Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Arena Ransomware by m.heisenberg@aol.com


  • This topic is locked This topic is locked
5 replies to this topic

#1 MarkInBucks

MarkInBucks

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 25 August 2017 - 04:01 PM

One of my clients was hit by this newest variant of the CrYsis encryption attack.
I have tried using several older tools but so far nothing has succeeded. And this attack deleted shadow copies from my drives as well.
Does anyone have any guidance on newer decryption tools that might work?

This is the naming convention added to the encrypted files: ".id-########.[m.heisenberg@aol.com].arena"
There is also the html file stating:
"All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail m.heisenberg@aol.com
Write this ID in the title of your message ########
In case of no answer in 24 hours write us to theese e-mails:m.heisenberg@aol.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
Also you can find other places to buy Bitcoins and beginners guide here: 
Attention!
Do not rename encrypted files. 
Do not try to decrypt your data using third party software, it may cause permanent data loss. 
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. "

Edited by MarkInBucks, 25 August 2017 - 05:50 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:16 AM

Posted 25 August 2017 - 06:00 PM

Is .arena the extension appended to encrypted data files?
Did you find any ransom notes and if so, what is the actual name of the note?

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 MarkInBucks

MarkInBucks
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 25 August 2017 - 06:26 PM

Yes. 
".arena" is the extension appended to the encrypted file as well as the preceding identifiers detailed above, in the fourth line of my original post. The hashtags were assigned identification numbers, I assume to identify the files to be decrypted once the "ransom" is paid and decryption package delivered.
There is an additional text file called "FILES ENCRYPTED" that states:
"all your data has been locked us
you want to return?

write email m.heisenberg@aol.com"

 

I also isolated and copied the html file and one of the executable files that was planted under the startup routine to kick everything off with each reboot.
The executable was named "MSHTA.EXE-A970B441.pf"
Each individual executable has a unique alphanumeric following the "dash" and followed by the ".pf".
I will submit what I have to ID Ransomware now. I wasn't aware of that group prior to your reference.
Thanks!



#4 MarkInBucks

MarkInBucks
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 25 August 2017 - 06:28 PM

And that sucks.
Uploaded the files to ID Ransomware and the results are:
 

Dharma (.cezar)
 This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_email: m.heisenberg@aol.com
  • sample_extension: .id-<id>.[<email>].arena
  • sample_bytes: [0xB00 - 0xB40] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
  • custom_rule: Original filename "New Text Document.txt" after filemarker

 

Click here for more information about Dharma (.cezar)


#5 al1963

al1963

  • Members
  • 886 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 25 August 2017 - 06:59 PM

@MarkInBucks

 

execute, please, check on the encrypted system using FRST
Scan logs are added to http://sendspace.com and give us a link to your message.



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:16 AM

Posted 25 August 2017 - 07:09 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion.al1963 and others willing to help can continue from there.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users