Puzzling Ransomware


7 replies to this topic

#1 staze

  • Members
  • 7 posts

Posted 23 May 2017 - 06:45 PM

Hi Everyone.

Was led to this forum when we were hit with ransomware today. We are scratching our heads on next steps. Here is what I can tell you:

  • AV SW was uninstalled leading me to believe we were hacked via RDP
  • Trying to open any folder called "bitdefender" or "Avast" would halt Windows Explorer. Unfortunately we killed a few too many processes without documenting the possible culprits.
  • Files are appended with ".id-2559797930_[mk.smoke@aol.com].a97rq"
  • The ransom note contains: "*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***  To decrypt your files you need to buy the special software – «Nemesis decryptor» You can find out the details / buy decryptor + key / ask questions by email: mk.smoke@aol.com
  • ID Ransomware identifies this as Dharma.
  • CRY128 fails
  • CryptON (Nemesis decrypter) fails
  • File size difference is 36 bytes. Emsisoft is calling this Cry36 for which there is no known remedy yet.

This is my first time on boards like this. Please let me know what I can do to help my situation. I do have a pair of known good and infected/locked files.

Thanks

Staze
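The post above gives two concrete indicators a responder can work with before any decryptor is tried: the appended name format (".id-&lt;numeric id&gt;_[&lt;contact email&gt;].&lt;extension&gt;") and a constant size difference between a clean file and its encrypted counterpart. The following triage helper is an added example written for this thread; it is not code from BleepingComputer, Emsisoft or the ID Ransomware service. It walks a directory tree, parses any filename matching that format, and, where a known-good original still sits beside the encrypted copy, records the size delta, so a victim can report one consistent number (36 bytes here) and the set of IDs and extensions seen rather than guessing. The sample tree it builds is constructed: the "encrypted" files are filler bytes 36 bytes longer than the originals, not real ciphertext, and the name-format regex is an assumption generalised from the single filename in the post.

```python
"""Triage helper for an appended-extension ransomware infection (added example).

Assumptions, not taken from the original post: the appended name format is
"<original>.id-<digits>_[<email>].<ext>", and a known-good copy of a file may
still exist next to its encrypted counterpart. The sample tree is constructed.
"""
import re
import tempfile
from pathlib import Path

# Name pattern generalised from the post's example,
# "bible.bmp.id-2559797930_[mk.smoke@aol.com].a97rq" (assumed format).
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>\d+)_\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name: str):
    """Split an encrypted filename into its fields; None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(name)
    return m.groupdict() if m else None


def triage_directory(root) -> list:
    """Walk `root`; for every file whose name matches the pattern, record its
    fields and, if the clean original is still beside it, encrypted-minus-original size."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        fields = parse_encrypted_name(path.name)
        if fields is None:
            continue
        original = path.with_name(fields["original"])
        delta = path.stat().st_size - original.stat().st_size if original.is_file() else None
        findings.append({
            "encrypted": str(path.relative_to(root)),
            "victim_id": fields["victim_id"],
            "contact": fields["contact"],
            "ext": fields["ext"],
            "size_delta": delta,
        })
    return findings


def summarize(findings: list) -> dict:
    """Aggregate what an analyst would ask for: how many files, which victim IDs,
    which extensions, and the distinct size deltas (one constant value is the
    useful signal; a spread of values suggests a different family or mixed infections)."""
    return {
        "count": len(findings),
        "victim_ids": sorted({f["victim_id"] for f in findings}),
        "extensions": sorted({f["ext"] for f in findings}),
        "size_deltas": sorted({f["size_delta"] for f in findings if f["size_delta"] is not None}),
    }


def build_sample_tree(root) -> None:
    """Constructed sample: two clean files, an 'encrypted' twin for each that is
    36 bytes longer (filler bytes, not real encryption), and one unrelated file."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    samples = {"bible.bmp": b"A" * 1000, "docs/report.docx": b"B" * 512}
    for rel, data in samples.items():
        clean = root / rel
        clean.write_bytes(data)
        enc_name = f"{clean.name}.id-2559797930_[mk.smoke@aol.com].a97rq"
        (clean.parent / enc_name).write_bytes(b"\x00" * (len(data) + 36))
    (root / "README.txt").write_bytes(b"unaffected")


def demo() -> dict:
    """Build the constructed tree in a temp dir, run triage, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(triage_directory(tmp))


if __name__ == "__main__":
    print(demo())
```

On a real share, point `triage_directory` at the affected root and include the summary (count, IDs, extensions, deltas) alongside the clean/encrypted pair when uploading samples; the numeric ID and contact address are the fields identification services key on, and a single constant delta across many pairs is stronger evidence of family than one pair alone.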

#2 jwoods301

  • Members
  • 1,489 posts

Posted 23 May 2017 - 07:19 PM


You might take a look at the current Dharma thread for more information...

https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-filenameemaildharmawalletzzzzz-support-topic/



#3 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 52,072 posts
  • Location: Virginia, USA

Posted 23 May 2017 - 08:07 PM

Cry9, Cry128, X3M, Nemesis are all the same as CryptON.

The extension looks to be a new variant or one I have not seen before....Demonslay335 or xXToffeeXx would have to confirm.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 staze (Topic Starter)

  • Members
  • 7 posts

Posted 23 May 2017 - 08:36 PM

Thanks jwoods301 and quietman7. I'll upload what I can as well as post in the other forum. Appreciate the timely response and will do what I can to help the community.



#5 staze (Topic Starter)

  • Members
  • 7 posts

Posted 23 May 2017 - 08:47 PM

I submitted a clean and infected version of the same file; bible.bmp.



#6 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 52,072 posts
  • Location: Virginia, USA

Posted 24 May 2017 - 06:28 AM

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#7 staze (Topic Starter)

  • Members
  • 7 posts

Posted 24 May 2017 - 11:47 AM

Thanks quietman7. Will more examples help?



#8 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 52,072 posts
  • Location: Virginia, USA

Posted 24 May 2017 - 02:27 PM

That will be up to Demonslay335 or xXToffeeXx to decide.