Please help me to identify ransomware


This topic is locked
15 replies to this topic

#1 Dubak

Posted 20 July 2017 - 07:26 AM

Please help me to identify ransomware for decryption.

File: http://leteckaposta.cz/394793112

Thank you


Edited by Dubak, 20 July 2017 - 08:25 AM.



#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 20 July 2017 - 09:22 AM

Please upload the ransom note and encrypted file together to ID Ransomware for identification. We won't be able to identify by the file alone since the extension may just be random, and I see no filemarkers in it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Emmanuel_ADC-Soft

Posted 21 July 2017 - 03:11 AM

Hello Demonslay335,

 

Unknown Ransomware

case SHA1: 53aa367d26bbca15d68aec8b2583f85b7751be8e

 

Do you need samples? Best regards,

Emmanuel



#4 quietman7 (Global Moderator)

Posted 21 July 2017 - 07:59 AM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse.

These are some common folder variable locations where malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUsersProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 21 July 2017 - 08:23 AM

As stated, you need to also submit the ransom note. There are no filemarkers or extension added to the file, so it can only be identified by the ransom note, or if you have the malware itself.


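The point made in #2 and #5 is that an encrypted file can only be identified on its own when the family writes a recognisable "file marker" into it; with no marker and a random extension, only the ransom note or the malware sample will do. The script below is an added example, not code from this thread or from ID Ransomware: given several encrypted files from the same infection, it reports any byte string they all start or end with (a candidate marker) and checks that the rest looks like ciphertext. The sample files and the marker strings it runs against are constructed for the demo, not taken from any real family.

```python
"""Check a set of encrypted files for a shared "file marker".

Some ransomware families write a fixed byte sequence into every file they
encrypt, at the start, the end, or both; those can be identified from an
encrypted file alone.  Families that add no marker leave nothing in the
file to match on.  Given several encrypted files from one infection, a byte
string every file starts or ends with is a candidate marker, and the
remainder should look like ciphertext (entropy close to 8 bits per byte).
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix(blobs) -> bytes:
    """Longest byte prefix shared by every blob (b"" if they differ at byte 0)."""
    shortest = min(blobs, key=len)
    for i in range(len(shortest)):
        if any(b[i] != shortest[i] for b in blobs):
            return shortest[:i]
    return shortest


def common_suffix(blobs) -> bytes:
    return common_prefix([b[::-1] for b in blobs])[::-1]


def triage(blobs, min_marker=4):
    """What can be learned from the encrypted files alone.

    A shared prefix/suffix shorter than min_marker bytes is treated as
    coincidence rather than a marker.  Needs at least two files: with one
    file there is nothing to compare against.
    """
    if len(blobs) < 2:
        raise ValueError("need at least two encrypted files from the same infection")
    prefix, suffix = common_prefix(blobs), common_suffix(blobs)
    if len(prefix) < min_marker:
        prefix = b""
    if len(suffix) < min_marker:
        suffix = b""
    # entropy of what is left once any shared header/trailer is removed
    bodies = [b[len(prefix):len(b) - len(suffix)] for b in blobs]
    return {
        "prefix": prefix,
        "suffix": suffix,
        "body_entropy": min(shannon_entropy(b) for b in bodies),
        "identifiable_from_file": bool(prefix or suffix),
    }


# --- constructed test data (fake files, made-up marker strings) -------------
def constructed_samples(marker=b"", trailer=b"", n=3, size=4096, seed=1):
    """n fake encrypted files: optional marker + random body + optional trailer.
    The first and last body byte are pinned to the sample index so unmarked
    samples share no prefix or suffix by accident."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        middle = bytes(rng.getrandbits(8) for _ in range(size - 2))
        out.append(marker + bytes([i]) + middle + bytes([255 - i]) + trailer)
    return out


MARKED = constructed_samples(marker=b"CONSTRUCTED-MARKER\x00")
TRAILED = constructed_samples(trailer=b"\x00CONSTRUCTED-TRAILER")
UNMARKED = constructed_samples()

if __name__ == "__main__":
    for label, files in (("marked", MARKED), ("trailed", TRAILED), ("unmarked", UNMARKED)):
        print(label, triage(files))
```

To use it on a real case, read two or three encrypted files of the same original type into `bytes` and pass the list to `triage()`. An empty prefix and suffix with body entropy near 8 is exactly the situation in this thread: nothing in the file identifies the family, so the ransom note or the sample is needed.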


#6 Emmanuel_ADC-Soft

Posted 21 July 2017 - 10:27 AM

Hello,

 

Thank you. I submitted, as requested, the malicious executable suspected to be involved in causing the infection.

No ransom note, unfortunately, but other samples of encrypted files.

 

Thank you, best regards

 

Emmanuel



#7 Emmanuel_ADC-Soft

Posted 21 July 2017 - 11:12 AM

Hello,

 

The size of the file is greater than the maximum file size of 10 MB.

It can be downloaded directly here: http://www67.zippyshare.com/v/ZC9fqV6t/file.html

case SHA1: 53aa367d26bbca15d68aec8b2583f85b7751be8e

 

Thank you, best regards

 

Emmanuel



#8 quietman7 (Global Moderator)

Posted 21 July 2017 - 06:25 PM

...No ransom note, unfortunately, but other samples of encrypted files.

Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.
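The folder list in #4 and the ransom-note hints in #8 describe a manual hunt; the script below does the same hunt in code. It is an added example, not code from this thread or from any BleepingComputer tool: it expands the folder variables from #4, lists recently modified files whose content starts with the "MZ" header of a PE executable/DLL regardless of extension, and flags small note-like files (.html/.txt/.png/.bmp/.url) whose name recurs across many directories, which is how a note dropped into every encrypted folder looks. The directory tree, file names and note text in `build_constructed_fixture()` are constructed for the demo.

```python
"""Hunt the usual drop locations for a ransomware executable and its notes.

Check 1: recently modified files starting with the PE "MZ" header, whatever
their extension, under the folders malware commonly hides in.
Check 2: small note-like files whose name recurs across many directories.
"""
import os
import re
import shutil
import tempfile
import time
from collections import defaultdict

# Folder variables from the post (trailing backslashes dropped so the paths are valid on any OS).
DROP_LOCATIONS = [
    "%SystemDrive%", "%SystemRoot%", "%UserProfile%",
    "%UserProfile%\\AppData\\Roaming", "%AppData%", "%LocalAppData%",
    "%ProgramData%", "%AllUsersProfile%", "%Temp%",
]
NOTE_EXTENSIONS = {".html", ".htm", ".txt", ".png", ".bmp", ".url"}
NOTE_MAX_BYTES = 256 * 1024
_VAR = re.compile(r"%([^%]+)%")


def expand(location, env):
    """Expand %VAR% from a mapping (os.environ, or a dict in tests); unknown vars stay as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1), env.get(m.group(1).upper(), m.group(0))), location)


def _prune_nested(roots):
    """Drop roots that lie inside another root so nothing is walked twice."""
    kept = []
    for r in sorted({os.path.normpath(r) for r in roots}):
        if not any(r == k or r.startswith(k + os.sep) for k in kept):
            kept.append(r)
    return kept


def expand_locations(env=None):
    """Existing directories behind DROP_LOCATIONS; call with no argument for the live machine."""
    env = dict(os.environ) if env is None else env
    paths = [expand(loc, env) for loc in DROP_LOCATIONS]
    return _prune_nested(p for p in paths if "%" not in p and os.path.isdir(p))


def _walk_files(roots):
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # descends into hidden folders too
            for name in files:
                yield os.path.join(dirpath, name)


def recent_executables(roots, since_epoch):
    """Files modified after since_epoch whose first two bytes are 'MZ'."""
    hits = []
    for path in _walk_files(roots):
        try:
            with open(path, "rb") as fh:
                head = fh.read(2)
            if head == b"MZ" and os.path.getmtime(path) >= since_epoch:
                hits.append(path)
        except OSError:  # locked, unreadable or vanished: skip and keep hunting
            pass
    return sorted(hits)


def recurring_note_candidates(roots, min_dirs=3):
    """Note-like file names seen in at least min_dirs distinct directories."""
    dirs_by_name = defaultdict(set)
    for path in _walk_files(roots):
        name = os.path.basename(path)
        try:
            small = os.path.getsize(path) <= NOTE_MAX_BYTES
        except OSError:
            continue
        if small and os.path.splitext(name)[1].lower() in NOTE_EXTENSIONS:
            dirs_by_name[name].add(os.path.dirname(path))
    return {n: sorted(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}


def build_constructed_fixture():
    """A throwaway tree standing in for %UserProfile% (constructed test data)."""
    base = tempfile.mkdtemp(prefix="ransom-triage-")
    def put(rel, data):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("AppData/Roaming/svc/update.dat", b"MZ" + b"\x90" * 62)  # PE bytes, non-.exe name
    put("Documents/report.docx", b"PK\x03\x04" + b"\x00" * 60)    # not a PE
    for folder in ("Documents", "Documents/2017", "Pictures", "Desktop"):
        put(folder + "/HOW_TO_RESTORE_FILES.txt", b"constructed note text")
    put("Documents/readme.txt", b"project notes")                 # appears once: not a note
    return base


def demo():
    """Run both hunts over the constructed tree; returns paths relative to it."""
    base = build_constructed_fixture()
    try:
        env = {"UserProfile": base, "AppData": os.path.join(base, "AppData", "Roaming")}
        roots = expand_locations(env)
        exe = recent_executables(roots, since_epoch=time.time() - 86400)
        return {
            "executables": [os.path.relpath(p, base).replace(os.sep, "/") for p in exe],
            "notes": sorted(recurring_note_candidates(roots, min_dirs=3)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

On a real machine, `expand_locations()` with no argument reads the live environment; walking `%SystemDrive%` in full takes a while, so narrow `DROP_LOCATIONS` to the profile folders first if time is short. Matching on the "MZ" bytes rather than the extension matters because a dropped executable is often given a harmless-looking name, and the recurring-name check finds a note even when its name is random for the infection, since the same random name is repeated in every folder it touched.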

#9 Dubak (Topic Starter)

Posted 26 July 2017 - 08:40 AM

Please, is the ransom note file safe?



#10 Emmanuel_ADC-Soft

Posted 26 July 2017 - 08:52 AM

Hello,

 

Yes, ransom notes are safe.

Anyway, sometimes they are blocked by antivirus.

 

Emmanuel



#11 quietman7 (Global Moderator)

Posted 26 July 2017 - 09:02 AM

Encrypted files and ransom notes do not contain malicious code so they are safe.

#12 Dubak (Topic Starter)

Posted 11 August 2017 - 02:08 AM

Is it possible to decrypt Crypt0L0cker?

 

http://leteckaposta.cz/529621811



#13 Emmanuel_ADC-Soft

Posted 11 August 2017 - 02:54 AM

Hello Dubak,

 

Most of the time Doctor Web is able to decrypt Crypt0l0cker. Unfortunately there is no free decryption solution for Crypt0l0cker ransomware unless you were using a Doctor Web antivirus when your files were encrypted. Fees for users of other antivirus products are 150 € excl. VAT, and their antivirus for 1 PC for 2 years.

You only have to pay if Doctor Web is able to decrypt your files.

 

To see if it is possible, you can send the ransom note and 2-3 encrypted doc/pdf/xls files using this form: https://www.pixad.fr/drweb_ransomware/index.php#formulaire

Support is in French, Russian and English, but also in all languages (using a web translator :-) ).

 

Kind regards

Emmanuel



#14 Emmanuel_ADC-Soft

Posted 11 August 2017 - 03:22 AM

@Dubak,

 

I received your request and sent your files to Doctor Web. I will tell you if they can decrypt them.

Kind regards,

 

Emmanuel



#15 Dubak (Topic Starter)

Posted 11 August 2017 - 03:37 AM

Quoting Emmanuel_ADC-Soft (#14): "@Dubak, I received your request and sent your files to Doctor Web. I will tell you if they can decrypt them. Kind regards, Emmanuel"

Thank you





