Have any of you folks run into it? Is there another way to identify the encryption method?
 
 

fartplz.jpg


Edited by Grinler, 20 May 2017 - 10:11 AM.
Added image for identifications purposes



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,062 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 May 2017 - 06:07 AM


There are several different ransomware infections which append a random 4, 5, 6, 7, or 8 character extension to the end of all affected filenames (i.e. CTB-Locker, Crypt0L0cker, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants).

Did you upload both encrypted files and ransom notes together? Doing that provides a more positive match and helps to avoid false detections.

Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment.

Based on infection rates we see, you are most likely dealing with CTB-Locker or the newest Crypt0L0cker variant. If the extension is not random...it's something new.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 outofhabit78

outofhabit78
  • Topic Starter

  • Members
  • 8 posts

Posted 16 May 2017 - 07:50 AM

Much obliged.

Here's the case id from ID Ransomware:

909dbca73a38f522bd911ebf4164499fba199d4f

I did upload both ransom and an example. They didn't leave an e-mail, just a number of hyperlinks.



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,589 posts
  • Gender:Male
  • Location:USA

Posted 16 May 2017 - 08:19 AM

It's definitely something new. I tweeted a hunt about it awhile ago when I noticed a note come through; I'll add a rule to point victims to this topic.

https://twitter.com/demonslay335/status/859403281965228033

We will need a sample of the malware to analyze.


Edited by Demonslay335, 16 May 2017 - 08:20 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,062 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 May 2017 - 08:19 AM

Looks like it is something new....Michael Gillespie on Twitter: "#Ransomware Hunt: extension ".fartplz



#7 outofhabit78

outofhabit78
  • Topic Starter

  • Members
  • 8 posts

Posted 16 May 2017 - 06:51 PM

    Demonslay335, on 16 May 2017 - 08:19 AM, said:
    It's definitely something new. I tweeted a hunt about it awhile ago when I noticed a note come through; I'll add a rule to point victims to this topic.

    https://twitter.com/demonslay335/status/859403281965228033

    We will need a sample of the malware to analyze.

Thanks! A couple of us actually saw your tweet a few days ago. You were the only reason we didn't think we were out of our minds.

 

I'd be happy to get you a sample, probably in the morning. What's the best way to send it?


Edited by outofhabit78, 16 May 2017 - 06:53 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,062 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 May 2017 - 06:59 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#9 outofhabit78

outofhabit78
  • Topic Starter

  • Members
  • 8 posts

Posted 17 May 2017 - 10:12 AM

Done. I've submitted copies of both an encrypted file and the ransom. Many thanks to both of you for your time and efforts.



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,589 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2017 - 10:37 AM

We really need the malware - the virus that encrypted the files.




#11 outofhabit78

outofhabit78
  • Topic Starter

  • Members
  • 8 posts

Posted 17 May 2017 - 10:41 AM

    Demonslay335, on 17 May 2017 - 10:37 AM, said:
    We really need the malware - the virus that encrypted the files.

Yeah, can't help you there. We never located anything.



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,062 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 May 2017 - 02:06 PM

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.

#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,589 posts
  • Gender:Male
  • Location:USA

Posted 18 May 2017 - 07:48 AM

Seems Lawrence Abrams may have found a sample, we'll try digging into it soon.





