Random 9 Character in Extension by New Cerber Ransomware


8 replies to this topic

#1 kamiran

Posted 16 October 2017 - 08:40 AM

Hi Dears,

We found a new Cerber variant that is unknown. It uses 9 characters in the extension; in this sample it is: .1ss33ggur

Has anybody seen this variant? Or any idea?

Please reference this case, SHA1: 333d5246caf3c35f88f077309332aa43f49a44b1

HOW TO DECRYPT FILES.txt:

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

DON'T WORRY YOUR FILES ARE SAFE.

TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM.

PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.

YOU CAN GET THEM VIA ATM MACHINE OR ONLINE 

https://coinatmradar.com/   (find a ATM)

https://www.localbitcoins.com/  (buy instantly online any country)

THE PRICE FOR DECRYPTOR SOFTWARE IS 1 BTC

BTC ADRESS : 1AXaJtH9r1ez3KyWtLshw9opYzmK4sE3PW

VERRY IMPORTANT !

DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .

ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED.

THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE.

For more information : 1ss33ggur@scryptmail.com    (24/7)

Subject : SYSTEM-LOCKED-ID: XXXXXXXX

#2 quietman7

Posted 17 October 2017 - 08:37 AM

There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc character extension to the end of all affected filenames...CTB-Locker, Crypt0L0cker, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, SynAck, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants.

Files encrypted by Cerber v4x/v5x typically will be renamed with 10 random characters followed by a random 4 character hexadecimal extension appended to the end of the encrypted data filename (e.g. 1xQHJgozZM.b71c, 0ezTpYXxVn.b6d3, n3yJiVM0Nn.a60d) and leave files (ransom notes) named README.hta, README.html, _HEJDDP_README_.hta, _READ_THIS_FILE_<random hexadecimal>.html (e.g. _5M6C2B8.html), _HELP_HELP_HELP_<random hexadecimal>.hta (e.g. _5M6C2B8.hta).

Xorist uses a ransom note named HOW TO DECRYPT FILES.txt that states "YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED", as indicated in your note above.

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment, and the malware file responsible for the infection. If you have not done so, I suggest you try uploading both encrypted files and ransom notes together at ID Ransomware since that provides a more positive match.

If you did upload both the ransom note and encrypted file samples to ID Ransomware, our crypto malware experts most likely will need a sample of the malware file itself to analyze. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
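As an added example (not code from the original thread or from any of the posters), here is a small Python triage script that applies the naming heuristics quietman7 describes above to a directory listing: it flags the Cerber v4x/v5x "10 random characters plus a 4-character hex extension" scheme, the ransom-note filenames quoted in the reply, and any alphanumeric token appended after a still-recognisable original extension (the .1ss33ggur case), then reports which appended extensions were seen and how long they are. The sample listing, the allow-list of original document extensions, the label strings and the function names are constructed assumptions for the demonstration; the output is what you would gather before uploading note and samples to ID Ransomware, not an identification by itself.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Cerber v4x/v5x naming scheme quoted in the reply above: 10 random characters,
# then a 4-character hexadecimal extension (e.g. 1xQHJgozZM.b71c).
CERBER_V4_V5 = re.compile(r"^[A-Za-z0-9]{10}\.[0-9a-f]{4}$")

# Ransom-note filenames quoted in the reply above. Cerber's _README_,
# _READ_THIS_FILE_ and _HELP_HELP_HELP_ notes carry a random suffix.
RANSOM_NOTE_PATTERNS = [
    ("Xorist", re.compile(r"^HOW TO DECRYPT FILES\.txt$", re.IGNORECASE)),
    ("Cerber", re.compile(r"^README\.(hta|html)$", re.IGNORECASE)),
    ("Cerber", re.compile(r"^_[A-Za-z0-9]+_README_\.hta$")),
    ("Cerber", re.compile(r"^_READ_THIS_FILE_[A-Za-z0-9]+\.html$")),
    ("Cerber", re.compile(r"^_HELP_HELP_HELP_[A-Za-z0-9]+\.hta$")),
]

# Assumed allow-list of original document extensions (extend for your estate).
# A file that still shows one of these just before a new alphanumeric token
# has had an extension appended (original_name.docx.<random>).
ORIGINAL_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg",
    "png", "txt", "zip", "rar", "sql", "mdb", "psd", "dwg",
}
APPENDED_EXT = re.compile(r"^[A-Za-z0-9]{4,12}$")


def classify_name(name: str) -> Tuple[str, Optional[str]]:
    """Return (label, appended_extension) for one filename."""
    for family, pattern in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return ("ransom_note:" + family, None)
    if CERBER_V4_V5.match(name):
        return ("encrypted:Cerber v4/v5", name.rsplit(".", 1)[1])
    parts = name.split(".")
    if (len(parts) >= 3
            and parts[-2].lower() in ORIGINAL_EXTENSIONS
            and parts[-1].lower() not in ORIGINAL_EXTENSIONS
            and APPENDED_EXT.match(parts[-1])):
        return ("encrypted:appended-extension", parts[-1])
    return ("untouched", None)


def triage(listing):
    """Summarise a listing: counts per label, the appended extensions seen and
    their lengths. One extension dominating the encrypted files is the value
    to submit to ID Ransomware together with the ransom note."""
    labels, extensions, lengths = Counter(), Counter(), Counter()
    for name in listing:
        label, ext = classify_name(name)
        labels[label] += 1
        if ext:
            extensions[ext.lower()] += 1
            lengths[len(ext)] += 1
    return {
        "labels": dict(labels),
        "extensions": dict(extensions),
        "extension_lengths": dict(lengths),
    }


# Constructed sample listing (not taken from the original post): the Cerber
# names quoted above, files carrying the .1ss33ggur extension reported by the
# topic starter, three ransom-note names and one untouched document.
SAMPLE_LISTING = [
    "1xQHJgozZM.b71c",
    "0ezTpYXxVn.b6d3",
    "n3yJiVM0Nn.a60d",
    "README.hta",
    "_READ_THIS_FILE_5M6C2B8.html",
    "budget.xlsx.1ss33ggur",
    "photo.jpg.1ss33ggur",
    "HOW TO DECRYPT FILES.txt",
    "notes.docx",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```

The appended-extension rule only fires when the original extension is in the allow-list, so a file that was renamed wholesale (as Cerber v4/v5 does) falls to the Cerber check or to "untouched"; sample a few known documents from the affected host before trusting the counts, and treat the note classification as a hint to confirm with the note text, since the note on this thread names Cerber while matching the Xorist filename.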

#3 Amigo-A

Posted 18 October 2017 - 02:59 AM

xxxx://tjhyml.com/ - the above addresses

It's Not Over! WannaCry?
============================================================
======================Corrupted FILES!=========================
============================================================
To Fix Your Corrupted FILES! Contact : 1ss33ggur@scryptmail.com
With Privat Subject ID = error2299330 ===============================
======================Corrupted FILES!=========================
============================================================

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I'll help.


#4 Amigo-A

Posted 18 October 2017 - 03:06 AM

blockchain.info/address/1AXaJtH9r1ez3KyWtLshw9opYzmK4sE3PW

Number of transactions 4
Total received 1.002574 BTC
Final balance 0 BTC



#5 Emmanuel_ADC-Soft

Posted 18 October 2017 - 05:32 AM

 

Hello kamiran,

 

The HOW TO DECRYPT FILES.txt says it's Xorist ransomware : https://id-ransomware.malwarehunterteam.com/identify.php?case=6f8cbeddb023da1a5d1e1ef4f266a7d0796460ff

Hope this can help,

Kind regards,

 

Emmanuel - emte@adc-soft.com



#6 Amigo-A

Posted 20 October 2017 - 03:41 PM

This is another site - It's Not Over! WannaCry?
xxxx://amymeila.com/



#7 kamiran

Posted 20 October 2017 - 05:35 PM

 

 

No, this is not Xorist.



#8 kamiran

Posted 20 October 2017 - 05:40 PM

 

Yes, it seems that this ransomware is related to these websites because of 1ss33ggur@scryptmail.com.

But we cannot find more information about this ransomware.

As you see, it mentions Cerber in the ransom note, but we did not see this type of Cerber before.



#9 quietman7

Posted 20 October 2017 - 05:58 PM

The ransom note is almost the same as the one reported here (except for the mention of Cerber), which turned out to be Xorist.

You may be dealing with a dual ransomware infection...however, there have been instances of fake Cerber Ransomware (variants of Xorist or CerberTear based on HiddenTear) with .cerber and .cerber6 extensions so this could be new.