Unknown ransomware infection

3 replies to this topic

#1 bostonholly

Posted 07 July 2017 - 04:22 PM

I didn't know what hit me except that everything was normal on June 9, downloaded my bank files into my Quicken Home & Business 2015 register like I do every day, backed up in 3 places as always and NOLBU backs up 3 days a week. On June 12 I was downloading bank files to Quicken and nothing happened. They downloaded to my PC but Quicken won't open. I reinstalled the software. Nothing. Click, circle, nothing. I've been unsuccessful making progress downloading files from Norton OLBU to my PC; they download but won't open. Interestingly, I can see all my files on C, G, H, & D drive. D = partition/Shadow and is inaccessible, so what good is it? It just eats up memory and gives me obnoxious messages about running out of memory in its drive.

BTW, I'm up to date. I am always up to date, I obsessively update and perform 3 backups daily depending upon the project and as soon as I receive any alert from a vendor or read about it online. The admin(?) who chastised someone for not updating may be wrong. That said, *I* did do something stupid on June 9 @ 3:30AM - I opened up an email from Amazon with an Order Link canceling another order. I receive at least 10 a day from them, I'm an active participant on the site, I wasn't thinking, only aggravated that they "Canceled" [another] order, no notice or reason. I clicked on the link to see which order it was. I never click on links, not from anyone. So, in lieu of logging into my Amazon account I took the short way out, which was stupid. I didn't order that thing canceled & forwarded the email to Amazon. Yes, you guessed it, the email was not sent by Amazon. However they responded by advising me to: (1) change all passwords to all financial files, credit cards (2) contact my banks (3) change Amazon pw's and to (4) contact Experian etc. and keep an eye on my Credit Reports. But they said nothing else. I'd read nothing about this ransomware. I've been searching for a month trying to find *any* information whatsoever about Quicken users being hacked and came up empty until 4PM today when I found it here on BleepingC. Norton didn't catch it, Malwarebytes didn't catch it. I've not seen anything suspicious nor weird extensions nor the nomenclature such as mole listed in any directories or files. Obviously I've got this or something. I've been putting off calling Intuit or Norton for a month and finally decided to contact Norton tonight - but haven't. Found you first, I'd rather pull my teeth out one by one than contact either one of those tech lack-of-support sites. Here I am.
Having perused every post prior to mine, I don't understand most of it... It's extremely humbling and uncomfortable to report that "I have no idea what to do next".





#2 quietman7

Posted 07 July 2017 - 04:52 PM

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware).

Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, is the extension the same for each encrypted file or is it different?

Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

Did the cyber-criminals provide an email address to send payment to?

The best way to identify the different ransomware is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto malware experts with analyzing and investigating.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 bostonholly

Posted 07 July 2017 - 05:19 PM

Thanks, new friend. I understand the split up, I'll take any help I can get.

As for not knowing and weird things... that's the thing. Nothing has happened. No email requests, no note, nothing. Nothing looks whacked w/ weird extensions nor are my Q files looking suspicious. I've checked all of my drives and the folders within folders (from crashes and C drive backups Norton created I've got too much in my C Drive). I just cannot open any of them.

W/ regard to a note, I get a ton of junk mail which I sort thru as often as time permits, but I delete most of it, I never open links obviously, not from family or friends. Except that one damn email from Not-Amazon. The only big change is I had a lot of trouble with Verizon DSL this year, have been piggybacking off of my friend's Comcast until Verizon can fix DSL (I'm stuck with it). That and the sale of Verizon's Email Division to AOL (eyebrow raising, skin crawling news to receive in December).

Since I found your site so far I've attempted to find out which "disease" I have by trying the ID Ransomware program, submitted the last Q. file I could find but it's still searching, after 20 min. I stopped the search - I don't have a Ransom Note so I must not qualify. It may be a virus or a worm or whatever except it sounds like others are having the same thing. Luckily I don't use my SS number in Quicken and I file thru an accountant, I don't pay bills thru Quicken and I type in my banking login info, it's not automatic. I got rid of my UBS brokerage info. but it may be lingering somewhere in the recesses but I do nothing online with my IRAs. What they got is a look into how broke I am and that I am on Social Security Disability and Medicare.



#4 quietman7

Posted 07 July 2017 - 05:43 PM

Submit (upload) samples of your affected files here for our experts to take a look at what you have.