
Azer / EXTE Ransomware / CryptoMix Revenge (.mole, .mole02, azer) Support Topic



#76 Gretsky99


Posted 17 July 2017 - 07:48 PM

Got hit with the .mole ransomware due to a brute-force attack on a terminal server. I tried the mole decryptor 1.0.1 and it did not work. I think this is some sort of different revision of the virus. I submitted this for analysis but haven't gotten any response.

I also tried re-infecting some virtual machines with the trojan and using Wireshark to try to find the RSA key. Funny thing is I do see the connections going out to an IP in China over HTTP, but in intercepting the data, it only indicates the GUID, which matches the ID that is in the txt files, and does not show any RSA keys.

If that is the case then the package must contain the RSA decrypt key. How can we get a solution to this?


Edited by Gretsky99, 17 July 2017 - 07:56 PM.



#77 Muttiej


Posted 22 July 2017 - 10:11 PM

I hope this is the right topic... I have a couple of questions. I'm new to this website. I tried to read and understand everything that was said previously in this topic, but because I don't know a lot about computers, I don't think I understood everything that was already said, so I might ask some things that are already answered.

I think my laptop got infected by this virus. All my files are encrypted and marked as MOLE03 files. And some files are marked as HELP INSTRUCTION with an explanation in them of how to decrypt it. I'm afraid to do that because, first of all, how do I know that I don't get myself into deeper trouble by following that link and those steps? And second, I'm not prepared to pay for it because it's criminal activity and I don't want to support that. Still, it sucks because I didn't make any backups in the last 4 months since I'm travelling, so all my travel photos and music are gone (I know it's not the worst thing in the world and that other infected computers probably have way more valuable documents encrypted, but still, if there's a solution to this, I would like to know about it). I think I know exactly when and how my computer got infected, so if someone is interested, ask and I will tell. My questions now are:

1. Do I have to remove something from my laptop to prevent new files becoming encrypted as well? (If yes, how do I know what to remove? My antivirus programs didn't detect anything wrong.)

2. Can I infect other computers without knowing it?

3. Do I have to delete all the encrypted files? (As in: are the encrypted files dangerous to other (new) files/computers? And is there a slight chance that I can decrypt them in the future?)

Please, someone answer my questions, because I don't want to do anything that makes it worse and I would like to make new files which don't get encrypted!



#78 quietman7


Posted 23 July 2017 - 07:30 AM

When you discover that your computer is infected with ransomware, one of the first things we advise is to create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

Note: Disinfection will not help with decryption of any files affected by the ransomware.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
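The advice above is to preserve the encrypted files and ransom notes as-is in case a decryptor appears later. As an added example (not code from the thread or from any decryptor mentioned in it), the Python script below walks a directory tree, picks out files carrying the extensions named in this thread (.mole, .mole02, .mole03, .azer, .pirate) and the ransom notes named here, and writes a JSON manifest with size and SHA-256 of each, so a victim can later prove the preserved copies are unmodified. The extension list, note-name markers and the sample tree are assumptions constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions and ransom-note names reported in this thread (assumption:
# matching is case-insensitive, so .MOLE and .mole are treated alike).
ENCRYPTED_SUFFIXES = (".mole", ".mole02", ".mole03", ".azer", ".pirate")
NOTE_MARKERS = ("HELP_INSTRUCTION", "HELP INSTRUCTION",
                "_INTERESTING_INFORMACION_FOR_DECRYPT")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large encrypted files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Record every encrypted file and ransom note under root with size and hash."""
    result = {"encrypted": [], "notes": [], "extensions": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            entry = {"path": str(p.relative_to(root)),
                     "size": p.stat().st_size, "sha256": sha256_of(p)}
            if any(m in name.upper() for m in NOTE_MARKERS):
                result["notes"].append(entry)
            elif name.lower().endswith(ENCRYPTED_SUFFIXES):
                ext = p.suffix.lower()
                result["encrypted"].append(entry)
                result["extensions"][ext] = result["extensions"].get(ext, 0) + 1
    return result


def write_manifest(root: Path, out: Path) -> dict:
    """Write the inventory as JSON next to the preserved data and return it."""
    inv = inventory(root)
    out.write_text(json.dumps(inv, indent=2, sort_keys=True))
    return inv


def demo() -> dict:
    """Constructed sample tree (dummy bytes, not a real infection) for a dry run."""
    root = Path(tempfile.mkdtemp())
    (root / "photos").mkdir()
    (root / "photos" / "IMG_001.jpg.mole03").write_bytes(b"\x00" * 64)
    (root / "photos" / "IMG_002.jpg.mole03").write_bytes(b"\x01" * 64)
    (root / "docs.zip.MOLE").write_bytes(b"\x02" * 16)
    (root / "_HELP_INSTRUCTION.TXT").write_text("constructed note")
    (root / "readme.txt").write_text("untouched file")
    return write_manifest(root, root / "manifest.json")
```

Run `demo()` to see the manifest for the constructed tree; point `write_manifest` at a copy of the real drive image, never the original, to inventory a genuine case.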

#79 electronm


Posted 02 August 2017 - 06:30 PM

Hi, a friend got caught with this the morning it came out.  Is there any update on a decryptor for this yet?

 

Thanks



#80 quietman7


Posted 02 August 2017 - 06:42 PM

All current information we have is in this topic.

#81 mbial


Posted 03 August 2017 - 03:47 PM

It appears I have contracted another new variant of CryptoMix Revenge using the .PIRATE extension and cannot find any information about it or how to decrypt the files.  It created the text file _INTERESTING_INFORMACION_FOR_DECRYPT.TXT with the following message contained in it:

 

All you files encrypted

 
For decrypt write to email:
 
msdecry@aol.com
 
Then it has an ID for my system.  I have already submitted to ID Ransomware to detect.  Where do I go from here?  Any help would be huge.  Thank you!


#82 rabotnik1


Posted 04 August 2017 - 12:44 AM

Hello friends

 

Is there any cure for the "Mole" extension? I can upload a sample (encrypted file); maybe I have a chance of decryption? :)



#83 quietman7


Posted 04 August 2017 - 05:24 AM

A decryptor has been released for the Mole02 variant...see here.

#84 rabotnik1


Posted 05 August 2017 - 01:45 AM

Thank you. I have tried this, but with no luck. I have the .mole extension, not .mole02.



#85 quietman7


Posted 05 August 2017 - 05:59 AM

In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, for what seems like an impossibility at the moment (decryption of your data), there is always hope that someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

#86 Gretsky99


Posted 19 August 2017 - 10:51 AM

mbial: For me it seems like the same email: msdecry@aol.com

mbial: For me it seems like the same email address was used: msdecry@aol.com for a .mole version.

Rabotnik1: You can try the mole decryptor, but if you have the same version I have, you're out of luck. Looks like they modified something to make 1.01 not work. I can't for the life of me find the key being reported back to the servers. It's not passing any traffic except for the count of files encrypted, so they know who they can get more money out of. Lost a lot of personal data, but I'd rather bite my lip than pay them a dime. My guess is the key is hard coded or predefined, which means it's shared. So I would think one day they will come out with something. I've submitted samples to the developers of Moledecryptor 1.0.1, including the decryptor package. I haven't heard back. Do you have that same file that ran in your appdata folder? Have any details on it?



#87 rabotnik1


Posted 21 August 2017 - 03:02 AM

mbial: For me it seems like the same email: msdecry@aol.com

mbial: For me it seems like the same email address was used: msdecry@aol.com for a .mole version.

Rabotnik1: You can try the mole decryptor, but if you have the same version I have, you're out of luck. Looks like they modified something to make 1.01 not work. I can't for the life of me find the key being reported back to the servers. It's not passing any traffic except for the count of files encrypted, so they know who they can get more money out of. Lost a lot of personal data, but I'd rather bite my lip than pay them a dime. My guess is the key is hard coded or predefined, which means it's shared. So I would think one day they will come out with something. I've submitted samples to the developers of Moledecryptor 1.0.1, including the decryptor package. I haven't heard back. Do you have that same file that ran in your appdata folder? Have any details on it?

Hello,

Bad news, but I will be waiting.

The files are on a friend's PC; I will try to ask him.



#88 mbial


Posted 21 August 2017 - 10:04 AM

I'll give the mole decryptor a try too, but I believe I attempted this initially after the infection.  I'll let you know if I have any luck.



#89 coffee0327


Posted 25 September 2017 - 01:02 AM

Any help on mole03?



#90 quietman7


Posted 25 September 2017 - 06:10 AM

There is no decrypter for the mole03 variant that I am aware of.



