Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Intercepted Ransomware That I Haven't Seen Before.


  • This topic is locked This topic is locked
4 replies to this topic

#1 sikm8

sikm8

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:19 PM

Posted 30 May 2017 - 01:52 AM

Hi All,

 

I recently intercepted some ramsomeware on a client's PC before it completed and removed itself. I haven't seen this one before and there is little online about it, they used a bruteforce attach on RDP (Non standard port) to gain access to the PC, they then removed/disables the AV and downloaded Process Hacker 2, they then uploaded and ran the ransomeware.  I have a copy of the executable and encrypted files, is there somewhere I can upload these for people to check out?

 

Regards 

Fady



BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:19 AM

Posted 30 May 2017 - 02:24 AM

Yes, please submit and malware and information you have here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Also if you could zip it up with any ransom notes, and encrypted files (and their originals for comparison if possible).

By chance did you submit a random note and encrypted file to ID Ransomware to see if it's already something identifiable?

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Ruben-e

Ruben-e

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 30 May 2017 - 03:30 AM

It sounds a lot like what we got over the weekend.

Nonstandard RDP port, installed, encrypted and deleted itself. AV did not detect it (it suffered a critical error). I found Processhacker's setup too. It did detect a Bitcoin miner that was left behind.

https://www.bleepingcomputer.com/forums/t/648073/possible-new-version-of-nemesisdharma/



#4 sikm8

sikm8
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:19 PM

Posted 30 May 2017 - 05:53 AM

I just upped everything I have, 2 zip files (Due to size restri.ction).

 

File 1 contains encrypted files, recovery messages and an original file that I could work out.

 

File 2 contains Process Hacker Programs and user appdata files aswell as the original ransomeware binary.

 

Let me know if I can help with any other info.

 

Just a Note, It ID'ed as amnesia but the decrypter didn't work


Edited by sikm8, 30 May 2017 - 06:00 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,609 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:19 AM

Posted 30 May 2017 - 06:07 AM

Ruben-e was dealing with CryptON (Cry9, Cry36, Cry128, X3M, Nemesis).

Fabian Wosar released a decrypter for victims of Amnesia.However, the decrypter does not work on some of the newer Amnesia variants so they are still investigating and analyzing.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users