Lalabit*h Ransomware Support Topic


  • Please log in to reply
6 replies to this topic

#1 andyebbo


Posted 30 June 2017 - 04:34 PM

This has not happened on my local PC, but my web server has been hit with this. All files have been infected with a .lalableep encrypted extension; see the message below. The machine was hacked and infected.
 
Your site is locked with Lalableep Custom encryption method,
Please pay 0.5 btc to 18LbTxonanfMoh43t47Pjvdox7z2HFaiM9 for the Decryption key. Or else,
in 12 hours all of your files in this website will be deleted
-[ lalableep2017[at]yandex.com ]-
----------------------------------------------
This is a notice of ransomware.

How to restore the beginning?
Please contact us via email listed
 
Anyone seen anything like this before? Cannot seem to find any decryption tool to cover this one?
 
note the bleep = b i t c h
 
I would upload a file but cannot seem to see how you do this.

Edited by quietman7, 15 August 2017 - 02:41 PM.


#2 cybercynic


Posted 30 June 2017 - 04:42 PM

Upload the ransom note AND an encrypted file to ID-Ransomware for identification of the ransomware. If the site cannot identify the ransomware, it will give you a SHA-1 hash to post here for the analysts.

Upload a few encrypted files to Sendspace and post the download link here.



#3 andyebbo


Posted 30 June 2017 - 04:49 PM

It does not recognize the ransomware, so the SHA-1 hash is e57a76db1aebedf3bcb2731b5ecb6a4dc95e6e5b

https://www.sendspace.com/filegroup/YtTeQLZGTCIweAwovanTPFVVC3dN7ujx

Some files are at the link.



#4 quietman7


Posted 30 June 2017 - 07:20 PM

Demonslay335 will manually inspect the files when he gets a chance.

#5 Demonslay335


Posted 30 June 2017 - 11:27 PM

Definitely new, saw alerts come through on your submission earlier.

 

Any chance you can find the malware? Are there any other PHP or executable files on the site? The encrypted files are base64-encoded plus encrypted; I haven't seen that with many ransomware. I believe it looks like weak encryption at that, based on patterns I see.

 

Could you provide a few files and their originals? Since it's a web server, I hope you'd have backups available.

 

You may submit the file pairs and anything malicious here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

I've set up a rule on ID Ransomware to point victims here.


Edited by Demonslay335, 30 June 2017 - 11:32 PM.

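A defender-side triage script for the observation above (files that are base64-wrapped and look weakly encrypted), added here as an example and not code from the original thread or from Demonslay335. It walks a web root, picks out files carrying the `.lalableep` extension reported in this topic, checks whether each is a single base64 blob, and measures the byte entropy of the decoded payload: values well below 8 bits/byte point at a weak or structured cipher rather than proper ciphertext, and these are the files worth pairing with originals for analysis. The sample tree it builds is constructed, and the single-byte 0x5A XOR used for the "weak" file is a hypothetical stand-in for the unknown cipher.

```python
import base64, binascii, math, os, tempfile
from collections import Counter
from pathlib import Path

EXT = ".lalableep"  # extension reported in this thread

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for real ciphertext, much lower for weak or structured output."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def try_base64(raw: bytes):
    """Return decoded bytes if the whole file is one base64 blob, else None."""
    stripped = b"".join(raw.split())
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None

def triage(root: str) -> dict:
    """Map each *.lalableep file under root to (is_base64, entropy of the payload)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(EXT):
                continue
            path = os.path.join(dirpath, name)
            raw = Path(path).read_bytes()
            decoded = try_base64(raw)
            ent = shannon_entropy(raw if decoded is None else decoded)
            results[os.path.relpath(path, root)] = (decoded is not None, round(ent, 2))
    return results

def build_sample(root: str) -> None:
    """Write constructed sample files (not victim data): one weakly 'encrypted', one random."""
    plain = b"<?php echo 'Hello, world'; ?>\n" * 100
    weak = bytes(b ^ 0x5A for b in plain)  # hypothetical single-byte XOR: entropy unchanged
    Path(root, "wp-content").mkdir()
    Path(root, "index.php" + EXT).write_bytes(base64.b64encode(weak))
    Path(root, "wp-content", "cfg.php" + EXT).write_bytes(base64.b64encode(os.urandom(4096)))
    Path(root, "readme.html").write_bytes(b"untouched, must not be reported")

def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)
```

On a real box, call `triage("/path/to/webroot")` instead of `run_demo()`; the low-entropy hits are the ones to submit together with their originals from backup.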


#6 andyebbo


Posted 04 July 2017 - 12:52 PM

Thanks, will upload now.



#7 Demonslay335


Posted 15 August 2017 - 12:57 PM

WordFence has an excellent article on this ransomware. It comes through not having your WordPress site locked down properly.

 

https://www.wordfence.com/blog/2017/08/ransomware-wordpress/

 

Unfortunately, it is not decryptable without getting a key from the criminals.

 

If someone does pay for a key (and receives it), I can create a decrypter since theirs is broken. I still don't ever recommend paying criminals.
