Unknown ransomware - .7z extension - READ ME.txt

1 reply to this topic

#1 ssergiio
  • Members
  • 3 posts

Posted 12 June 2017 - 11:22 AM



Last week our company server (Windows Server 2003) got encrypted in a strange way through an RDP connection from Turkey. I say "in a strange way" because this is what the ransomware did:


  • Compressed the "C:" drive root, except the OS folders, into a C:\c2.7z password-protected file.
  • Compressed the admin user folder (from Documents and Settings) into a C:\Administrador1.7z password-protected file.
  • Dropped the "READ ME.txt" file on C:


Content of the "READ ME.txt":


Hello I'm a System Expert I Hacked Your System But There Is No Frightening Situation

Encrypting your files in a way that your files will be retrieved
Your Data will Not Be Saved Absolutely And Will Not Be Returned To You
We Are Constraining 12 Hours To Get Your Crisis
If You Do not Have Your Files Encrypted We Are Destroying Ourself, We Are Working To Save
Your moment is not a situation other than the loss of time and I agree with you Enemy
If you have received your payment, you will be able to keep your time files encrypted and you can continue to work from now on
And Your System Will Tell You In The Openness I Will Help You Close Your Closure Something Else Will Never Come Home
For You To Be Last Submissive Mail Address And Reference Number You Must Tell Us Your Reference Number At Mail
Otherwise, it will not be answered absolutely and certainly in reference numbers without a good number of days
You send Mail 12 hours I am Waiting...
Mail Address:yedekveri258@gmail.com
Reference Number:61
Hello I am a condition to be afraid, but I have already invaded your system, an expert system None
And taking advantage of the open files in your system returning I cannot discover Encryption
There is no way to recover data on top of summer it will definitely be back and you Getirilmi a Time
Restrictions we can make to obtain your password 12 hours 12 hours for the return of Vordur Egerer
Encrypt with your files in the absence of self-destruction
I posted, your logistical recovery
Understand the Times Another loss condition is not your enemy and I
We do not have the same agreed salaries
Evet been given time, if I submit my payment to continue your work of place to stay if the password
How to cut your system and you Notifier I supplementary close to becoming a good again so as not to come to your head
For, the last as I will give High Reference Number email address and tell us your reference number is necessary to have mail
Otherwise, if the reference number Send Response Absolutely And, certainly, to Good Days
Our e-mail address:yedekveri258@gmail.com
Reference number:61
The mail address led me to think that we've been infected with BTCWare but people on the support topic said that it wasn't BTCWare.
Does someone know something about this particular variant? Thank you in advance!


#2 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 12 June 2017 - 01:16 PM

I find it a little odd that they use (terrible) English and Portuguese, but when that email address was used with BTCWare, they used (still terrible) English and Spanish. I don't speak either of those other languages, so I cannot tell if it is terribly translated for them as well.
If they are legitimate 7-zip files (you'll see "7Z" as the first two bytes in a hex editor), then there will be little chance of breaking the password, especially without any info on how long the password they used is, or character set. Since they got in via RDP, they might have zipped them up manually, so there might not be a malware to try reversing (and possibly exploiting).
For some reference, here's info on cracking 7zip password-protected files. I've never been able to crack one honestly.

Please bear in mind you have almost no chance to crack an unknown password (longer than 6-7 symbols) if you have no additional info about it.

At least from version 3.x, 7-Zip has been using a strong AES algorithm, which doesn't allow any attacks more effective than brute force. Besides, the key derivation function is very similar to the RAR one and uses more than 130000 SHA-256 transformations, so the brute force rate on a modern CPU is very low, only several hundred passwords per second. This implies that 7-Zip password encryption is one of the strongest among popular encryption systems in the context of brute force rate.
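The "legitimate 7-zip file" check mentioned above can be done more rigorously than looking at the first two bytes: every .7z archive starts with a 32-byte signature header whose CRC can be verified. The following is an added example (not from the thread or from 7-Zip's own code) that parses that header over constructed sample bytes; the `build_sample_7z_header` helper and the sample values are assumptions for the demonstration.

```python
import struct
import zlib

# 7z signature header layout (first 32 bytes of every .7z file):
#   0..5   magic  '7z\xBC\xAF\x27\x1C'
#   6..7   archive version (major, minor)
#   8..11  StartHeaderCRC  = CRC32 of bytes 12..31
#   12..19 NextHeaderOffset (uint64, relative to byte 32)
#   20..27 NextHeaderSize   (uint64)
#   28..31 NextHeaderCRC    (uint32)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def identify_7z(data: bytes) -> dict:
    """Return a triage verdict for a suspected .7z file based on its signature header."""
    result = {"magic_ok": False, "crc_ok": False, "version": None,
              "next_header_offset": None, "next_header_size": None}
    if len(data) < 32 or data[:6] != SEVENZ_MAGIC:
        # "7z" as the first two bytes is not enough: the full 6-byte magic must match.
        return result
    result["magic_ok"] = True
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    result["version"] = (major, minor)
    # The start header CRC covers the 20 bytes that locate the (possibly encrypted) main header.
    result["crc_ok"] = (zlib.crc32(data[12:32]) & 0xFFFFFFFF) == start_crc
    off, size, _next_crc = struct.unpack_from("<QQI", data, 12)
    result["next_header_offset"] = off
    result["next_header_size"] = size
    return result


def build_sample_7z_header(next_offset: int, next_size: int, next_crc: int) -> bytes:
    """Construct a syntactically valid 7z start header (sample data only, not a real archive)."""
    tail = struct.pack("<QQI", next_offset, next_size, next_crc)
    return SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF) + tail


if __name__ == "__main__":
    # Constructed samples: a well-formed start header and a file that merely starts with "7z".
    genuine = build_sample_7z_header(next_offset=1024, next_size=90, next_crc=0x12345678)
    lookalike = b"7z" + b"\x00" * 30
    print(identify_7z(genuine))
    print(identify_7z(lookalike))
```

A header that passes both checks means the file really is a 7-Zip container (its main header may still be encrypted), while a failure points to something other than a standard archive and is worth a closer look.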

