Ransomware with no extension change


13 replies to this topic

#1 bradseven

bradseven

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 June 2017 - 01:53 PM

I've got all the symptoms of ransomware but no apparent ransom note. It appears that all files on all drives that contain any kind of changeable text have been encrypted. Hoping someone can maybe identify the "family" to get me on the path to decryption.

 

encrypted file example: 

 

https://drive.google.com/open?id=0BzbkNY-myZWAWThwdFRzNDZkbzQ




#2 Moritz30

Moritz30

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 AM

Posted 07 June 2017 - 01:59 PM

Do you have any file in encrypted and unencrypted form by any chance?


White Hat, Security Researcher, Modder, CEO at and founder of @DragonTeamMC, @OmniDragonBot and CryptID. Real name is Matthias Merkel.

#3 bradseven

bradseven
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 June 2017 - 02:01 PM

They're all encrypted unfortunately. It deleted all shadow copies.



#4 Moritz30

Moritz30

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 AM

Posted 07 June 2017 - 02:05 PM

This may sound stupid now but will give us a list of processes, services and such stuff: Please install and run Speccy. Once you have started it wait until it has finished analysing. Then click File->Publish Snapshot, click yes and send us the link



#5 bradseven

bradseven
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 June 2017 - 02:13 PM

http://speccy.piriform.com/results/OdoFQZChxMK2xVwG5iIowLY



#6 bradseven

bradseven
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 June 2017 - 02:16 PM

And... MSS seems to have gotten rid of the infection, since newly created files remain unencrypted, but the encrypted files are still encrypted (over 2 months of work) and of course I deleted my history in MSS like an idiot.



#7 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 07 June 2017 - 02:18 PM

They're all encrypted unfortunately. It deleted all shadow copies.

 

There are several ways to get an encrypted/unencrypted file pair...

 

If you have any files that were downloaded, download them again.

 

If you have any photos that you have sent to others, ask a recipient to send one back.

 

If you have the OS installation media, get one of the files from there.


Edited by jwoods301, 07 June 2017 - 02:21 PM.


#8 Moritz30

Moritz30

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 AM

Posted 07 June 2017 - 02:22 PM

There are a few running processes I find suspicious. Please follow my instructions EXACTLY to safely send me a copy of the executable without infecting anyone with potential malware:

Take the following files and put them in a PASSWORD PROTECTED ZIP FILE:

C:\Users\PCAUDI~1\AppData\Local\NTUSER~1\dataup\dataup.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe
C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe
C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe
C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe
 
Then upload the ZIP file to mega or another cloud storage and send me a private message with the password and link


#9 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 07 June 2017 - 02:26 PM

 

There are a few running processes I find suspicious. Please follow my instructions EXACTLY to safely send me a copy of the executable without infecting anyone with potential malware:

Take the following files and put them in a PASSWORD PROTECTED ZIP FILE:

C:\Users\PCAUDI~1\AppData\Local\NTUSER~1\dataup\dataup.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe
C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe
C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe
C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe
C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe
C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe
 
Then upload the ZIP file to mega or another cloud storage and send me a private message with the password and link

 

 

Not really necessary.

 

Malwarebytes identifies Microleaves Traffic Exchange as adware.

 

Run Malwarebytes to remove it.



#10 bradseven

bradseven
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 June 2017 - 02:31 PM

Okay, I did manage to get an encrypted and a non-encrypted file.

encrypted: 

https://drive.google.com/open?id=0BzbkNY-myZWAOXZRT1RHbmZpdm8

non:

https://drive.google.com/open?id=0BzbkNY-myZWAby1xSWZGSWNOd2s

 

I'll go ahead and follow your instructions but hopefully these files are helpful



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:23 AM

Posted 07 June 2017 - 04:31 PM

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions.

Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4 byte long Crc32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim. PClock and Cryptofag do not use a filemarker.

The best way to identify the different ransomware families that do not append an extension is the ransom note (including its name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#12 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 AM

Posted 09 June 2017 - 09:42 AM

I've got all the symptoms of ransomware but no apparent ransom note. It appears that all files on all drives that contain any kind of changeable text have been encrypted. Hoping someone can maybe identify the "family" to get me on the path to decryption.

 

encrypted file example: 

 

https://drive.google.com/open?id=0BzbkNY-myZWAWThwdFRzNDZkbzQ

 

Hi bradseven,

 

The file size did not change after encryption, and there is no magic string or similar indicators for the malware. A file extension wasn't added either. That makes identification rather difficult.

 

It is good that you sent a big file here. The first 0x100000 bytes are encrypted, maybe also part of the end of the file (not sure if this is part of the file format or encrypted). This is not visible in the smaller image that you linked in a later post. That might narrow it down. Though, I cannot remember off the top of my head what ransomware family only encrypts 0x100000 bytes. Maybe my colleagues know more.

 

[attached image: byte-level view of the encrypted file, unencrypted area in blue, encrypted areas in mixed colors]


Edited by Struppigel, 09 June 2017 - 09:43 AM.


#13 bradseven

bradseven
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 09 June 2017 - 06:55 PM

One thing that may or may not be helpful... Adobe Audition session (.sesx) files are XML "coherent" files (kind of a n00b on what XMLs even are) that can be opened and edited in Notepad, which are basically a series of English words, brackets, spaces and hyphens. If I open one of those files in Notepad now it's all some kind of oriental language with no spaces or anything other than those oriental-looking characters. (the first example I uploaded in the original post)


Edited by bradseven, 09 June 2017 - 06:55 PM.


#14 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 AM

Posted 10 June 2017 - 03:51 AM

One thing that may or may not be helpful... Adobe Audition session (.sesx) files are XML "coherent" files (kind of a n00b on what XMLs even are) that can be opened and edited in Notepad, which are basically a series of English words, brackets, spaces and hyphens. If I open one of those files in Notepad now it's all some kind of oriental language with no spaces or anything other than those oriental-looking characters. (the first example I uploaded in the original post)

If that's the case for the whole file being XML, then the end and the beginning of the file are encrypted; much like a sandwich. If you look at the picture above at the very left, you will see the non-encrypted area in blue, and the encrypted area in mixed colors.
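The two observations Struppigel makes above (same file size, no marker, first 0x100000 bytes encrypted, possibly a second encrypted region at the end) are exactly what an encrypted/unencrypted file pair lets you measure. The script below is an added example, not code from this thread or from any of the posters: given a clean file and its encrypted twin it reports whether the size changed (an appended blob would show up as a positive delta), dumps the first 16 bytes of the encrypted file so they can be compared by hand against known filemarkers, lists the byte ranges that actually differ, and gives the Shannon entropy of each range next to a windowed entropy profile. The sample pair is constructed inline so the script runs offline: a .sesx-like XML file and a stand-in "encryption" that scrambles the first HEAD_LEN and last TAIL_LEN bytes in place. The lengths are scaled down from the 0x100000 seen in the thread and the scrambling transform is a placeholder, not the real family's cipher; pass two real file paths on the command line to analyse an actual pair.

```python
"""Find the encrypted regions of a file by diffing it against a clean copy.

Added example for this thread, not code posted by any participant.
Usage:  python enc_regions.py <clean_file> <encrypted_file>
        python enc_regions.py            (runs on the constructed sample below)
"""
import math
import random
import sys

# Constructed, scaled-down stand-ins for the thread's numbers (0x100000 head).
HEAD_LEN = 0x20000   # bytes scrambled at the start of the file (assumed)
TAIL_LEN = 0x1000    # bytes scrambled at the end of the file (assumed)
CHUNK = 0x4000       # window size for the entropy profile


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0. Well-encrypted data sits close to 8.0;
    English/XML text sits well below 6.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def differing_regions(clean, enc, min_gap=64):
    """Half-open [start, end) ranges where the two files differ.

    Bytes beyond the shorter file are ignored (zip truncates); an appended
    marker therefore shows up as a size delta, not as a region.  Unchanged
    runs shorter than min_gap inside a region are absorbed, so the 1-in-256
    chance collisions produced by XOR/stream ciphers do not split one
    encrypted block into many."""
    regions = []
    start = last_diff = None
    for i, (a, b) in enumerate(zip(clean, enc)):
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last_diff > min_gap:
            regions.append((start, last_diff + 1))
            start = i
        last_diff = i
    if start is not None:
        regions.append((start, last_diff + 1))
    return regions


def entropy_profile(data, chunk=CHUNK):
    """Entropy of each consecutive window; encrypted windows stand out."""
    return [round(shannon_entropy(data[i:i + chunk]), 2)
            for i in range(0, len(data), chunk)]


def summarise(clean, enc):
    regions = differing_regions(clean, enc)
    return {
        "size_delta": len(enc) - len(clean),      # > 0: something was appended
        "header_hex": enc[:16].hex(),              # compare against known filemarkers
        "regions": regions,
        "region_entropy": [round(shannon_entropy(enc[s:e]), 2) for s, e in regions],
        "fraction_changed": sum(e - s for s, e in regions) / max(len(clean), 1),
    }


def build_sample_pair(seed=7):
    """Constructed .sesx-like XML and an in-place scrambled copy: same size,
    no marker, no extension change.  The scramble is a placeholder."""
    body = b'  <track name="Track 1" volume="-3.5" pan="0"/>\n' * 6000
    clean = (b'<?xml version="1.0" encoding="UTF-8"?>\n<sesx version="1.6">\n'
             + body + b"</sesx>\n")
    rng = random.Random(seed)

    def scramble(chunk):
        ks = rng.randbytes(len(chunk))
        # add 1..255 mod 256 so every byte is guaranteed to change
        return bytes((a + 1 + k % 255) & 0xFF for a, k in zip(chunk, ks))

    enc = scramble(clean[:HEAD_LEN]) + clean[HEAD_LEN:-TAIL_LEN] + scramble(clean[-TAIL_LEN:])
    return clean, enc


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            clean_data = f.read()
        with open(sys.argv[2], "rb") as f:
            enc_data = f.read()
    else:
        clean_data, enc_data = build_sample_pair()
    for key, value in summarise(clean_data, enc_data).items():
        print(f"{key}: {value}")
    print("entropy per window:", entropy_profile(enc_data))
```

On the constructed pair the output shows a size delta of 0, two differing regions (the head and the tail of the file) with entropy near 8.0, and a profile that drops to text-level entropy in between, which is the "sandwich" shape described above. On a real pair, a region list that stops exactly at 0x100000 corroborates the hex-view finding, and a non-zero size delta or a repeated header across several encrypted files is the kind of evidence the filemarker discussion earlier in the thread asks for.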





