
.enc extension - with ransom note (Linux)


7 replies to this topic

#1 crasheren

  • Members
  • 6 posts

Posted 08 July 2017 - 05:13 PM

Hi guys

 

I'm new here. I would like some help with this. Google doesn't give me much. Happened to my Fedora 22 server last night CET 23:39. Some files were encrypted 3 minutes earlier, but 99% of all files at 23:39. From the looks of it, a mutual friend of mine's machine got hacked and they found my info from his SSH history/bookmarks. Sounds far-fetched, but logs indicate this. Also combining with the fact that another mutual friend of ours got hacked too and the same thing happened to his data. In both cases the same friend had access.

 

Ransom note can be seen here http://imgur.com/a/XtoWW

 

I have both an encrypted and an unencrypted version of a file; where should I send that, if necessary?





#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 July 2017 - 07:42 PM

As Demonslay335 noted in the other topic, this looks new.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can also be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 crasheren

  • Topic Starter
  • Members
  • 6 posts

Posted 09 July 2017 - 01:59 AM

Thank you. I've submitted a copy of a file both encrypted and unencrypted.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 July 2017 - 06:25 AM

Ok. Please be patient until Demonslay335 has a chance to review the information you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment.

#5 crasheren

  • Topic Starter
  • Members
  • 6 posts

Posted 09 July 2017 - 08:39 AM

Got it. Thanks.



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 July 2017 - 09:06 AM

You're welcome.

#7 crasheren

  • Topic Starter
  • Members
  • 6 posts

Posted 09 July 2017 - 03:16 PM

I'm wondering if this could've come from my Windows machine via Samba shares. Just a thought. Had a friend by to look into the issue and he can't seem to find out how 'it' gained access to Fedora.
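The open question in this thread is how the encryptor got onto the Fedora box, and the original post already holds the two facts a responder would start from: the minute most files were rewritten (23:39, with a few files 3 minutes earlier) and the SSH history that pointed at a friend's account. The script below is an added triage example written for this thread; it is not code posted by anyone here and not a tool from BleepingComputer. It assumes sshd entries in Fedora's /var/log/secure format, local time, and the year 2017 (syslog lines carry no year); the host name, user names, file paths, RFC 5737 test addresses and .enc modification times are all constructed sample data. On a real machine you would replace the constructed dictionary with `collect_enc_mtimes("/")` and feed it the actual /var/log/secure text.

```python
#!/usr/bin/env python3
"""Added triage example (not posted in the thread): line up the burst of .enc
write times against successful SSH logins in the hours before it.

Assumptions: sshd lines in Fedora's /var/log/secure format, local time,
year 2017 (syslog lines carry no year). All sample data is constructed."""
import os
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Tuple

YEAR = 2017  # assumed, because syslog timestamps omit the year

# Matches e.g. "Jul  7 23:31:09 fedora sshd[3321]: Accepted password for root from 198.51.100.77 port 41802 ssh2"
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Login(NamedTuple):
    when: datetime
    user: str
    ip: str
    method: str


def parse_ssh_logins(lines: Iterable[str], year: int = YEAR) -> List[Login]:
    """Return every successful sshd login; failed attempts are ignored on purpose."""
    logins = []
    for line in lines:
        m = SSHD_ACCEPTED.search(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append(Login(when, m["user"], m["ip"], m["method"]))
    return logins


def collect_enc_mtimes(root: str, ext: str = ".enc") -> Dict[str, datetime]:
    """Walk a real filesystem and record the mtime of each file carrying the ransom extension."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(ext):
                path = os.path.join(dirpath, name)
                found[path] = datetime.fromtimestamp(os.stat(path).st_mtime)
    return found


def encryption_burst(enc_mtimes: Dict[str, datetime]) -> Tuple[datetime, datetime, int]:
    """Return (first write, busiest minute, files in that minute) for the encrypted files."""
    per_minute = Counter(t.replace(second=0, microsecond=0) for t in enc_mtimes.values())
    peak_minute, peak_count = max(per_minute.items(), key=lambda kv: kv[1])
    return min(enc_mtimes.values()), peak_minute, peak_count


def logins_before(logins: List[Login], first_write: datetime,
                  lookback: timedelta = timedelta(hours=6)) -> List[Login]:
    """Successful logins inside the lookback window that ends at the first encrypted write."""
    return sorted(l for l in logins if first_write - lookback <= l.when <= first_write)


# Constructed sample log: a normal key-based login in the evening, a password
# failure then success for root from an unfamiliar address, a second account from
# the same address minutes before the files change, and a next-morning login.
SAMPLE_SECURE = """\
Jul  7 18:02:41 fedora sshd[2210]: Accepted publickey for crasheren from 192.0.2.10 port 50122 ssh2
Jul  7 23:31:05 fedora sshd[3321]: Failed password for root from 198.51.100.77 port 41802 ssh2
Jul  7 23:31:09 fedora sshd[3321]: Accepted password for root from 198.51.100.77 port 41802 ssh2
Jul  7 23:35:50 fedora sshd[3390]: Accepted password for admin from 198.51.100.77 port 41990 ssh2
Jul  8 09:12:00 fedora sshd[4011]: Accepted publickey for crasheren from 192.0.2.10 port 50400 ssh2
"""

SAMPLE_ENC_MTIMES = {  # constructed: a couple of early files, then the main burst
    "/srv/share/notes.txt.enc": datetime(2017, 7, 7, 23, 36, 10),
    "/srv/share/budget.ods.enc": datetime(2017, 7, 7, 23, 36, 40),
    "/home/alice/photo1.jpg.enc": datetime(2017, 7, 7, 23, 39, 2),
    "/home/alice/photo2.jpg.enc": datetime(2017, 7, 7, 23, 39, 15),
    "/home/alice/thesis.pdf.enc": datetime(2017, 7, 7, 23, 39, 30),
    "/var/www/html/index.html.enc": datetime(2017, 7, 7, 23, 39, 44),
}


def triage(secure_log: str, enc_mtimes: Dict[str, datetime]) -> dict:
    """Produce the few facts an incident responder wants first."""
    first, peak, count = encryption_burst(enc_mtimes)
    hits = logins_before(parse_ssh_logins(secure_log.splitlines()), first)
    return {
        "first_encrypted_write": first,
        "peak_minute": peak,
        "files_in_peak_minute": count,
        "logins_before_burst": hits,
        "source_ips": Counter(l.ip for l in hits),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SECURE, SAMPLE_ENC_MTIMES)
    print(f"first .enc write : {report['first_encrypted_write']}")
    print(f"peak minute      : {report['peak_minute']} ({report['files_in_peak_minute']} files)")
    for l in report["logins_before_burst"]:
        print(f"  {l.when}  {l.user:<10} {l.ip:<16} {l.method}")
    print("logins per source IP:", dict(report["source_ips"]))
```

Two caveats apply when running this on a real box. A process running as root can edit /var/log/secure, so an empty window is not proof of no SSH access; compare against the journal, auth records on a remote syslog target, and the last-login data in /var/log/wtmp before trusting it. File modification times can likewise be preserved by an encryptor that copies the original timestamp back, in which case the inode change time (`st_ctime`) is the better field to group by, since it cannot be set from user space.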



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 July 2017 - 05:08 PM

Crypto malware and other forms of ransomware spread via a variety of common vectors...web exploits, exploit kits, malvertising campaigns, drive-by downloads and RDP brute-force attacks against servers, especially by those involved with the development and spread of ransomware. Section :step2: in this topic explains in more detail the most common methods by which Crypto malware (file-encrypting ransomware) and other forms of ransomware are typically delivered and spread.
