
.aac Ransomware (Learn how to recover your files.txt)


24 replies to this topic

#1 phxftw (Members, 1 post)

Posted 12 July 2017 - 11:49 AM

Someone has been infected with a new ransomware-like virus with the .aac extension.

I cannot retrieve my information.

Please help me.

Edited by quietman7, 25 July 2017 - 05:50 PM.
Moved from Encryption Methods to Ransomware - Hamluis.



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,925 posts, Virginia, USA)

Posted 12 July 2017 - 02:42 PM

Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Demonslay335 (Ransomware Hunter, Security Colleague, 3,579 posts, USA)

Posted 12 July 2017 - 05:42 PM

I put out a hunt for this the other day based on submissions to ID Ransomware; it looks new.

 

https://twitter.com/demonslay335/status/884401948404961281

 

We will need a sample of the malware itself in order to analyze. If you can find how you were infected, and find anything suspicious, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


Edited by Demonslay335, 12 July 2017 - 05:43 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#4 ytrons (Members, 1 post)

Posted 13 July 2017 - 07:04 AM

I have also had a load of files encrypted by this, with this extension.

 

'It looks like your files have been encrypted.

If you are interested in your recovery, please contact us by email: contatoaac@vpn.tg
Send your code to: aac6ab009be90599cbd2f9c0d61122978b834756356caccb75b5a8c1a567d4e5904
 
Your request will be answered as soon as possible, and if necessary to guarantee recovery.'
 
All the file types are associated with the command prompt, and bring up a popup with the ransom message above.
 
There is also a note in each directory with encrypted files.
 
Ransom note is called 'Learn how to recover your files.txt'
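An added triage script, not code from this thread or from any tool mentioned in it, that walks a directory tree looking for the two indicators ytrons describes (the note 'Learn how to recover your files.txt' and the .aac extension) and pulls the contact address and victim code out of the note text. Two assumptions are mine: the ADTS sync-word check used to tell genuine AAC audio from encrypted files is a heuristic (.aac is a legitimate audio extension, so an extension-only hunt would also flag the victim's music), and the sample tree it builds is constructed; whether the ransomware keeps the original extension is not stated in the thread, so the scan only keys on the final suffix.

```python
"""Added triage example for the .aac ransomware indicators in this thread.

Not code from the thread or from any tool mentioned in it.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as quoted in post #4.
RANSOM_NOTE_NAME = "Learn how to recover your files.txt"
ENCRYPTED_EXT = ".aac"

# Ransom note body as quoted in the thread.
SAMPLE_NOTE = (
    "It looks like your files have been encrypted.\n"
    "If you are interested in your recovery, please contact us by email: contatoaac@vpn.tg\n"
    "Send your code to: aac6ab009be90599cbd2f9c0d61122978b834756356caccb75b5a8c1a567d4e5904\n"
    "Your request will be answered as soon as possible, and if necessary to guarantee recovery.\n"
)

EMAIL_RE = re.compile(r"contact us by email:\s*(\S+@\S+)")
CODE_RE = re.compile(r"Send your code to:\s*([0-9a-fA-F]+)")


def parse_ransom_note(text):
    """Pull the contact address and per-victim code out of a note body (None if absent)."""
    email = EMAIL_RE.search(text)
    code = CODE_RE.search(text)
    return {"email": email.group(1) if email else None,
            "code": code.group(1) if code else None}


def shannon_entropy(data):
    """Bits per byte of a buffer; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_adts_aac(head):
    """Heuristic (assumption): genuine raw AAC audio is ADTS-framed and starts with
    the 12-bit sync word 0xFFF. Encrypted output only hits this by chance (1 in 4096)."""
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xF0) == 0xF0


def scan_tree(root):
    """Walk root; collect ransom notes and split .aac files into encrypted vs. probable audio.
    Each file entry is (path, entropy of the first 4 KiB)."""
    found = {"notes": [], "encrypted": [], "probably_audio": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                found["notes"].append(str(path))
            elif path.suffix.lower() == ENCRYPTED_EXT:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                bucket = "probably_audio" if is_adts_aac(head) else "encrypted"
                found[bucket].append((str(path), round(shannon_entropy(head), 2)))
    return found


def build_demo_tree(base):
    """Constructed sample tree (not a real infection): two hit folders plus one real-looking
    audio file. File names are arbitrary; the scan only keys on the final suffix."""
    base = Path(base)
    for sub in ("Documents", "Pictures"):
        (base / sub).mkdir()
        (base / sub / RANSOM_NOTE_NAME).write_text(SAMPLE_NOTE)
    # Encrypted stand-ins: random bytes, first byte forced to 0x00 so they never
    # collide with the ADTS sync word.
    for name in ("Documents/report.aac", "Documents/budget.aac", "Pictures/holiday.aac"):
        (base / name).write_bytes(b"\x00" + os.urandom(2047))
    # A genuine-looking ADTS stream: sync word followed by a low-entropy body.
    (base / "Music").mkdir()
    (base / "Music" / "song.aac").write_bytes(b"\xff\xf1" + b"\x00" * 2046)


def demo():
    """Build the constructed tree in a temp dir, scan it, and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        found = scan_tree(tmp)
    return {
        "notes": len(found["notes"]),
        "encrypted": len(found["encrypted"]),
        "probably_audio": len(found["probably_audio"]),
        "encrypted_all_high_entropy": all(e > 7.5 for _, e in found["encrypted"]),
        "note": parse_ransom_note(SAMPLE_NOTE),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real share by calling scan_tree() on the mount point instead of the constructed tree; the note list doubles as the set of directories the ransomware reached, and the entropy column gives a second opinion on any .aac file that the sync-word check put in the audio bucket.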
 
 


#5 celoownz (Members, 8 posts)

Posted 25 July 2017 - 05:56 PM

Hi guys, has someone found the solution?

All my files were encrypted with .aac.

I used Malwarebytes and I have the log:

Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-2570794179-3168083979-416921674-500\SOFTWARE\InstallCore, Quarantined, [3], [239563],1.0.2425
PUP.Optional.Lyrics, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\epojlgbehpaeekopencdagbdamnkppci, Quarantined, [7413], [240022],1.0.2425

Registry Value: 4
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarantined, [23], [401398],1.0.2425

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Ransom.FileCryptor, C:\TMP\SVCHOST.EXE, Quarantined, [23], [401398],1.0.2425
PUP.Optional.RAAmmyy, C:\USERS\ADMINISTRATOR\DOWNLOADS\AA_V3.EXE, Quarantined, [350], [153896],1.0.2425
PUP.Optional.InstallCore, C:\USERS\ADMINISTRATOR\DOWNLOADS\COBIAN-BACKUP-1120582-32-BITS.EXE, Quarantined, [3], [301082],1.0.2425
 

Please help me
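An added example, not code from the thread or from Malwarebytes, that parses the scan log celoownz posted (with the Portuguese section labels translated) into records and pulls out the two things a responder wants from it: the Run and RunOnce autostart values, all named "Google Update" to blend in with Google's real updater, that gave the ransomware persistence both machine-wide and for the user with RID 1357, and the executable named SVCHOST.EXE dropped in C:\TMP rather than System32, a standard masquerade. The entry layout ("Detection, Location, Action, [n], [m],version") is inferred from these nine lines and assumed to hold for other Malwarebytes logs; the grouping by the bracketed numbers only shows that the four registry values and the file carry the same pair.

```python
"""Added example: extract IOCs from the Malwarebytes scan log posted in this thread.

Not code from the thread, from Malwarebytes, or from any tool mentioned here.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The log from post #5 with its section labels translated; the zero-count sections
# are left out. Entry layout "Detection, Location, Action, [n], [m],version" is
# assumed from these lines.
SAMPLE_LOG = r"""
Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-2570794179-3168083979-416921674-500\SOFTWARE\InstallCore, Quarantined, [3], [239563],1.0.2425
PUP.Optional.Lyrics, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\epojlgbehpaeekopencdagbdamnkppci, Quarantined, [7413], [240022],1.0.2425

Registry Value: 4
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarantined, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarantined, [23], [401398],1.0.2425

File: 3
Ransom.FileCryptor, C:\TMP\SVCHOST.EXE, Quarantined, [23], [401398],1.0.2425
PUP.Optional.RAAmmyy, C:\USERS\ADMINISTRATOR\DOWNLOADS\AA_V3.EXE, Quarantined, [350], [153896],1.0.2425
PUP.Optional.InstallCore, C:\USERS\ADMINISTRATOR\DOWNLOADS\COBIAN-BACKUP-1120582-32-BITS.EXE, Quarantined, [3], [301082],1.0.2425
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+): (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<detection>[^,]+), (?P<location>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<sig_a>\d+)\], \[(?P<sig_b>\d+)\],(?P<version>\S+)$"
)
# Run/RunOnce values under ...\CurrentVersion\ are the classic logon autostart points.
AUTORUN_RE = re.compile(r"\\CURRENTVERSION\\(?P<key>RUNONCE|RUN)\|(?P<value>.+)$", re.IGNORECASE)
# Core Windows binaries that legitimately live only under System32 / SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM32", "C:\\WINDOWS\\SYSWOW64")


def parse_mbam_log(text):
    """Turn the log into a list of dicts, tagging each entry with the section it sits in."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["section"] = section
            records.append(rec)
    return records


def autorun_entries(records):
    """Registry values under Run/RunOnce: the persistence, here disguised as 'Google Update'."""
    hits = []
    for r in records:
        if r["section"] != "Registry Value":
            continue
        m = AUTORUN_RE.search(r["location"])
        if m:
            hits.append({"hive": r["location"].split("\\", 1)[0],
                         "key": m.group("key").upper(),
                         "value_name": m.group("value"),
                         "detection": r["detection"]})
    return hits


def masquerading_files(records):
    """Files named like core Windows binaries but sitting outside the system directories."""
    hits = []
    for r in records:
        if r["section"] != "File":
            continue
        p = PureWindowsPath(r["location"])
        if p.name.lower() in SYSTEM_BINARIES and not str(p.parent).upper().startswith(SYSTEM_DIRS):
            hits.append(str(p))
    return hits


def group_by_signature(records):
    """Group entry locations by the bracketed number pair the log repeats per detection."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["sig_a"], r["sig_b"])].append(r["location"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for e in autorun_entries(recs):
        print("autorun:", e)
    print("masquerade:", masquerading_files(recs))
    for sig, locs in group_by_signature(recs).items():
        print(sig, len(locs), "entries")
```

Because Malwarebytes already quarantined C:\TMP\SVCHOST.EXE and deleted the four autostart values, this log is the only record of those indicators left on the machine; anyone hit by the same thing should check those two Run and RunOnce keys (under HKLM\SOFTWARE\WOW6432NODE and under their own HKU SID) for a value named "Google Update" before trusting that the machine is clean.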



#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,925 posts, Virginia, USA)

Posted 25 July 2017 - 06:01 PM


As I noted here, I'm not sure if Demonslay335 was ever able to find a sample of the malware file itself. If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here.

Please be patient until Demonslay335 has a chance to review the information you provided.

#7 cpaixao (Members, 1 post)

Posted 26 July 2017 - 04:56 AM

Quoting celoownz (#5), Malwarebytes log omitted:
Hi guys, has someone found the solution? All my files were encrypted with .aac. I used Malwarebytes and I have the log. Please help me.


Hello, could you provide more details on that? I'm also affected; I ran Malwarebytes on my machine but wasn't able to find the ransomware file cryptor. I am from Brazil just like you.

#8 celoownz (Members, 8 posts)

Posted 26 July 2017 - 07:25 AM

 

Quoting celoownz (#5) and cpaixao (#7), Malwarebytes log omitted:
Hello, could you provide more details on that? I'm also affected; I ran Malwarebytes on my machine but wasn't able to find the ransomware file cryptor. I am from Brazil just like you.

 

Hi friend,

I'm trying to find the file SVCHOST.EXE but I'm not having success.



#9 thyrex (Members, 597 posts, Belarus)

Posted 26 July 2017 - 08:32 AM

Because the file was moved to quarantine.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#10 celoownz (Members, 8 posts)

Posted 26 July 2017 - 08:59 AM

Quoting thyrex (#9): Because the file was moved to quarantine.

Exactly, and I can't find the quarantine folder, because someone uninstalled Malwarebytes.



#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,925 posts, Virginia, USA)

Posted 26 July 2017 - 09:06 AM

When security products are uninstalled, the uninstall typically removes everything related to that product. If the quarantine folder was removed, then everything contained within it will have been removed as well. When that occurs, there is no way to restore files which were removed.

#12 Demonslay335 (Ransomware Hunter, Security Colleague, 3,579 posts, USA)

Posted 26 July 2017 - 10:34 AM

Any chance of trying Recuva to restore that quarantined file? I'll reach out to our contacts at Malwarebytes to see if that log can be of any use; I think the numbers match an exact signature they might be able to use to help us find another sample.




#13 celoownz (Members, 8 posts)

Posted 26 July 2017 - 10:37 AM

Quoting Demonslay335 (#12): Any chance of trying Recuva to restore that quarantined file? ...

Dear friend, I will try to use Recuva.

Thanks for the help.



#14 thyrex (Members, 597 posts, Belarus)

Posted 26 July 2017 - 10:53 AM

The Malwarebytes quarantine is placed by default in the profile's AppData folder.




#15 cavalcrod (Members, 1 post)

Posted 27 July 2017 - 12:54 PM

I also have this problem... the extension of my files has been changed to .aac.


Edited by cavalcrod, 27 July 2017 - 12:54 PM.




