.crypto extension files created. Ransomware?


4 replies to this topic

#1 lkjhgfdsa

  • Members
  • 5 posts

Posted 10 August 2017 - 06:04 AM

Hi,

My C Drive AppData\Local\Temp folder suddenly started filling up with 'crypto' extension files like this:

MVI_6420.MOV-beb1eaad-2f4c-478d-8725-1611c9fa72df.crypto

These are copies of some of the largest files in my D drive pictures folder, in this case MVI_6420.MOV

20GB worth of such files were created before I noticed because my system became unstable (it was the last 20GB on my C drive).

 

In ignorance I used Wise Disk Cleaner in the first instance and it junked the files. But it happened quickly again.

The weird thing is the originals of crypto files are still accessible and there is no ransom note that I can find (.txt or .html - though maybe was junked). However I only have a record of a minority of which files were duplicated as .crypto that I can check (otherwise I have 17000 pictures and images that I can only do spot checks on, with no idea about what might be missing).

I have Malwarebytes and Eset antivirus enabled, neither of which noticed anything and neither of which show anything in a scan. The smallest example .crypto file I have is too large for ID Ransomware. No new programmes were running that would do this.

What the heck is it?!

I have a Samsung laptop running up to date Windows 7. 

 

Thanks!
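Added example (not part of the original post and not a BleepingComputer tool): a Python sketch that inventories files named like the one quoted above, recovers the original file name and GUID, and checks whether a same-named original still exists and whether the `.crypto` file looks like an unmodified copy. The status labels and the "same size plus same first 4 KiB" comparison are assumptions of this example, a heuristic rather than proof.

```python
import os
import re
import sys
from pathlib import Path

# Naming pattern from the post: <original file name>-<GUID>.crypto
CRYPTO_RE = re.compile(
    r"^(?P<orig>.+)-(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.crypto$",
    re.IGNORECASE,
)
SAMPLE = "MVI_6420.MOV-beb1eaad-2f4c-478d-8725-1611c9fa72df.crypto"  # name quoted in the post

def parse_crypto_name(filename):
    """Return (original_name, guid), or None if the name does not fit the pattern."""
    m = CRYPTO_RE.match(filename)
    return (m.group("orig"), m.group("guid").lower()) if m else None

def _head(path, n=4096):
    with open(path, "rb") as fh:
        return fh.read(n)

def triage(temp_dir, source_root):
    """Pair each matching .crypto file with same-named files under source_root.
    Status labels (hypothetical): plain-copy, content-differs, original-missing."""
    index = {}  # lower-cased file name -> paths (Windows names are case-insensitive)
    for root, _dirs, files in os.walk(source_root):
        for name in files:
            index.setdefault(name.lower(), []).append(Path(root) / name)
    report = []
    for entry in sorted(Path(temp_dir).iterdir()):
        parsed = parse_crypto_name(entry.name) if entry.is_file() else None
        if parsed is None:
            continue
        orig_name, guid = parsed
        row = {"crypto": entry.name, "guid": guid, "original": None, "status": "original-missing"}
        for cand in index.get(orig_name.lower(), []):
            # Heuristic only: same size and same first 4 KiB suggests an unmodified copy.
            same = cand.stat().st_size == entry.stat().st_size and _head(cand) == _head(entry)
            row["original"], row["status"] = str(cand), "plain-copy" if same else "content-differs"
            if same:
                break
        report.append(row)
    return report

if __name__ == "__main__":
    print(parse_crypto_name(SAMPLE))
    if len(sys.argv) == 3:  # usage: script.py <Temp folder> <pictures folder>
        for r in triage(sys.argv[1], sys.argv[2]):
            print(r["status"], r["crypto"], "->", r["original"])
```

Rows reported as `original-missing` or `content-differs` are the ones worth checking by hand first; the script only reads files and changes nothing.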





#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 August 2017 - 05:33 AM

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 lkjhgfdsa

  • Topic Starter
  • Members
  • 5 posts

Posted 11 August 2017 - 09:09 AM

Hi and thanks. Unfortunately no note (that I can find) and the example file is too big for ID Ransomware. Demonslay335 took a look a couple of weeks ago and thought the random numbers followed by the .crypto extension was unusual but has probably been overwhelmed by other stuff so I'm putting it out more widely. I have now submitted a sample however. Thanks



#4 lkjhgfdsa

  • Topic Starter
  • Members
  • 5 posts

Posted 11 August 2017 - 09:17 AM

Ah, so the submit Malware page https://www.bleepingcomputer.com/submit-malware.php?channel=168 has a 10mb limit and my file is 160Mb

 

Foiled again...



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 August 2017 - 03:09 PM

You can upload sample files to SendSpace. When the file has been uploaded, you will see a screen stating that the upload was successful. Right-click on the filename link, select Copy Shortcut and paste it in your next reply.

Files uploaded to Dropbox can be up to 20 GB.
Filehosting has no size limitations.



