
NO ext. change NO ransom note "CRYPTOLOCKER" look alike

This topic is locked. 11 replies to this topic.

#1 McDano (Members, 8 posts)

Posted 23 June 2017 - 02:18 PM

Hi there,

I appear to have some form of ransomware issue on my laptop that has encrypted my files. It has encrypted almost two thirds of my files and then has stopped I guess... because I have never received any ransom note. Malwarebytes recognised threats as:
Trojan.Fileless.MTGen....
Rootkit.Fileless.MTGen....
Ransom.CryptoLocker....

I am hopeless... Need help because it also corrupted files stored in OneDrive.
Please HELP.

I have some original and encrypted files if those would help.


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,479 posts, Virginia, USA)

Posted 23 June 2017 - 02:47 PM

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions.

Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4 byte long Crc32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim. PClock and Cryptofag do not use a filemarker.

The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.

Based on current infection rates and statistics, PClock (a CryptoLocker copycat) is the most prevalent ransomware variant that does not change the extension, use a filemarker or always leave a ransom note. Unfortunately, newer PClock variants are not decryptable...there is no longer any way to provide decryption without paying the ransom. If possible, your best option is to restore from backups.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 McDano, Topic Starter (Members, 8 posts)

Posted 23 June 2017 - 03:07 PM

But I have no ransom note... I have got just the Malwarebytes log file and more than 500GB of encrypted files... and some original copies to compare with. What should I do now?

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,479 posts, Virginia, USA)

Posted 23 June 2017 - 03:29 PM

You can submit samples of encrypted files to ID Ransomware for assistance with identification but without a ransom note, you most likely will not get a positive identification.

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.

#5 McDano, Topic Starter (Members, 8 posts)

Posted 23 June 2017 - 03:56 PM

I uploaded one file detected as Trojan.Fileless.MTGen, C:\USERS\-\APPDATA\LOCAL\A4C1F465\9AACCC00.BAT

and one file detected as Ransom.CryptoLocker, C:\USERS\-\APPDATA\LOCAL\TEMP\BERTOLUCCI.DLL is missing...


#6 McDano, Topic Starter (Members, 8 posts)

Posted 23 June 2017 - 04:47 PM

Also uploaded .jpg files, one encrypted plus the original for comparison.


#7 quietman7, Bleepin' Janitor (Global Moderator, 51,479 posts, Virginia, USA)

Posted 23 June 2017 - 06:03 PM

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#8 Demonslay335, Ransomware Hunter (Security Colleague, 3,511 posts, USA)

Posted 23 June 2017 - 10:09 PM

The batch file isn't really useful, it just starts a process. It does get tagged as part of Poweliks by AV though; I would make sure to scan your system thoroughly with antivirus and supplemental scanners. I'd recommend HitmanPro and MalwareBytes, both are free. I'd also run MalwareBytes Anti-Rootkit in this case, it tends to pick up on Poweliks and other rootkits well.

start "4PCW3e8NsEaHamFo2AeL" "%LOCALAPPDATA%\a4c1f465\ac9df4a0.e219d18ff"

If you can find that file, it might be useful.

From the file pair you provided, I don't think it is PClock, one of the most common that does not drop a note or leave any way of identifying a file. It definitely is not Spora or any of the others that ID Ransomware would have picked up on a filemarker. Since the encrypted file is the exact same size as the original file, and that size is not divisible by 16, it appears to be a stream cipher - meaning anything that uses AES (like PClock) is out of the picture.

Afraid we can only identify this one by the malware if you can secure it, or if you find any kind of contact info for the criminals left behind (e.g. ransom note, wallpaper, a window popup). If you have any idea how you got it (email attachment, download from website, etc.), that might help.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
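The two checks used in this thread, the size comparison Demonslay335 applies above (encrypted file exactly as large as the original and that size not a multiple of 16, so a stream cipher rather than a padded block cipher) and the shared header or filemarker quietman7 describes in post #2, can both be automated over original/encrypted file pairs. The script below is an added example for readers of this thread; it is not code from the thread, from ID Ransomware or from any of the tools linked above. The sample pairs and the 16-byte marker are constructed placeholder bytes, not real ransomware samples. One caveat, which post #11 of this thread illustrates from the other direction: a preserved size rules out padded block-cipher modes only. AES in CTR mode also leaves the size unchanged, so the heuristic narrows the candidates but cannot by itself exclude every AES-based family.

```python
"""Triage helper for (original, encrypted) file pairs.

For each pair it reports the size delta, whether the ciphertext length is a
multiple of the 16-byte AES block, and a verdict code; across all encrypted
files it looks for a shared leading byte sequence (a filemarker).
Added example, not code from the BleepingComputer thread or from ID Ransomware.
"""
import sys
from typing import Dict, List, Sequence, Tuple

AES_BLOCK = 16     # block size of AES; padded block modes produce multiples of it
HEADER_PROBE = 32  # how many leading bytes to compare when hunting for a marker


def _pattern(n: int, a: int, b: int) -> bytes:
    """Deterministic stand-in bytes for a file body (constructed test data, not a cipher)."""
    return bytes((a * i + b) % 256 for i in range(n))


# Hypothetical 16-byte filemarker, constructed for the example only.
MARKER = b"\xde\xad\xbe\xef" * 4

# Constructed sample pairs: (name, original_bytes, encrypted_bytes).
# The two photos mimic the thread: same size, size not a block multiple, no marker.
# The two documents mimic a padded block cipher with a prepended marker.
SAMPLE_PAIRS: List[Tuple[str, bytes, bytes]] = [
    ("photo1.jpg", _pattern(1001, 7, 13), _pattern(1001, 31, 5)),
    ("photo2.jpg", _pattern(2345, 11, 2), _pattern(2345, 37, 200)),
    ("doc1.docx", _pattern(1000, 3, 9), MARKER + _pattern(1008, 41, 77)),
    ("doc2.docx", _pattern(500, 5, 1), MARKER + _pattern(512, 43, 90)),
]


def analyse_pair(original: bytes, encrypted: bytes) -> Dict[str, object]:
    """Apply the size heuristic to one original/encrypted pair."""
    size_o, size_e = len(original), len(encrypted)
    delta = size_e - size_o
    block_multiple = size_e % AES_BLOCK == 0
    if delta == 0 and not block_multiple:
        verdict = "stream"        # size preserved, not a block multiple: stream cipher or unpadded mode
    elif delta == 0:
        verdict = "inconclusive"  # size preserved but happens to be a block multiple
    elif delta > 0:
        verdict = "grew"          # padding and/or a prepended header or marker
    else:
        verdict = "shrank"        # truncated, or not a plain encryption of this file
    return {
        "original_size": size_o,
        "encrypted_size": size_e,
        "delta": delta,
        "block_multiple": block_multiple,
        "verdict": verdict,
    }


def shared_header(blobs: Sequence[bytes], probe: int = HEADER_PROBE) -> bytes:
    """Longest common prefix (up to `probe` bytes) of all blobs; empty if none."""
    if not blobs:
        return b""
    prefix = bytes(blobs[0][:probe])
    for blob in blobs[1:]:
        matched = 0
        for x, y in zip(prefix, blob):
            if x != y:
                break
            matched += 1
        prefix = prefix[:matched]
        if not prefix:
            break
    return prefix


def triage(pairs: Sequence[Tuple[str, bytes, bytes]]) -> Dict[str, object]:
    """Run the per-file check and the marker search over a set of pairs."""
    reports = {name: analyse_pair(o, e) for name, o, e in pairs}
    grown = [e for name, _, e in pairs if reports[name]["delta"] > 0]
    return {
        "files": reports,
        "header_all": shared_header([e for _, _, e in pairs]),
        "header_grown": shared_header(grown),
    }


def load_pairs(paths: Sequence[str]) -> List[Tuple[str, bytes, bytes]]:
    """Read pairs from disk given argv as: original1 encrypted1 original2 encrypted2 ..."""
    pairs = []
    for orig_path, enc_path in zip(paths[0::2], paths[1::2]):
        with open(orig_path, "rb") as fo, open(enc_path, "rb") as fe:
            pairs.append((enc_path, fo.read(), fe.read()))
    return pairs


if __name__ == "__main__":
    pairs = load_pairs(sys.argv[1:]) if len(sys.argv) > 2 else SAMPLE_PAIRS
    result = triage(pairs)
    for name, report in result["files"].items():
        print(f"{name}: {report}")
    print("shared header (all):", result["header_all"].hex() or "none")
    print("shared header (grown files):", result["header_grown"].hex() or "none")
```

Run with no arguments to see the constructed samples, or pass original/encrypted paths in alternating order to check real pairs. A `stream` verdict on every file with no shared header is the pattern described in the thread; a `grew` verdict with a non-empty shared header is the filemarker case and is worth submitting to ID Ransomware, since that is exactly what its marker matching keys on.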


#9 McDano, Topic Starter (Members, 8 posts)

Posted 24 June 2017 - 01:18 AM

Thanks for the replies, I'm really stressed out...

I have uploaded the file you wanted, "ac9df4a0.e219d18ff", hope it helps...

Edited by McDano, 24 June 2017 - 01:20 AM.


#10 McDano, Topic Starter (Members, 8 posts)

Posted 24 June 2017 - 02:38 AM

Is it possible that it did not manage to leave a ransom note because it did not execute properly? Because my decrypted files' time and date range over 10+ hours, like it was encrypting the whole day and did not manage to finish properly??

And it also skipped all .mp3 files.


Edited by McDano, 24 June 2017 - 04:29 AM.


#11 Demonslay335, Ransomware Hunter (Security Colleague, 3,511 posts, USA)

Posted 24 June 2017 - 05:54 PM

I've been informed it actually IS PClock. I was wrong in my assumption that it uses AES. So my analysis of the files was correct, but my conclusion was backwards.

Afraid you can only restore from backup and better secure your system in the future.



#12 quietman7, Bleepin' Janitor (Global Moderator, 51,479 posts, Virginia, USA)

Posted 24 June 2017 - 06:00 PM

Since the infection has been confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff