
Company Got Attacked by a New Form of ransomware. Need Help


8 replies to this topic

#1 Pinksoshistuff (Members, 12 posts)

Posted 10 June 2017 - 08:15 AM

Hi there! My company has just been hit by ransomware. I've tried looking it up online but I can't find any information regarding it. The file extension is .dkdfln. I've also tried ID Ransomware and still nothing popped up. I'll post some screenshots. If anyone decides to help out, please let me know. Any help will be much appreciated!

 

http://imgur.com/fuJd5Lg

http://imgur.com/Gy7vULA


Edited by Pinksoshistuff, 10 June 2017 - 08:18 AM.



#2 cybercynic (Members, 560 posts, Location: Edge Of Tomorrow)

Posted 10 June 2017 - 10:01 AM

First of all, did you upload an encrypted file and the ransom note to ID-Ransomware? What exactly did it reply? If it couldn't identify the ransomware, it would have told you to post the SHA1 hash in your post in this forum.

 

The analysts/researchers will need that to look further at the ransomware.


We are drowning in information - and starving for wisdom.


#3 Pinksoshistuff (Topic Starter)

Posted 10 June 2017 - 10:04 AM

> First of all, did you upload an encrypted file and the ransom note to ID-Ransomware? What exactly did it reply? If it couldn't identify the ransomware, it would have told you to post the SHA1 hash in your post in this forum.
>
> The analysts/researchers will need that to look further at the ransomware.

Hi there! Here's the SHA1 code. Please reference this case SHA1: ab6b9d4dc0bc4ab67a0c094d987e39ab087e01c6



#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,555 posts, Location: USA)

Posted 10 June 2017 - 01:15 PM

Looks new. The filenames themselves are just base64, so it's easy enough to rename at least (in an automated sense).

 

The extension appears to be random. I have only one other submission fitting the ransom note and filename pattern with extension ".upzbrf", and it is also from Malaysia. Could be targeting Malaysia currently?

 

Do you have the malware, or know how you got infected? Also, if you have some encrypted files and their originals, it might help with deriving how strong the encryption is.

 

You may submit the malware and file pairs here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
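Two points in the post above lend themselves to a worked check, so here is an added example. It is my own code, not the poster's, not part of ID Ransomware, and not based on any analysis of this family. It assumes, which the thread does not confirm, that each encrypted filename is the base64 of the original name followed by the per-victim extension, and that the analyst holds at least one original/encrypted file pair. The first half decodes such filenames into a dry-run rename plan that refuses anything not decoding to a plausible filename and skips collisions, so an automated rename cannot overwrite one file with another. The second half is the file-pair test hinted at: XOR the original and encrypted bytes together and, if the resulting keystream repeats with a short period, the scheme is a repeating-key XOR and the key falls out; a real cipher shows no period and near-8-bit entropy, and a size difference points at a stored header or trailer. All filenames and file contents below are constructed.

```python
"""Triage helpers for an unidentified ransomware: recover base64 filenames and
check what an (original, encrypted) file pair says about the encryption.

Added example, not code from the thread or from ID Ransomware. Assumptions not
confirmed by the thread: encrypted files are named <base64(original name)>.<ext>,
and the analyst has at least one original/encrypted pair to compare.
"""
import base64
import hashlib
import math
import re
from collections import Counter

ENCRYPTED_EXT = ".dkdfln"                           # extension reported in this thread
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")   # standard or URL-safe alphabet


def recover_original_name(encrypted_name: str, ext: str = ENCRYPTED_EXT):
    """Return the filename encoded in a base64 stem, or None if it does not decode
    to a plausible name. Missing '=' padding is restored, both the standard and the
    URL-safe alphabet are tried, and the result must be printable UTF-8 without
    path separators before it is trusted as a filename."""
    if not encrypted_name.endswith(ext):
        return None
    stem = encrypted_name[: -len(ext)]
    if not B64_RE.match(stem):
        return None
    padded = stem + "=" * (-len(stem) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            name = raw.decode("utf-8")
        except ValueError:   # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if name and name.isprintable() and not any(c in name for c in "/\\"):
            return name
    return None


def rename_plan(names, ext=ENCRYPTED_EXT):
    """Dry-run mapping encrypted name -> original name. Undecodable names and
    collisions (two encrypted names decoding to the same original) are left out."""
    decoded = {n: recover_original_name(n, ext) for n in names}
    counts = Counter(o for o in decoded.values() if o)
    return {n: o for n, o in decoded.items() if o and counts[o] == 1}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for documents, close to 8 for well-encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeating_xor_key(plain: bytes, cipher: bytes, max_period: int = 64):
    """Known-plaintext test for a repeating-key XOR scheme.

    XORing original and encrypted bytes exposes the keystream; if it repeats with a
    short period the 'encryption' is trivially reversible and the key is returned
    (a single 0x00 byte means the file was renamed but never encrypted). None means
    no short period was found, which is what a real cipher looks like."""
    n = min(len(plain), len(cipher))
    stream = bytes(p ^ c for p, c in zip(plain, cipher))
    for period in range(1, max_period + 1):
        if n >= 2 * period and all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return None


def pair_report(plain: bytes, cipher: bytes) -> dict:
    """Summarise one original/encrypted pair for the analyst."""
    return {
        "size_delta": len(cipher) - len(plain),   # > 0 suggests a header/trailer, e.g. a wrapped key
        "entropy_plain": round(shannon_entropy(plain), 2),
        "entropy_cipher": round(shannon_entropy(cipher), 2),
        "xor_key": repeating_xor_key(plain, cipher),
    }


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; also undoes a weak scheme once the key is known."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _sha256_keystream(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for a real cipher's keystream (constructed sample only)."""
    out = bytearray()
    for ctr in range(-(-length // 32)):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:length])


# Constructed sample data, not the victim's files: a repetitive document, one
# "encryption" with a 7-byte repeating XOR key, and one with a SHA-256 keystream
# plus a 32-byte trailer standing in for a properly encrypted file.
SAMPLE_PLAIN = b"INVOICE 2017-06 TOTAL 1200.00 MYR\n" * 8 + b"\x00" * 64
WEAK_KEY = b"dkdfln!"
WEAK_CIPHER = xor_with_key(SAMPLE_PLAIN, WEAK_KEY)
STRONG_CIPHER = xor_with_key(SAMPLE_PLAIN, _sha256_keystream(len(SAMPLE_PLAIN))) + b"\xaa" * 32

if __name__ == "__main__":
    names = ["UXVvdGF0aW9uLnhsc3g.dkdfln", "YWJ-.dkdfln", "not*base64.dkdfln", "readme.txt"]
    print(rename_plan(names))   # {'UXVvdGF0aW9uLnhsc3g.dkdfln': 'Quotation.xlsx', 'YWJ-.dkdfln': 'ab~'}
    print(pair_report(SAMPLE_PLAIN, WEAK_CIPHER))     # xor_key == b'dkdfln!'
    print(pair_report(SAMPLE_PLAIN, STRONG_CIPHER))   # xor_key is None, size_delta == 32
```

Renaming restores names only, never contents; run the plan against copies and keep the encrypted originals, the ransom note and any sample untouched for the analysts. A `None` from the XOR test does not prove the cipher is sound, only that the cheapest weakness is absent.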


#5 Pinksoshistuff (Topic Starter)

Posted 10 June 2017 - 09:01 PM

> Looks new. The filenames themselves are just base64, so it's easy enough to rename at least (in an automated sense).
>
> The extension appears to be random. I have only one other submission fitting the ransom note and filename pattern with extension ".upzbrf", and it is also from Malaysia. Could be targeting Malaysia currently?
>
> Do you have the malware, or know how you got infected? Also, if you have some encrypted files and their originals, it might help with deriving how strong the encryption is.
>
> You may submit the malware and file pairs here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Yes, I'm from Malaysia, sir. The infected PC is in my house right now because I've brought it home from the office. Unfortunately I don't have an encrypted file and its original, but I have an encrypted older version of a file and a newer version of the same file that is not encrypted. Will that help?


Edited by Pinksoshistuff, 10 June 2017 - 10:00 PM.


#6 quietman7, Bleepin' Janitor (Global Moderator, 51,726 posts, Location: Virginia, USA)

Posted 11 June 2017 - 06:51 AM

Submit what you have. Demonslay335 will let you know if it's helpful.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Pinksoshistuff (Topic Starter)

Posted 11 June 2017 - 09:46 PM

> Submit what you have....Demonslay335 will let you know if its helpful.

I've submitted 2 files: 1 affected and 1 unaffected.

He just made a new reply to my message:

 

http://imgur.com/6FyJHpq



#8 Pinksoshistuff (Topic Starter)

Posted 11 June 2017 - 10:08 PM

Hope someone can help us :( I've also DMed Demonslay335 a pair of files, before and after encryption. Hopefully it will help. I chose to DM because the file was too big, so I uploaded it to Dropbox instead.


Edited by Pinksoshistuff, 12 June 2017 - 01:49 AM.


#9 Demonslay335, Ransomware Hunter (Security Colleague)

Posted 29 June 2017 - 08:39 AM

Marcelo Rivero of MalwareBytes found a sample: https://twitter.com/MarceloRivero/status/880257537404268544

 

We'll be analyzing it soon.






