
Help Identify Ransomware


This topic is locked
12 replies to this topic

#1 diireno

diireno

  • Members
  • 13 posts

Posted 01 July 2017 - 11:30 PM

The note was DECRYPT.hta and was only placed on the desktop. The ransomware did not change the file extensions. It also left a nice little note on the desktop background. Unfortunately, the DECRYPT.hta was removed by the user shortly after infection. The infection, however, was able to encrypt files in the background.

 

I have two comparison files. The encrypted one was uploaded as a sample. Help would be greatly appreciated.

 

[attached image: Dx4v8A2.jpg]


Edited by diireno, 01 July 2017 - 11:54 PM.




#2 diireno

diireno
  • Topic Starter

  • Members
  • 13 posts

Posted 01 July 2017 - 11:37 PM

I have uploaded a sample file. Here is the reference. I believe I have the actual deployment virus caught by Webroot. I can provide that as well.

 

Please reference this case SHA1: 369d5d4a121658c52b48599a79764820f148756d



#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,590 posts
  • Gender:Male
  • Location:USA

Posted 02 July 2017 - 01:16 AM

I'm not finding any file markers or anything in the files you uploaded, so the note would have really been helpful.

 

If you can safely quarantine and extract the malware that caused the encryption, you may upload it here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 diireno

diireno
  • Topic Starter

  • Members
  • 13 posts

Posted 02 July 2017 - 01:51 AM

I have added the .js file here. This was the attachment copied directly from his email. I have also added the zipped exe located in the temp directory by Webroot the day of the infection. I believe it is the payload but I am not sure.


Edited by diireno, 02 July 2017 - 01:58 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,081 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2017 - 07:21 AM

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions.

Some ransomware variants (e.g. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4-byte CRC32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16-byte header, which is different for each victim. PClock and Cryptofag do not use a filemarker.

The best way to identify the different ransomware variants that do not append an extension is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment, and the malware file responsible for the infection. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
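quietman7's description of filemarkers above suggests a first triage check a responder can run on a handful of encrypted files: look for bytes that every encrypted file shares at its head or tail, and compare one encrypted file against a known clean copy to see whether the file grew and whether its original magic bytes survived. The Python below is an added example, not code from this thread or from any BleepingComputer tool; the marker value, file names and file contents are constructed sample data, and `MARKER` is a hypothetical filemarker, not one used by any named family.

```python
from typing import Dict, Iterable

# Constructed sample data: three "encrypted" files sharing a made-up 16-byte
# header (the hypothetical filemarker), each followed by differing bytes.
MARKER = bytes.fromhex("deadbeef00112233445566778899aabb")
SAMPLE_ENCRYPTED: Dict[str, bytes] = {
    "a.docx": MARKER + bytes((i * 37 + 11) % 256 for i in range(40)),
    "b.xlsx": MARKER + bytes((i * 91 + 200) % 256 for i in range(40)),
    "c.jpg": MARKER + bytes((i * 13 + 5) % 256 for i in range(40)),
}
SAMPLE_ORIGINAL = b"PK\x03\x04" + bytes(36)  # constructed clean copy of a.docx

def common_prefix(blobs: Iterable[bytes]) -> bytes:
    """Longest byte prefix shared by every blob (empty if they diverge at byte 0)."""
    blobs = list(blobs)
    prefix = blobs[0] if blobs else b""
    for blob in blobs[1:]:
        i = 0
        while i < min(len(prefix), len(blob)) and prefix[i] == blob[i]:
            i += 1
        prefix = prefix[:i]
        if not prefix:
            break
    return prefix

def common_suffix(blobs: Iterable[bytes]) -> bytes:
    """Longest byte suffix shared by every blob; some families append their marker."""
    return common_prefix(blob[::-1] for blob in blobs)[::-1]

def candidate_markers(encrypted: Dict[str, bytes], min_len: int = 4) -> Dict[str, bytes]:
    """Report a shared header and/or trailer of at least min_len bytes across the set."""
    blobs = list(encrypted.values())
    found: Dict[str, bytes] = {}
    head, tail = common_prefix(blobs), common_suffix(blobs)
    if len(head) >= min_len:
        found["header"] = head
    if len(tail) >= min_len:
        found["trailer"] = tail
    return found

def compare_pair(original: bytes, encrypted: bytes) -> Dict[str, object]:
    """Size change and whether the original's magic bytes survived encryption."""
    return {
        "size_delta": len(encrypted) - len(original),
        "original_header_intact": encrypted[:8] == original[:8],
    }
```

A shared header or trailer is only a candidate: confirm it against several unrelated file types before treating it as the family's marker, since files of one type (e.g. DOCX) share magic bytes of their own.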

#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 02 July 2017 - 09:02 AM

This should be the new version of Nemucod; we're currently looking into this variant, so please be patient.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,590 posts
  • Gender:Male
  • Location:USA

Posted 02 July 2017 - 11:57 AM

With that, also be warned that Nemucod comes dropped with a Kovter banking Trojan in addition to its own ransomware module. I would clean your system, then change all of your passwords for any web services you have ever accessed on that computer. Malwarebytes and HitmanPro are good cleaners in addition to your antivirus.

 

By the way, it's a new variant of Nemucod that the current decrypters won't be able to handle at the present time, but we're looking into it.




#8 diireno

diireno
  • Topic Starter

  • Members
  • 13 posts

Posted 05 July 2017 - 09:40 AM

We have been able to recover most of the data stored on the customer's server encrypted by this infection, thanks to cloud backup. However, the user with the infection has lost access to most of his files stored locally. As expected he is chomping at the bit to get his important files back. Is the community having any luck with this one?


Edited by diireno, 05 July 2017 - 09:43 AM.


#9 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 05 July 2017 - 12:02 PM

@Demonslay335, I had uploaded a copy of the DECRYPT.hta file to the ID Ransomware site on 04/07/2017 (multiple times, I think).

The hit was Nemucod-AES, as Toffee mentioned.

 

The user got infected via spam email attachment AFAIK.

Any update on this?

 

There were no other threats that could be detected.


Edited by Nikhil_CV, 05 July 2017 - 12:05 PM.

Regards : CV

There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. Signature contents © cv and Someone.......

#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,590 posts
  • Gender:Male
  • Location:USA

Posted 05 July 2017 - 12:25 PM

It would have been a spam attachment; Nemucod variants usually come through a fake FedEx letter, etc.

 

We're still looking into this newer one, but there's some hope for it. There's a ".db" file it stores that you have to hold onto for even them to be able to decrypt it if you paid. I'm not clear where that file is stored, but it will have a list of files encrypted along with the encrypted bytes of each file (it writes garbage to the encrypted file; it's a weird scheme).




#11 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 05 July 2017 - 12:50 PM

Looks like crooks are "innovative".... :mellow:

 

Thank you for the tip. Let me see if I can reach the user.



#12 diireno

diireno
  • Topic Starter

  • Members
  • 13 posts

Posted 05 July 2017 - 01:08 PM

Thank you guys for working on this. I hope the .db file wasn't stored in a temp directory :/



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,081 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 July 2017 - 01:53 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



