
All files were encrypted with postfix of id-xxxx_[mk.stryker@aol.com].i05fp


2 replies to this topic

#1 idle


  • Members
  • 1 posts

Posted 27 June 2017 - 08:43 PM

The dropped file is '### DECRYPT MY FILEs ###.txt'.

 

All the times I mention are Hong Kong time. At about 23:00 on June 25th, Windows Defender on my computer (OS is Windows 10, always auto-updated) reported two threats: 'Ransom:Win32/CryptoLemPiz.A' (several times) and 'Trojan:Win64/SvcMiner.A' (one time). I was not there, and when I got to my computer at 9 o'clock the next day (June 26th), I found that all the files on the desktop were missing and there was some software like '???unlocker' (sorry, I cannot clearly remember that name). I found the alert message from Windows Defender and then decided to install the antivirus software 'ESET NOD32 5.0.2126.3' with the newest virus database. Everything seemed normal before 5 o'clock that day (I left after that time with the computer not shut down).

 

Then at 10 o'clock the next day (June 27th), I came to my computer to find that most files were encrypted with a postfix of 'id-xxxx_[mk.stryker@aol.com].i05fp' and the hacker had dropped a file named '### DECRYPT MY FILEs ###.txt'. I think when I got to my computer the hacking process was still going on, because at that time I could still open some files, and I found a software named 'processhacker' and then deleted it. After a while, nearly all files were encrypted. I wrote to the email address in the postfix and got a return mail asking 2 BTC for ransom. Now I have disconnected the computer from the internet and don't know what to do next.

The dropped file cannot be opened on my computer now because NOD32 cleans it every time I open it.

 

If anyone can help me or just wants to analyze the hacker, I will be glad to provide further information as they ask.

 




 


#2 Glib


  • Members
  • 12 posts

Posted 28 June 2017 - 04:33 AM

I did a quick search on that email address and it appears to be the Dharma Ransomware. The software required for removal is detailed here. If you need assistance with the process, they advise posting on the Dharma support topic.

 

Good luck with this.



#3 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,739 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 June 2017 - 05:52 AM

Any files that are encrypted with Cry9 or Cry36, the newest variants of CryptON, will have a random 5 character hexadecimal extension appended to the end of the encrypted filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7, .id-1163283255_[mk.stryker@aol.com].i05fp) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.

Any files that are encrypted with Dharma Ransomware will have a .dharma, .wallet, .onion or .zzzzz extension following an id-<8 random hexadecimal characters>.[email address] appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[bitcoin143@india.com].dharma, .id-480EB957.[legionfromheaven@india.com].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[amagnus@india.com].zzzzz) and leave files (ransom notes) named README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt.

ID Ransomware was providing detection results for both...Dharma due to the email address triggering FPs. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
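The naming conventions described in the post above lend themselves to a small triage script. The following is an added example, not code from the thread or from ID Ransomware: it parses encrypted filenames with the CryptON (Cry9/Cry36) and Dharma layouts quoted in the post and only reports a confident family when the filename and the ransom-note name agree, which is the point the post makes about uploading both together. The regexes, the set of note names and the "inconsistent"/"unknown" labels are this example's own choices, and the CryptON token is matched as five lowercase alphanumerics because the post's own samples (.i05fp, .830s7) contain letters outside the hex alphabet.

```python
import re
from typing import Optional

# Ransom-note file names quoted in the post, keyed by family (stored casefolded).
RANSOM_NOTES = {
    "CryptON": {"### decrypt my files ###.txt"},
    "Dharma": {"readme.txt", "readme.jpg", "hello my vichtim.txt",
               "your personal data are encrypted!.txt"},
}

# CryptON (Cry9/Cry36) layout from the post: <name>.id-<digits>_[<email>].<5 chars>
# The post's samples (.i05fp, .830s7) hold letters outside hex, so the trailing
# token is matched as five lowercase alphanumerics rather than strictly hex.
CRYPTON_RE = re.compile(
    r"\.id-(?P<id>\d+)_\[(?P<email>[^\]]+)\]\.(?P<ext>[a-z0-9]{5})$")

# Dharma layout from the post: <name>.id-<8 hex>.[<email>].<dharma|wallet|onion|zzzzz>
DHARMA_RE = re.compile(
    r"\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]"
    r"\.(?P<ext>dharma|wallet|onion|zzzzz)$")

def classify_filename(name: str) -> Optional[dict]:
    """Return {'family', 'id', 'email', 'ext'} for an encrypted filename, else None."""
    for family, pattern in (("CryptON", CRYPTON_RE), ("Dharma", DHARMA_RE)):
        m = pattern.search(name)
        if m:
            return {"family": family, **m.groupdict()}
    return None

def classify_note(note_name: str) -> Optional[str]:
    """Map a ransom-note file name to a family, ignoring letter case."""
    for family, notes in RANSOM_NOTES.items():
        if note_name.casefold() in notes:
            return family
    return None

def triage(filenames, note_names) -> str:
    """Combine both signals as the post recommends: one agreeing family is a
    confident match; more than one means the evidence is inconsistent."""
    families = set()
    for f in filenames:
        hit = classify_filename(f)
        if hit:
            families.add(hit["family"])
    families.update(fam for fam in map(classify_note, note_names) if fam)
    if len(families) == 1:
        return families.pop()
    return "inconsistent" if families else "unknown"
```

Running `triage` on the original poster's filename and note name returns "CryptON"; pairing that same filename with a Dharma note name such as README.txt returns "inconsistent", which is the false-positive situation the post describes.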



