
Azer / EXTE Ransomware / CryptoMix Revenge (.mole, .mole02, azer) Support Topic
77 replies to this topic

#76 Gretsky99
Posted 17 July 2017 - 07:48 PM

Got hit with the .mole ransomware due to a brute-force attack on a terminal server. I tried the Mole decryptor 1.0.1 and it did not work. I think this is some sort of different revision of the virus. I submitted this for analysis but haven't gotten any response.

I also tried re-infecting some virtual machines with the trojan and using Wireshark to try to find the RSA key. Funny thing is, I do see the connections going out to an IP in China over HTTP, but in intercepting the data, it only indicates the GUID, which matches the ID that is in the txt files, and isn't showing any RSA keys.

If that is the case, then the package must contain the RSA decrypt key. How can we get a solution to this?


Edited by Gretsky99, 17 July 2017 - 07:56 PM.

#77 Muttiej
Posted 22 July 2017 - 10:11 PM

I hope this is the right topic... I have a couple of questions. I'm new to this website. I tried to read and understand everything that was said previously in this topic, but because I don't know a lot about computers, I don't think I understood everything that has already been said, so I might ask some things that are already answered.

I think my laptop got infected by this virus. All my files are encrypted and marked as MOLE03 files. And some files are marked as HELP INSTRUCTION with an explanation in them of how to decrypt it. I'm afraid to do that because, first of all, how do I know that I don't get myself in deeper trouble by following that link and those steps? And second, I'm not prepared to pay for it because it's criminal activity and I don't want to support that. Still, it sucks because I didn't make any backups the last 4 months since I'm travelling, so all my travel photos and music are gone (I know it's not the worst thing in the world and that other infected computers probably have way more valuable documents encrypted, but still, if there's a solution to this, I would like to know about it). I think I know exactly when and how my computer got infected, so if someone is interested, ask and I will tell. My questions now are:

1. Do I have to remove something from my laptop to prevent new files from becoming encrypted as well? (If yes, how do I know what to remove? My anti-virus programs didn't detect anything wrong.)

2. Can I infect other computers without knowing it?

3. Do I have to delete all the encrypted files? (As in: are the encrypted files dangerous to other (new) files/computers? And is there a slight chance that I can decrypt them in the future?)

Please, someone answer my questions, because I don't want to do anything that makes it worse and I would like to make new files which don't get encrypted!



#78 quietman7
Global Moderator
Posted 23 July 2017 - 07:30 AM

When you discover that your computer is infected with ransomware, one of the first things we advise is to create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

Most crypto-malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done, since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code, so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted, or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present, so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

Note: Disinfection will not help with decryption of any files affected by the ransomware.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
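Two points in this thread fit together: Gretsky99's observation that the ID in the ransom-note txt files is the same GUID the malware beacons to its server, and quietman7's advice to preserve the encrypted files, ransom notes and related data before any cleanup. The script below is an added example written for this page, not code from the thread, from the Mole decryptor, or from any tool named above. It walks a victim directory, hashes every file carrying a .mole / .mole02 / .mole03 extension (the variants named in this topic), copies each ransom note into an evidence folder with its timestamps intact, pulls any GUID-formatted victim ID out of the notes, and writes a JSON manifest. The ransom-note filename pattern, the sample files and their contents, and the GUID in the sample note are assumptions constructed for the demo; the thread only says the notes are called "HELP INSTRUCTION" and gives no example ID.

```python
"""Inventory ransomware artefacts (encrypted files, ransom notes, victim IDs)
before any cleanup, so the state can be verified later if a decryptor appears.
Added example for this thread; not code from any tool mentioned in it."""
import hashlib
import json
import os
import re
import shutil
import tempfile

# Extensions named in this topic (.mole, .mole02, MOLE03); matched case-insensitively.
ENCRYPTED_EXTS = (".mole", ".mole02", ".mole03")
# ASSUMPTION: the thread only says the notes are called "HELP INSTRUCTION";
# the exact on-disk filename is guessed here.
NOTE_PATTERN = re.compile(r"help[ _]?instruction", re.IGNORECASE)
# Gretsky99 reports the ID in the note is the GUID beaconed to the server, so
# we pull out any token in the standard 8-4-4-4-12 GUID form.
GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.IGNORECASE
)


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large encrypted files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(root, out_dir):
    """Walk `root`; record size/hash of encrypted files, copy ransom notes into
    `out_dir` (timestamps preserved), extract victim IDs, write manifest.json.
    Returns the manifest dict."""
    out_abs = os.path.abspath(out_dir)
    os.makedirs(out_abs, exist_ok=True)
    manifest = {"root": os.path.abspath(root), "encrypted": [], "notes": [], "victim_ids": []}
    for dirpath, dirs, files in os.walk(root):
        # Do not walk into our own evidence folder if it lives under root.
        dirs[:] = [d for d in dirs if os.path.abspath(os.path.join(dirpath, d)) != out_abs]
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(ENCRYPTED_EXTS):
                manifest["encrypted"].append(
                    {"path": rel, "size": os.path.getsize(path), "sha256": sha256_of(path)}
                )
            elif NOTE_PATTERN.search(name):
                dest = os.path.join(out_abs, "note_%d_%s" % (len(manifest["notes"]), name))
                shutil.copy2(path, dest)  # copy2 keeps mtime, useful for the timeline
                with open(path, "r", errors="replace") as f:
                    ids = sorted({g.lower() for g in GUID_RE.findall(f.read())})
                manifest["notes"].append(
                    {"path": rel, "copied_to": dest, "sha256": sha256_of(path), "victim_ids": ids}
                )
                for vid in ids:
                    if vid not in manifest["victim_ids"]:
                        manifest["victim_ids"].append(vid)
    manifest["manifest_file"] = os.path.join(out_abs, "manifest.json")
    with open(manifest["manifest_file"], "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def build_sample_tree(base):
    """CONSTRUCTED sample victim directory for the demo; not real data."""
    os.makedirs(os.path.join(base, "Documents"), exist_ok=True)
    # ASSUMPTION: the note filename and the example GUID are made up for the demo.
    samples = {
        "trip.jpg.MOLE03": b"\x00\x11not-real-ciphertext-1",
        "_HELP_INSTRUCTION.TXT": b"Your files are encrypted.\nID: 3f2504e0-4f89-11d3-9a0c-0305e82c3301\n",
        os.path.join("Documents", "report.docx.mole02"): b"\x22\x33not-real-ciphertext-2",
        os.path.join("Documents", "readme.txt"): b"plain file, untouched",
        os.path.join("Documents", "_HELP_INSTRUCTION.TXT"): b"ID: 3F2504E0-4F89-11D3-9A0C-0305E82C3301\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base


def demo():
    """Build the constructed tree in a temp dir and inventory it."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="mole_demo_"))
    return collect_evidence(base, os.path.join(base, "evidence"))


if __name__ == "__main__":
    m = demo()
    print("%d encrypted files, %d notes, victim IDs: %s"
          % (len(m["encrypted"]), len(m["notes"]), m["victim_ids"]))
```

This is an inventory to keep next to the full disk image, not a replacement for it: the image is what preserves registry entries and any key data the malware left behind. The SHA-256 values let you confirm later that the encrypted originals were not altered before a decryptor is tried, and the extracted victim ID is what a researcher would ask for when you submit the sample and note for analysis.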