
Revolution Ransomware (.revolution ext, InfoFiles.txt) Support Topic


13 replies to this topic

#1 kevinmeyerza

  • Members
  • 7 posts

Posted 06 September 2017 - 02:12 AM

I've been hit on one of our servers with what appears to be an XORIST variant.

I've not found anything online regarding the note or file extension; there is, however, a similar flaw in the grammar of the note which makes me believe that it is a Xorist variant.

The Xorist decrypter from Emsisoft (https://decrypter.emsisoft.com/xorist) actually allows me to successfully decrypt the files, but it breaks the file names completely, for example it renames dir/subdir/file.name.ext.REVOLUTION to dirsubdir etc.

I want to be able to decrypt the file back to its original name if possible.

I've uploaded to identify, but no luck here: https://id-ransomware.malwarehunterteam.com/identify.php

I've attached the note, an encrypted file and an unencrypted file here: https://ufile.io/ok74d

I tried with the key I found online from Emsisoft; I think maybe the key has just changed slightly.

The brute force does not successfully force the key.

Is there anyone that might have seen this variant, or at least maybe I can ask someone to have a look at it and identify it for the rest of its potential victims?

Ideally I would really like it if someone could assist me with the decryptor to fix the file rename issues so that I can save my server.

Thanks again.
 
 
The note(is saved as InfoFiles.txt):
 
~~~~
 
All your important files were encrypted on this PC.
 
All files with .revolution extension are encrypted.
 
Encryption was produced using unique private key RSA-1024 generated for this computer.
 
To decrypt your files, you need to obtain private key + decrypt software.
 
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
 
To retrieve the private key, you need to contact us by email getyourfilles@bigmir.net send us an email your InfoFiles.txt file and wait for further instructions.
 
For you to be sure, that we can decrypt your files - you can send us a 1-2 not very big encrypted files and we will send you back it in a decrypted form free.
 
To send files you can use http://dropmefiles.com/ 
 
Do not waste your time! After 72 hours the main server will double your price!
 
 
 
Your personal id:
 
wQWg6WdxLZ8nJhND9yOFgrvc2X5mdzak21V2gmu7
 
 
 
E-mail address to contact us:
 
getyourfilles@bigmir.net
 
 
 
Reserve email address to contact us:
 
getyourfilles@india.com

Edited by quietman7, 08 September 2017 - 05:47 AM.



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 September 2017 - 05:44 AM


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button. It is best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 06 September 2017 - 06:00 AM

Thanks, I have submitted as advised.


Edited by kevinmeyerza, 06 September 2017 - 06:01 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 September 2017 - 06:06 AM

Also since you said ID Ransomware could not identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.


#5 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 06 September 2017 - 06:10 AM

Thanks so much, I just re-uploaded to https://id-ransomware.malwarehunterteam.com/identify.php?case=c3d0d760fc01c101f482bc2612ae8e1e73808e3d

It says that it is Synack.

Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to victims who sought assistance in the Bleeping Computer ransomware support forums and from submissions to the ID-Ransomware service.

This particular ransomware strain — named SynAck or Syn Ack — was first spotted on August 3 and experts quickly determined that they were looking at a whole new ransomware strain altogether.



#6 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 September 2017 - 06:19 AM

This is not Synack or Xorist. It looks new to me. Do you have the file that caused the infection? (can scan with an antivirus or antimalware tool)

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 06 September 2017 - 06:30 AM

Hi xXToffeeXx,

I've uploaded a zip with the note, an encrypted file and an original unencrypted file here: https://ufile.io/ok74d

I scanned with ESET with the latest defs but it doesn't detect a thing.

Much appreciated.



#8 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 08 September 2017 - 02:28 AM

I've found a reference in Russian to this ransomware. It is called Revolution Ransomware.

 

Revolution Ransomware (encryptor-extortionist)

This crypto-extortionist encrypts user data using XOR, and then demands a ransom in # BTC to return the files. Original name. The file is written.

Genealogy: being established. The extension .revolution is added to the encrypted files. The activity of this crypto-extortionist occurred at the beginning of September 2017. It is aimed at English-speaking users, which does not prevent it from spreading around the world. The ransom note is called: InfoFiles.txt

Contents of the ransom note:

All your important files were encrypted on this PC.
All files with .revolution extension are encrypted.
RSA-1024 generated for this computer.
To decrypt your files, you need to get a private key + decrypt software.
The single copy of the private key, with will allow you to decrypt the files.
To retrieve the private key, you need to contact us by email getyourfilles@bigmir.net send us an email your InfoFiles.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files.
To send files you can use xxxx://dropmefiles.com/
Do not waste your time! After 72 hours the main server will double your price!
Your personal id:
wQWg6WdxLZ8nJhND9yOFgrvc2X5mdzak21V2gmu7
E-mail address to contact us:
getyourfilles@bigmir.net
Reserve email address to contact us:
getyourfilles@india.com

Translation of the note into Russian (shown here in English):

All your important files are encrypted on this PC.
All files with the extension .revolution are encrypted.
Encryption was done with a unique private key RSA-1024, created for this computer.
To decrypt your files, you need to get a secret key + decryption program.
A separate copy of the private key, which will allow you to decrypt the files, is on a secret server on the Internet.
To get the secret key, you need to contact us by email at getyourfilles@bigmir.net, send us your InfoFiles.txt file in the email and wait for further instructions.
So that you can be sure we can decrypt your files, you can send us 1-2 small encrypted files, and we will send them back to you in decrypted form for free.
To send files you can use xxxx://dropmefiles.com/
Do not waste your time! After 72 hours, the main server will double your price!
Your personal ID:
wqwg6wdxlz8njhnd9yofgrvc2x5mdzak21v2gmu7
E-mail address to contact us:
getyourfilles@bigmir.net
Reserve email address to contact us:
getyourfilles@india.com

 

Technical details

It can be spread by hacking through an unprotected RDP configuration, with the help of email spam and malicious attachments, deceptive downloads, exploits, web injections, fake updates, repackaged and infected installers. See also "Basic methods for distributing crypto-ransomware" on the blog's introductory page.

List of file extensions that are encrypted: MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives, etc.

Files associated with this Ransomware:
InfoFiles.txt
<random>.exe

Registry entries associated with this Ransomware: see the results of the analyses below.

Network connections and links:
Email: getyourfilles@bigmir.net
 

 

 

Can someone tell me how to decrypt?


Edited by kevinmeyerza, 08 September 2017 - 02:29 AM.
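The blog excerpt quoted above describes the encryption as XOR, and the original poster holds exactly what a known-plaintext check needs: one file in both its original and encrypted form. The following is an added example, not code from the thread and not Emsisoft's Xorist decrypter. It shows how, if the scheme really is a plain repeating-key XOR, the keystream falls straight out of the pair, how a period test tells you whether that keystream repeats (and therefore whether one recovered key can decrypt other files), and how it refuses to guess a key when the keystream never repeats. SAMPLE_KEY and the file contents are constructed for the demo and are not derived from the real Revolution sample.

```python
"""Known-plaintext test for a repeating-key XOR scheme.

Added example; this is not code from the thread or from Emsisoft's Xorist
decrypter.  It assumes only what the quoted blog post asserts (a plain XOR
cipher) and what the original poster has (one file in both its original and
encrypted form).  SAMPLE_KEY and the file contents below are constructed
for the demo and have nothing to do with the real Revolution sample.
"""
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def apply_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def find_period(stream: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p such that stream[i] == stream[i % p] for every i.

    Only periods up to half the stream length are considered, so a short
    sample cannot produce a spurious 'period'.  None means the keystream
    does not repeat within max_period bytes: the scheme is not a simple
    repeating XOR (or the key is longer than the known plaintext), and the
    recovered bytes cannot be extended to other files.
    """
    limit = min(max_period, len(stream) // 2)
    for p in range(1, limit + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def recover_key(plain: bytes, cipher: bytes, max_period: int = 64) -> Optional[bytes]:
    """Known-plaintext attack: keystream = plaintext XOR ciphertext.

    If the keystream repeats, one period of it is the key.
    """
    stream = xor_bytes(plain, cipher)
    period = find_period(stream, max_period)
    return stream[:period] if period else None


# --- constructed sample data -------------------------------------------------
SAMPLE_KEY = b"R3v0lut10n!"  # demo key only, NOT the malware's key
ORIGINAL = (
    b"Quarterly sales report, region 4. Totals are in USD and include tax.\n"
    b"Q1 1,204,331\nQ2 1,311,080\nQ3 1,199,742\nQ4 1,402,119\n"
)
ENCRYPTED = apply_key(ORIGINAL, SAMPLE_KEY)  # the '.revolution' copy, in the demo


def demo() -> dict:
    """Recover the key from the known pair, decrypt a second file with it,
    and show the failure mode on a keystream that never repeats."""
    key = recover_key(ORIGINAL, ENCRYPTED)

    # A second file we only hold in encrypted form (constructed).
    second_plain = b"Backup of payroll export; do not distribute outside finance.\n"
    second_cipher = apply_key(second_plain, SAMPLE_KEY)
    second_recovered = apply_key(second_cipher, key) if key else None

    # Counter-derived keystream: XOR byte for byte, but no period <= 64,
    # so recover_key correctly refuses to guess a key.
    counter_stream = bytes((7 * i + 3) & 0xFF for i in range(len(ORIGINAL)))
    no_key = recover_key(ORIGINAL, xor_bytes(ORIGINAL, counter_stream))

    return {"key": key, "second": second_recovered, "no_key": no_key}


if __name__ == "__main__":
    print(demo())
```

The period check is the part worth keeping: a keystream that does not repeat within the known plaintext means either a long key or something other than plain XOR, and in that case a "decryptor" that still produces output is producing garbage, which is consistent with the Xorist tool appearing to work on this sample while the files come out broken.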


#9 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 08 September 2017 - 10:31 AM

That's Amigo-A's blog, and seems to be a base post with no further specifics since we have not secured a sample. He is assuming it is Xorist based on your topic here, but that is not the case. We cannot do anything further without a sample of the malware itself for analysis to see if it even is decryptable.


Edited by Demonslay335, 08 September 2017 - 10:31 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#10 Amigo-A

  • Members
  • 227 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 08 September 2017 - 11:22 AM

Yes, only on the basis of the data in this topic. This is indicated in the "Read to links".

One thing is for sure: the e-mail provider bigmir.net is from Ukraine.


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 September 2017 - 02:57 PM

I removed the reference to XORIST in the topic title when I renamed it yesterday to help avoid confusion.

#12 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 11 September 2017 - 12:37 AM

Thanks for the reply, I can decrypt successfully with the Xorist decrypter from Emsisoft, but the decrypter then renames the file to something else, e.g. archive.zip becomes archive. If I add the .zip at the end then I can access the zip and all the data is intact, which is why I'm guessing it must be close to Xorist.

Any idea how to get the decryption to not rename incorrectly, as this would mean that I can save my server?

Thanks again.



#13 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2017 - 12:42 AM

You could try the -ae or -ce switch for TrID: http://mark0.net/soft-trid-e.html

Example is in the third screenshot.


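Demonslay335's TrID suggestion above, as an added Python example that is not TrID and not code from the thread: the decrypter left files as "archive" instead of "archive.zip", and the file's own leading bytes are enough to put a plausible extension back. The signature table here is hand-written and deliberately short (TrID ships thousands of definitions), the "add" and "change" modes mirror what the -ae and -ce switches are described as doing, and the sample files are constructed.

```python
"""Restore lost file extensions from magic bytes.

Added example, not part of the thread and not TrID.  It reproduces the
small part of TrID's -ae / -ce behaviour that matters here: look at the
first bytes of a file the decrypter left as 'archive' and rename it to
'archive.zip'.  The signature table is hand-written and deliberately
short; TrID ships thousands of definitions.  Sample files are constructed.
"""
from pathlib import Path
from typing import Optional
import tempfile

# (magic bytes at offset 0, extension to assign).  Constructed table.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),     # also .docx/.xlsx/.jar: all are ZIP containers
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2: legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gz"),
    (b"SQLite format 3\x00", "sqlite"),
    (b"MZ", "exe"),
]


def guess_extension(head: bytes) -> Optional[str]:
    """Match the file's leading bytes against the table; None if unknown."""
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None


def restore_name(name: str, head: bytes, mode: str = "add") -> Optional[str]:
    """Compute the repaired filename without touching the disk.

    mode="add"    appends the guessed extension (TrID -ae): archive -> archive.zip
    mode="change" replaces the current one (TrID -ce): report.revolution -> report.pdf
    Returns None when the type is unknown so unrecognised files are left alone.
    """
    ext = guess_extension(head)
    if ext is None:
        return None
    if mode == "change" and "." in name:
        name = name.rsplit(".", 1)[0]
    return f"{name}.{ext}"


def repair_file(path: Path, mode: str = "add") -> Optional[Path]:
    """Rename one file on disk according to restore_name; never overwrite."""
    with path.open("rb") as fh:
        head = fh.read(64)
    new_name = restore_name(path.name, head, mode)
    if new_name is None or new_name == path.name:
        return None
    target = path.with_name(new_name)
    if target.exists():
        return None  # two decrypted files must not collapse into one
    path.rename(target)
    return target


def demo() -> dict:
    """Run repair_file over constructed files in a temp dir; return the renames."""
    samples = {
        "archive": b"PK\x03\x04\x14\x00" + bytes(26),       # ZIP local file header
        "report": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "photo": b"\x89PNG\r\n\x1a\n" + bytes(16),
        "notes": b"plain text has no magic bytes\n",      # stays unrenamed
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            p = Path(d) / name
            p.write_bytes(content)
            renamed = repair_file(p, "add")
            results[name] = renamed.name if renamed else None
    return results


if __name__ == "__main__":
    print(demo())
```

A header match only proves that the first few bytes decrypted correctly. As the poster reports later in the thread, files can look right and still be unusable, so check whole files before trusting the result (for a ZIP, `zipfile.ZipFile(path).testzip()` returning None is a much stronger signal than the `PK` header alone).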


#14 kevinmeyerza

  • Topic Starter
  • Members
  • 7 posts

Posted 11 September 2017 - 03:27 AM

I see that the Xorist decrypter is actually not working either; the files are in fact not functional after decryption.

Been going down a rabbit hole.

Comparing the note, it is identical to the Mole ransom note.





