
[black.mirror@qq.com].aleta, a new ransomware variant I can't identify


  • This topic is locked
10 replies to this topic

#1 Raptordin (Members, 5 posts)

Posted 02 July 2017 - 09:13 AM

Hello everyone.

I was hit on the 1st of July 2017 (yesterday) with an unknown ransomware attack.

It hit my home server, thus infecting my 4 TB of home videos of my kids and home pictures on a RAID 10 array.

I tried to ID it but all attempts failed. I emailed the attackers at their address black.mirror@qq.com and they requested 2 Bitcoins, which is equal to 100,000 Egyptian Pounds, which in no way am I able to pay. (That pays for my 2 kids' schools for 3 years.)

I already submitted a sample file on its own and another zip file with the sample and the original file (before I created this post).

Sample file is called Big Raptor copy.jpg.[black.mirror@qq.com].aleta

and the zip file is called New Ransomeware aleta

If anyone can help me, please do, as it is all the memories of my kids' childhood and of course all my work and educational data.

Please help me with identifying this ransomware and whether there is a tool to decrypt the files.

Thanks.

 




#2 Raptordin (Topic Starter)

Posted 02 July 2017 - 09:21 AM

Forgot to mention that the note file is called !#_READ_ME_#!.inf

and the contents are:


[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: black.mirror@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb

[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
https://localbitcoins.com/buy_bitcoins

[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

Your ID:

bv/T6B2JQtWhZfgoT517sxu76dUOzjz7pw7slt3SWh9r8P1/FiHb1ONR7vhJ7mzWAr7GkijLUoFJkliCBLrT7605y6S2nSiQtz3Yz2J5NlOTZJBbI2drLUltZAMO+0LHOHHSfofVZK/NMBo0mkceyili2Yo/SJ4TrTtUlBE3hYE=



#3 Raptordin (Topic Starter)

Posted 02 July 2017 - 09:35 AM

One more and last piece of information:

ID Ransomware identified it as Amnesia2, but when I tried decrypt_Amnesia2 it only showed "finished" without decrypting anything.



#4 Demonslay335 (Ransomware Hunter, Security Colleague, 3,511 posts)

Posted 02 July 2017 - 10:40 AM

Looks like BTCWare moved to a new extension. We figured this would happen since someone announced they would be releasing the private key for the previous version the other day.

Afraid it won't be decryptable if it's based on the latest version of that ransomware family.

They come in via RDP hacking. You should not have RDP open to the world. Lock it down with strong passwords and put it behind a firewall with VPN. Also review your backup plans; you should have revisions and off-site (cloud) backup as an integral part of your strategy.

If you happen to find the malware, it would be useful for confirming. You may upload it to VirusTotal and share the link here if you do.

BTW, the Amnesia2 identification was a false positive due to the email address. Seems one of the same actors jumped ship from that when the decrypter was released; malware authors tend to do that.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 Raptordin (Topic Starter)

Posted 02 July 2017 - 10:56 AM

Some of my pictures are on the cloud, yes, but not all, and home videos are not.

And this is my home server with RAID 10 for storage and backup of everything that is important.

I should start thinking of other solutions.

Kaspersky identified a file named services.exe and deleted it. Will try to find it and post it.



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 02 July 2017 - 11:45 AM

The Kaspersky log might also list hashes of the files it quarantined/deleted; that would be helpful.

And before you ask, because everyone who gets hacked by RDP does: no, no antivirus in the world would have protected you from this. If someone gains access to literally control your computer, nothing can stop them from doing anything, really (unless you pulled the plug).

Also just a reminder that RAID != backup. It's for redundancy, yes, but more so in the sense of tolerating a disk failure. The data needs to be mirrored to a completely different source for backups. I'd recommend Carbonite or CrashPlan; they have cheap options for backing up one system with unlimited storage.




#7 andrecampana_ (Members, 2 posts)

Posted 02 July 2017 - 12:33 PM

My NAS was attacked by the same .aleta ransomware. Thing is, it doesn't actually encrypt anything, it just renames stuff. It attacked one of my hard drives of movies; by using 7-Zip File Manager and removing "[black.mirror@qq.com].aleta" from the end of the extension ("movie.mkv.[black.mirror@qq.com].aleta" became "movie.mkv" again) I was able to play back my movies with no corruption. Trying the same process with Windows Explorer resulted in broken files. It works with video files and image files.

 

#8 Raptordin (Topic Starter)

Posted 02 July 2017 - 12:45 PM

You were just lucky, as for whatever reason the encryption process did not start. As for me, it started and finished; I already tried this from my Linux box and it did not work, the files are encrypted.

So thanks for your reply, but for me the damage was done. :(
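Posts #7 and #8 disagree on whether .aleta files are encrypted or merely renamed, and both outcomes are possible on the same box (the renaming pass and the encryption pass are separate steps, and one poster's run evidently did not finish). The script below is an added example, not code from any poster or from BleepingComputer, for deciding that per file before touching anything: a file that was only renamed still starts with the magic bytes of its original format, an encrypted one does not. The suffix string and the set of magic numbers (JPEG, PNG, GIF, MKV, PDF, MP4) are assumptions for the example; any other extension falls back to a byte-entropy test on the first 4 KiB. The demo() function writes constructed sample files into a temporary directory rather than touching real data.

```python
"""Tell renamed-only .aleta files from really encrypted ones (added example).

A file whose content was merely renamed still starts with its format's magic
bytes; an encrypted file does not. Only strip the ransom suffix from the
former. Run restore_renamed() with dry_run=True first and read the verdicts.
"""
import math
import os
import tempfile
from collections import Counter

# Assumed suffix, taken from the file names quoted in the thread.
RANSOM_SUFFIX = ".[black.mirror@qq.com].aleta"

# Magic numbers for a few common formats (assumption: anything else falls
# back to the entropy test below).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mkv": (b"\x1a\x45\xdf\xa3",),   # EBML header (Matroska/WebM)
    ".pdf": (b"%PDF-",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8, intact headers are far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(name: str):
    """Name with the ransom suffix removed, or None if it is not suffixed."""
    return name[:-len(RANSOM_SUFFIX)] if name.endswith(RANSOM_SUFFIX) else None


def classify_bytes(orig_name: str, head: bytes) -> str:
    """'renamed' if the header still matches the original extension,
    'encrypted' if it does not, 'unknown' if the format is not in MAGIC and
    the entropy of the head is not conclusive."""
    ext = os.path.splitext(orig_name)[1].lower()
    if ext == ".mp4":                      # ISO BMFF: 'ftyp' box at offset 4
        return "renamed" if head[4:8] == b"ftyp" else "encrypted"
    if ext in MAGIC:
        return "renamed" if head.startswith(MAGIC[ext]) else "encrypted"
    return "encrypted" if shannon_entropy(head) > 7.5 else "unknown"


def classify_file(path: str) -> str:
    orig = original_name(os.path.basename(path))
    if orig is None:
        return "not-aleta"
    with open(path, "rb") as f:
        head = f.read(4096)
    return classify_bytes(orig, head)


def restore_renamed(directory: str, dry_run: bool = True) -> dict:
    """Map each suffixed file to its verdict; rename only the 'renamed' ones
    (and only when dry_run is False)."""
    verdicts = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.endswith(RANSOM_SUFFIX):
            continue
        verdicts[name] = classify_file(path)
        if verdicts[name] == "renamed" and not dry_run:
            os.rename(path, os.path.join(directory, original_name(name)))
    return verdicts


def demo() -> tuple:
    """Constructed sample files in a temp dir (no real victim data)."""
    d = tempfile.mkdtemp()
    samples = {
        "movie.mkv": b"\x1a\x45\xdf\xa3" + b"\x00" * 60,  # intact EBML header: renamed only
        "photo.jpg": bytes(range(256)) * 4,              # no JPEG SOI marker: encrypted
        "notes.dat": bytes(range(256)) * 16,             # unknown format, 8.0 bits/byte
        "empty.txt": b"A" * 4096,                        # unknown format, low entropy
    }
    for name, data in samples.items():
        with open(os.path.join(d, name + RANSOM_SUFFIX), "wb") as f:
            f.write(data)
    verdicts = restore_renamed(d, dry_run=False)
    return verdicts, sorted(os.listdir(d))


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{verdict:9s} {name}")
```

A matching header only proves the first bytes survived; a ransomware that encrypts files partially or from an offset would still pass this check, so spot-check a few restored files in their player or viewer before trusting the whole batch, and keep the suffixed originals until then.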



#9 andrecampana_ (Members, 2 posts)

Posted 02 July 2017 - 01:05 PM

That's exactly how they got into my NAS: weak password and open RDP. I formatted the machine, and I'm now using a randomly generated 18-character password. The username is also part random, part normal. I'm pretty much secured against brute-force attacks (if that is how it works). Any other security tips?



#10 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 02 July 2017 - 01:13 PM

Don't expose RDP to the world. Period. I'm pretty sure there are other ways of hacking RDP; weak passwords are just the easiest, typically. Put it behind a firewall and use VPN.


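Posts #4, #9 and #10 all come down to the same intrusion path: an Internet-exposed RDP service and a guessed password. A long random password raises the cost of guessing but does not tell you whether anyone is trying, or has already succeeded. The script below is an added example, not from any poster or from BleepingComputer, of the check a defender would run over an exported Windows Security log: group failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) by source address, flag any source that exceeds a threshold inside a sliding time window, and then report whether a flagged source later obtained a successful RDP logon (Event ID 4624), which is the line between noise and an incident. The tab-separated record layout, the threshold, the window and the addresses (RFC 5737 documentation ranges) are assumptions for the example; the sample log is constructed in code, not a real capture.

```python
"""Spot RDP password guessing in exported Windows Security events (added example).

Constructed input: tab-separated records with the fields TimeCreated, EventID,
TargetUserName, LogonType, IpAddress. Logon type 10 is RemoteInteractive (RDP);
4625 is a failed logon, 4624 a successful one. Record layout, threshold and
window are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624


def build_sample_log() -> str:
    """Constructed sample log, not a real capture."""
    base = datetime(2017, 7, 1, 2, 13, 5)
    users = ["administrator", "admin", "raptordin", "backup"]
    lines = []
    # 24 RDP failures in two minutes from one Internet source, cycling users.
    for i in range(24):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()}\t{FAILED}\t{users[i % 4]}\t{RDP_LOGON_TYPE}\t198.51.100.23")
    # ...followed by a success from the same source: the operator is in.
    ts = base + timedelta(seconds=125)
    lines.append(f"{ts.isoformat()}\t{SUCCESS}\tadministrator\t{RDP_LOGON_TYPE}\t198.51.100.23")
    # A LAN user mistyping a password twice: benign.
    for i in range(2):
        ts = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{ts.isoformat()}\t{FAILED}\traptordin\t{RDP_LOGON_TYPE}\t192.0.2.5")
    # 15 network (logon type 3) failures from another host: noisy, not RDP.
    for i in range(15):
        ts = base + timedelta(minutes=40, seconds=i)
        lines.append(f"{ts.isoformat()}\t{FAILED}\tguest\t3\t203.0.113.9")
    return "\n".join(lines)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, ip = line.split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "logon_type": int(logon_type),
            "ip": ip,
        })
    return events


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)) -> dict:
    """Sources with >= threshold failed RDP logons inside any span of `window`.

    Returns {ip: (peak failures in one window, sorted user names tried)}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED and e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):           # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (peak, sorted({e["user"] for e in evs}))
    return hits


def rdp_successes_from(events, hits) -> dict:
    """Flagged sources that also have a successful RDP logon, and as which user."""
    got_in = {}
    for e in events:
        if e["event_id"] == SUCCESS and e["logon_type"] == RDP_LOGON_TYPE and e["ip"] in hits:
            got_in[e["ip"]] = e["user"]
    return got_in


def analyse(text: str) -> tuple:
    events = parse_events(text)
    hits = find_rdp_bruteforce(events)
    return hits, rdp_successes_from(events, hits)


if __name__ == "__main__":
    hits, got_in = analyse(build_sample_log())
    for ip, (n, users) in hits.items():
        print(f"{ip}: {n} failed RDP logons within 5 min; users tried: {', '.join(users)}")
    for ip, user in got_in.items():
        print(f"{ip}: successful RDP logon as {user} -> treat as compromise")
```

On a host that was exposed to the Internet the 4625 volume can be large enough that the thread's advice (RDP behind a firewall and VPN only) is the real fix; this check is for finding out how long the guessing went on and which account finally worked, which decides what to re-image and which credentials to rotate.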


#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts)

Posted 02 July 2017 - 03:53 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



