
Ransomware zero-overwrite files


6 replies to this topic

#1 daveaust

daveaust

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 22 July 2017 - 10:12 PM

Windows 7: My mom downloaded a loaded "invoice" email attachment (.doc she thinks) which converted some desktop shortcuts to .hta files which in turn delivered the your-files-are-encrypted with 2048 etc and send bitcoins to us to decrypt with the usual links. All of her various document data files were overwritten with zeros (binary or ASCII I don't remember) instead of encrypted. I looked at busted files with a hex viewer and they were solid zeros. The .hta files delivered a text screen that matched Nemucod messaging when I sent it through the ID utility. Malwarebytes scan was clean. I guess there's no running processes left with this. Did a VSS restore on her data etc and removed all .hta icons on desktop. Is there anything else to watch?

thanks...





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,473 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:13 PM

Posted 23 July 2017 - 08:09 AM

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware). RSA-4096 / RSA-2048 / RSA-1024 / AES-256 / AES-128 are encryption algorithms and not an explicit way of identifying a particular ransomware infection.

What was the actual name of the ransom note? The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection. You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot: [image 2016-07-01_0936.png, not included in this copy]

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:13 PM

Posted 23 July 2017 - 10:46 AM

daveaust, on 22 July 2017 - 10:12 PM, said:

Windows 7: My mom downloaded a loaded "invoice" email attachment (.doc she thinks) which converted some desktop shortcuts to .hta files which in turn delivered the your-files-are-encrypted with 2048 etc and send bitcoins to us to decrypt with the usual links. All of her various document data files were overwritten with zeros (binary or ASCII I don't remember) instead of encrypted. I looked at busted files with a hex viewer and they were solid zeros. The .hta files delivered a text screen that matched Nemucod messaging when I sent it through the ID utility. Malwarebytes scan was clean. I guess there's no running processes left with this. Did a VSS restore on her data etc and removed all .hta icons on desktop. Is there anything else to watch?

thanks...

You should be fine, but I'd run another scan with another free AV scanner just to be secure (Emsisoft Emergency Kit, ESET's online scanner) for example. Does your mom have an AV on her system, is there a backup of her files? Next time you may not be so lucky and VSS snapshots may be deleted.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#4 daveaust

daveaust
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 23 July 2017 - 11:08 AM

@xXToffeeXx-

 

I will scan with ESET as well. She just has Windows Security Essentials running right now and I scanned a few times with MWBytes.

She didn't have backups (seems like the norm out there) so VSS saved her by the skin of her teeth. I told her how lucky she was because she had a lot of docs that she had been hand formatting so it would have been a disaster. I'm going to research and find her a backup solution. I was quite surprised the infection didn't clear her VSS. Very surprised.

I just ran SFC and also chkdsk'ing just because I have her computer here at my house.

 

@quietman7-

There aren't any encrypted samples to send for analysis. The files are not encrypted -- they are completely zeroed over. From one end to the other. I ran the ransom note through the ID analyzer and it said it was Nemucod (sp?) because it mentioned RSA-2048 and AES, but it wasn't dropping Kovter or whatever the hell it usually does.

 

BTW, there were no extension changes at all.

 

Thank you all for chiming in!!


Edited by daveaust, 23 July 2017 - 11:09 AM.
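The two posts above describe the same check done by hand in a hex viewer: the "encrypted" files were in fact solid zeros, with no extension change to give it away. The script below is an added example (not code from this thread or from any of the tools it mentions) that automates that triage over a whole folder, sorting files into zeroed (binary 0x00 or the ASCII digit "0", since the poster could not remember which), near-random content that is probably really encrypted, and files that still look plausible. The entropy threshold, the small list of file signatures and the constructed sample files are all assumptions made for this example.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds for this example; tune them for your own data.
ENTROPY_ENCRYPTED = 7.5   # bits per byte at which content looks random
SAMPLE_BYTES = 1 << 20    # inspect only the first 1 MiB of each file

# A few well-known file signatures: content that still starts with one of these is
# treated as plausibly intact even though compressed formats have high entropy.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(data: bytes) -> str:
    """Classify a file's leading bytes the way the hex-viewer check in the thread did.

    'empty'     zero-length file
    'zeroed'    every byte is 0x00, or every byte is the ASCII digit '0'
    'encrypted' near-random content with no recognisable file signature
    'plausible' anything else; open it to confirm it is really intact
    """
    if not data:
        return "empty"
    if data.count(0x00) == len(data) or data.count(0x30) == len(data):
        return "zeroed"
    if data.startswith(KNOWN_MAGIC):
        return "plausible"
    if shannon_entropy(data) >= ENTROPY_ENCRYPTED:
        return "encrypted"
    return "plausible"


def triage_tree(root: str) -> dict:
    """Walk a directory tree and bucket every regular file by classification."""
    buckets = {"empty": [], "zeroed": [], "encrypted": [], "plausible": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with open(path, "rb") as fh:
                buckets[classify_bytes(fh.read(SAMPLE_BYTES))].append(str(path))
    return buckets


def build_demo_tree() -> str:
    """Constructed sample set: binary-zeroed, ASCII-zeroed, random-looking and plain text."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    Path(root, "letter.doc").write_bytes(b"\x00" * 4096)
    Path(root, "budget.xls").write_bytes(b"0" * 4096)
    # Deterministic high-entropy bytes standing in for a genuinely encrypted file.
    Path(root, "photo.jpg").write_bytes(
        b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
    Path(root, "notes.txt").write_bytes(b"Hand-formatted notes, page one.\n" * 100)
    return root


if __name__ == "__main__":
    for bucket, files in triage_tree(build_demo_tree()).items():
        for name in files:
            print(f"{bucket:10s} {name}")
```

Run it against a copy of the recovered data, not the originals. A zeroed file cannot be recovered by any decryptor, so the "zeroed" bucket tells you which files must come from a shadow copy or backup, while the "encrypted" bucket is what you would actually submit to ID Ransomware.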


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,473 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:13 PM

Posted 23 July 2017 - 01:50 PM

Yea ID Ransomware is not as accurate when submitting only one type of file. Submitting both encrypted files and ransom notes provides a more positive match and helps to avoid false detections but not every situation will allow for that. Sometimes the criminal's email address for ransom payment is useful and so is the malicious file responsible for the infection itself which is why we ask in order to cover all the bases.

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted. However, it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies as what appears to have happened in your Mom's situation. But as xXToffeeXx notes, the next time you may not be as lucky so backing up data and prevention are your best defensive strategies. Although Microsoft Security Essentials combines the features of an anti-virus and anti-malware scanner to provide real-time protection against viruses, spyware, and other malicious software...it is weak, meaning it does not provide comprehensive protection especially from ransomware. To protect your Mom, you may want to have her consider replacing MSE with a better solution such as Emsisoft Anti-Malware which includes protection against ransomware. See my comments in Choosing an Anti-Virus Program for more specific details as to why I recommend Emsisoft Anti-Malware.
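quietman7's point that most crypto malware deletes shadow copies with vssadmin.exe is also the basis of a common detection: a home user or an administrator almost never runs a shadow-copy deletion from a script host or an Office application. The code below is an added example (not from this thread, Emsisoft or Microsoft) that runs that rule over a few constructed process-creation records. The key=value record format, the sample events and the choice of mshta.exe and WINWORD.EXE as escalating parents (mirroring the .doc to .hta chain the original poster described) are assumptions made for this example; in practice the input would be Windows Security event 4688 or Sysmon event 1 data.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simple key=value format (not real logs from the thread).
SAMPLE_EVENTS = """\
ts=2017-07-22T21:40:03 user=MOM-PC\\mom parent=C:\\Windows\\System32\\mshta.exe image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
ts=2017-07-22T21:40:05 user=MOM-PC\\mom parent=C:\\Windows\\explorer.exe image="C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" cmd="WINWORD.EXE /n invoice.doc"
ts=2017-07-23T09:12:44 user=MOM-PC\\dave parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
ts=2017-07-23T09:13:10 user="NT AUTHORITY\\SYSTEM" parent=C:\\Windows\\System32\\services.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /for=C: /oldest"
"""

# key=value pairs; values containing spaces are double-quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# vssadmin invoked with both "delete" and "shadow(s)" anywhere on the command line.
# Listing shadows ("vssadmin list shadows") is legitimate and must not match.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows?\b", re.IGNORECASE)

# Parent processes that have no business deleting backups; assumed for this example
# from the infection chain in the thread (Office document -> .hta script host).
ESCALATING_PARENTS = ("mshta.exe", "winword.exe")


@dataclass
class Alert:
    ts: str
    user: str
    parent: str
    cmd: str
    severity: str


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def detect_shadow_deletion(log_text: str) -> list:
    """Return one Alert per process-creation record that deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if not SHADOW_DELETE.search(event.get("cmd", "")):
            continue
        parent_name = event.get("parent", "").rsplit("\\", 1)[-1].lower()
        severity = "high" if parent_name in ESCALATING_PARENTS else "medium"
        alerts.append(Alert(event.get("ts", "?"), event.get("user", "?"),
                            parent_name, event["cmd"], severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.ts} {alert.user} parent={alert.parent}: {alert.cmd}")
```

The medium-severity hit from services.exe shows why the parent matters: scheduled cleanup of old snapshots is normal and should be reviewed rather than acted on, whereas a deletion launched from an HTA or Word process is the moment before the files are lost and is worth an immediate alert. Because the thread's sample shows the malware failing to clear VSS, the same logic run historically also tells you whether a restore from shadow copies is still worth attempting.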

#6 daveaust

daveaust
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 23 July 2017 - 09:29 PM

quietman- I may put the Emsisoft package on her machine. I didn't know too much about it but I went to their site -and- if it is recommended by this forum's members then I know it will be a good product. She got really lucky that the virus was "dumb" enough to leave the shadows lol. It really made the recovery easy for me. Glad there are a few absent minded malware coders out there. I for now just slapped Mozy on her machine to at least get copies of her data files off site daily.

thanks again for all the info on this...



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,473 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:13 PM

Posted 23 July 2017 - 09:35 PM

You're welcome on behalf of the Bleeping Computer community.