Blind, Kill Ransomware Support Topic (How_Decrypt_Files.hta)


  • Please log in to reply
54 replies to this topic

#16 ChristophTCMedia


Posted 23 October 2017 - 06:17 AM

Hello Emmanuel,

We didn't find the file netcache64.sys, neither on the server nor on the clients.

By the way, the server is an SBS2011 VM on a free ESXi and the clients are Windows 7 PCs.

I found an interesting log entry on a client PC:

Name: "rsa in log.evtx"
File: https://ufile.io/db2n4

It seems that all files were encrypted after this event. Unluckily, the file (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ead19bd5-5202-4e39-995c-b88dd3680ff7) in the event log was also encrypted.


Edited by ChristophTCMedia, 23 October 2017 - 06:19 AM.



#17 Emmanuel_ADC-Soft


Posted 23 October 2017 - 06:45 AM

Hello ChristophTCMedia,

I sent your answer to Doctor Web's analysts; I will get back to you as soon as possible.

Kind regards,
Emmanuel

#18 Emmanuel_ADC-Soft


Posted 23 October 2017 - 07:31 AM

Hello,

It seems that the files encrypted with the .kill extension and the .blind ransomware are the same.
https://www.bleepingcomputer.com/forums/t/660613/need-help-in-decrypt-kill-files/

Regards,
Emmanuel

#19 Emmanuel_ADC-Soft


Posted 24 October 2017 - 04:47 AM

Hello ChristophTCMedia,

Without the netcache64.sys file, it is not possible for the moment to go further.
If you find it on your server or the client PCs, don't hesitate to share it for analysis.

Kind regards,
Emmanuel

#20 makretallica


Posted 29 October 2017 - 11:40 AM

Hey Emmanuel!

I have exactly the same problem as Christophe and I found the netcache64.sys file!!
Here it is!
https://ufile.io/aqa4w
Please reply as soon as possible!!!
#21 Emmanuel_ADC-Soft


Posted 29 October 2017 - 02:53 PM

Hello makretallica,

Thank you for also sharing 1 or 2 encrypted files, the original files and your ransom note (message for paying, name: How_Decrypt_Files.hta).

Best regards,
Emmanuel

#22 batmansk


Posted 30 October 2017 - 01:33 PM

Hello,

I joined the club, got encrypted :-D

@Emmanuel

Is it possible to help?

Original files, encrypted files, ransom note, netcache64.sys:
https://ufile.io/jypvb

thx

#23 Emmanuel_ADC-Soft


Posted 30 October 2017 - 01:57 PM

Hello batmansk,

I will send this to Doctor Web for analysis. I hope they will find a solution soon.

Best regards,

#24 BrionLax


Posted 31 October 2017 - 10:21 AM

I have been affected by this as well. Any update on a possible solution?

#25 Emmanuel_ADC-Soft


Posted 31 October 2017 - 10:40 AM

Hello BrionLax,

Analysing a recent ransomware can take some time. I will give updates on this forum as soon as I get news.
If we need some more samples, I will also ask for them here.

Kind regards,
Emmanuel

#26 BrionLax


Posted 31 October 2017 - 10:43 AM

Thank you, sir!

#27 BrionLax


Posted 31 October 2017 - 11:28 AM

As a thought, there is an offer to decrypt 3 files without paying. If you had the decrypted files and the encrypted files, would that be helpful in any way?

#28 batmansk


Posted 31 October 2017 - 12:37 PM

@Emmanuel

Sorry for the previous file, I think I made a mistake.

I think the files were encrypted with different keys (from another computer).

Here you can find the correct data again (all files: encrypted, not encrypted, netcache64.sys, hta file):
https://ufile.io/ii9a7

thx

#29 xwald


Posted 09 November 2017 - 09:35 AM

Hi,

Just got a PC that's hit by this. What I can see:

  1. Encrypted files have ".[kill@rape.lol].kill" added to their filenames.
  2. In ./User/Desktop there are 2 suspicious files: "kill.exe.[kill@rape.lol].kill" & "networkshare.exe.[kill@rape.lol].kill". Both seem to be encrypted at first glance (due to the extension), but both show "This program cannot be run in DOS mode" at the beginning when viewed with a text editor.
  3. In ./User/Downloads there's a "!kill_clear.exe.[kill@rape.lol].kill", same "features" as above in #2.
  4. In ./Users/AppData/Roaming there's a "netcache64.sys".
  5. Files are encrypted locally (in the areas the user has access to) as well as on a network share.

I have this PC here at hand and will, if needed, provide any help possible to me. I'll watch this thread closely.

Huge thanks to all that are working on this!

Have a good time!
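Added example (not from the thread or from any of its posters): a small triage script that applies the observations in the post above to a directory tree. It collects every file carrying the ".[kill@rape.lol].kill" suffix and separates genuinely encrypted files from files that are really executables that were only renamed, using the PE "MZ" magic and the "This program cannot be run in DOS mode" stub text the poster noticed. The sample tree it builds, the file names and the byte contents are all constructed for the demo; the suffix and the stub text are the ones reported in the thread.

```python
"""Triage helper for the ".[kill@rape.lol].kill" suffix described in the thread.

Added example, not code from the thread. Walks a directory, finds files that
wear the ransomware suffix and splits them into real ciphertext versus renamed
executables, which are the samples an analyst would want preserved as-is.
"""
import os
import tempfile
from pathlib import Path

KILL_SUFFIX = ".[kill@rape.lol].kill"                 # suffix observed in the thread
DOS_STUB = b"This program cannot be run in DOS mode"   # stub text seen in the "encrypted" exes
HEAD_BYTES = 512                                       # how much of each file to inspect


def classify_file(path: Path) -> str:
    """Return 'renamed_executable', 'encrypted' or 'other' for one file.

    A genuinely encrypted file should look like random bytes from the first
    byte on. A file that still starts with the PE "MZ" magic, or still carries
    the DOS stub text near the top, is an executable that was merely renamed.
    """
    if not path.name.endswith(KILL_SUFFIX):
        return "other"
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if head[:2] == b"MZ" or DOS_STUB in head:
        return "renamed_executable"
    return "encrypted"


def original_name(path: Path) -> str:
    """Strip the ransomware suffix to recover the file's original name."""
    name = path.name
    return name[: -len(KILL_SUFFIX)] if name.endswith(KILL_SUFFIX) else name


def triage_directory(root: Path) -> dict:
    """Walk root recursively and group original file names by classification."""
    report = {"renamed_executable": [], "encrypted": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            report[classify_file(p)].append(original_name(p))
    for names in report.values():
        names.sort()
    return report


def build_sample_tree() -> Path:
    """Create a constructed sample tree mirroring the layout in the post (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="kill_triage_"))
    desktop = root / "User" / "Desktop"
    downloads = root / "User" / "Downloads"
    docs = root / "User" / "Documents"
    for d in (desktop, downloads, docs):
        d.mkdir(parents=True)
    # Renamed executables: a minimal fake PE-like header (constructed, not a real binary).
    fake_pe = b"MZ" + b"\x90" * 60 + DOS_STUB + b"\x00" * 64
    (desktop / ("kill.exe" + KILL_SUFFIX)).write_bytes(fake_pe)
    (downloads / ("!kill_clear.exe" + KILL_SUFFIX)).write_bytes(fake_pe)
    # Genuinely "encrypted" document: deterministic non-text bytes standing in for ciphertext.
    ciphertext = bytes((i * 37 + 11) % 256 for i in range(1024))
    (docs / ("report.docx" + KILL_SUFFIX)).write_bytes(ciphertext)
    # An untouched file, to show it is left out of the suffix-based categories.
    (docs / "notes.txt").write_bytes(b"plain text, not encrypted\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for category, names in triage_directory(sample).items():
        print(f"{category}: {names}")
```

Run it against the root of an affected profile or share instead of the constructed tree to get a quick inventory: the "renamed_executable" bucket is what to hand to analysts unchanged, while the "encrypted" bucket gives the candidate pairs to match against backups or originals when a vendor asks for encrypted/original file pairs.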

#30 Emmanuel_ADC-Soft


Posted 13 November 2017 - 05:03 AM

Hello batmansk and makretallica,

The analysis of your netcache64.sys files is done and we need additional encrypted files to advance.

Please send me encrypted archive files (not too small) as well as .doc or .docx files.

Upon receipt, I will forward them to the analysts of Doctor Web.

Thanks, Emmanuel