Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need help identifying ransomware

  • Please log in to reply
4 replies to this topic

#1 kstr


  • Members
  • 2 posts
  • Local time:07:25 PM

Posted 27 August 2017 - 12:52 PM

Some of my files were infected by ransomware a couple of years ago and I gave up trying to decrypt the infected files at that time, but I'm going to give it another try. (I did not have a local backup of my system to recover files from.)


At the time, I was not aware of ransomware, so I deleted the ransom note, not knowing what it was. I believe there may have also been an html or txt note for each infected file (in the same directory as the file), but I may be remembering this incorrectly.


The "ID Ransomware" site does not help me, because I no longer have the ransom note.


I do have some examples of infected files and the original *uninfected* files (which were backed up on a flash drive), but I don't have backups for all files obviously. Is there a site where I can upload an infected and uninfected file to determine the ransomware involved? If it can be identified, I want to try to find a decryptor for the files I don't have backed up (which is most of them, unfortunately).


Thank you.

BC AdBot (Login to Remove)


#2 RolandJS


  • Members
  • 4,539 posts
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:06:25 PM

Posted 27 August 2017 - 01:02 PM

I think this is the forum in which you can upload a sample file.  A ransomware regular will take it from there; be patient, it could take a while to report back to you.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.


Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)

#3 kstr

  • Topic Starter

  • Members
  • 2 posts
  • Local time:07:25 PM

Posted 27 August 2017 - 01:22 PM

Additional information...


The file names were not changed by the ransomware. I remember once concluding that is was probably CryptoWall, but I ran something that was supposed to detect it (ListCWall) and the log file says "0 encrypted files found." and "No CryptoWall encrypted file list found." I'm not sure if that tool was affected by the fact that I deleted the ransom note (along with any other files that were inserted in the directories of the infected files).

#4 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:06:25 PM

Posted 27 August 2017 - 02:35 PM

ListCWall reads from a temporary file or registry value that the malware used to leave in early versions I believe, it cannot actually detect the files themselves because CryptoWall does not leave an actual filemarker; if it did, ID Ransomware would be able to identify it.


If ID Ransomware cannot identify the files, you need to post the Case SHA1 it gives you, as it instructs. It allows me to lookup the files you uploaded (everything is anonymous otherwise).


If you open multiple files in a hex editor (e.g. HxD), and each file has the same first 16 bytes, it is most likely CryptoWall 3.0 (4.0 renamed files to something random). It was the most prevalent ransomware in 2014-ish.

Edited by Demonslay335, 27 August 2017 - 02:35 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:25 PM

Posted 28 August 2017 - 08:50 AM

ListCWall is a tool created by Grinler, the site owner of Bleeping Computer, that exports into Notepad a list of the registry entries created by CryptoWall for all files it encrypted. If ListCWall shows "0 encrypted files found"...it means that either the database generated by CryptoWall during the encryption process was deleted by your anti-virus or the files were not actually encrypted by CryptoWall.

With that said....

ListCwall is no longer working anymore unfortunately. I will get that pulled, so please do not rely on that...

Post #4
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users