
Unknown Ransomware


  • Please log in to reply
5 replies to this topic

#1 Araucano2010

Posted 17 May 2017 - 01:09 PM

Hi, on March 22nd, an unknown ransomware hit one of my company's PCs. I say unknown, because it didn't add any extension to the encrypted files, and since we were able to shut down the PC and perform a clean install, we never got any ransom note.

The only thing I know about it is that it propagated via network mappings, and it encrypted lots of file types. I uploaded a sample to the ID Ransomware web site, but no luck (case 243c4ae1a00605f90275a685b4d4b3fb4ee7615c).

I do have samples available both from binary and text files that have been hit.

If anyone can provide any suggestions, I'll be more than happy to hear them.

Best regards,

Miguel


#2 quietman7

Posted 17 May 2017 - 02:26 PM

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions.

Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4 byte long Crc32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim. PClock and Cryptofag do not use a filemarker.

The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.

Demonslay335 may be able to assist with identification using the case SHA1.

Based on current infection rates and statistics, PClock is the most prevalent ransomware variant that does not change the extension or leave a filemarker. Unfortunately, newer PClock variants are not decryptable...there is no longer any way to provide decryption without paying the ransom.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
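The header check quietman7 describes (a shared byte pattern at the start or end of every encrypted file), written up as an added example that is not from the thread; the sample files and the marker value are constructed, and `read_samples` is a helper assumed for reading real samples from disk:

```python
"""Look for a shared filemarker across encrypted-file samples (added example,
not from the thread): bytes common to the head or tail of every file suggest a
filemarker of the kind described above; none is consistent with markerless families."""
import os
from typing import List, Optional, Tuple


def common_prefix(blobs: List[bytes]) -> bytes:
    """Longest byte sequence shared at the start of every blob."""
    if not blobs:
        return b""
    shortest = min(blobs, key=len)
    for i, byte in enumerate(shortest):
        if any(b[i] != byte for b in blobs):
            return shortest[:i]
    return shortest


def common_suffix(blobs: List[bytes]) -> bytes:
    """Longest byte sequence shared at the end of every blob."""
    return common_prefix([b[::-1] for b in blobs])[::-1]


def detect_filemarker(blobs: List[bytes], min_len: int = 4) -> Optional[Tuple[str, bytes]]:
    """Return ("head" | "tail", marker) when every sample shares at least
    min_len bytes at that end, else None. The default of 4 is the shortest
    marker length the thread mentions (Spora's 4-byte CRC32)."""
    head = common_prefix(blobs)
    if len(head) >= min_len:
        return ("head", head)
    tail = common_suffix(blobs)
    if len(tail) >= min_len:
        return ("tail", tail)
    return None


def read_samples(path: str) -> List[bytes]:
    """Assumed helper: read every file in a directory of encrypted samples."""
    return [open(os.path.join(path, n), "rb").read() for n in sorted(os.listdir(path))]


# Constructed sample data, not real ransomware output. MARKER stands in for a
# 16-byte per-victim header like the one the thread attributes to CryptoWall.
MARKER = bytes.fromhex("deadbeef00112233445566778899aabb")
BODIES = [bytes(range(256)), bytes(range(255, -1, -1)), b"\x00" * 200]
HEAD_MARKED = [MARKER + b for b in BODIES]
TAIL_MARKED = [b + MARKER for b in BODIES]
UNMARKED = BODIES
```

On real samples, run `detect_filemarker(read_samples("path/to/samples"))`; a `None` result rules out only a fixed head or tail marker, not a marker placed elsewhere in the file.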

#3 Demonslay335

Posted 17 May 2017 - 02:40 PM

It's probably PClock, as there are no hex patterns or anything that ID Ransomware picked up. No way to be 100% certain without a ransom note, the malware, or any contact of the criminals.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 quietman7

Posted 17 May 2017 - 04:16 PM

I forgot to mention as a suggestion...PClock, like most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.

In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try.

#5 Araucano2010

Posted 18 May 2017 - 10:22 AM

Thanks to everyone for sharing your suggestions and tips. I still have a cold copy of the affected files, so I'll try to find out more about this one.

Best regards, and thanks again!

Miguel



#6 quietman7

Posted 18 May 2017 - 10:26 AM

You're welcome on behalf of the Bleeping Computer community and good luck.