Ransomware with .cesar extension

2 replies to this topic

#1 helping hands

Posted 17 August 2017 - 09:04 AM

Hello all, ran into a new situation for someone with ransomware.

The extension is .cesar and at first glance it appeared to be a Dharma variant, however later it was reported as crysis.6 (B) by Emsisoft Anti-Malware (which was installed after the fact).

AVG Free Anti Virus (SMH, I know... I know...) completely missed it, even after it was located and pointed right at it....

Anyhow, it was a little different in the sense that there was no ransomware exchange page, where you can visit, enter your code, discover the payment amount and wallet address; they are only using an AOL based email address to communicate.

I don't want to disclose the address at this time, as I don't want AOL to interrupt the flow of emails to/from that address.

The infection did NOT come from the email address; the email address is included in the INFECTED FILES/Ransom Note.

This was a new contact for me, and of course 'they thought they had a backup' and the fact is they did... but of course no one has checked it, and no, it wasn't working, so they are in some trouble right now.

Shadow Copies were blitzed, on a Windows 7 Pro box, and it was set up for 'file sharing' to other computers.

The computer seems to have been infected by unauthorized access over RDP.... In doing some research on ransomware, I've been seeing notes about RDP being targeted or compromised in some way, but haven't seen the details of that yet.

To the best of my knowledge this was purely due to 'poor user name/password' strength, and 'they got in' and downloaded/ran the ransomware in that way.

The trigger was a file called bars.exe and then an info.hta file is created, placed into the startup/desktop folders with the Ransom Note.

Another difference, in my direct experience with this ransomware, is they targeted more than document/object based files, and they actually fouled up program executables and other objects, causing a little more drama.

I've tried a few decrypters, Eset, Kaspersky, and Emsisoft thus far, no dice; they were the Dharma and Crysis based ones.

I've done what needs to be done POST infection; there is communication going on with the Bad Guys, they came right out and asked for 2 BitCoins, which the infected user does not have, so it's going to be bad.....

Yes, it's the End User's fault, shoulda-coulda-done better, and actually DID know better, which makes this so much worse.

Please advise of any suggestions or thoughts,

Many thanks in advance!
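The post above describes the usual chain for this variant: a brute-forced RDP logon, then bars.exe dropping info.hta into the Startup folders. The following detection script is an added example for this thread (not code from either poster): it flags a source that racked up failed RDP logons and then succeeded, using exported Windows Security events, and checks Startup folders for a stray .hta. The tuple event format, the failure threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import Path

# Event 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP). With Network Level
# Authentication enabled, failures can instead show up as type 3.
RDP_LOGON_TYPES = {10, 3}
FAIL_THRESHOLD = 5  # assumed value; tune to the environment

# Constructed sample events: (event_id, source_ip, account, logon_type)
SAMPLE_EVENTS = [
    (4625, "203.0.113.5", "administrator", 10),
    (4625, "203.0.113.5", "admin", 10),
    (4625, "203.0.113.5", "administrator", 10),
    (4625, "203.0.113.5", "user", 10),
    (4625, "203.0.113.5", "administrator", 10),
    (4624, "203.0.113.5", "administrator", 10),  # guessed it on try 6
    (4625, "198.51.100.7", "administrator", 10),  # one failure, never got in
    (4624, "127.0.0.1", "alice", 2),              # normal console logon
]


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD):
    """Return {source_ip: (failure_count, account)} for each source that
    accumulated at least `threshold` RDP logon failures and then logged on.
    Events must be in chronological order."""
    failures = defaultdict(int)
    hits = {}
    for event_id, ip, account, logon_type in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue  # ignore console/service logons
        if event_id == 4625:
            failures[ip] += 1
        elif event_id == 4624 and failures[ip] >= threshold:
            hits[ip] = (failures[ip], account)
    return hits


def find_startup_hta(startup_dirs):
    """Return any .hta files in the given Startup folders (the post saw
    info.hta dropped there). Folders that do not exist are skipped."""
    return sorted(str(p) for d in startup_dirs for p in Path(d).glob("*.hta"))
```

On a live Windows 7 host the Startup folders to pass are the per-user one under AppData and the all-users one under ProgramData; the event tuples would come from an export of the Security log.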

#2 Nvious1

Posted 17 August 2017 - 04:24 PM

I have a machine that just got hit with this cesar variant as well, and it appears through the same delivery mechanism, which was RDP. I also saw bars.exe and am also looking for help.



#3 quietman7
Posted 17 August 2017 - 05:18 PM

Demonslay335 (aka Michael Gillespie) tweeted about this new extension here the other day.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff