
Unknown ransomware - .7z extension - READ ME.txt
#1 ssergiio

Posted 12 June 2017 - 11:22 AM

Hi,

Last week our company server (Windows Server 2003) got encrypted in a strange way through an RDP connection from Turkey. I say "in a strange way" because this is what the ransomware did:

  • Compressed the "C:" drive root, except the OS folders, into a password-protected C:\c2.7z file.
  • Compressed the admin user folder (from Documents and Settings) into a password-protected C:\Administrador1.7z file.
  • Dropped the "READ ME.txt" file on C:

 

Content of the "READ ME.txt":

Hello I'm a System Expert I Hacked Your System But There Is No Frightening Situation
Encrypting your files in a way that your files will be retrieved
Your Data will Not Be Saved Absolutely And Will Not Be Returned To You
We Are Constraining 12 Hours To Get Your Crisis
If You Do not Have Your Files Encrypted We Are Destroying Ourself, We Are Working To Save
Your moment is not a situation other than the loss of time and I agree with you Enemy
If you have received your payment, you will be able to keep your time files encrypted and you can continue to work from now on
And Your System Will Tell You In The Openness I Will Help You Close Your Closure Something Else Will Never Come Home
For You To Be Last Submissive Mail Address And Reference Number You Must Tell Us Your Reference Number At Mail
Otherwise, it will not be answered absolutely and certainly in reference numbers without a good number of days
You send Mail 12 hours I am Waiting...
Mail Address:yedekveri258@gmail.com
yedekveri258@gmail.com
yedekveri258@gmail.com
Reference Number:61
--------------------------------------------------------------------------------------------------------
(The second half of the note is the same text in garbled Portuguese; translated literally:)
Hello I am a condition to be afraid, but I already invaded your system, an expert system None
And taking advantage of the open files in your system to come back I cannot discover Encryption
There is no way to recover data on top of summer will definitely be back and you Getirilmi a Time
Restrictions we can make to obtain your password 12 hours 12 hours for the return of Vordur Egerer
Encrypt with your files in the absence of self-destruction
I posted, your logistical recovery
Understand the Times Another loss condition is not your enemy and I
We do not have the same agreed salaries
Evet been given time, if I submit my payment to continue your work of place to stay if the password
How to cut your system and you Notifier I additional close to becoming a good again so as not to come to your head
For, the last as I will give High Reference Number email address and tell us your reference number is necessary to dispose of mail
Otherwise, if the reference number Send Response Absolutely And, certainly, to Good Days
Our e-mail address:yedekveri258@gmail.com
yedekveri258@gmail.com
yedekveri258@gmail.com
Reference number:61
 
The mail address led me to think that we'd been infected with BTCWare, but people on the support topic said that it wasn't BTCWare.

Does anyone know something about this particular variant? Thank you in advance!
 
#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 12 June 2017 - 01:16 PM

I find it a little odd that they use (terrible) English and Portuguese, but when that email address was used with BTCWare, they used (still terrible) English and Spanish. I don't speak either of those other languages, so I cannot tell if it is terribly translated for them as well.

If they are legitimate 7-zip files (you'll see "7Z" as the first two bytes in a hex editor), then there will be little chance of breaking the password, especially without any info on how long the password they used is, or the character set. Since they got in via RDP, they might have zipped them up manually, so there might not be any malware to try reversing (and possibly exploiting).

For some reference, here's info on cracking 7zip password-protected files. I've never been able to crack one, honestly.

Please bear in mind you have practically no chance to crack an unknown password (longer than 6-7 symbols) if you have no additional info about it.

At least from version 3.x, 7-Zip has been using a strong AES algorithm, which doesn't allow any attacks more effective than brute force. Besides, the key derivation function is very similar to the RAR one, and uses more than 130000 SHA-256 transformations, and the brute force rate on a modern CPU is very low, only several hundred passwords per second. This implies that 7-Zip password encryption is one of the strongest among popular encryption systems in the context of brute force rate.

http://www.crark.net/crark-7zip.html
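The first triage step suggested above (confirm the .7z files really are 7-Zip archives rather than something merely renamed) can be done more rigorously than eyeballing two bytes in a hex editor. The added script below is an example written for this thread, not code from the poster or from 7-Zip: it checks the full 6-byte magic (ASCII "7z" followed by BC AF 27 1C), reads the format version, and verifies the CRC32 that protects the rest of the 32-byte signature header. The sample header it builds is constructed for the demo.

```python
import struct
import zlib

SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"  # ASCII "7z" followed by BC AF 27 1C
SIGNATURE_HEADER_LEN = 32                    # magic(6) + version(2) + CRC(4) + start header(20)


def inspect_7z_header(data: bytes) -> dict:
    """Parse the first 32 bytes of a file and report whether it is a real 7z archive."""
    result = {"is_7z": False, "reason": "", "version": None,
              "next_header_offset": None, "next_header_size": None}
    if len(data) < SIGNATURE_HEADER_LEN:
        result["reason"] = "shorter than a 7z signature header"
        return result
    if data[:6] != SEVENZ_MAGIC:
        result["reason"] = "magic bytes do not match the 7z signature"
        return result
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    result["version"] = f"{major}.{minor}"
    # StartHeaderCRC protects bytes 12..31: next-header offset, size and CRC.
    # A renamed or truncated file will almost never pass this check by accident.
    if zlib.crc32(data[12:32]) & 0xFFFFFFFF != start_crc:
        result["reason"] = "start header CRC mismatch (truncated, or not a real 7z)"
        return result
    offset, size, _next_crc = struct.unpack_from("<QQI", data, 12)
    result.update(is_7z=True, reason="valid 7z signature header",
                  next_header_offset=offset, next_header_size=size)
    return result


def inspect_7z_file(path: str) -> dict:
    """Read only the signature header; multi-GB archives are not loaded into memory."""
    with open(path, "rb") as fh:
        return inspect_7z_header(fh.read(SIGNATURE_HEADER_LEN))


def build_sample_header(next_offset: int, next_size: int, next_crc: int) -> bytes:
    """Constructed sample (not taken from any real archive): a valid version 0.4 header."""
    tail = struct.pack("<QQI", next_offset, next_size, next_crc)
    start_crc = struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF)
    return SEVENZ_MAGIC + bytes([0, 4]) + start_crc + tail


if __name__ == "__main__":
    print(inspect_7z_header(build_sample_header(1234, 56, 0xDEADBEEF)))
    print(inspect_7z_header(b"PK\x03\x04" + bytes(28)))  # a zip header, not 7z
```

Run it as `inspect_7z_file("C:\\c2.7z")` on the affected files; a valid result with a sane next-header offset and size confirms a genuine, untruncated archive, which is what makes the password the only remaining obstacle.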
