
Mich78 / Scarab Ransomware (recovery.txt , [mich78@usa.com]) Support Topic


32 replies to this topic

#1 glenn_ITP

Posted 18 July 2017 - 09:01 AM

Hello all,
 
New on this forum so please let me know if something I post is not allowed :)
 
I can't find any info regarding this particular ransomware... any ideas?
 
Thanks!


#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 18 July 2017 - 09:47 AM

Have you submitted a ransom note and an encrypted file to ID Ransomware for identification? If it could not identify them, you need to post the SHA1 it gives you so we can manually inspect your files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 kevinmicroirelandcom

Posted 18 July 2017 - 02:18 PM

I have a PC infected with this, mich98@usa.com at the end of each file and the file type is "com]". Cannot find anything online related to it.



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 18 July 2017 - 02:35 PM

As reference for searches, these were submitted to ID Ransomware with that email address:

 

Example encrypted file: c=vvHjlEKjmvod=e8dnDpqhAo677=wpWVbmjBNEjSsNcT8c4LZ1GHlWWtnWZKNTSFXKWLvOB.[mich78@usa.com]

 

Instruction for file recovery.txt

Your files are now encrypted!

Your personal ID :

[redacted]

What happened?

Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.

How to get the automatic decryptor:

1) Contact us by e-mail: mich78@usa.com. In the letter, indicate your personal identifier (look at the beginning of this document)
   and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Second email address michael78@india.com 

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10 Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).

 __________________________________________________________________________________________________
|                                                                                                  |
|  How to obtain Bitcoins?                                                                         |
|                                                                                                  |
| * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click             |
|   'Buy bitcoins', and select the seller by payment method and price:                             |
|   https://localbitcoins.com/buy_bitcoins                                                         |
| * Also you can find other places to buy Bitcoins and beginners guide here:                       |
|   http://www.coindesk.com/information/how-can-i-buy-bitcoins                                     |
|                                                                                                  |
|__________________________________________________________________________________________________|

 __________________________________________________________________________________________________
|                                                                                                  |
| Attention!                                                                                       |
|                                                                                                  |
| * Do not rename encrypted files.                                                                 |
| * Do not try to decrypt your data using third party software, it may cause permanent data loss.  |
| * Decryption of your files with the help of third parties may cause increased price              |
|   (they add their fee to our) or you can become a victim of a scam.                              |
|                                                                                                  |
|__________________________________________________________________________________________________|

I am seeing that the files look to have a filemarker with the original size of the file as the first 4 bytes, followed by four 0x00 bytes.

 

We will need a sample of the malware to analyze. Please submit suspicious executables here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


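As an added triage example (not code from this thread or from ID Ransomware), the two identifiers given in post #4 turned into a check a responder can run over suspect files: the `.[mich78@usa.com]` suffix on the file name, and the 8-byte header of a 4-byte original size followed by four 0x00 bytes. The little-endian byte order, the `parse_filemarker` and `classify` names, and the sample file contents are assumptions; the sample file name and its size come from the directory listing posted later in the thread.

```python
import re
import struct

# File name pattern reported in this thread: a long random base name built from
# letters, digits, '+' and '=', followed by the .[mich78@usa.com] suffix.
MICH78_NAME = re.compile(r"^[A-Za-z0-9+=]+\.\[mich78@usa\.com\]$")
MARKER_LEN = 8


def parse_filemarker(data: bytes):
    """Return the original size stored in the first 4 bytes, or None when the
    marker (4-byte size, then four 0x00 bytes) is absent. Little-endian is an
    assumption; the thread only gives the byte layout. The four zero bytes may
    simply be the high dword of a 64-bit size field, which reads the same here."""
    if len(data) < MARKER_LEN:
        return None
    size, zeros = struct.unpack("<I4s", data[:MARKER_LEN])
    if zeros != b"\x00\x00\x00\x00":
        return None
    return size


def classify(name: str, data: bytes) -> str:
    """'match' when both the name and the marker fit, 'name-only' or
    'marker-only' when just one does, 'none' otherwise. A recorded size larger
    than the payload after the marker is rejected: the encrypted file still has
    to hold at least as many bytes as the original, so such a header is not it."""
    name_ok = bool(MICH78_NAME.match(name))
    size = parse_filemarker(data)
    marker_ok = size is not None and size <= len(data) - MARKER_LEN
    if name_ok and marker_ok:
        return "match"
    if name_ok:
        return "name-only"
    if marker_ok:
        return "marker-only"
    return "none"


# Constructed sample (not a real encrypted file): name and size taken from the
# directory listing later in this thread, payload padded to a 16-byte boundary.
SAMPLE_NAME = ("0aeq3TWP9ye2fja1qjhLuj=fn3PGpQQIYbKesaRtyOAXaGp9Dr1xCYkdTm1nTNCU2"
               "Orbq1IUDb4aFofEqYspR7Ek.[mich78@usa.com]")
SAMPLE_DATA = struct.pack("<I", 21693) + b"\x00" * 4 + b"\xab" * 21696

if __name__ == "__main__":
    print(parse_filemarker(SAMPLE_DATA), classify(SAMPLE_NAME, SAMPLE_DATA))
```

A "name-only" result on a file with a different header is the signal to suspect another family (or a renamed file) and submit it to ID Ransomware rather than rely on the extension.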


#5 kevinmicroirelandcom

Posted 18 July 2017 - 02:51 PM

Cannot identify this ransomware, tried the ID Ransomware site.

 

ref SHA1: e10141d5cf84a8545c9d1b9abb9e952fc1fe8875

 

any help appreciated



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 18 July 2017 - 02:58 PM

I have temporarily called this one "Mich78" and set up rules to point victims to this support topic.




#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 18 July 2017 - 04:06 PM

Topic title changed to reflect temp assigned name which will also help lead other victims here.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 19 July 2017 - 10:46 AM

Based on comparing filemarker formats between encrypted files, I believe this ransomware is a variant of Scarab, which also seems to be a variant of another ransomware. I have merged them together on ID Ransomware.




#9 glenn_ITP (Topic Starter)

Posted 19 July 2017 - 11:50 AM

All right, thank you!

#10 Amigo-A

Posted 20 July 2017 - 02:18 AM

glenn_ITP
kevinmicroirelandcom
 
Tell exactly what the extension looks like at the end of the encrypted files.
Or make a screenshot inside one of the folders with the encrypted files.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#11 kevinmicroirelandcom

Posted 20 July 2017 - 02:52 AM

Sample list from directory:

 

20/07/2017  08:47    <DIR>          ..

22/06/2016  10:57            15,709 +29XnHyq820v7SFjNBu44yFizNkoV1RUh8l5yQbpZhMAGlyAax=kUOW7gpJWHJ8yLqO38QUzLbMG0KTLXUm6cMcqfZL=tbLpKPdFohrLKa=fzKK+TwXp24Wy8rpDLV9VHR2L5EkoSxfhbVsoKUxyO8yeLEb3+r4sbLEfPyMb16XlDV7Bts35lHsWlU2gVk.[mich78@usa.com]
05/12/2012  11:13            21,693 0aeq3TWP9ye2fja1qjhLuj=fn3PGpQQIYbKesaRtyOAXaGp9Dr1xCYkdTm1nTNCU2Orbq1IUDb4aFofEqYspR7Ek.[mich78@usa.com]
13/06/2013  17:34            19,133 2culANew=cPtlJPVOnCG9eWf=bcpkWr1Iikqjny80LYtWG3UH84176X8D75=TQUZBnZpOq7McMoVh3RGV+h0VHCMpzCjy6hBKm40IwF2c5c.[mich78@usa.com]
06/12/2011  12:54           256,701 2juC0rfKXIVg303pDLKVdib5FSQB8B87LuCS7brxD=8NOr9R+Rd1xh3B55RPoBHY7ZGJghVbMBD+qnRgVMWj63+14O7lYfgA1p8lNqaU=lSwgbgNJbyfdpvnZcekGgsOhFY2WaRMGUX92B=ttR1uZPLmoU3=6D0Fn7tQ9m7C.[mich78@usa.com]


#12 Amigo-A

Posted 20 July 2017 - 03:42 AM

kevinmicroirelandcom
Thanks, I got it.
 
.[mich78@usa.com]

Edited by Amigo-A, 20 July 2017 - 03:45 AM.



#13 kevinmicroirelandcom

Posted 01 August 2017 - 02:10 PM

Does anyone know of a decrypter for the mich78 virus as of yet?



#14 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 August 2017 - 03:22 PM

There is no decrypter that I am aware of. When we have information about decrypters, it will be posted in this support topic.

#15 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 01 August 2017 - 05:21 PM

We've analyzed this one and it is not decryptable unfortunately.

