
.ZERO : what ransomware ?


  • This topic is locked
3 replies to this topic

#1 Hellomorld

Hellomorld

  • Members
  • 1 posts
  • OFFLINE

Posted 27 July 2017 - 11:57 PM

Hello (sorry for my English),

Yesterday morning I saw that a little Server 2008 R2 was attacked in the night and all files were encrypted with a .ZERO extension.
A small HELP note "_HELP_INSTRUCTION.txt" tells me to write to zero@hook.work. No background image or alert with instructions.
As nobody uses the server, it seems the attack was possible by RDP. The system is up to date (except the last monthly security patch) but SMBv1 is on (it is needed) (but no port 445 open to the net).

Probably unrelated, but a month ago I noticed an infection by a bitcoin miner (MinerGate) (probably infected by a hacked website where I downloaded 7-Zip), but I disinfected it with Bitdefender and Malwarebytes.
A few hours before the attack I analyzed the computer with Malwarebytes, which only noticed 2 files about the bitcoin malware that I put in the trash.
The computer is protected by Bitdefender Endpoint Security.

ID Ransomware identifies the ransomware as "CryptoMix Revenge" (but when I read this description, it is not him).
When I rebooted the server, Bitdefender found nothing after a complete analysis.

As the server is used only to run an app that is not affected by the ransomware and I have backups, it is not really bad, but before I reintroduce the server into the network I want to be sure there is no more menace. If I know what ransomware attacked me I could disinfect the server (or verify that it is really disinfected) and verify there is no more security breach.

I found the culprit in AllUsers; here is the link to the analysis on VirusTotal: https://www.virustotal.com/fr/file/36b7f06afc92dbbb9ae973c0ce7ae69c6c49a62df9d1d42c64fe9266f560d539/analysis/1501232977/


Thanks in advance for any info!

Edited by Hellomorld, 28 July 2017 - 04:59 AM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:24 AM

Posted 28 July 2017 - 05:34 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:24 PM

Posted 28 July 2017 - 08:12 AM

Hi Hellomorld,

I unpacked the sample you gave us.

The unpacked version is here: https://virustotal.com/de/file/263592ad653a5a0294bbc582799d6fae6c9ec34ea2919b420850b8c4673d6b4b/analysis/1501246810/

I asked my colleagues whether they have seen it before and xxToffeexx confirmed that this is CryptoMix ransomware.


Best regards

Karsten



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:24 AM

Posted 28 July 2017 - 08:26 AM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff