AES-Matrix Ransomware (no extension, ransom note) Support Topic


15 replies to this topic

#1 LexanTronix (Members, 4 posts)

Posted 06 July 2017 - 07:02 PM

Hello,
 
we got hit by ransomware but I'm unable to determine which one it is, files appear corrupt. There are 6 copies of a text file on the C: drive which have the ransom note.
 Unable to determine ransomware.
Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 7b425fbc846ec96bee463fcb991b5e0250511756
 
Ransom note:
 
Hello, 
Your all datas have been encrypted by AES-256 key,
If you want to decrypt by yourselft, It would take hundred years,
If you can pay some money, I will send you the decrypt key, you can get your data back immediately.
According to the CyberEdge Group's 2017 Cyberthreat Defense Report, 1/3 company paid a ransom.
So it is not shame to pay ransom,many company paid it before.
Your are so large Security Safes company.
Now would you like to see your business become like a startup or just pay to continue your business?
Contact my email: darkpart@tutanota.com or darkware@tutanota.com
If you do not contact me soon, you key will be deleted automaticly by system and you will lose your data 4ever.
Just take it as security consultant fee. They charge much more than me.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 06 July 2017 - 07:50 PM

There are several ransomware infections that do not append an obvious extension to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it, including CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm. The newest variant of Nemucod (Nemucod-AES) does not change the file extension either, and we have had a few reports of that one in the last couple of days.

Please be patient until Demonslay335 has a chance to review the case SHA1 you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 06 July 2017 - 08:09 PM

Hmm, may be new, doesn't look familiar. Not too many ransomware drop an RTF file; we did discover a new one today that does, but it uses different text, and leaves an extension, also uses a block cipher whereas your files don't look to be encrypted by one.

 

I can tell it isn't Nemucod-AES, as the file is fully encrypted (instead of only 2048 bytes). No filemarkers either.

 

Afraid we will need the malware itself in order to analyze it. If you find anything suspicious, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


Edited by Demonslay335, 06 July 2017 - 08:11 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
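Demonslay335's triage above rests on two observations: the sample is encrypted end to end (Nemucod-AES only touches the first 2048 bytes of a file) and it carries no filemarker. The script below is an added example, not a BleepingComputer or ID Ransomware tool, of how to check both on your own samples: it splits a file into 2048-byte chunks, scores each chunk's Shannon entropy, and looks for a caller-supplied marker at the head or tail of the file. The sample files and the DEMOMARK marker are constructed for the demo; real markers come from analysis of the family, not from this script.

```python
"""Triage helper: is a file fully encrypted, header-only encrypted, or untouched,
and does it carry a known filemarker?  Added example, not from the thread."""
import math
import random
from collections import Counter

CHUNK = 2048          # the partial-encryption length Demonslay335 mentions for Nemucod-AES
HIGH_ENTROPY = 7.5    # bits/byte; uniformly random bytes score close to 8.0
MIN_CHUNK = 512       # a tiny trailing chunk is skipped, its entropy is capped by its length


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk; a short tail below MIN_CHUNK is dropped."""
    ents = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        if len(piece) >= MIN_CHUNK:
            ents.append(shannon_entropy(piece))
    return ents


def classify_encryption(data: bytes) -> str:
    """'full'    every chunk looks random: whole file encrypted, as in this thread
    'partial' only the leading chunk(s) look random: header-only encryption
    'plain'   nothing looks random
    Caveat: compressed formats (zip, jpeg, docx) are high-entropy by nature and
    read as 'full' even when untouched; compare with a known-good copy or magic bytes."""
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data)]
    if not high or not high[0]:
        return "plain"
    return "full" if all(high) else "partial"


def find_filemarker(data: bytes, markers) -> str:
    """First marker found at the head or tail of the file, else ''.
    `markers` is supplied by the caller; the value used in the demo is made up."""
    for m in markers:
        if data.startswith(m) or data.endswith(m):
            return m.decode("ascii", "replace")
    return ""


def triage(data: bytes, markers) -> dict:
    return {"encryption": classify_encryption(data),
            "filemarker": find_filemarker(data, markers)}


# --- constructed sample files (not real ransomware output) ----------------------
_rng = random.Random(1337)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


_text = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 200)[:8192]
SAMPLE_PLAIN = _text
SAMPLE_PARTIAL = _random_bytes(CHUNK) + _text[CHUNK:]   # first 2048 bytes "encrypted"
SAMPLE_FULL = _random_bytes(8192)                       # whole file "encrypted"
DEMO_MARKERS = [b"DEMOMARK"]                            # placeholder, not a real family's marker
SAMPLE_MARKED = DEMO_MARKERS[0] + _random_bytes(8192)   # full encryption plus a head marker

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE_PLAIN), ("partial", SAMPLE_PARTIAL),
                       ("full", SAMPLE_FULL), ("marked", SAMPLE_MARKED)]:
        print(name, triage(blob, DEMO_MARKERS))
```

On a real sample call `triage(open(path, "rb").read(), markers)` with whatever markers the family analysis has given you. A 'full' verdict on a zip, image or Office file means nothing on its own; confirm against an unencrypted copy of the same file, which is also what the ID Ransomware submission asks for.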


#4 giselemd (Members, 4 posts)

Posted 06 July 2017 - 10:57 PM

Hi, A neighbor brought over his infected PC. It appears to be NEMUCOD-AES - signature red background screen, no extensions, similar decrypt.hta, etc. He was infected on July 4. I have *many* files: encrypted data files; DECRYPT.HTA ransom note; secmod.db, key3.db, cert8.db - all created July 4 at noon when he was hit. If anyone would like the files to play with, I am happy to upload them anywhere. I can't find anyone who has cracked this one yet so any help would be great.

 

Thank you!!!



#5 LexanTronix (Topic Starter)

Posted 06 July 2017 - 11:43 PM

[quoting giselemd, post #4 above]

Hi Gisele, this topic is not for Nemucod-AES; please start a new topic and upload the file to http://www.bleepingcomputer.com/submit-malware.php?channel=168



#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 06 July 2017 - 11:43 PM

[quoting giselemd, post #4 above]

It's still being looked at. If one of those *.db files is a list of encrypted files plus some base64-encoded strings, we'd be interested in it (it's needed for decryption even if you paid the criminals).


Edited by Demonslay335, 07 July 2017 - 06:02 PM.



#7 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 06 July 2017 - 11:45 PM

*Multi-post due to lag. 


Edited by Demonslay335, 07 July 2017 - 06:02 PM.



#8 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 07 July 2017 - 06:06 PM

I've been told, based on the ransom note, that it sounds like you may have been hacked through RDP by a group using a ransomware I've dubbed "AESMatrix". It's extremely generic and I have not seen a sample, just the criminals' decrypter for it. It also does not use a filemarker or extension, and was a real mess.




#9 giselemd (Members, 4 posts)

Posted 07 July 2017 - 11:32 PM

I have samples of the .db, .hta, encrypted and non-encrypted versions of the same files. Where would you like me to put them?



#10 giselemd (Members, 4 posts)

Posted 07 July 2017 - 11:42 PM

Oops - sorry - per above - I have created a new topic under Ransomware help:

Nemucod-AES or AESMatrix



#11 LexanTronix (Topic Starter)

Posted 21 July 2017 - 11:56 AM

[quoting Demonslay335, post #3 above]

Hi Demonslay335,

The company that we are helping recover from the ransomware attack decided to pay the fee to get the decryptor.

We now have the decryptor, which contains a file called AES-256.exe and a folder with keys; inside it there is a key in a plain text file for every drive.

The instructions seem simple: run AES-256.exe "filename" from CMD and you get a new file with the unlock word appended, but the file still does not work.

We've been going back and forth with the criminal and he swears that these are the correct keys.

You were right, they got in through RDP into one of the servers and then encrypted the data stores that contain the vhd files for the working VMs as well as the company share drives.
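LexanTronix's follow-up confirms the entry vector Demonslay335 suspected: RDP into one server, then encryption of the VHD stores and the file shares. The block below is an added example, not anything from the thread or from BleepingComputer, of the first check an incident responder runs on such a server: walk the Security log's 4625 (failed logon) and 4624 (successful logon) events and look for a burst of failures from one address followed by a LogonType 10 (RemoteInteractive) success from the same routable address. The field names (EventID, TimeCreated, TargetUserName, LogonType, IpAddress) are the Windows Security log's own; the log lines, addresses, user names and thresholds are constructed for the demo.

```python
"""Spot a brute-forced RDP logon in a Windows Security log export.
Added example, not from the thread.  Input is one JSON object per line, the shape
you get from any SIEM export or from converting `wevtutil qe Security /f:xml`."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"           # LogonType 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5              # this many 4625s from one source inside WINDOW = brute force
WINDOW = timedelta(minutes=10)

# Addresses treated as internal; anything else is "routable" for this triage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed export.  Field names follow the Security log; every value is invented
# (203.0.113.x and 198.51.100.x are documentation ranges, not real attackers).
SAMPLE_LOG = """\
{"EventID": 4624, "TimeCreated": "2017-07-05T08:55:12", "TargetUserName": "itadmin", "LogonType": "10", "IpAddress": "10.0.0.15"}
{"EventID": 4625, "TimeCreated": "2017-07-05T09:12:40", "TargetUserName": "jsmith", "LogonType": "3", "IpAddress": "198.51.100.4"}
{"EventID": 4625, "TimeCreated": "2017-07-05T09:13:05", "TargetUserName": "jsmith", "LogonType": "3", "IpAddress": "198.51.100.4"}
{"EventID": 4624, "TimeCreated": "2017-07-05T09:13:30", "TargetUserName": "jsmith", "LogonType": "10", "IpAddress": "198.51.100.4"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:01", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:09", "TargetUserName": "admin", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:17", "TargetUserName": "backup", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:26", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:34", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2017-07-05T11:40:43", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "203.0.113.7"}
{"EventID": 4624, "TimeCreated": "2017-07-05T11:41:02", "TargetUserName": "administrator", "LogonType": "10", "IpAddress": "203.0.113.7"}
"""


def parse_log(text: str) -> list:
    """One dict per non-empty line, sorted by TimeCreated."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def is_external(ip: str) -> bool:
    """True for an address outside INTERNAL_NETS; '-' (no address) is not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def brute_force_sources(events) -> set:
    """Source IPs with >= FAIL_THRESHOLD 4625 events inside any WINDOW.
    LogonType is ignored on purpose: with NLA enabled a wrong RDP password is
    normally logged as 4625 LogonType 3, not 10."""
    fails = defaultdict(list)
    for ev in events:                       # events are already time-sorted
        if ev["EventID"] == 4625:
            fails[ev["IpAddress"]].append(ev["TimeCreated"])
    flagged = set()
    for ip, times in fails.items():
        j = 0
        for i, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[j] > WINDOW:
                j += 1
            if i - j + 1 >= FAIL_THRESHOLD:
                flagged.add(ip)
                break
    return flagged


def external_rdp_logons(events) -> list:
    """Successful RemoteInteractive logons from a routable source, as (time, user, ip)."""
    return [(ev["TimeCreated"].isoformat(), ev["TargetUserName"], ev["IpAddress"])
            for ev in events
            if ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE
            and is_external(ev["IpAddress"])]


def triage(text: str) -> dict:
    events = parse_log(text)
    sources = brute_force_sources(events)
    logons = external_rdp_logons(events)
    return {
        "brute_force_sources": sorted(sources),
        "external_rdp_logons": logons,
        # a success from an address that was failing minutes earlier is the line to chase
        "likely_intrusions": [l for l in logons if l[2] in sources],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

In the constructed log, jsmith mistypes a password twice and then logs in; that is an external RDP logon worth a look but not a brute force. The 203.0.113.7 sequence, six failures against three account names inside a minute and then an administrator success, is the pattern this thread describes. On a real host pull the events with `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml`, and pivot from a hit to the 4778/4779 session events and the TerminalServices-RemoteConnectionManager 1149 entries to see what the session did next.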



#12 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 21 July 2017 - 12:01 PM

It sounds like AES-Matrix. Could you zip up all they gave you and a few encrypted files, and PM me? I can take a look; if it's the same group, they have a buggy decrypter that is a bit of a pain to work with.




#13 LexanTronix (Topic Starter)

Posted 21 July 2017 - 12:13 PM

PM sent, I appreciate your quick response.



#14 Wireshark (Members, 6 posts)

Posted 21 August 2017 - 03:43 PM

[quoting Demonslay335, post #8 above]

Hey Demonslay,

Have you seen any further activity from this group/strain?

I am hoping to formally identify this strain.

Thanks!



#15 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 21 August 2017 - 04:34 PM

 

[quoting Wireshark, post #14 above]

I can only really 100% identify AESMatrix by their decrypter executable. I'm not sure if they give it to you before or after paying (I'd imagine after, but the key is separate, so could go either way). The one case I had gave the victim a "matrix-AES-128.exe" executable that was super buggy, plus a text file with a 16-character password.

 

Aside from that, if the note contents match those of the OP, then it is most likely AESMatrix. I haven't seen that same wording in any other ransomware note so far.

