Azer / EXTE Ransomware / CryptoMix Revenge (.mole, .mole02, azer) Support Topic


77 replies to this topic

#1 sdmiller (Members, 1 post)

Posted 14 June 2017 - 01:05 PM

This virus hit file server(s) today, renaming file extensions with mole02 on the end.

There is no help with web search; so far all I have found is wipe the drive and restore from backup, not a good option.


Edited by quietman7, 21 June 2017 - 05:49 AM.




#2 twin_suns (Members, 2 posts)

Posted 14 June 2017 - 02:09 PM

I've just had a business customer with this on one of their computers. It deletes shadow copies and doesn't even appear to be in antivirus definition files yet.



#3 cybercynic (Members, 549 posts; Location: Edge Of Tomorrow)

Posted 14 June 2017 - 02:30 PM

> This virus hit file server(s) today renaming file extensions with mole02 on the end
>
> There is no help with web search, so far all I have found is wipe the drive and restore from backup, not a good option

 

Upload an encrypted file and the ransom note to ID-Ransomware to get a positive identification. If ID-Ransomware cannot identify the ransomware, it will ask you to post the SHA-1 hash here for the analysts to review.


We are drowning in information - and starving for wisdom.


#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,100 posts; Location: USA)

Posted 14 June 2017 - 02:30 PM

We've been looking into this, it almost appears to be a new version based on CryptoMix Revenge, which used the same filename scheme and ".MOLE". However, the Tor site and ransom note contents are different.

 

If either of you have samples of the malware, it would be most useful.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 twin_suns (Members, 2 posts)

Posted 14 June 2017 - 03:01 PM

> We've been looking into this, it almost appears to be a new version based on CryptoMix Revenge, which used the same filename scheme and ".MOLE". However, the Tor site and ransom note contents are different.
>
> If either of you have samples of the malware, it would be most useful.

 

I've yet to identify the malware itself but uploading to ID ransomware does come back as CryptoMix Revenge. Would you like me to link a copy of an encrypted file?



#6 ShaleMacGregor (Members, 2 posts)

Posted 14 June 2017 - 03:31 PM

Have an active copy still encrypting, shut down the system for now. Is there a typical file location to grab a malware sample for you?

    !!!IMPORTANT INFORMATION!!!

    All of your files are encrypted with RSA 2048 and AES-128 ciphers.
    More information about the RSA and AES can be found here:

    Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

    Follow these steps:
    1. Download and install Tor Browser: http://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: http://supportjy2xvvdmx.onion/
    4. Follow the instructions on the site.
    !!! Your DECRYPT-ID: ************************************ !!!

Backlink to another post with a mole problem has the same onion link.

Edited by ShaleMacGregor, 14 June 2017 - 03:37 PM.


#7 jlucivero (Members, 2 posts)

Posted 14 June 2017 - 03:37 PM

We were just hit with this at 11:30am. Had some directories on the share drive affected. I am currently contacting our antivirus vendor Sophos to add the definitions and for analysis. I will post an update as soon as I have one.



#8 Demonslay335, Ransomware Hunter (Security Colleague, 3,100 posts; Location: USA)

Posted 14 June 2017 - 03:39 PM

You'll have to scan the system to find the infection. Common locations may be %APPDATA%, %TEMP%, Downloads, etc. If you find it, please submit the malware here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#9 ShaleMacGregor (Members, 2 posts)

Posted 14 June 2017 - 03:47 PM

OK, I uploaded it; found in c:\users\username\appdata\roaming\0ABCF2F2.exe



#10 Merryworks (Members, 1 post)

Posted 14 June 2017 - 03:56 PM

Got hit today with it as well. Have not found how it entered the network yet. Nothing suspicious in the user's email or web history.



#11 jlucivero (Members, 2 posts)

Posted 14 June 2017 - 03:57 PM

Found the infected PC on our network. Right-click the file > Details, and look at the author of the file.



#12 cramit (Members, 1 post)

Posted 14 June 2017 - 03:57 PM

Company PC in Ohio affected, Win7 Pro, approx 1150a EDT, user not admin on machine. I started MBAM Chameleon to force an update. All desktop files locked, extensions changed to .MOLE02, internet and file download access still a-OK for the moment. Running MBAM. Attempted to upload encrypted file to ID-Ransomware but nothing identified.

 

Submitted file 025879390F...D49.MOLE02

 

Will update with scan results when finished.

 

Update: MBAM found nothing remarkable. Same with SpyHunter and SUPERantispyware, nothing outside of standard cookie mess. User has been directed to a higher authority. User was remote and not on VPN, attack isolated to his machine. Remote servers he was mapped to were unaffected. Prepping replacement machine, old machine being returned for diagnostic and potential shadow copy restore.


Edited by cramit, 15 June 2017 - 09:10 AM.
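Pulling together the triage steps scattered across the posts above (the SHA-1 that ID-Ransomware asks for in #3, the %APPDATA%/%TEMP%/Downloads drop locations in #8 and the appdata\roaming path in #9, the Properties > Details fields in #11, and the .MOLE02 extension and shadow-copy question in #2 and #12), here is a PowerShell script that runs those checks on one affected machine. It is an added example, not code from this thread or from any of the tools linked in the signatures; the drop locations, the 24-hour window and the `.MOLE02` default are assumptions taken from the posts, and the shadow-copy check needs an elevated prompt.

```powershell
# Added triage example, not code from this thread or from the tools linked above.
# Assumptions: the drop locations below are the ones named in posts #8 and #9,
# the default extension is the one reported in posts #1 and #12, and vssadmin
# needs an elevated prompt to list shadow copies.
param(
    [int]$HoursBack = 24,
    [string]$EncryptedExt = '.MOLE02'
)
$cutoff = (Get-Date).AddHours(-$HoursBack)
$dropPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
               (Join-Path $env:USERPROFILE 'Downloads')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. Recently created or modified executables in the usual drop locations,
#    with the SHA-1 that ID-Ransomware asks for and the version-info fields
#    that Explorer shows under Properties > Details.
$candidates = foreach ($dir in $dropPaths) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.js', '.vbs', '.wsf' } |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                SizeKB      = [math]::Round($_.Length / 1KB, 1)
                SHA1        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                Company     = $_.VersionInfo.CompanyName
                Description = $_.VersionInfo.FileDescription
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# 2. Scope of the damage under this profile: how many files carry the new
#    extension and which folders hold them (what CryptoSearch automates).
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq $EncryptedExt })
$byFolder = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending

# 3. Did any Volume Shadow Copies survive? Post #2 reports that this family
#    deletes them; 0 here is consistent with that (or with a non-elevated prompt).
$shadowCount = -1
try {
    $vssOutput = & vssadmin.exe list shadows 2>&1
    $shadowCount = @($vssOutput | Select-String -Pattern 'Shadow Copy ID').Count
} catch { }

$candidates | Sort-Object Created -Descending |
    Format-Table Path, Created, SizeKB, SHA1, Company, Signature -AutoSize
"{0} files with extension {1}; folders holding the most:" -f $encrypted.Count, $EncryptedExt
$byFolder | Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize
"Shadow copies remaining: $shadowCount"
```

Run it from the affected user's session so `%APPDATA%` and `%TEMP%` resolve to that profile; an unsigned executable with an empty Company field, created minutes before the first renamed files, is the candidate to submit through the link in post #8, and the SHA-1 column is what ID-Ransomware's analysts ask for when it cannot identify the sample on its own.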


#13 Demonslay335, Ransomware Hunter (Security Colleague, 3,100 posts; Location: USA)

Posted 14 June 2017 - 05:10 PM

Confirmed the sample @ShaleMacGregor shared was the ransomware. We'll have to analyze it to see if it's something completely new, or just a new variant (and of course most importantly, whether it can be decrypted).




#14 MCGITServices (Members, 1 post)

Posted 15 June 2017 - 07:58 AM

Had a client get hit with this yesterday at 10:20 AM EDT. Did locate PC it originated from (suspected anyway, since it was the only PC that also had encrypted files) and there were some important things to note:

 - OS Was Windows 10

 - User DID NOT have elevated privileges

 

I'm having the owner try to determine today how she installed it. Did she run a Java script? Possibly ask another owner (owners have admin IDs) to install or run something? I'll let you know what I hear. I did back up the user's APPDATA section of their profile, but I believe I inadvertently deleted all the other folders (my docs, etc.).

 

Server files were all restored by backup and I have confirmed server is not infected.



#15 quietman7, Bleepin' Janitor (Global Moderator, 49,123 posts; Location: Virginia, USA)

Posted 15 June 2017 - 02:28 PM

Most crypto malware (ransomware) typically will run under the security credentials of the user. It will run on non-admin accounts under the same privileges as the infected user and encrypt any files that are accessible to that user. If the user can write to a file, then the ransomware will be able to encrypt it. Ransomware needs write access to the files it encrypts, so while running as a non-admin account it will not be able to encrypt files owned by another account that it has no write access to.

Since crypto malware can run as a non-admin user, you will not see a UAC prompt. If your normal user account is a member of the Administrator group, the malware can install itself to run for all users.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
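quietman7's point above is that an infection running as an ordinary user reaches exactly the files that account can write, which is why several posters saw one workstation encrypt directories on a share. The useful defensive question for a file server is therefore how much of a share is writable by broad groups. The following PowerShell audit is an added example, not code from this thread; the share root is a parameter you supply, the list of "broad" principals is an assumption you should adjust to your domain, and it only reads Allow entries (Deny entries and share-level permissions are not evaluated), so treat its output as an upper-bound list to review.

```powershell
# Added share-exposure audit, not code from this thread. It lists the folders
# under a share root where broad groups hold write or delete rights, i.e. the
# set of folders a crypto-malware process running as any ordinary domain user
# could encrypt. Assumptions: the share root is supplied by you, the "broad"
# principal names below fit a default domain, and only Allow ACEs are read
# (Deny ACEs and share-level permissions are not evaluated).
param(
    [Parameter(Mandatory = $true)][string]$ShareRoot,   # e.g. \\fileserver\Shared (assumed)
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
)

# Rights that let a process overwrite or replace a file: the Write composite
# (WriteData/AppendData/attributes) and Delete. Un-mapped ACEs can instead
# carry GENERIC_WRITE / GENERIC_ALL in the high bits, so test those too.
$writeBits   = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete)
$genericBits = 0x40000000 -bor 0x10000000

function Test-BroadWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    if ($Rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    $id = $Rule.IdentityReference.Value                   # e.g. 'BUILTIN\Users', 'Everyone'
    $broad = $BroadPrincipals | Where-Object { $id -eq $_ -or $id -like "*\$_" }
    if (-not $broad) { return $false }
    $rights = [int]$Rule.FileSystemRights
    return ((($rights -band $writeBits) -ne 0) -or (($rights -band $genericBits) -ne 0))
}

# The root itself plus every sub-folder; files inherit from these in the common case.
$folders = @(
    Get-Item -LiteralPath $ShareRoot
    Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue
)

$exposed = foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }
    foreach ($rule in $acl.Access) {
        if (Test-BroadWrite -Rule $rule) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$exposed | Format-Table -AutoSize
$exposedFolders = @($exposed | Select-Object -ExpandProperty Folder -Unique)
"{0} of {1} folders are writable by a broad group" -f $exposedFolders.Count, $folders.Count
```

Folders that appear in the output are the ones a single compromised non-admin account could encrypt; tightening them to the specific team groups that actually need write access, and keeping backups on a target that no ordinary user can write to, limits the blast radius of exactly the scenario described in this thread.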



