SynAck Ransomware Support & Help topic - RESTORE_INFO-*id*.txt & .*10randomchars


21 replies to this topic

#1 jesperth

Posted 03 August 2017 - 06:00 AM

An old web server has fallen to a ransomware attack. Can you help ID which ransomware it is:

 

All data files (php, htm, txt, zip) are encrypted and have been renamed by adding a 10-letter file extension that looks random - like this: 

 

snips.txt.wxdrJbgSDa

Web.config.nUZPveYgIp

 

The ransom note left in every folder reads like this: 

 

-------------------------------------------------------------------------

Files on your computer are encrypted.
Algorithm: ecc-secp192r1 & aes-ecb-256
To decrypt your files, please contact us using one of these e-mail addresses:
synack@secmail.pro
synack@scryptmail.com
synack@countermail.com
Please include the following text in your message:
zMp9IPExgXlvg27MFOlQrOIssoqd/gUr5SiB5zhpbDt8TmZhBwkxrfJE6pI4eBWbQF27lVL9XlCbfSqA
.... and 5 more lines of random text/key like that

--------------------------

 

Can you help ID and point to any measures I can take?
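
The note above claims "ecc-secp192r1 & aes-ecb-256". The AES-ECB half can be tested from the encrypted files alone, with no malware sample: ECB encrypts each 16-byte block independently, so identical plaintext blocks (zero padding, repeated headers) become identical ciphertext blocks, while a chained mode such as CBC or CTR yields no repeats. The script below is an added example written for this page, not anything posted in the thread or taken from the malware; its `simulate_ecb` function is a keyed-hash stand-in for a block cipher (it is not AES) and every sample byte is constructed. A positive result confirms the mode claim and gives you a classification fingerprint, the ciphertext of an all-zero block, which recurs in every file encrypted under the same key; it does not recover the key, which the note says is wrapped by the elliptic-curve layer.

```python
"""Test a ransom note's "aes-ecb-256" claim by counting repeated ciphertext
blocks. Added example, not code from the thread; all sample data is constructed."""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes; the same for AES-128 and AES-256


def ecb_block_stats(data: bytes) -> dict:
    """Count 16-byte blocks of `data` that repeat an earlier block."""
    nblocks = len(data) // BLOCK
    counts = Counter(data[i * BLOCK:(i + 1) * BLOCK] for i in range(nblocks))
    repeated = sum(c - 1 for c in counts.values() if c > 1)
    return {
        "blocks": nblocks,
        "unique": len(counts),
        "repeated": repeated,
        "repeat_ratio": repeated / nblocks if nblocks else 0.0,
    }


def looks_like_ecb(data: bytes, threshold: float = 0.01) -> bool:
    """Verdict: a single repeated block is already suspicious in a few KB of
    properly chained ciphertext; more than `threshold` of the blocks repeating
    is strong evidence of ECB (or of the file not being encrypted at all)."""
    return ecb_block_stats(data)["repeat_ratio"] > threshold


def _hash_chain(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain), standing in for the
    output of a chained cipher mode. Constructed for the example."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def simulate_ecb(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for an ECB cipher: each 16-byte block is replaced by
    a keyed hash truncated to 16 bytes. This is NOT AES and NOT secure; it only
    reproduces the single ECB property under test: equal input blocks give
    equal output blocks regardless of position."""
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    return b"".join(hashlib.sha256(key + b).digest()[:BLOCK] for b in blocks)


# Constructed sample plaintext: a 64-byte header followed by 4 KB of zero bytes,
# the kind of content a .zip or .doc with padding carries. 260 blocks in total.
SAMPLE_PLAINTEXT = b"PK\x03\x04" + _hash_chain(60, b"header") + b"\x00" * 4096
SAMPLE_KEY = b"\x4b" * 32  # constructed 256-bit key

ECB_CIPHERTEXT = simulate_ecb(SAMPLE_PLAINTEXT, SAMPLE_KEY)
CHAINED_CIPHERTEXT = _hash_chain(len(SAMPLE_PLAINTEXT), b"cbc-like")

if __name__ == "__main__":
    for label, blob in (("ecb", ECB_CIPHERTEXT), ("chained", CHAINED_CIPHERTEXT)):
        print(label, ecb_block_stats(blob), "ECB?", looks_like_ecb(blob))
```

Run it against a real encrypted file by reading the file into `data` and calling `ecb_block_stats(data)`; a .zip or Office document that had long zero runs is the best test subject, a small already-compressed JPEG the worst, since it has no repeated plaintext blocks to begin with.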



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 August 2017 - 07:03 AM

There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc. character extension to the end of all affected filenames (e.g. CTB-Locker, Crypt0L0cker, CryptON (Cry9, Cry36, Cry128, Nemesis), Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants).

Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png) to ensure that the victim can open them. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

The best way to identify the different ransomware that use "random character extensions" is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot: 2016-07-01_0936.png

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 jesperth (Topic Starter)

Posted 03 August 2017 - 07:08 AM

Hi quietman7, thanks for your reply. I did paste in the full contents of the ransom note. It is below the dotted line in my post.

This note is in files named RESTORE_INFO-C3E2xxxxxx.txt in every folder with encrypted files.

I did run ID Ransomware, it was unable to detect it. Will post the SHA1 result asap.

/Jesper

Edited by jesperth, 03 August 2017 - 07:11 AM.


#4 jesperth (Topic Starter)

Posted 03 August 2017 - 07:30 AM

For Demonslay335: this is the SHA1 key I get from ID Ransomware: 7aedd4063107ce73cc926e46b1d7162fe10b816c



#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 03 August 2017 - 08:17 AM

I did see this come through the alerts this morning and set out a hunt. It looks new, haven't seen a ransom note claim to use ECDH crypto before.

 

So the extension is random 10 characters for each file? Is the name of the ransom note consistent, or random for each note?

 

We'll need a sample of the malware itself to analyze since it's something new. What OS is the web server? Chances of it being Windows and compromised via RDP (assuming it's Windows based on Web.config file, that's only used on ASP/ASP.NET sites)? Is it just the website files that are encrypted, or more on the server?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

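Demonslay335 asks above whether the server was Windows and reached over RDP. The quickest way to answer that is the Security event log: a run of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (event 4624) from the same address, is the signature of password guessing that worked. The script below is an added example for this page, not a tool from the thread. The event IDs and logon type are Windows facts; the CSV layout and the ten events in it are constructed, so a real export from `Get-WinEvent` or `wevtutil` needs its own field mapping before it can be fed in.

```python
"""Find RDP password guessing that ended in a successful logon.
Added example, not code from the thread; the log export below is constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and logon type (these values are real).
FAILED, SUCCESS, RDP_LOGON = "4625", "4624", "10"

# Constructed export: the column names mirror the EventData fields of 4624/4625.
SAMPLE_EVENTS_CSV = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2017-08-01 02:14:05,4625,10,administrator,203.0.113.7
2017-08-01 02:14:07,4625,10,administrator,203.0.113.7
2017-08-01 02:14:09,4625,10,admin,203.0.113.7
2017-08-01 02:14:11,4625,10,webadmin,203.0.113.7
2017-08-01 02:14:13,4625,10,administrator,203.0.113.7
2017-08-01 02:14:15,4625,10,administrator,203.0.113.7
2017-08-01 02:19:40,4624,10,webadmin,203.0.113.7
2017-08-01 09:00:00,4625,10,jesper,198.51.100.20
2017-08-01 09:00:30,4624,10,jesper,198.51.100.20
2017-08-01 10:30:00,4624,3,svc_backup,10.0.0.5
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["TimeCreated"] = datetime.strptime(r["TimeCreated"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["TimeCreated"])


def rdp_bruteforce_report(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Flag source IPs with >= `threshold` failed RDP logons inside `window`,
    and record every later successful RDP logon from the same IP, which is the
    moment guessing turned into a compromise. Returns {ip: details}."""
    failures = defaultdict(list)   # ip -> failure timestamps, in time order
    users = defaultdict(set)       # ip -> account names tried
    flagged = {}
    for ev in events:
        if ev["LogonType"] != RDP_LOGON:
            continue               # console, network and service logons are out of scope
        ip, t = ev["IpAddress"], ev["TimeCreated"]
        if ev["EventID"] == FAILED:
            failures[ip].append(t)
            users[ip].add(ev["TargetUserName"])
            in_window = [x for x in failures[ip] if t - x <= window]
            if len(in_window) >= threshold:
                entry = flagged.setdefault(ip, {"first_failure": in_window[0], "successes": []})
                entry["failures"] = len(failures[ip])
                entry["users"] = users[ip]
        elif ev["EventID"] == SUCCESS and ip in flagged:
            flagged[ip]["successes"].append((t, ev["TargetUserName"]))
    return flagged


if __name__ == "__main__":
    for ip, info in rdp_bruteforce_report(parse_events(SAMPLE_EVENTS_CSV)).items():
        print(ip, info)
```

A single forgotten password (the `198.51.100.20` entry) stays below the threshold; only the address that cycled through account names and then got in is reported, together with the account it landed on, which is the one whose sessions and scheduled tasks to look at next.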

#6 jesperth (Topic Starter)

Posted 03 August 2017 - 08:31 AM

> I did see this come through the alerts this morning and set out a hunt. It looks new, haven't seen a ransom note claim to use ECDH crypto before.
>
> So the extension is random 10 characters for each file? Is the name of the ransom note consistent, or random for each note?
>
> We'll need a sample of the malware itself to analyze since it's something new. What OS is the web server? Chances of it being Windows and compromised via RDP (assuming it's Windows based on Web.config file, that's only used on ASP/ASP.NET sites)? Is it just the website files that are encrypted, or more on the server?

The extension is random 10 characters for each file. Here are some examples:

 

libmysql.zip.SMGfqOEIwE
PWC notes.txt.YvToPloxof
storefront-elegance-1-5-8.zip.feuzvTuPSp
 

All the ransom note files (one in every folder) are called: RESTORE_INFO-C3E24FCE.txt

 

The machine runs Windows Web Server 2008 R2

 

It looks like pretty much all files except .exe are encrypted. 
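
Post #6 pins down the indicators quietman7 asked for in #2: a note named RESTORE_INFO-<8 hex chars>.txt in every folder, data files keeping their own extension and gaining a random 10-letter one, and .exe files left alone. The script below turns those into a triage pass over a tree: it collects the note IDs (they should all be the same one on a single machine), lists folders that have encrypted files but no note, maps each renamed file back to its original name and extension, and measures byte entropy so a file that merely matches the naming pattern is not mistaken for ciphertext. It is an added example for this page, not a tool posted in the thread; the directory it scans is constructed in a temporary folder from the filenames quoted above, with random bytes standing in for encrypted content.

```python
"""Triage a directory tree for the indicators described in this thread.
Added example, not a tool from the thread; the victim tree is constructed."""
import math
import os
import re
import tempfile
from collections import Counter

NOTE_RE = re.compile(r"^RESTORE_INFO-([0-9A-F]{8})\.txt$")
# original name (with its own extension) + "." + exactly 10 letters
RENAMED_RE = re.compile(r"^(?P<original>.+\.[A-Za-z0-9]{1,10})\.(?P<added>[A-Za-z]{10})$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, text near
    4-5, a zero-padded binary far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and classify every file as note, renamed (candidate
    ciphertext, with entropy of its first `sample_bytes`) or untouched."""
    notes, encrypted, untouched = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = NOTE_RE.match(name)
            if m:
                notes.append((path, m.group(1)))
                continue
            m = RENAMED_RE.match(name)
            if m:
                with open(path, "rb") as f:
                    entropy = shannon_entropy(f.read(sample_bytes))
                encrypted.append({"path": path, "original": m.group("original"),
                                  "added_ext": m.group("added"), "entropy": round(entropy, 2)})
            else:
                untouched.append(path)
    folders_seen = {os.path.dirname(p) for p in untouched} | {os.path.dirname(e["path"]) for e in encrypted}
    folders_with_note = {os.path.dirname(p) for p, _ in notes}
    return {
        "note_count": len(notes),
        "note_ids": Counter(vid for _, vid in notes),   # expected: a single ID everywhere
        "folders_without_note": sorted(folders_seen - folders_with_note),
        "encrypted": encrypted,
        "affected_exts": Counter(os.path.splitext(e["original"])[1].lower() for e in encrypted),
        "untouched_exts": Counter(os.path.splitext(p)[1].lower() for p in untouched),
    }


def build_sample_tree(root: str) -> None:
    """Constructed victim tree using the filenames posted in this thread.
    os.urandom stands in for ciphertext; the .exe mimics a file the malware
    skipped; release.notes.finalDraft is a legitimate file whose name happens
    to fit the pattern, caught by its low entropy."""
    note = b"Files on your computer are encrypted.\n"
    layout = {
        "RESTORE_INFO-C3E24FCE.txt": note,
        "snips.txt.wxdrJbgSDa": os.urandom(4096),
        "Web.config.nUZPveYgIp": os.urandom(4096),
        "bin/RESTORE_INFO-C3E24FCE.txt": note,
        "bin/libmysql.zip.SMGfqOEIwE": os.urandom(4096),
        "bin/app.exe": b"MZ" + b"\x00" * 4094,
        "docs/release.notes.finalDraft": b"Release notes for the storefront plugin\n" * 100,
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    report = run_demo()
    for key in ("note_count", "note_ids", "folders_without_note", "affected_exts", "untouched_exts"):
        print(key, report[key])
    for e in report["encrypted"]:
        print(e["original"], "+", e["added_ext"], "entropy", e["entropy"])
```

On a real server point `triage()` at the web root and the data drives; the `affected_exts` / `untouched_exts` split tells you what the malware targeted, and any folder in `folders_without_note` or any renamed file well below 7.5 bits/byte deserves a manual look before you trust the inventory.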



#7 chromebuster

Posted 03 August 2017 - 08:49 AM

The web.config file along with PHP files could mean a few things: either PHP on the .NET platform (Phalanger), or WordPress on SQL Server/Windows (Project Nami).




#8 sandeepvkurup

Posted 16 August 2017 - 08:04 AM

Our server is also having the same ransomware attack. SpyHunter 4 identified the ransomware as Globe.A.
All data files (htm, txt, zip) are encrypted and have been renamed by adding a 10-letter file extension that looks random, like this:
 
file.pdf.GmWxyszODp
file.doc.dDhwQAjNWd
 
The ransom note left in every folder reads like this: 
 
-------------------------------------------------------------------------
Files are encrypted, algorithm used: ecies-secp192r1 & aes-ecb-256.
To decrypt your files, please contact us using this e-mail address:
 
       tyughjvbn13@scryptmail.com
 
If for unknown reasons you did not receive any answer on e-mail,
write to BitMessage (using site https://bitmsg.me/):
 
BM-2cStoatQC4mDNWDHAoo2C1nYZJXhDsjCLj
 
Please do not perform any manipulations with encrypted files.
If you want to try to restore your files manually, do backups first.
And please do not remove files with text notes
Please include the following text in your message:
zMp9IPExgXlvg27MFOlQrOIssoqd/gUr5SiB5zhpbDt8TmZhBwkxrfJE6pI4eBWbQF27lVL9XlCbfSqA
.... and 5 more lines of random text/key like that
 
Could you help us to decrypt the files?


#9 ransomware_new

Posted 16 August 2017 - 09:04 AM

 

> (quoting sandeepvkurup's post #8 in full)

 

Unfortunately, this ransomware cannot be decrypted.
There are no public decoders. The only way to decrypt is to pay.


#10 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 August 2017 - 09:11 AM

It isn't Globe. I have not seen a sample of the malware to fully identify it yet, but we've been seeing a steady stream of notes coming through.




#11 sandeepvkurup

Posted 16 August 2017 - 09:17 AM

ID Ransomware is unable to determine the variant and gave the reference ID.

Please reference this case SHA1: 72937f8233a405a985edaf93672acb6fb4c36c52

CryptoSearch was also executed for all variants, but no luck.



#12 ransomware_new

Posted 16 August 2017 - 09:17 AM

> It isn't Globe. I have not seen a sample of the malware to fully identify it yet, but we've been seeing a steady stream of notes coming through.

Yes, this is new software; alas, to find a sample you need to make a complete memory dump, if you're lucky ^_^



#14 ransomware_new

Posted 16 August 2017 - 09:27 AM

> ID Ransomware is unable to determine the variant and gave the reference ID.
>
> Please reference this case SHA1: 72937f8233a405a985edaf93672acb6fb4c36c52
>
> CryptoSearch was also executed for all variants, but no luck.

Write to the e-mail now and we will make a discount for you. A public decoder does not exist and never will. This software uses very powerful encryption algorithms.



#15 maptan

Posted 30 August 2017 - 08:05 AM

Got a client hit by this, it seems. Any news? I still have access to the infected machine, but it seems from what user "ransomware_new" stated above that it's useless, so I imagine that the code self-destructs after doing its work.





