Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Black mamba

  • This topic is locked This topic is locked
5 replies to this topic

#1 Anton_789


  • Members
  • 4 posts
  • Local time:12:41 AM

Posted 26 June 2017 - 03:17 AM

Hi, we were hit by this today.

Here is a sample.

Is there any chance?

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them. 

Encrtyption was produced using unique KEY generated for this computer. 

To decrypted files, you need to otbtain private key. 
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
To retrieve the private key, you need to pay 4 bitcoins

Bitcoins have to be sent to this address: 1JjKYDsYrJGPCzLGGmFL8nM7AvUncd2wYW

After you've sent the payment send us an email to : BLACK_MAMBA_Files@QQ.COM with subject : ERROR-ID-63100666(4BTC)
If you are  not familiar with bitcoin you can buy it from here :

SITE : www.localbitcoin.com

After we confirm the payment , we send the private key so you can decrypt your system.

BC AdBot (Login to Remove)


#2 thyrex


  • Members
  • 597 posts
  • Gender:Male
  • Location:Belarus
  • Local time:01:41 AM

Posted 26 June 2017 - 06:35 AM

I think that's Xorist. If you understand Russian please go to https://virusinfo.info/forumdisplay.php?f=46 or https://forum.kasperskyclub.ru/index.php?showforum=26

Edited by thyrex, 26 June 2017 - 07:30 AM.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016

#3 Anton_789

  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:41 AM

Posted 26 June 2017 - 09:59 AM

Thank you very much. I downloaded Emsisoft Decrypter for Xorist and its worked.

Edited by Anton_789, 26 June 2017 - 10:00 AM.

#4 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:04:41 PM

Posted 26 June 2017 - 11:59 AM

Thanks for confirming the Xorist decrypter worked. I've added rules to ID Ransomware to identify this variant of it.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,918 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:41 PM

Posted 26 June 2017 - 02:58 PM

Since the infection has been confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you (or other victims) posted any more questions, comments or requests for assistance in the below support topic discussion.To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 xXToffeeXx


    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:41 PM

Posted 26 June 2017 - 03:16 PM

One thing to note Anton_789, you need to secure RDP either by disabling it or securing all accounts with a strong password (not just using something like 'password'). Also, please create a backup of your important files.



~If I am helping you and you have not had a reply from me in two days, please send me a PM~


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here


 ~Twitter~ | ~Malware Analyst at Emsisoft~

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users