
Blind, Kill Ransomware Support Topic (How_Decrypt_Files.hta)

54 replies to this topic

#1 ftcnet

Posted 15 September 2017 - 11:42 PM

Customer has .BLIND ransomware on server shares and workstations.  Symantec Endpoint Protection Cloud didn't catch it.  What's a good tool for cleaning Win7Pro workstations and SBS-2011, Windows Server 2008?  I think the backups are current as of yesterday AM, so probably will restore corrupted files, but would like to clean workstations instead of having to re-image them.


#2 ftcnet (Topic Starter)

Posted 16 September 2017 - 12:12 AM

Hmm... seems to be a rather recent variant. Not finding much with search. Demonslay335 mentions it in his Twitter feed.

ID Ransomware says: "Unable to determine ransomware." ref: SHA1: 29dcda0ceb7dc9bef91d4dd2ec0c2f97d0c1f906

Latest Malwarebytes doesn't find it.



#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 16 September 2017 - 06:25 AM


If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
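As an added example (not code from quietman7's post), the following PowerShell script sweeps the folder locations listed above for recently created or modified executables, hidden items included, and prints a SHA1 for each so a suspect file can be submitted for analysis. It is read-only. It assumes PowerShell 2.0 or later as shipped with Windows 7 / SBS 2011 / Server 2008 R2 (Get-FileHash does not exist there, so the .NET SHA1 class is used directly); the 7-day window and the extension list are assumed defaults.

```powershell
# Added example: sweep the common malware drop locations listed in the post for
# recently created/modified executables and hash them for submission. Read-only.
param(
    [int]$Days = 7   # assumed default: how far back to look
)

# The drive root and %SystemRoot% are scanned one level deep only (a full
# recursive scan of C:\Windows is slow and noisy); profile folders recursively.
$shallowRoots = @(($env:SystemDrive + '\'), $env:SystemRoot)

# %AllUsersProfile% is C:\ProgramData on Vista and later; %Temp% is the
# interactive user's %LocalAppData%\Temp.
$locations = @(
    ($env:SystemDrive + '\'),
    $env:SystemRoot,
    $env:USERPROFILE,
    (Join-Path $env:USERPROFILE 'AppData\Roaming'),
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData,
    $env:ALLUSERSPROFILE,
    $env:TEMP
) | Where-Object { $_ } | Select-Object -Unique

$extensions = @('.exe', '.dll', '.sys', '.scr', '.hta', '.bat', '.cmd', '.vbs', '.js', '.ps1')
$cutoff = (Get-Date).AddDays(-$Days)

function Get-Sha1Hex([string]$Path) {
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $hash = [System.Security.Cryptography.SHA1]::Create().ComputeHash($stream)
            ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $stream.Close() }
    } catch { '(unreadable: locked or access denied)' }
}

$findings = @()
foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $recurse = ($shallowRoots -notcontains $dir)
    # -Force includes hidden and system items, which the post notes are hidden by default.
    $items = Get-ChildItem -LiteralPath $dir -Force -Recurse:$recurse -ErrorAction SilentlyContinue
    foreach ($f in $items) {
        if ($f.PSIsContainer) { continue }
        if ($extensions -notcontains $f.Extension.ToLower()) { continue }
        # Keep a file if it was either dropped (created) or altered inside the window.
        if ($f.CreationTime -lt $cutoff -and $f.LastWriteTime -lt $cutoff) { continue }
        $findings += New-Object PSObject -Property @{
            Path      = $f.FullName
            SizeKB    = [math]::Round($f.Length / 1KB, 1)
            Created   = $f.CreationTime
            LastWrite = $f.LastWriteTime
            Hidden    = [bool]($f.Attributes -band [System.IO.FileAttributes]::Hidden)
            SHA1      = Get-Sha1Hex $f.FullName
        }
    }
}

# One row per file, newest first; overlapping locations (%UserProfile% contains
# %AppData%) would otherwise list the same path twice.
$findings |
    Sort-Object Path -Unique |
    Sort-Object LastWrite -Descending |
    Format-Table Path, SizeKB, Created, LastWrite, Hidden, SHA1 -AutoSize
```

Run it in an elevated console on one workstation at a time (`.\Sweep-DropLocations.ps1 -Days 3`, assuming you save it under that name); an unsigned executable with a recent creation time sitting directly under %AppData% or %Temp% is the kind of entry worth compressing and submitting with a link to the topic.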

#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 September 2017 - 09:14 AM

Does the server have RDP open to the world? If so, that needs to be locked down; that was probably your vector of attack, and no antivirus on the planet will stop something once someone actually has control of the server. RDP should only ever be available behind a VPN.

 

We'll need a sample of the malware to analyze it and properly identify if it's something new versus a change of an existing ransomware.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
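As an added example (not from Demonslay335's post), this read-only PowerShell audit answers the "is RDP open to the world" question for a single host: whether Remote Desktop is enabled, whether Network Level Authentication is required, which interfaces the RDP port is bound to, and how many failed remote logons the Security log has recorded in the last 24 hours. It assumes PowerShell 2.0 or later on Windows 7 / Server 2008 R2 (Get-NetTCPConnection is not available there, so netstat output is parsed), that logon-failure auditing is enabled, and an elevated session.

```powershell
# Added example: audit RDP exposure and recent failed logons on this host. Read-only.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
$nlaOn      = ($rdp.UserAuthentication -eq 1)
$port       = [int]$rdp.PortNumber          # 3389 unless it was changed

# Which local addresses is the RDP port bound to? 0.0.0.0 or [::] means every
# interface, so any network that can reach the host can reach RDP.
$listeners = @()
foreach ($line in (netstat -ano)) {
    if ($line -match "^\s*TCP\s+(\S+):$port\s+\S+\s+LISTENING") { $listeners += $Matches[1] }
}

# Failed logons in the last 24 hours (event 4625). Logon type 10 is RDP; with
# NLA on, failures at the NLA stage are recorded as logon type 3 instead.
$since  = (Get-Date).AddDays(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
$remote = @(foreach ($e in $failed) {
    $type = $e.Properties[10].Value      # LogonType
    $ip   = $e.Properties[19].Value      # IpAddress
    if (($type -eq 10 -or $type -eq 3) -and $ip -and $ip -ne '-') {
        New-Object PSObject -Property @{ Source = $ip; User = $e.Properties[5].Value; LogonType = $type }
    }
})

New-Object PSObject -Property @{
    RdpEnabled      = $rdpEnabled
    NlaRequired     = $nlaOn
    Port            = $port
    ListeningOn     = ($listeners -join ', ')
    FailedLogons24h = $remote.Count
    DistinctSources = @($remote | Select-Object -ExpandProperty Source -Unique).Count
} | Format-List

# Top sources of failed remote logons: many unknown addresses hammering the
# same few accounts is the brute-force pattern that precedes an RDP compromise.
$remote | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

if ($rdpEnabled -and ($listeners -contains '0.0.0.0' -or $listeners -contains '[::]')) {
    Write-Warning "RDP is listening on all interfaces on port $port; restrict it to the VPN/LAN address range with a firewall scope, or disable it."
}
if ($rdpEnabled -and -not $nlaOn) {
    Write-Warning 'Network Level Authentication is off; enable it so credentials are checked before a session is created.'
}
```

The listener check only says what the host itself binds; whether the perimeter forwards that port is a separate check on the router or firewall. A host whose Security log shows hundreds of type-3 or type-10 failures from addresses nobody recognises should be treated as having been targeted, and any account that then shows a successful logon (event 4624) from one of those addresses as compromised.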


#5 ChristophTCMedia

Posted 19 October 2017 - 11:06 AM

Hello all,

On October 14, 2017 something went wrong, and the entire server of one of our customers (except the Windows and Program directories) was encrypted.

ID Ransomware detects the file as Jigsaw encryption, but the tool can't decrypt the files.

There are no shadow copies or backups.

Encrypted file:
Name: 800px-fisker_karma.jpg.[kill@rape.lol].kill
File: https://ufile.io/wv56k

Original file:
Name: 800px-fisker_karma.jpg
File: https://ufile.io/i0jht

Message for paying:
Name: How_Decrypt_Files.hta
File: https://ufile.io/kms55

Does anyone have a solution?
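As an added example (not from ChristophTCMedia's post), the PowerShell script below finds files renamed with the pattern seen in this thread, `<original name>.[<email>].kill`, and the `How_Decrypt_Files.hta` note on every fixed drive, then summarises them so the scope of the encryption (which folders, which time window, which contact address) is known before a restore is attempted. It generalises beyond the post: any bracketed e-mail address and any extension passed in `-Extension` are matched. It is read-only apart from a CSV of original/encrypted name pairs written to `-ReportPath` (an assumed default in the current directory), and assumes PowerShell 2.0 or later.

```powershell
# Added example: locate and scope ransomware-renamed files and ransom notes. Read-only except the CSV report.
param(
    [string]$Extension  = 'kill',
    [string]$NoteName   = 'How_Decrypt_Files.hta',
    [string]$ReportPath = '.\encrypted-files.csv'
)

# <original>.[<email>].<ext>  e.g. report.docx.[someone@example.invalid].kill
$encRegex = '^(?<original>.+)\.\[(?<email>[^\]\\]+@[^\]\\]+)\]\.' + [regex]::Escape($Extension) + '$'

# DriveType 3 = local fixed disks; mapped shares are scanned from the server side instead.
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID + '\' }

$encrypted = @()
$notes     = @()
foreach ($root in $drives) {
    foreach ($f in (Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)) {
        if ($f.PSIsContainer) { continue }
        if ($f.Name -match $encRegex) {
            $encrypted += New-Object PSObject -Property @{
                Encrypted = $f.FullName
                Original  = (Join-Path $f.DirectoryName $Matches['original'])
                Email     = $Matches['email']
                Directory = $f.DirectoryName
                LastWrite = $f.LastWriteTime
            }
        } elseif ($f.Name -eq $NoteName) {
            $notes += $f.FullName
        }
    }
}

if ($encrypted.Count -eq 0) {
    Write-Host "No files matching *.[email].$Extension found on $($drives -join ', ')."
    return
}

# Time window of the encryption run: useful for finding the logon that started it.
$sorted = $encrypted | Sort-Object LastWrite
New-Object PSObject -Property @{
    EncryptedFiles = $encrypted.Count
    RansomNotes    = $notes.Count
    ContactAddress = (($encrypted | Select-Object -ExpandProperty Email -Unique) -join ', ')
    FirstWrite     = $sorted[0].LastWrite
    LastWrite      = $sorted[-1].LastWrite
} | Format-List

# Hardest-hit directories first: maps the damage onto shares and folders.
$encrypted | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Original <-> encrypted name pairs, for matching files against the backup set.
$encrypted | Select-Object Original, Encrypted, Email, LastWrite |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

A full-drive walk takes a while on a file server; run it once per server rather than per share. The FirstWrite timestamp is the one to line up against RDP logon events, and the CSV is what a restore job can consume to know which originals to pull from backup.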



#6 Demonslay335 (Ransomware Hunter)

Posted 19 October 2017 - 02:23 PM

Afraid the Jigsaw detection would be a false positive. The one version of Jigsaw using that extension did not have an email address in the extension as well.

 

I suspect it may actually be a new variant of the Blind ransomware. We found a sample of it lately, but haven't analyzed it yet to fully confirm. I also suspect it is from RDP hacking, so double-check the system and network were not compromised.




#7 Amigo-A

Posted 20 October 2017 - 04:54 AM

The ransom note matches one to one!

 

https://id-ransomware.blogspot.ru/2017/09/blind-ransomware.html


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#8 Emmanuel_ADC-Soft

Posted 20 October 2017 - 10:47 AM

Hello ChristophTCMedia,

Did you find this trojan file on the client's server: netcache64.sys? If so, can you send it in a zipped archive with a password of your choice (don't forget to give the password)?

Kind regards,

Emmanuel

#9 chorata

Posted 22 October 2017 - 05:01 AM

Hello to all. One of my old servers, with important files on it, got the virus. I have a backup, but it is 3 weeks old and I have some files that are important. So if there is a way to decrypt them... I'm attaching some pics with relevant stuff, and I have an original file and an encrypted file.

 

Original file

https://drive.google.com/open?id=0B4qx5XW6i9R9THlTbFB5LTh1Zlk

Encrypted file

https://drive.google.com/open?id=0B4qx5XW6i9R9LXJlYks5RExaRGc

 

Pic01

https://drive.google.com/open?id=0B4qx5XW6i9R9dG9KcUhaOGhqWWc

 

Pic02

https://drive.google.com/open?id=0B4qx5XW6i9R9Z1J2WE0zWGswWFE

 

Pic03

https://drive.google.com/open?id=0B4qx5XW6i9R9Qjl3ZmxZbDlsZUE



#10 Amigo-A

Posted 22 October 2017 - 01:43 PM

ftcnet, chorata:

Reliable information about Blind Ransomware has been available since September 15, 2017, but there is still little of it.


Edited by Amigo-A, 23 October 2017 - 04:53 AM.



#11 chorata

Posted 22 October 2017 - 01:52 PM

I can help with whatever is needed: files from the infected server, or I have servers on which we can run test decryptions so we can stop this.



#12 Amigo-A

Posted 22 October 2017 - 02:18 PM

chorata

Send a sample of the malicious file for analysis to specialists by link




#13 chorata

Posted 22 October 2017 - 02:22 PM

Amigo-A wrote:
    Send a sample of the malicious file for analysis to specialists by link

Original file

https://drive.google.com/open?id=0B4qx5XW6i9R9THlTbFB5LTh1Zlk

Encrypted file

https://drive.google.com/open?id=0B4qx5XW6i9R9LXJlYks5RExaRGc

 

Pic01

https://drive.google.com/open?id=0B4qx5XW6i9R9dG9KcUhaOGhqWWc

 

Pic02

https://drive.google.com/open?id=0B4qx5XW6i9R9Z1J2WE0zWGswWFE

 

Pic03

https://drive.google.com/open?id=0B4qx5XW6i9R9Qjl3ZmxZbDlsZUE



#14 Demonslay335 (Ransomware Hunter)

Posted 22 October 2017 - 05:16 PM

We've recently acquired a sample of this malware, and it is being analyzed.

 

If you have the file %APPDATA%\netcache64.sys, it may be of use.


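As an added example (not from Demonslay335's post), this PowerShell script checks every local user profile for the `%APPDATA%\netcache64.sys` file named above, records its hashes and timestamps, and looks for Run-key, service or driver entries that reference it. It is read-only: the file is left in place so it can still be zipped and submitted. It assumes PowerShell 2.0 or later on Vista / Windows 7 / Server 2008 or later (for the Win32_UserProfile class) and an elevated session.

```powershell
# Added example: look for the netcache64.sys indicator in every profile and for persistence pointing at it. Read-only.
$iocName = 'netcache64.sys'

# %APPDATA% is per-user: a file dropped while the attacker was logged on as one
# account exists only in that account's AppData\Roaming, so check all profiles.
$profiles = Get-WmiObject Win32_UserProfile | Where-Object { $_.LocalPath } | ForEach-Object { $_.LocalPath }

$hits = @()
foreach ($p in $profiles) {
    $candidate = Join-Path $p "AppData\Roaming\$iocName"
    if (-not (Test-Path -LiteralPath $candidate)) { continue }
    $f = Get-Item -LiteralPath $candidate -Force
    try {
        $bytes  = [System.IO.File]::ReadAllBytes($f.FullName)
        $sha1   = [System.BitConverter]::ToString([System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)) -replace '-'
        $sha256 = [System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-'
    } catch { $sha1 = $sha256 = '(unreadable: locked or access denied)' }
    $hits += New-Object PSObject -Property @{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        LastWrite = $f.LastWriteTime
        SHA1      = $sha1
        SHA256    = $sha256
    }
}

$refs = @()
$escaped = [regex]::Escape($iocName)

# Autostart values for the machine and the current user. Other users' HKCU
# hives are only loaded while they are logged on; their NTUSER.DAT would need
# to be loaded separately to check them.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, PSProvider ...
        if ("$($prop.Value)" -match $escaped) { $refs += "$key\$($prop.Name) = $($prop.Value)" }
    }
}

# Services and kernel drivers whose image path names the file. A .sys that lives
# under a user profile instead of %SystemRoot%\System32\drivers is itself suspicious.
foreach ($svc in (@(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver))) {
    if ($svc.PathName -and $svc.PathName -match $escaped) {
        $refs += "$($svc.__CLASS) $($svc.Name): $($svc.PathName) (state: $($svc.State))"
    }
}

if ($hits.Count -eq 0) { Write-Host "$iocName not found in any profile's AppData\Roaming." }
else { $hits | Format-List Path, SizeBytes, Created, LastWrite, SHA1, SHA256 }

if ($refs.Count -eq 0) { Write-Host "No Run-key, service or driver entries reference $iocName." }
else {
    Write-Warning "Persistence entries referencing ${iocName}:"
    $refs | ForEach-Object { Write-Host "  $_" }
}
```

The hashes are what to quote when handing the sample over, and the creation time of the file, compared with the encryption window and the RDP logon events, tells you which session dropped it. Submitting the file before removing it keeps the analysts' copy identical to what ran on the server.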


#15 chorata

Posted 22 October 2017 - 06:00 PM

Demonslay335 wrote:
    We've recently acquired a sample of this malware, and it is being analyzed.
    If you have the file %APPDATA%\netcache64.sys, it may be of use.

The file at the link is the original netcache64.sys:

https://drive.google.com/open?id=0B4qx5XW6i9R9VklEU09xaEhHUU0





