
New type of ransomware?


  • This topic is locked
6 replies to this topic

#1 RuudV (Members, 3 posts)

Posted 06 June 2017 - 01:52 PM

Hi, I am new to this forum, so please forgive me if I do not enter the right info the first time.

 

I seem to have a new ransomware encryptor. I submitted the requested files to the website and it came back saying that it did not recognise my type.

The case ID I got back is: f5950158b56c55df5489f127b5a3f781ed439637.

 

The PC that was hit was a virtual one, so no sweat there. But I had a couple of shares with video files that are encrypted now, and I really would like these video files back.

So if there is anyone who knows this type of ransomware, and moreover, has a decryptor, I would be grateful all my life!

 

The text file is ### DECRYPT MY FILES ###.txt,

"

* ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions in the chat:
https://l2r7cz455k6bdu2o.onion.to , https://l2r7cz455k6bdu2o.onion.cab (not need Tor)

If the resource is not available for a long time, install and use the Tor-browser:
1. Run your Internet-browser
2. Enter or copy the address https://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
3. On the site will be offered to download the Tor-browser, download and install it. Run.
4. Connect with the button "Connect" (if you use the English version)
5. After connection, the usual Tor-browser window will open
6. Enter or copy the address http://l2r7cz455k6bdu2o.onion in the address bar of Tor-browser and press key ENTER
7. Wait for the site to load

// If you have any problems installing or using, please visit the video tutorial

############################################### OR ###############################################
contact by email: yotabyte@protonmail.com



Your personal ID: <some number>

"

 

All files have the same renaming like <a_far_green_country.pdf> to <a_far_green_country.pdf.id-3635170959_[yotabyte@protonmail.com].4se9s>

 

A thorough search on the internet did not give me the solution. Known decryptors like .exe and decrypt_Cry128.exe did not give the key.

 

Anybody out there that can be of help, please?

 

Regards,

Ruud de Vries

The Netherlands

 

 
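The renaming pattern quoted in the post is enough to inventory what was hit on a share before any decryptor question is settled. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it parses names of the form `<original>.id-<digits>_[<email>].<ext>`, groups encrypted files by victim ID and contact address, counts ransom notes, and can walk a directory tree. The sample file listing is constructed; the numeric ID, the e-mail address and the note name are the ones quoted in the post, and treating the appended extension as an arbitrary alphanumeric string is an assumption (the post shows only one value, `4se9s`).

```python
import re
from pathlib import Path

# Name pattern quoted in the post:
#   a_far_green_country.pdf -> a_far_green_country.pdf.id-3635170959_[yotabyte@protonmail.com].4se9s
# Assumption: the appended extension may be any alphanumeric string; the post shows
# one five-character example (4se9s), so the length is deliberately not hard-coded.
CRY_NAME_RE = re.compile(
    r"^(?P<original>.+?)"          # the file's name before it was renamed
    r"\.id-(?P<victim_id>\d+)"      # numeric victim ID
    r"_\[(?P<email>[^\]]+)\]"       # contact address in square brackets
    r"\.(?P<ext>[A-Za-z0-9]+)$"     # appended extension
)

# Ransom-note file name quoted in the post.
RANSOM_NOTE = "### DECRYPT MY FILES ###.txt"

# Constructed sample listing (not from the thread): two files renamed with the ID and
# address quoted in the post, a ransom note, an untouched file, and one file carrying
# a different (made-up) ID/address to show that the grouping separates campaigns.
SAMPLE_NAMES = [
    "a_far_green_country.pdf.id-3635170959_[yotabyte@protonmail.com].4se9s",
    "holiday_2016.mp4.id-3635170959_[yotabyte@protonmail.com].4se9s",
    RANSOM_NOTE,
    "notes.txt",
    "report.docx.id-12345_[other@example.invalid].abcde",
]


def parse_encrypted_name(name):
    """Return the parsed parts of a renamed file, or None if the name does not match."""
    m = CRY_NAME_RE.match(name)
    return m.groupdict() if m else None


def triage(names):
    """Group encrypted file names by (victim_id, email).

    Returns a dict with:
      campaigns    - {(victim_id, email): [original names...]}
      ransom_notes - how many ransom-note files were seen
      untouched    - names that match neither pattern
    """
    campaigns = {}
    ransom_notes = 0
    untouched = []
    for name in names:
        if name == RANSOM_NOTE:
            ransom_notes += 1
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            untouched.append(name)
            continue
        key = (parsed["victim_id"], parsed["email"])
        campaigns.setdefault(key, []).append(parsed["original"])
    return {"campaigns": campaigns, "ransom_notes": ransom_notes, "untouched": untouched}


def scan_tree(root):
    """Walk a directory (e.g. a mounted share) and triage every regular file's name."""
    root = Path(root)
    return triage(p.name for p in root.rglob("*") if p.is_file())


def report(result):
    """Render a triage result as a list of printable lines."""
    lines = [f"ransom notes seen: {result['ransom_notes']}"]
    for (victim_id, email), originals in sorted(result["campaigns"].items()):
        lines.append(f"id {victim_id} / {email}: {len(originals)} encrypted file(s)")
        lines.extend(f"    {name}" for name in sorted(originals))
    lines.append(f"untouched files: {len(result['untouched'])}")
    return lines


if __name__ == "__main__":
    import sys
    # With a path argument, walk that tree; otherwise triage the constructed sample.
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_NAMES)
    print("\n".join(report(result)))
```

Run it with a share's mount point as the only argument to walk the tree, or with no argument to triage the constructed sample. Because the original name and extension survive inside the renamed file, the output tells you exactly which files need restoring from backup even where no decryptor exists, and a second victim ID or contact address in the same tree is a sign that more than one machine or campaign touched the share.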





#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,426 posts, USA)

Posted 06 June 2017 - 02:03 PM

It's part of the Cry family, most likely Cry36, which is still under analysis. I'm still working out file marker detections for the Cry family (they're a real pain).

 

Since the important files that were encrypted were shared from another system, you have higher chances of Shadow Copies still being intact. I'd give ShadowExplorer and Recuva a shot.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 RuudV (Topic Starter)

Posted 06 June 2017 - 02:11 PM

Thanks! But since the video files were very big (in total some 7 TB), I have no shadow copy active on that partition. The chance of ShadowExplorer or Recuva resolving this is very small, I think.

 

I have another question: the virtual PC that is infected is not active anymore, but does the crypto software reside anywhere on the system that had the shares, i.e. the file server?



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 06 June 2017 - 02:21 PM

It's not known to worm or anything like that, so you should be fine. Never hurts to scan any systems though; I would recommend Malwarebytes and HitmanPro in addition to your antivirus.

 

And... backups, backups, backups!




#5 RuudV (Topic Starter)

Posted 06 June 2017 - 02:38 PM

Scan is running (AVG and Spyhunter), nothing found so far.

I had 4 shares infected, 3 of them were backed up (in more than one way & on an external system) so I could get those back easily.

The 4th is full with video-files, around 7 TB on a 9 TB RAID system, and no backup-medium available of this size, so.....

I sure will use Malwarebytes and HitmanPro, thanks. And of course I will constantly watch this forum & scan the internet for decryptors for this.

Thanks for your advice



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 06 June 2017 - 03:29 PM

Sounds like you're 90% to a good backup plan, but apparently there's a hole with it still. CrashPlan has unlimited storage for one flat rate, it's what I use for a few TB myself. Probably take a long time to upload/download, but it works well.

 

Oh, and I've added proper detection for Cry36 to ID Ransomware now. Your file matches the filemarker, so it's definitely Cry36.




#7 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 06 June 2017 - 04:59 PM


There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here



