
Stroman Ransomware (.stroman, .protos, .fat32) Help & Support Topic


13 replies to this topic

#1 clf76


Posted 11 October 2017 - 08:45 AM

Hello all. I am posting as I was recently infected by ransomware and have been unable to identify it. I had submitted files to ID Ransomware and it returned the reference case # SHA1: a8341fe6217a90240ed50038a1da3967f7dd0458.
If anyone would be able to help, it would be most appreciated.

Thank you.



#2 Demonslay335


Posted 12 October 2017 - 02:11 PM

I have not seen the extension ".stroman" before, may be new. The note looks familiar, so it may be a new variant of something.

We will need the malware itself to analyze.

For reference to others, this is the note "readinfo.txt".

All your data set are encrypted.

We can help decrypted files.

Price for full decrypt all files 500$

You will get decrypt soft + personal key + manual.



For recover your files - contact us email:

BM-2cUunjtSxYEd6Ase6hbhVyvMBVzXPUVdvu@bitmessage.ch



Please use public email for contact: gmail etc.



For you to be sure, that we can decrypt your files

You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.

For download files use only dropmefiles.com not more then 10 Mb



Send us an email:

1.your Personal ID 

2.link dropmefiles.com 

after wait decrypted files and further instructions.



Personal ID:

[redacted]



Do not rename encrypted files

Do not try to decrypt your data using third party software, it cause pernament data loss

Not use false encryption key, it cause pernament data loss



You must pay within 72 hours, or the price will be more.

Edited by Demonslay335, 12 October 2017 - 02:12 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7


Posted 14 October 2017 - 06:08 PM

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Demonslay335


Posted 19 October 2017 - 11:34 AM

We're seeing the same note submitted with files that have the extension ".protos" added. Still need a sample of the malware in order to analyze.

 

I've added this to ID Ransomware as "Stroman" for now, and have it pointing victims to this topic.


Edited by Demonslay335, 19 October 2017 - 11:35 AM.



#5 ComputerDirect


Posted 05 December 2017 - 02:08 PM

One of our clients has been infected with something that looks similar to Stroman or FAT32, except all encrypted files are appended with the extension ".ntfs" on the end. However, the ransom note named info.txt (which is added to every directory on the hard drive) looks very similar.
ID Ransomware Case: SHA1: d55810c76936a54436bf7f4133256b29028095bc
 

[info.txt file contents as shown below]

 

Your data set are encrypted.
 
We can help decrypted files.
 
Price for full decrypt all files 700$
 
You will get decrypt soft + personal key + manual.
 
 
 
For recover your files - contact us email:
 
BM-2cSw2ES9uVbaMPuAGvHiazYE8h2vhrz1i6@bitmessage.ch
 
 
 
Please use public email for contact: gmail etc.
 
 
 
For you to be sure, that we can decrypt your files
 
You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.
 
For download files use only dropmefiles.com not more then 10 Mb
 
 
 
Send us an email:
 
1.Personal ID 
 
2.link dropmefiles.com 
 
after wait decrypted files and further instructions.
 
 
 
Personal ID:
 
j2V5H5FAQ9OYZ7CAKAJIZ1AOHaUUu6
 
 
 
Do not rename encrypted files
 
Not use false encryption key, it cause pernament data loss
 
 
 
You must pay within 72 hours, or the price will be more.


#6 quietman7


Posted 05 December 2017 - 03:26 PM

It may be a new variant. Please be patient until Demonslay335 has a chance to check out the submission.

#7 songbird70ca


Posted 08 January 2018 - 02:08 PM

I have the same note except my files have all changed to .gigahertz



#8 quietman7


Posted 08 January 2018 - 04:27 PM

.gigahertz is the newest variant reported a few days ago as noted by Amigo-A and Updated (January 2, 2018)...here.



#9 songbird70ca


Posted 09 January 2018 - 11:55 AM

I found the ransom text...
 
 
Your data set are encrypted.
 
We can help decrypted files.
 
Price for full decrypt all files $700 usd
 
You will get decrypt soft + personal key + manual.
 
 
 
For recover your files - contact us email:
 
BM-2cSs3qfF5wo1x6EQbsXJX3nwkzJwYx9R98@bitmessage.ch
 
 
 
Please use public email for contact: gmail etc.
 
 
 
For you to be sure, that we can decrypt your files
 
You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.
 
For download files use only dropmefiles.com not more then 10 Mb
 
 
 
Send us an email:
 
1.Personal ID 
 
2.link dropmefiles.com 
 
after wait decrypted files and further instructions.
 
 
 
Personal ID:
 
r48h5FuXAJAkaaxaF1a8MAh6xAel74
 
 
 
Not use false encryption key, it cause pernament data loss
 
You can send a message within 72 hours, or the price will be more.


#10 quietman7


Posted 09 January 2018 - 02:22 PM

I'm not aware of any known method to decrypt files encrypted by any Stroman Ransomware variants without paying the ransom.

#11 Noarge


Posted 26 February 2018 - 12:01 PM

Hi all, 

 

all my files have been encrypted with .microsoft extension. Any news about it?



#12 quietman7


Posted 26 February 2018 - 12:41 PM

...all my files have been encrypted with .microsoft extension. Any news about it?

I have not seen that extension before. Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation?

#13 Noarge


Posted 26 February 2018 - 01:28 PM

Hi,

 

Yes I uploaded the files. One is the sample encrypted file and the Ransom note is datainfo.txt. And it says 1 Result: Stroman. :(

 

Text in the datainfo.txt:

 

Your data set are encrypted.
 
All files with .microsoft extension are encrypted.
 
We can help decrypted files.
 
You will get decrypt soft + personal key(for your personal id) + manual.
 
For you to be sure, that we can decrypt your files
 
You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.
 
For download files use only dropmefiles.com not more then 10 Mb
 
Send us an email:
 
1.Personal ID 
 
2.link dropmefiles.com 
 
after wait decrypted files and further instructions.
 
You can send a message within 72 hours, or the price full decrypt will be more.
 
Please use public email for contact: gmail etc.
 
Price for full decrypt all files $700 usd
 
For recover your files - contact us email:
 
BM-2cSs3qfF5wo1x6EQbsXJX3nwkzJwYx9R98@bitmessage.ch
 
Your personal ID:
 
EN5m8S6MibO9AG4A2A5J6IkirIX7toGOD7d3


#14 quietman7


Posted 26 February 2018 - 02:15 PM

Unfortunately, I'm not aware of any known method to decrypt files encrypted by any Stroman Ransomware variants without paying the ransom and obtaining the private RSA keys from the criminals.