
Ransomware attacked again with ERROR-ID-63100778


  • This topic is locked
9 replies to this topic

#1 prasaddlv


Posted 06 June 2017 - 08:10 PM

When our system was attacked yesterday morning, we could decrypt the files using Xorist decryptor.  But again when we checked this morning, it attacked again with the following Error message:

 

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.

Encrtyption was produced using unique KEY generated for this computer.

To decrypted files, you need to otbtain private key.

The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
Payment have to be made in maxim 24 hours

To retrieve the private key, you need to pay 2 BITCOINS

If you are  not familiar with bitcoin you can buy it from here :
SITE : www.localbitcoin.com

Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
After you've sent the payment send us an email to : support_repair@qq.com with subject : ERROR-ID-63100778(2BITCOINS)

After we confirm the payment , we send the private key so you can decrypt your system.

 

It would be helpful if anyone can confirm if it is something new or it belongs to Xorist.





#2 Demonslay335

    Ransomware Hunter


  • Security Colleague

Posted 06 June 2017 - 08:43 PM

Did you try the Xorist decrypter again? The note looks like it likely is, but you haven't provided what the extension of the files is, or any results from ID Ransomware.

 

You really need to lock down RDP; use strong passwords, block it from WAN, and use VPN. You're just asking to get hit again if you don't fix the initial way they got in. I had advised you in the other topic to do so already.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
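
A read-only audit for the RDP lockdown advice in the reply above, added here as an example; it is not part of any poster's message or of BleepingComputer's tooling. It assumes an elevated PowerShell session on the affected server, and the 7-day window and top-10 cut-off are arbitrary choices.

```powershell
# Added example: read-only RDP exposure audit. Run in an elevated session.
# Uses registry reads, the HNetCfg.FwPolicy2 COM object and Get-WinEvent only,
# so it also runs on PowerShell 2.0 (Windows Server 2008 R2).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled, on which port, and is Network Level Authentication required?
$rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
$rdpPort    = (Get-ItemProperty $tcp).PortNumber
$nlaOn      = (Get-ItemProperty $tcp).UserAuthentication -eq 1
"RDP enabled: $rdpEnabled  port: $rdpPort  NLA required: $nlaOn"

# 2. Enabled inbound allow rules that open the RDP port to every remote address.
#    Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP.
$fw   = New-Object -ComObject HNetCfg.FwPolicy2
$open = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    $_.Protocol -eq 6 -and $_.RemoteAddresses -eq '*' -and
    (($_.LocalPorts -split ',') -contains "$rdpPort")
})
if ($open.Count -gt 0) {
    $open | Select-Object Name, LocalPorts, RemoteAddresses | Format-Table -AutoSize
} else {
    'No enabled inbound rule opens the RDP port to all remote addresses.'
}

# 3. Failed logons (event 4625) in the last 7 days, grouped by source address.
#    Logon type 10 = RemoteInteractive, 3 = Network (what RDP with NLA records).
$since = (Get-Date).AddDays(-7)   # window length is an arbitrary choice
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['LogonType'] -eq '3' -or $d['LogonType'] -eq '10') {
            New-Object PSObject -Property @{ Source = $d['IpAddress'] }
        }
    } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

This covers the host firewall only; whether the port is reachable from the WAN also depends on any port forwarding at the network edge.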


#3 mk46360


Posted 06 June 2017 - 09:53 PM

Our Win 2008 R2 server was also hit with this today. Looks like Xorist, but no luck with any of the decryptors yet.



#4 thyrex


Posted 06 June 2017 - 10:19 PM

Please upload an encrypted doc or docx file onto https://sendspace.com and give us the download link


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#5 mk46360


Posted 06 June 2017 - 10:38 PM

> Please upload an encrypted doc or docx file onto https://sendspace.com and give us the download link

https://www.sendspace.com/file/hbs7td

 

Just a couple of desktop shortcuts, but that's the best we could find that would be identical



#6 thyrex


Posted 06 June 2017 - 10:59 PM

I asked for an encrypted doc or docx file


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#7 inmanmd


Posted 07 June 2017 - 12:51 AM

Hello,

 

Do you have a solution to this ransom?

I have exactly the same situation (infected 10 hours ago):

- Win Server 2008 R2 64bit;

- All files have the extension "support_repair@qq.com";

- No working decrypter found;

- No Doc or Docx files available on the server :(.

 

Thank you.


Edited by inmanmd, 07 June 2017 - 01:43 AM.


#8 thyrex


Posted 07 June 2017 - 01:34 AM

@inmanmd

Do you have encrypted xls or xlsx files?

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#9 prasaddlv

  • Topic Starter


Posted 07 June 2017 - 01:43 AM

> Hello,
>
> Do you have a solution to this ransom?
>
> I have exactly the same situation (infected 10 hours ago):
>
> - Win Server 2008 R3 64bit;
> - All files have the extension "support_repair@qq.com";
> - No working decrypter found;
> - No Doc or Docx files available on the server :(.
>
> Thank you.

In our case, it is Xorist again.  We could decrypt the files again using Xorist decryptor.

Please check if you have any one original file as a copy (before encrypting happened) and follow the instructions at:

https://decrypter.emsisoft.com/xorist



#10 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 07 June 2017 - 06:33 AM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



