
Unable to determine Ransomware


  • This topic is locked
9 replies to this topic

#1 undoubted

Posted 28 May 2017 - 01:53 AM

Hello,

 

I used malwarehunterteam.com to investigate a new ransomware infection on my PC. After uploading a sample ransom note and an encrypted file, I received the message "Unable to determine ransomware". It said to reference this case: SHA1: 4ec0f18937e9ef3062b1805ee65689f92b46cc00

 

All affected names now have the following extension added to them: .[BM-NBM1DiE52wgzUUnzcRPwjMjPEcV4qfpr@bitmessage.ch].master

 

I ran these files through several detection tools that I found online and none picked up the type of ransomware this is.  

 

If someone has any ideas on what I can do next, please let me know.  I do have a few good (backed up) files that I can restore against encrypted files. I just don't have all my files backed up.

 

Following is the ransom text:

 

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: BM-NBM1DiE52wgzUUnzcRPwjMjPEcV4qfpr@bitmessage.ch 
or makedonskiy@gmx.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
 
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
 
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
 
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files
 
Your ID: 

Edited by undoubted, 29 May 2017 - 12:26 AM.


#2 Demonslay335

    Ransomware Hunter

Posted 28 May 2017 - 11:41 AM

I saw another submission with the ".[<email>].master" format come through recently, and I suspect it may be a new version of BTCWare. The contents of the notes match almost exactly, just a little difference in how they format the headers.

 

Could you share a few pairs of an encrypted file and its original? If it is truly BTCWare, then it is probably based on the newest version we are still trying to crack, but I might be able to help you decrypt some files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Demonslay335

Posted 28 May 2017 - 04:57 PM

I've updated BTCWareDecrypter to allow the .[<email>].master extension. Could you load the largest encrypted/original filepair you can find into the "Find Key" dialog, and see if it lets you decrypt some test files? It should automatically tell you it cannot find a key and offer to decrypt files up to the size of the files you gave it.

 

https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip


Edited by Demonslay335, 28 May 2017 - 04:58 PM.



#4 undoubted (Topic Starter)

Posted 28 May 2017 - 05:25 PM

Hello Michael, thank you so much for your help. I have downloaded your utility and followed the instructions. After selecting the original and encrypted files, I click Start. The message below states "no key found". It does not seem to be doing anything, unless it's quick and I don't notice the progress, or I am doing something wrong. I tried various Threads and Versions, removed my AV program and restarted the computer. Here's a link to the test files I was working with:

 

https://app.box.com/s/cna0fy9z2nvrarzwxh0lo1kcds2zwovk

 

Thanks again, looking forward to your reply! 



#5 Demonslay335

Posted 28 May 2017 - 06:02 PM

The encrypted file is much bigger than the original. You are sure it is the same file? If so, then I wonder if they made changes to the encryption scheme in the malware; my decrypter will only offer the "last resort" option if it detects the two files are the same file size, as that is the only way I can extract a valid keystream. I marked this extension as v1.6 for now and told the decrypter to not even try to bruteforce a key, as it would be in vain.

Can you share several other pairs of encrypted files and their originals? Also, can you find the malware itself? I'd need it for analysis if they changed anything - I'm just blindly guessing at this point based on the last .onyon samples we've analyzed.

Edited by Demonslay335, 28 May 2017 - 06:04 PM.

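The "last resort" keystream extraction described in the post above, as an added example that is not part of the thread and is not BTCWareDecrypter's code. It assumes a generic stream-cipher construction (ciphertext = plaintext XOR keystream, with the same keystream reused across files, which is what "decrypt files up to the size of the files you gave it" implies) and uses a hypothetical SHA-256 counter-mode generator only to build the sample data; BTCWare's real cipher is not taken from this page. The file names and contents, and the toy_keystream, recover_keystream and decrypt_with_keystream functions, are all constructed here.

```python
import hashlib

# Extension observed in this thread (from post #1).
EXT = ".[BM-NBM1DiE52wgzUUnzcRPwjMjPEcV4qfpr@bitmessage.ch].master"


def toy_keystream(seed: bytes, length: int) -> bytes:
    """Hypothetical generator used only to build the sample: SHA-256 in
    counter mode. It stands in for whatever the malware really uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext attack on a stream cipher: keystream = P XOR C.

    The size check is the one the post describes: if the encrypted file is
    longer than the original, the scheme is not a plain XOR of the same
    length (metadata was appended, or the cipher changed) and P XOR C would
    not be a usable keystream.
    """
    if len(original) != len(encrypted):
        raise ValueError(
            f"size mismatch: original {len(original)} B, encrypted {len(encrypted)} B"
        )
    return xor_bytes(original, encrypted)


def decrypt_with_keystream(keystream: bytes, encrypted_files: dict) -> tuple:
    """Decrypt every file the recovered keystream covers completely.

    Files longer than the known pair cannot be recovered this way and are
    returned separately, so the victim can see exactly which files remain
    encrypted instead of guessing from counts.
    """
    recovered, skipped = {}, []
    for name, data in encrypted_files.items():
        if len(data) > len(keystream):
            skipped.append(name)
            continue
        recovered[name.removesuffix(EXT)] = xor_bytes(data, keystream[: len(data)])
    return recovered, skipped


def demo():
    """Constructed scenario: three files encrypted with one reused keystream;
    the victim has a clean backup of photo.jpg, the largest of the two small ones."""
    ks = toy_keystream(b"constructed-seed", 8192)
    plaintexts = {
        "notes.txt": b"quarterly archive index " * 20,   # 480 B
        "photo.jpg": bytes(range(256)) * 12,             # 3072 B, the known pair
        "big.db": bytes(range(256)) * 18,                # 4608 B, longer than the pair
    }
    encrypted = {n + EXT: xor_bytes(p, ks[: len(p)]) for n, p in plaintexts.items()}
    known_ks = recover_keystream(plaintexts["photo.jpg"], encrypted["photo.jpg" + EXT])
    recovered, skipped = decrypt_with_keystream(known_ks, encrypted)
    return plaintexts, recovered, skipped


if __name__ == "__main__":
    plaintexts, recovered, skipped = demo()
    for name, data in recovered.items():
        print("recovered", name, data == plaintexts[name])
    print("still encrypted:", skipped)
```

The recovered keystream is only as long as the known pair, which is why the post asks for the largest original/encrypted pair available, and why a pair whose sizes differ is rejected outright rather than producing silently wrong output.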


#6 undoubted (Topic Starter)

Posted 28 May 2017 - 06:44 PM

I have uploaded more files for your review - just use the same link above. In some cases the file size is different, but most do appear to be the same size now that I am looking at a larger data set. 

 

Please advise of the best way to locate the virus itself. Is there a particular AV scanner or utility that would work best for this? 



#7 quietman7

    Bleepin' Janitor

Posted 28 May 2017 - 06:56 PM

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUsersProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
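The hiding places listed in the post above, as an added example that is not from quietman7's post or from any BleepingComputer tool: a Python script that walks those folders on the infected host and reports recently modified PE files, hidden folders included, with a SHA-1 that can be submitted alongside a case. The time window, the depth limit, the HIDING_PLACES list as environment-variable templates, and the constructed sample tree in demo() are all assumptions of this example.

```python
import hashlib
import os
import sys
import tempfile
import time

# Locations from the post, as Windows environment-variable templates.
# os.path.expandvars resolves %VAR% on Windows; entries that do not resolve
# (e.g. when run elsewhere) are dropped by default_roots().
HIDING_PLACES = [
    "%SystemDrive%",
    "%SystemRoot%",
    "%UserProfile%",
    "%AppData%",
    "%LocalAppData%",
    "%ProgramData%",
    "%Temp%",
]


def is_pe(path: str) -> bool:
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_roots(roots, since: float, max_depth: int = 3):
    """Return [(path, mtime, sha1)] for PE files modified at or after `since`.

    os.walk ignores the Windows hidden attribute, so hidden folders such as
    %AppData% are covered without changing Explorer settings. Depth is
    capped because %SystemDrive% is large; raise it for a deeper sweep.
    """
    hits = []
    for root in roots:
        root = os.path.abspath(root)
        if not os.path.isdir(root):
            continue
        base_depth = root.rstrip(os.sep).count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []
            for fn in filenames:
                p = os.path.join(dirpath, fn)
                try:
                    mtime = os.path.getmtime(p)
                except OSError:
                    continue
                if mtime >= since and is_pe(p):
                    hits.append((p, mtime, sha1_of(p)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def default_roots():
    """Expand the templates above using this host's environment."""
    expanded = (os.path.expandvars(t) for t in HIDING_PLACES)
    return [r for r in expanded if "%" not in r]


def build_sample_tree(base: str):
    """Constructed sample data: a fresh PE-like file with a misleading
    extension, a fresh text file, and an old PE file. Only the first should be
    reported for a one-hour window."""
    fresh_pe = os.path.join(base, "updater.dat")
    text = os.path.join(base, "readme.txt")
    old_pe = os.path.join(base, "old.exe")
    with open(fresh_pe, "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    with open(text, "wb") as f:
        f.write(b"not a program")
    with open(old_pe, "wb") as f:
        f.write(b"MZ" + b"\0" * 14)
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old_pe, (ten_days_ago, ten_days_ago))
    return fresh_pe, text, old_pe


def demo():
    """Run the scan over the constructed tree; returns reported base names."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        hits = scan_roots([d], since=time.time() - 3600)
        return [os.path.basename(h[0]) for h in hits]


if __name__ == "__main__":
    days = float(sys.argv[1]) if len(sys.argv) > 1 else 7
    for path, mtime, digest in scan_roots(default_roots(), time.time() - days * 86400):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), digest, path)
```

Run it as `python scan.py 14` to cover a two-week window. Matching on the MZ header rather than the extension matters here because droppers are routinely saved under .dat, .tmp or no extension at all; a hit is a candidate for upload with the ID Ransomware case, not proof of infection on its own.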

#8 undoubted (Topic Starter)

Posted 28 May 2017 - 09:50 PM

Found the below through a Google search. This ad is posted in Russian and talks about the "master ransomware", and the dude is looking for "business partners". Its genealogy, as per the post, is as follows: CryptXXX -> BTCWare -> THEVA -> OnyonLock -> MASTER-RansomWare. There are a few more details regarding how this variant of the cryptolocker works, and you could probably use Google Translate to read the whole thing. But if it is of help, I know someone who can translate. Let me know and I'll post the translation here.

 

Hopefully, the above aids in identification of what we are dealing with here. 

 

http://darkmarket.cc/threads/master-ransomware-partnjorstvo.10391/


Edited by undoubted, 28 May 2017 - 09:55 PM.


#9 undoubted (Topic Starter)

Posted 28 May 2017 - 10:15 PM

IT WORKED!! I ran the BTCWareDecrypter again against the sample files I uploaded in my earlier post and was able to recover 16 out of the 19 files. Now I have a few questions:

 

1) I have close to 80GB of data with thousands (if not tens of thousands) of files that are important archive records that I have to restore 100% of. Is it possible to unlock them all? If the above formula is correct, I will lose about 20% of my files, which would be pretty bad.

 

2) If there is no way to recover all files, how would I know which files were skipped? Again, dealing with many thousands of files here

 

3) What is the particular process / procedure I should follow from this point on to ensure maximum recovery?

 

Thanks so much everyone for your help



#10 quietman7

Posted 29 May 2017 - 05:03 AM

We are glad to hear that BTCWareDecrypter worked.

Now, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff