New ransomware infected both work and my computer at home

5 replies to this topic

#1 kingrogier (Members, 1 post)

Posted 22 May 2017 - 02:59 AM

Hey guys,

Last Saturday my computer at home got compromised and I have no idea how. Now my work computer is also compromised with ransomware. My computer did not get infected by clicking on an email or a download. I rarely use my computer at home. The last time I used it was like 5 days before it got infected.

Does anyone here know of or has anyone seen this virus? http://i.imgur.com/sELyJG1.jpg

 

I also tried to ID the ransomware using https://id-ransomware.malwarehunterteam.com/ and it came up negative. http://imgur.com/a/hhbmn

 

The extension they used to encrypt my files is ".damoclis".


Edited by kingrogier, 22 May 2017 - 04:31 AM.



#2 quietman7 (Bleepin' Janitor; Global Moderator, 51,744 posts; Virginia, USA)

Posted 22 May 2017 - 06:12 AM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot: (image of the ID Ransomware result page not reproduced here)

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto malware experts with analysis and investigation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
#3 Demonslay335 (Ransomware Hunter; Security Colleague, 3,557 posts; USA)

Posted 22 May 2017 - 09:09 AM

Might be something new, but possibly based on something else.

 

Any chance you have the malware that caused the encryption, or know how you got infected? Malicious files may be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Mikesign (Members, 2 posts)

Posted 27 May 2017 - 03:29 PM

I have the same infection. Started 26 May. Probably by RDP.

Also tested - SHA1: aab64e6aff2542ee1dc454447c7871470e4b3e72

I have uploaded a zip with the notification, an infected and an uninfected file through the link above.

Trend's tool, tested with Nemucod, says infected, but cannot decrypt.

 

Regards Mike


Edited by Mikesign, 27 May 2017 - 03:41 PM.


#5 quietman7 (Bleepin' Janitor; Global Moderator, 51,744 posts; Virginia, USA)

Posted 27 May 2017 - 05:55 PM

Did you check for any malicious files responsible for the infection? Demonslay335 needs that.

These are some common folder variable locations where malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUsersProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system, so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
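A small triage script in the spirit of the folder list in the post above, added here as an example and not part of quietman7's post or any BleepingComputer tool: it expands the same environment-variable locations, walks each one a few levels deep, and reports executables and DLLs modified after a cutoff date together with their SHA-256, which is what you would hand to an analyst or compare against your antivirus quarantine history. The extension set, the depth limit, the seven-day window and the function names are my assumptions; the tree built by build_constructed_sample is constructed for the demo and contains no real malware. On Windows the variables resolve to the real folders; elsewhere they stay unexpanded and are skipped.

```python
"""Triage helper: list recently modified executables in common malware drop folders."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Folder variables from the post above; %AllUsersProfile% is the variable's spelling.
# A trailing backslash keeps %SystemDrive% from expanding to a drive-relative "C:".
SUSPECT_LOCATIONS = [
    "%SystemDrive%\\",
    "%SystemRoot%\\",
    "%UserProfile%\\",
    "%AppData%\\",
    "%LocalAppData%\\",
    "%ProgramData%\\",
    "%Temp%\\",
]
# Assumed set of file types worth a second look; extend as needed.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_of(path):
    """Hex SHA-256 of a file, hashed in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_recent_executables(roots, since_epoch, max_depth=3):
    """Walk each root (environment variables expanded) up to max_depth levels and
    return executables/DLLs modified at or after since_epoch, newest first.
    os.walk does not honour Explorer's 'hidden' attribute, so %AppData% and
    friends are searched without changing any folder options."""
    findings = []
    for root in roots:
        base = Path(os.path.expandvars(root))
        if not base.is_dir():  # unset variable or missing folder: skip quietly
            continue
        base_depth = len(base.parts)
        for dirpath, dirnames, filenames in os.walk(base):
            depth = len(Path(dirpath).parts) - base_depth
            if depth >= max_depth:
                dirnames[:] = []  # stop descending; files at this level are still checked
            for name in filenames:
                candidate = Path(dirpath) / name
                if candidate.suffix.lower() not in SUSPECT_EXTENSIONS:
                    continue
                try:
                    info = candidate.stat()
                except OSError:  # locked, vanished or permission denied
                    continue
                if info.st_mtime >= since_epoch:
                    findings.append({
                        "path": str(candidate),
                        "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(info.st_mtime)),
                        "mtime": info.st_mtime,
                        "size": info.st_size,
                        "sha256": sha256_of(candidate),
                    })
    findings.sort(key=lambda item: item["mtime"], reverse=True)
    return findings


def build_constructed_sample(base_dir):
    """Constructed demo tree (no real malware): a fresh .exe under a Roaming-style
    path, a stale .dll dated 2000-01-01, and a text file that must be ignored."""
    base = Path(base_dir)
    fresh = base / "AppData" / "Roaming" / "updater.exe"
    fresh.parent.mkdir(parents=True, exist_ok=True)
    fresh.write_bytes(b"MZ constructed sample, not a real binary")
    stale = base / "legacy.dll"
    stale.write_bytes(b"MZ old library")
    os.utime(stale, (946684800, 946684800))
    (base / "readme.txt").write_text("not an executable")
    return str(fresh), str(stale)


def demo():
    """Run the scan over the constructed tree and report what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, stale = build_constructed_sample(tmp)
        cutoff = time.time() - 7 * 24 * 3600  # assumption: infection within the last week
        hits = find_recent_executables([tmp], cutoff)
        return {"hits": [h["path"] for h in hits], "fresh": fresh, "stale": stale,
                "sha256": hits[0]["sha256"] if hits else None}


if __name__ == "__main__":
    cutoff = time.time() - 7 * 24 * 3600
    for hit in find_recent_executables(SUSPECT_LOCATIONS, cutoff):
        print(f'{hit["modified"]}  {hit["size"]:>10}  {hit["sha256"]}  {hit["path"]}')
```

Run it as-is on the affected machine to get a dated, hashed list of candidates; anything you do not recognise in %AppData%, %Temp% or %ProgramData% is a good first thing to zip and upload via the submission link in the earlier replies. The hash lets you check whether your antivirus quarantine or history already logged the same file.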

#6 Mikesign (Members, 2 posts)

Posted 28 May 2017 - 05:40 AM

The Windows System recovery files were unusable and previous ones deleted. It looks like the malicious files were somehow stopped (the last drive was not 100% encrypted), but my antivirus is corrupted; I cannot start it.

The computer had not been used for a few days, and it seems like an RDP attack. Russian language was also set as default....

The problem is that the computer is old and hardly used anymore, mostly for testing some stuff, and very "messy", so it's hard to find the responsible files.

I will reinstall it without any tears shed.

Below is what AdwCleaner found, but I will look further.

[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[#] Sleutel verwijderd tijdens herstart: [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[#] Sleutel verwijderd tijdens herstart: [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
[-] Sleutel verwijderd: HKU\S-1-5-21-1582034999-3929319043-601225766-1001\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[#] Sleutel verwijderd tijdens herstart: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[#] Sleutel verwijderd tijdens herstart: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}


***** [ Browsers ] *****

[-] [C:\Users\Eigenaar\AppData\Local\Google\Chrome\User Data\Default] [extension] Verwijderd: booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\Eigenaar\AppData\Local\Google\Chrome\User Data\Default] [extension] Verwijderd: flpcjncodpafbgdpnkljologafpionhb
 

But my NAS files are also infected, and those backups are not 100% complete. (I had some problems with my NAS and backing up, and no time... due to kids and work.)

It seems that a portion (30%) in the last backup was corrupted.

Kind Regards, Mike
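The AdwCleaner output Mike pasted is in Dutch and mixes completed removals with ones deferred to the next reboot, so it helps to turn it into a structured list before deciding what still needs checking. The parser below is an added example and is not AdwCleaner code or anything from this thread; the only format assumptions it makes are the ones visible in the posted lines: `[-]` marks an item already removed, `[#]` with "tijdens herstart" (on reboot) marks one scheduled for removal at restart, `[x64]` tags the 64-bit registry view, and `***** [ Name ] *****` opens a section. Any other marker is reported as "unknown" rather than guessed. The sample lines are copied from the post above.

```python
"""Parse AdwCleaner-style removal logs into structured triage entries."""
import re
from collections import Counter

# Lines copied from the post above (Dutch locale). "Sleutel verwijderd" = "Key deleted",
# "tijdens herstart" = "on reboot", "Verwijderd" = "Removed".
SAMPLE_LOG = r"""
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[#] Sleutel verwijderd tijdens herstart: [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[#] Sleutel verwijderd tijdens herstart: [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Sleutel verwijderd: HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
[-] Sleutel verwijderd: HKU\S-1-5-21-1582034999-3929319043-601225766-1001\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[#] Sleutel verwijderd tijdens herstart: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[#] Sleutel verwijderd tijdens herstart: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}

***** [ Browsers ] *****

[-] [C:\Users\Eigenaar\AppData\Local\Google\Chrome\User Data\Default] [extension] Verwijderd: booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\Eigenaar\AppData\Local\Google\Chrome\User Data\Default] [extension] Verwijderd: flpcjncodpafbgdpnkljologafpionhb
"""

# Marker meanings inferred from the posted lines only; anything else is "unknown".
MARKERS = {"-": "removed", "#": "removed_on_reboot"}
REGISTRY_HIVES = ("HKLM", "HKCU", "HKU", "HKCR", "HKCC")

ENTRY_RE = re.compile(r"^\[(?P<mark>[^\]])\]\s*(?P<body>.+)$")
SECTION_RE = re.compile(r"^\*+\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*\*+$")
TAG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*")


def _strip_tags(text):
    """Peel leading [bracketed] tags (profile path, [extension], [x64]) off a string."""
    tags = []
    while True:
        match = TAG_RE.match(text)
        if not match:
            return tags, text
        tags.append(match.group("tag"))
        text = text[match.end():]


def parse_adwcleaner(log_text):
    """Return one dict per action line: section, state, tags, label, target, kind, hive, x64."""
    entries, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section_match = SECTION_RE.match(line)
        if section_match:
            section = section_match.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        tags, rest = _strip_tags(entry.group("body"))
        label, separator, target = rest.partition(": ")
        if not separator:  # no "label: target" split; keep the whole text as target
            label, target = "", rest
        more_tags, target = _strip_tags(target)  # e.g. "[x64] HKLM\..." after the colon
        tags += more_tags
        hive = target.split("\\", 1)[0].upper()
        is_registry = hive in REGISTRY_HIVES
        entries.append({
            "section": section,
            "state": MARKERS.get(entry.group("mark"), "unknown"),
            "tags": tags,
            "label": label,
            "target": target,
            "kind": "registry" if is_registry else ("browser_extension" if "extension" in tags else "other"),
            "hive": hive if is_registry else None,
            "x64": "x64" in tags,
        })
    return entries


def summarize(entries):
    """Counts a triage note would quote: totals, deferred items, per-kind and per-hive."""
    return {
        "total": len(entries),
        "deferred_to_reboot": sum(e["state"] == "removed_on_reboot" for e in entries),
        "by_kind": dict(Counter(e["kind"] for e in entries)),
        "by_hive": dict(Counter(e["hive"] for e in entries if e["hive"])),
        "x64_entries": sum(e["x64"] for e in entries),
    }


def pending_after_reboot(entries):
    """Targets to re-check once the machine has restarted."""
    return [e["target"] for e in entries if e["state"] == "removed_on_reboot"]


if __name__ == "__main__":
    parsed = parse_adwcleaner(SAMPLE_LOG)
    print(summarize(parsed))
    for target in pending_after_reboot(parsed):
        print("verify after reboot:", target)
```

The value of the split is practical: the four `[#]` entries are exactly the keys to confirm are gone after the restart, and the per-hive count shows the same search-scope CLSID was seeded in both the HKU and HKCU views, which is the kind of detail worth pasting into a reply alongside the uploaded samples.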

