Encrypted files! [tramkal@protonmail.ch]cryptall


  • This topic is locked
2 replies to this topic

#1 Cokey

Posted 26 July 2017 - 12:51 PM

Hi guys

We've been "hacked" with a ransomware.

The file extension has had the following added after the file: [tramkal@protonmail.ch]cryptall

For example: IMG_5643.JPG is now named IMG_5643.JPG.[tramkal@protonmail.ch]cryptall

There is also a file in every folder that has been encrypted called: how_to_back_files.html

In this file it says:

Your files are encrypted!
Your personal ID

*Removed by me*

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: tramkal@protonmail.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 
If you can't contact us by mail:tramkal@protonmail.ch You can write to us on this mail: tramkal@india.com
Free decryption as guarantee
Before paying you can send to us up to 1 file for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 10Mb.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:: 
http://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decoders of other users are incompatible with your data, as each user has a unique encryption key

I've mailed the guy to see what he wanted and his answer is this:

Hello. I will send the test file later.
We can decrypt your data, here is price:
- 2 Bitcoins in 72 hours without any stupid questions and test decryption.
- 4 Bitcoins if you need more than 72 hours to pay us, but less than 100 hours.
- 6 Bitcoins if you need more than 100 hours to pay us. Pay us and send payment's screenshot in attachment.
In this way after you pay we will send you decryptor tool with instructions.
TIME = MONEY.
If you don't believe in our service and you want to see a proof, you can ask about test decryption.
About test decryption:You have to send us 1 crypted file.
Use dropfile . to and Win-Rar to send file for test decryptions.
File have to be less than 10 MB.
We will decrypt and send you your decrypted files back.
Answer us with your decision.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Time limit starts from this email.
Here is our bitcoin wallet:
1EBZtXoDALx3pPHkC1ASwQ4zq4z3SHe6HJ
Can recommend easy bitcoin exchange service localbitcoins.com (HOW TO BUY BITCOINS: https://localbitcoins.com/guides/how-to-buy-bitcoins)
or https://www.coinbase.com/buy-bitcoin
or https://paxful.com/buy-bitcoin
or https://blockchain.info/
or you can google any service you want.
Sent with ProtonMail Secure Email.

I've googled everything that is relevant to this, can't find any results.

 

Do you have any tips or any tool that might do the job?

 

Thank you very much!

 

/ Stefan
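
Added example, not part of the original posts: a read-only inventory for scoping the damage before restoring from backup, keyed on the appended .[e-mail]cryptall marker and the how_to_back_files.html note described above. The sample directory layout is constructed, and scan_tree, build_sample_tree and demo are hypothetical names.

```python
import os
import re
import tempfile
from collections import Counter

# Pattern from the post: <original name>.[<contact e-mail>]cryptall
MARKER_RE = re.compile(r"^(?P<original>.+)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]cryptall$", re.I)
NOTE_NAME = "how_to_back_files.html"  # ransom note found in each encrypted folder

def scan_tree(root):
    """Read-only inventory of a directory tree; nothing is renamed or modified."""
    report = {"encrypted": [], "intact": [], "note_dirs": [],
              "contacts": Counter(), "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                report["note_dirs"].append(dirpath)
                continue
            match = MARKER_RE.match(name)
            if match is None:
                report["intact"].append(path)
                continue
            report["encrypted"].append(path)
            report["contacts"][match.group("contact").lower()] += 1
            # The original extension shows which data types need restoring.
            ext = os.path.splitext(match.group("original"))[1].lower() or "(none)"
            report["by_type"][ext] += 1
    return report

def build_sample_tree(root):
    """Constructed sample: empty files named the way the post describes."""
    suffix = ".[tramkal@protonmail.ch]cryptall"
    layout = {"photos": ["IMG_5643.JPG" + suffix, "IMG_5644.JPG" + suffix, NOTE_NAME],
              "docs": ["report.docx" + suffix, NOTE_NAME],
              "untouched": ["notes.txt"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

def demo():
    """Scan the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    result = demo()
    print(len(result["encrypted"]), "encrypted,", len(result["intact"]), "intact,",
          len(result["note_dirs"]), "folders with a note;", dict(result["by_type"]))
```

Pointing scan_tree at a mounted copy of the affected share gives the list of files to match against backups without touching the encrypted originals.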




#2 xXToffeeXx


Posted 26 July 2017 - 01:52 PM

It looks like you're dealing with GlobeImpostor 2, it's unfortunately not decryptable. If you have RDP enabled, then that's usually how the criminals enter the system because of the weak passwords set.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 quietman7


Posted 26 July 2017 - 04:00 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
