HOW-TO-DECRYPT-FILES.txt


21 replies to this topic

#1 systemflipper1

systemflipper1

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 18 June 2017 - 10:20 PM

Hi Guys, 

 

Last week one of my Windows Server 2012 machines took its last breath because of the infamous malware.

 

All files are encrypted, including backups (replication), and changed to the .CC file extension with blockedblocked.cc.blockedblocked.cc file names.

 

I just want to ask if anyone has experienced the same and how you dealt with it?

 

TIA

 

Ransom note:

 

YOUR SYSTEM IS LOCKED AND ALL YOUR DATA HAS BEEN ENCRYPTED.
 
DON'T WORRY YOUR FILES AS SAFE.
 
TO RETURN ALL THE NORMALLY YOU MUST BUY THE DECRYPTOR PROGRAM.
 
PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.
 
YOU CAN GET THEM VIA ATM MACHINE OR ONLINE 
 
https://coinatmradar.com/   (find a ATM)
 
https://www.localbitcoins.com/  (buy instantly online any country)
 
THE PRICE FOR DECRYPTOR SOFTWARE IS 1 BTC
 
BTC ADRESS : 13erqqbBFUaVLyLPwm3dUhApG4xAVQd5Ei
 
VERRY IMPORTANT !
 
DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .
 
For more information : secure2017@tuta.io    (24/7)
 
Subject : SYSTEM-ID:20172018
 



#2 L_Pudding

L_Pudding

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 18 June 2017 - 10:38 PM

Maybe a new kind of ransomware... could you provide the source virus file? For example, some suspicious executable files in %startup% or %APPDATA%. (I'm so sorry for my bad English.)



#3 systemflipper1

systemflipper1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 18 June 2017 - 10:48 PM

Hi,

 

All I have right now is the encrypted files saved on my external drive. Unfortunately the server got stuck in a boot loop and I have reformatted the system already.

 

This is the format of the file:

 

excel.xls.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc

extension: .cc

 

Thanks


Are there any tools for Windows or Linux that can decrypt the files?


Edited by systemflipper1, 18 June 2017 - 10:48 PM.


#4 L_Pudding

L_Pudding

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 18 June 2017 - 10:59 PM

Hi,

 

All I have right now is the encrypted files saved on my external drive. Unfortunately the server got stuck in a boot loop and I have reformatted the system already.

 

This is the format of the file:

 

excel.xls.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc.blockedblocked.cc

extension: .cc

 

Thanks


Are there any tools for Windows or Linux that can decrypt the files?

Sorry,I've never seen this extension....



#5 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:50 PM

Posted 18 June 2017 - 11:09 PM

Follow the instructions for submitting samples to ID Ransomware...

 

https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/



#6 systemflipper1

systemflipper1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 19 June 2017 - 12:48 AM

Hi Jwoods, yep, I followed it and it seems I have a new version of ransomware, for it did not return any results.



#7 al1963

al1963

  • Members
  • 824 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 19 June 2017 - 01:29 AM

@systemflipper1,

 

Add a couple of files, an encrypted one and its original (taken from a clean copy), to http://sendspace.com and give us a link to these files in your message.

--------

It is desirable that it be an office document: doc or xls.


Edited by al1963, 19 June 2017 - 01:30 AM.


#8 systemflipper1

systemflipper1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 19 June 2017 - 03:03 AM

Hi @al1963,

 

Please see the link: https://www.sendspace.com/file/a2ktlu

 

 

Unfortunately, I don't have the original file; all files from my replicated backup have been encrypted as well.

 

Thanks a lot!



#9 al1963

al1963

  • Members
  • 824 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 19 June 2017 - 03:46 AM

@systemflipper1,

 

Then look for encrypted files like this:

 

Chrysanthemum.jpg
Desert.jpg
Koala.jpg
Lighthouse.jpg

 

And also add them by clicking on the "sendspace.com" link.



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,728 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 PM

Posted 19 June 2017 - 04:56 AM

Hi Jwoods, yep, I followed it and it seems I have a new version of ransomware, for it did not return any results.

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
(screenshot of the ID Ransomware result page showing the case SHA1; image not reproduced)

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto malware experts analyze and investigate.

BTW...Xorist Ransomware variants are known to leave files (ransom notes) named HOW-TO-DECRYPT-FILES.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button in my signature.

#11 sankmurthy

sankmurthy

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 19 June 2017 - 07:44 AM

Hi guys,

 

The files on my Windows server 2007 are encrypted and I have the same ransom note. Can anyone please help me out? All my files are encrypted and the filenames changed to .blocked@blocked.cc as an extension added to the existing names.

 

This is the ransom note:

 

YOUR SYSTEM IS LOCKED AND ALL YOUR DATA HAS BEEN ENCRYPTED.
 
DON'T WORRY YOUR FILES AS SAFE.
 
TO RETURN ALL THE NORMALLY YOU MUST BUY THE DECRYPTOR PROGRAM.
 
PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.
 
YOU CAN GET THEM VIA ATM MACHINE OR ONLINE 
 
 
https://www.localbitcoins.com/  (buy instantly online any country)
 
THE PRICE FOR DECRYPTOR SOFTWARE IS 1 BTC
 
BTC ADRESS : 13erqqbBFUaVLyLPwm3dUhApG4xAVQd5Ei
 
VERRY IMPORTANT !
 
DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .
 
For more information : secure2017@tuta.io    (24/7)
 
Subject : SYSTEM-ID:20172018


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,728 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 PM

Posted 19 June 2017 - 01:15 PM

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples can be submitted (uploaded) here.



#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,210 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:50 PM

Posted 19 June 2017 - 05:59 PM

The files uploaded to ID Ransomware do look like they were encrypted by Xorist. @thyrex would be best to advise in these cases, as I'm not sure if there are multiple layers of the same encryption. Seems actors using Xorist lately have been extremely sloppy in their encryption... and they come in via RDP, so secure that.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
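As an added illustration for this thread (it is not code from any poster here, nor from ID Ransomware or CryptoSearch): the five repeated ".blockedblocked.cc" suffixes on systemflipper1's filenames are what the "multiple layers of the same encryption" remark above refers to, and a responder needs the per-file layer count before any decryptor is tried, since each pass has to be undone in turn. The Python script below walks a directory, strips the marker once per layer, recovers the probable original name and builds a histogram of layer depths. The two marker strings are copied verbatim from the posts (the site's word filter may have altered the real extension), so they are passed as a parameter to be replaced with whatever marker was actually observed; the sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Suffixes exactly as they appear in this thread. Assumption: these stand in
# for the real marker; substitute the one observed in your own incident.
KNOWN_SUFFIXES = (".blockedblocked.cc", ".blocked@blocked.cc")


def parse_encrypted_name(name, suffixes=KNOWN_SUFFIXES):
    """Strip repeated ransomware suffixes from a filename.

    Returns (probable_original_name, layer_count). A file that was run through
    the encryptor more than once carries the suffix once per pass, which is
    what the repeated '.blockedblocked.cc' in the thread shows. A name that
    consists only of the suffix is left alone so nothing collapses to "".
    """
    layers = 0
    stripped = True
    while stripped:
        stripped = False
        for suffix in suffixes:
            if name.endswith(suffix) and len(name) > len(suffix):
                name = name[: -len(suffix)]
                layers += 1
                stripped = True
                break
    return name, layers


def scan_tree(root, suffixes=KNOWN_SUFFIXES):
    """Walk a directory tree and return (hits, depth_histogram).

    hits is a list of (path, probable_original_name, layers) for every file
    carrying at least one suffix; depth_histogram counts files per layer depth,
    which tells you how many encryption passes the actor's tool made.
    """
    hits = []
    depth_histogram = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            original, layers = parse_encrypted_name(fname, suffixes)
            if layers:
                hits.append((os.path.join(dirpath, fname), original, layers))
                depth_histogram[layers] += 1
    return hits, depth_histogram


def build_sample_tree():
    """Create a throwaway directory with constructed filenames mirroring the
    thread, so the scanner can be exercised offline. File contents are
    placeholder bytes, not real encrypted data."""
    root = tempfile.mkdtemp(prefix="xorist_triage_")
    names = [
        "excel.xls" + ".blockedblocked.cc" * 5,   # five passes, as in post #3
        "report.docx.blocked@blocked.cc",          # one pass, as in post #11
        "HOW-TO-DECRYPT-FILES.txt",                # ransom note, not encrypted
        "Koala.jpg.blockedblocked.cc",             # one pass
    ]
    for n in names:
        with open(os.path.join(root, n), "wb") as fh:
            fh.write(b"constructed placeholder bytes")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits, histogram = scan_tree(root)
    for path, original, layers in sorted(hits):
        print(f"{layers} layer(s): {os.path.basename(path)} -> {original}")
    print("layer depth histogram:", dict(histogram))
```

Run it against a mounted copy of the affected volume (read-only, as systemflipper1 did from a Linux live system) rather than the live server; the histogram is the quick check for whether every file saw the same number of passes or whether the actor's tool ran unevenly across the tree.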


#14 systemflipper1

systemflipper1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 19 June 2017 - 06:08 PM

Thanks Demonslay335,

 

Thanks for the prompt response. Securing RDP was done after reformatting the system; luckily I salvaged some files using a Linux distro and mounted the drive before reformatting.

 

Please advise for any solution and thanks for the help @thyrex

 

Regards



#15 sankmurthy

sankmurthy

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 20 June 2017 - 01:09 AM

I have uploaded the file, quietman7.

Please, any help is appreciated.





