
New *.oled ransomware extension - filename.[black.mirror@qq.com].oled


9 replies to this topic

#1 mmachado (Members, 1 posts)

Posted 25 May 2017 - 08:44 AM

Hey guys,
 
Just got a customer hit with a new ransomware extension via RDS... Can't find anything about it...
Here are some details.
 
filename.[black.mirror@qq.com].oled 
DECRYPTION.txt (instructions file)

 

Your ID: 
*
 
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail: black.mirror@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
 
FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 5Mb
 
How to obtain Bitcoins
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
 
Attention!
Do not rename or move encrypted files - this may compromise the integrity of the decryption process
Do not try to decrypt your data using third party software, it may cause permanent data loss.
 



#2 Demonslay335, Ransomware Hunter (Security Colleague, 3,563 posts, USA)

Posted 25 May 2017 - 08:52 AM

I did see your note and files come through the alerts this morning.

 

We believe this is a new variant of Amnesia that is still being analyzed.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 wwejason (Members, 1 posts)

Posted 25 May 2017 - 04:34 PM

We had a customer get the same today too.



#4 JesseBropez (Members, 16 posts)

Posted 25 May 2017 - 05:26 PM

Just found both of these on a system hit by this ransomware >  

 

https://www.virustotal.com/en/file/b30afd10893d55117ed3ce623954267c661e3b7919c6cf98007c3a8f7274eac3/analysis/1495748102/

https://www.virustotal.com/en/file/9072879167eb5a9e355bb6cbdbf9b6c7ee8fa1170f77f05d6c71b4fa8a0c90cf/analysis/

 

Compromised Remote Desktop user account was "shop".


Edited by JesseBropez, 25 May 2017 - 05:37 PM.


#5 Amigo-A (Members, 587 posts)

Posted 26 May 2017 - 11:34 AM

If you compare the ransom notes, then there is a similarity.
 
OnyonLock Ransomware
 
Oled Ransomware

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#6 Demonslay335, Ransomware Hunter (Security Colleague, 3,563 posts, USA)

Posted 26 May 2017 - 11:49 AM

Globe / Amnesia uses a victim ID pattern of 614 numbers. BTCWare (OnyonLock) uses base64 for the victim's ID (it's their key encrypted by the RSA key).




#7 Amigo-A (Members, 587 posts)

Posted 26 May 2017 - 02:24 PM

Globe / Amnesia uses a victim ID pattern of 614 numbers. 

 GlobeImposter / Amnesia




#8 Demonslay335, Ransomware Hunter (Security Colleague, 3,563 posts, USA)

Posted 26 May 2017 - 02:44 PM

GlobeImposter uses hex separated by spaces for the ID. Amnesia is more or less Globe4 really.


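The victim-ID format heuristics stated in posts #6 and #8 (digits only for Globe / Amnesia, base64 for BTCWare / OnyonLock, space-separated hex for GlobeImposter), together with the `filename.[black.mirror@qq.com].oled` naming from the first post, can be turned into a small triage helper for someone cataloguing a hit system. This is an added illustration, not ID Ransomware's code or anything a poster shared; the sample IDs and note text are constructed.

```python
import re

# Family-vs-ID-format heuristics exactly as stated in the thread. Anything
# that matches none of them is reported as unknown rather than guessed.
ID_FIELD = re.compile(r"Your ID:\s*([^\r\n]+)", re.IGNORECASE)
DIGITS = re.compile(r"^\d+$")                              # Globe / Amnesia
HEX_SPACED = re.compile(r"^(?:[0-9A-Fa-f]{2} )+[0-9A-Fa-f]{2}$")  # GlobeImposter
BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")             # BTCWare (OnyonLock)

# Appended marker from post #1: <original name>.[<contact e-mail>].oled
OLED_NAME = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.oled$")


def classify_victim_id(victim_id: str) -> str:
    """Map a victim-ID string to the family the thread associates with that format."""
    s = victim_id.strip()
    # Digits are a subset of the base64 alphabet, so test the digit rule first.
    if DIGITS.fullmatch(s):
        return "Globe / Amnesia"
    if HEX_SPACED.fullmatch(s):
        return "GlobeImposter"
    if BASE64.fullmatch(s) and len(s) % 4 == 0:
        return "BTCWare (OnyonLock)"
    return "unknown"


def classify_note(note_text: str) -> str:
    """Extract the 'Your ID:' value from a DECRYPTION.txt-style note and classify it."""
    m = ID_FIELD.search(note_text)
    return classify_victim_id(m.group(1)) if m else "no ID found"


def split_oled_name(filename: str):
    """Return (original_name, contact_email) for an .oled-renamed file, else None.

    Post #10 reports that files recovered their original name once the
    appended marker was removed; this isolates that marker for inventory.
    """
    m = OLED_NAME.match(filename)
    return (m.group("orig"), m.group("email")) if m else None


if __name__ == "__main__":
    # Constructed sample note and filename (not taken from a real incident).
    note = "Your ID:\n0A 1B 2C 3D\n\nAll your files have been encrypted ..."
    print(classify_note(note))                                    # GlobeImposter
    print(split_oled_name("invoice.pdf.[black.mirror@qq.com].oled"))
```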


#9 JesseBropez (Members, 16 posts)

Posted 14 June 2017 - 12:50 PM

Here are more samples of this being distributed very recently:

 



#10 Oddvar (Members, 1 posts)

Posted 28 June 2017 - 04:33 PM

Hello.

 

IT worker from Norway here.

 

A friend of mine was at a customer's and noticed that on the backup disk, the files of the backup had a weird name and ended with .oled

He just renamed it back to its original name, and it actually worked.

 

Hope this could be useful for someone.

 

Sidequestion

Anyone figured out a decrypter for NM4 yet? (assume not)





