No Extension, No Ransom


8 replies to this topic

#1 slim_jimmy7

slim_jimmy7

  • Members
  • 5 posts

Posted 05 July 2017 - 12:27 PM

Extensions and file names have not been changed, but opening them says they are corrupt.

 

No ransom note to be found, tried to ID it using the ID ransomware site, but it won't let me ID it without the ransom note or an email address?

 

Is there any other way I can check to see what the ransomware is?

 

I am hoping the ransomware is simple and I can just remove a setting or something, but without identification I am at a loss.

 

Thank you for your help!





#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 05 July 2017 - 12:33 PM

If ID Ransomware couldn't identify it, you need to post the SHA1 it gave you for me to pull up your files.

 

It'll be difficult if there is no filemarker or extension, and you don't have the ransom note or anything. The only way then, really, is to get a hold of the malware that encrypted the files to analyze it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 slim_jimmy7

slim_jimmy7
  • Topic Starter

  • Members
  • 5 posts

Posted 05 July 2017 - 12:44 PM

sha1: 791f2dcbd755a11f34fa4203af1e2669ca56b755, and I do have the zip file from the email if anyone wants it



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 July 2017 - 02:05 PM

Please be patient until Demonslay335 has a chance to review the information you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 05 July 2017 - 02:28 PM

Not seeing anything useful with the file, other than it may not be a block cipher. My best guess would be PClock, but can't confirm without more info.

 

If you could submit that zip attachment here, we can take a look at it: http://www.bleepingcomputer.com/submit-malware.php?channel=168



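The "may not be a block cipher" remark above rests on a triage habit worth making explicit: a padded block cipher (AES-CBC with PKCS#7, say) turns every file into a multiple of the 16-byte block size, a stream cipher or CTR mode keeps the original length, and a key blob or marker appended after the ciphertext shifts every size by a constant. The following is an added example, not Demonslay335's tooling or anything from ID Ransomware; the file sizes and byte samples in it are constructed for illustration, and the verdict strings are my own labels.

```python
import math
from collections import Counter

AES_BLOCK = 16  # AES block size in bytes; padded CBC output is always a multiple of it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext sits close to 8.0; plaintext and
    most compressed formats are noticeably lower. Useful as a sanity check
    that a file really is encrypted rather than merely renamed or truncated."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_alignment(sizes, block: int = AES_BLOCK) -> float:
    """Fraction of file sizes that are exact multiples of `block`."""
    if not sizes:
        return 0.0
    return sum(1 for s in sizes if s % block == 0) / len(sizes)


def size_verdict(sizes, block: int = AES_BLOCK) -> str:
    """Heuristic only. Labels are the author's own, not an ID Ransomware classification."""
    frac = block_alignment(sizes, block)
    if frac == 1.0:
        return "block-cipher-like"   # every size is a multiple of the block size
    if frac < 0.5:
        return "not-block-aligned"   # stream cipher, CTR mode, or a constant trailer
    return "inconclusive"


def aligned_after_trailer(sizes, max_trailer: int = 512, block: int = AES_BLOCK):
    """Return 0 if the sizes are already block-aligned; otherwise the smallest
    trailer length t in 1..max_trailer such that every (size - t) is block-aligned,
    or None if no single constant explains them. Because t is only determined
    modulo the block size, the true trailer may be t plus a multiple of `block`."""
    if block_alignment(sizes, block) == 1.0:
        return 0
    for t in range(1, max_trailer + 1):
        if all(s > t and (s - t) % block == 0 for s in sizes):
            return t
    return None


# Constructed sample sizes (not taken from the thread):
CBC_SIZES = [1024, 2048, 4096]                 # padded-CBC-looking outputs
CBC_WITH_TRAILER = [s + 260 for s in CBC_SIZES]  # same files plus a constructed 260-byte trailer
STREAM_SIZES = [1023, 2047, 4099]              # lengths unchanged by a stream cipher


if __name__ == "__main__":
    for label, sizes in (("cbc", CBC_SIZES), ("cbc+trailer", CBC_WITH_TRAILER), ("stream", STREAM_SIZES)):
        print(label, size_verdict(sizes), "trailer:", aligned_after_trailer(sizes))
    print("entropy of 0..255 once each:", shannon_entropy(bytes(range(256))))
```

Run it against real sizes by replacing the constructed lists with `os.path.getsize` results over the encrypted files; a handful of files is enough for the alignment check, and only the first few kilobytes of one file are needed for the entropy reading.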

#6 slim_jimmy7

slim_jimmy7
  • Topic Starter

  • Members
  • 5 posts

Posted 05 July 2017 - 06:28 PM

Submitted, thank you!



#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 05 July 2017 - 08:15 PM

Ah, it's the latest version of Nemucod (Nemucod-AES is what we're calling it).

 

We're currently looking into it, but there might be some hope with it. Please search for a file with the extension ".db" that has a list of encrypted files in it, and be sure to keep a hold of it.

 

Also, since it was Nemucod, it usually also drops Kovter, a banking Trojan and password stealer. I would do cleanup on the system and then change any passwords for any websites you've ever visited on that computer.




#8 slim_jimmy7

slim_jimmy7
  • Topic Starter

  • Members
  • 5 posts

Posted 05 July 2017 - 08:21 PM

I won't have access to the computer until tomorrow morning; I will do a search for that file type and let you know!

#9 slim_jimmy7

slim_jimmy7
  • Topic Starter

  • Members
  • 5 posts

Posted 06 July 2017 - 12:39 PM

Grabbed every file with a .db extension. I didn't look through them really hard, but I wasn't able to see any legible lists. Is that what I am looking for?
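Post #7 asks for a ".db" file holding a list of encrypted files, and post #9 reports that nothing legible turned up. A list that a text viewer shows as gibberish is often just UTF-16 (each letter separated by a NUL byte) or a genuine SQLite database that has nothing to do with the infection, so a small triage script helps sort the candidates. The following is an added example and not a BleepingComputer tool; it assumes the list is plain text with one Windows path per line, which is an assumption about the format and not something the thread confirms. The sample byte strings are constructed.

```python
import os
import re
import sys

# Matches an absolute Windows path such as C:\Users\me\report.docx
WIN_PATH = re.compile(r"^[A-Za-z]:\\[^\r\n]+$")
SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every SQLite 3 file
READ_LIMIT = 4 * 1024 * 1024            # a text list never needs more than the first 4 MiB


def classify_db_bytes(data: bytes, min_paths: int = 3) -> dict:
    """Classify the contents of a .db file.

    Returns kind="sqlite" for a real SQLite database (almost always a legitimate
    application file), kind="path-list" when the bytes decode to text containing at
    least `min_paths` lines that look like Windows paths (the format this example
    assumes for a ransomware file list), otherwise kind="unknown"."""
    if data.startswith(SQLITE_MAGIC):
        return {"kind": "sqlite", "paths": 0}
    # "utf-16" honours a byte-order mark; "utf-16-le" covers BOM-less Windows text.
    for enc in ("utf-8", "utf-16", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
        paths = [ln for ln in lines if WIN_PATH.match(ln)]
        if len(paths) >= min_paths:
            return {"kind": "path-list", "encoding": enc, "paths": len(paths), "sample": paths[:3]}
    return {"kind": "unknown", "paths": 0}


def find_candidate_lists(root: str, min_paths: int = 3):
    """Walk `root` and return (path, classification) for every .db file that
    classifies as a path list. Read errors (locked or unreadable files) are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".db"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(READ_LIMIT)
            except OSError:
                continue
            result = classify_db_bytes(data, min_paths)
            if result["kind"] == "path-list":
                hits.append((full, result))
    return hits


# Constructed samples (not from the infected machine in the thread):
SAMPLE_UTF8 = (
    b"C:\\Users\\alice\\Documents\\report.docx\r\n"
    b"C:\\Users\\alice\\Pictures\\cat.jpg\r\n"
    b"D:\\backup\\2017\\taxes.xlsx\r\n"
)
SAMPLE_UTF16 = SAMPLE_UTF8.decode("ascii").encode("utf-16")  # same list, BOM + UTF-16
SAMPLE_SQLITE = SQLITE_MAGIC + b"\x00" * 64                  # header of a real SQLite file


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in find_candidate_lists(root):
        print(f"{path}: {info['paths']} paths ({info['encoding']}), e.g. {info['sample'][0]}")
```

Point it at the drive root (`python find_db_lists.py C:\`) and keep whatever it reports; a ".db" that turns out to be SQLite or binary can still be sent along for analysis, but it is not the plain-text list this script is looking for.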
