.TraNs .TraNs550DonE

#1 Chadm357

Posted 09 June 2017 - 06:51 AM

Good day all,

 

Just been hit with ransomware with the .TraNs extension. I've been searching all over and cannot find any information on this. 

 

ID Ransomware picks it up as Xorist based on the ransom note, however the decryptors do not work. 

 

It seems to have started at 09:08 this morning based on the file modified dates, we were lucky to find this and shut down the machine by 09:32, limiting the damage. What I have found interesting is the following:

 

Affected files have been encrypted with .TraNs; however, some files higher up in the folder structure have .TraNs.TraNs550DonE, e.g.:

 

1 .docx.TraNs.TraNs550DonE

2 .docx.TraNs

 

The .TraNs encrypted files open with an exe located in C:\Users\User\AppData\Local\Temp, called 0t82XO7TI241IXx.exe

Files encrypted with .TraNs.TraNs550DonE open with an exe located in C:\Users\User\AppData\Local\Temp, called LIn3s91vZpl92ge.exe

 

Opening the files launches a window that displays the ransom note and then takes you to a location where you are asked to input a password 

 

I had two .exe files left on the desktop, Crypt1.exe and Crypt2.exe, but unfortunately these were removed before I could copy them off.

 

Below is from the dropped HOW TO DECRYPT YOUR FILES note:

........................................

ATENTION!
 
Many of your documents, photos, videos, databases and other files
are no longer accessible because they have been encrypted.
Maybe you are busy looking for a way to recover your files, but do not waste your time.
Nobody can recover your files without our decryption service.
 
You must pay 550$ via BTC for the decryption key
You have 4 days to pay for my services. After this period, you will lose all your files.
 
Step 1 - Create an account www.localbitcoin.com
Step 2 - Buy bitcoin worth 550 USD
Step 3 - Send the amount to this address: 1F6nfAKenZvzSg7RLjM4JhuzV4Aix5i4A4
Step 4 - Contact us on this email: bkmf@gmx.com with subject : DECRYPT KEY FOR ID-CLIENT-76785007
 
After these steps you receive softwere + key and tutorial for decryption.
 
For any questions please contact us at this email address: bkmf@gmx.com
........................................

 

Suspected access is through RDP. The password is 62 characters long and completely random, so I am not sure how they got past this, but they did. We have multiple full backups, so we are doing the restore now.
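As an added example, not code from the thread: a small Python triage script that reproduces the check the poster did by hand, walking a directory tree (a constructed sample tree here, not real data) for the two observed extensions, counting each form separately, and using the earliest and latest file modification times to bound the encryption window.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime

# Suffixes seen in the thread, longest first so the double form is not miscounted.
RANSOM_SUFFIXES = (".TraNs.TraNs550DonE", ".TraNs")

def classify(name):
    """Return the ransomware suffix a file name ends with, or None."""
    for suffix in RANSOM_SUFFIXES:
        if name.endswith(suffix):
            return suffix
    return None

def triage(root):
    """Count encrypted files per suffix and bound the encryption window by mtime."""
    counts = Counter()
    first = last = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            suffix = classify(name)
            if suffix is None:
                continue
            counts[suffix] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    fmt = lambda t: datetime.fromtimestamp(t).strftime("%H:%M")
    window = f"{fmt(first)}-{fmt(last)}" if first is not None else None
    return {"counts": dict(counts), "first": first, "last": last, "window": window}

def build_sample_tree():
    """Constructed sample tree (not data from the thread): the top-level file
    carries the double extension, deeper files the single one."""
    root = tempfile.mkdtemp()
    start = datetime(2017, 6, 9, 9, 8).timestamp()  # 09:08 start, as in the post
    layout = [
        ("1.docx.TraNs.TraNs550DonE", start + 1500),  # touched again by a second pass
        ("sub/2.docx.TraNs", start),                  # first file encrypted
        ("sub/deep/3.xlsx.TraNs", start + 600),
        ("sub/readme.txt", start - 86400),            # untouched; must be ignored
    ]
    for rel, mtime in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return root
```

Running `triage()` against the real share root instead of the sample tree gives the same per-extension counts and a local-time window to compare with logon events from the suspected RDP session.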

#2 quietman7

Posted 09 June 2017 - 07:54 AM

HOW TO DECRYPT YOUR FILES is a ransom note name used by several ransomware variants but the extension looks new.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful to our crypto malware experts for analyzing and investigating.

#3 thyrex

Posted 09 June 2017 - 08:10 AM

Do you still have C:\Users\User\AppData\Local\Temp\0t82XO7TI241IXx.exe and C:\Users\User\AppData\Local\Temp\LIn3s91vZpl92ge.exe?

If these files still exist, please send them to me (pack them into an archive with the password "virus", upload it to https://sendspace.com and send me the link by PM).


#4 Chadm357

Posted 12 June 2017 - 03:26 AM

Do you still have C:\Users\User\AppData\Local\Temp\0t82XO7TI241IXx.exe and C:\Users\User\AppData\Local\Temp\LIn3s91vZpl92ge.exe?

If these files still exist, please send them to me (pack them into an archive with the password "virus", upload it to https://sendspace.com and send me the link by PM).

Unfortunately all of the .exe files jumped ship before I was able to get them. I only have encrypted and unencrypted copies of the files; I can upload these if that helps at all? We have recovered the system with no issues, so we have no need to decrypt any files, but if I can help in any way with what I have, please let me know. I wanted to make a full clone of the infected server before we recovered, but we were under a short timeline to get the system back online.
