
Help identify ransomware? (.b007 extension)


12 replies to this topic

#1 Daniel_K


Posted 25 October 2017 - 05:20 AM

Hi,
 
Helping someone to try to identify ransomware to see if a decryption tool exists. The "ID Ransomware" site couldn't identify it.

A deadline exists (hours from now); will screwing the BIOS clock back help? (Windows 2003). Thinking of bringing it down, cloning the HDD, changing the BIOS clock and powering up again.

 

The Readme.txt saved to pastebin here: https://pastebin.com/vqAEEuW2

 

Thanks in advance,

Daniel


Edited by Daniel_K, 25 October 2017 - 05:29 AM.




#2 quietman7

Bleepin' Janitor, Global Moderator

Posted 25 October 2017 - 05:54 AM

Did you upload (submit) both encrypted files and ransom notes together to ID Ransomware? Doing that provides a more positive match and helps to avoid false detections.

Any files that are encrypted with Cerber v4x/v5x will be renamed (encrypted) with 10 random characters followed by a random 4 character hexadecimal extension appended to the end of the encrypted data filename (i.e. 1xQHJgozZM.b71c, 0ezTpYXxVn.b6d3, n3yJiVM0Nn.a60d) and leave files (ransom notes) named README.hta, README.html, _HEJDDP_README_.hta, _READ_THIS_FILE_<random hexadecimal>.html (i.e _5M6C2B8.html), _HELP_HELP_HELP_<random hexadecimal>.hta (i.e _5M6C2B8.hta) as explained here. Any files that are encrypted with Cerber v5x will also include a few new changes as explained here.

CRBR Encryptor is a renamed version of Cerber; that is the name used in the ransom note. CRBR Encryptor still encrypts files with 10 random characters followed by a random 4 character hexadecimal extension appended to the end of the encrypted data filename (i.e. 1xQHJgozZM.b71c) and leaves files (ransom notes) named _R_E_A_D___T_H_I_S_.hta, _R_E_A_D___T_H_I_S_.txt as explained here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Daniel_K

Topic Starter

Posted 25 October 2017 - 06:12 AM

Yeah, did upload readme file and an encrypted file with the .b007 extension. No match.

The encrypted sample had the "*@mail.com" (see the pastebin link) email address inserted into the filename too.

 

If anyone gets smarter on this by having an encrypted sample file, msg me.

 

 



Edited by Daniel_K, 25 October 2017 - 06:21 AM.


#4 quietman7

Bleepin' Janitor, Global Moderator

Posted 25 October 2017 - 06:26 AM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

(Example screenshot omitted.)

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#5 Daniel_K

Topic Starter

Posted 25 October 2017 - 06:28 AM

Thanks again for feedback.

 

I will send it to Demonslay335.

 




#6 quietman7

Bleepin' Janitor, Global Moderator

Posted 25 October 2017 - 06:30 AM

Not a problem.

#7 Demonslay335

Ransomware Hunter, Security Colleague

Posted 25 October 2017 - 11:20 AM

Messing with the BIOS clock won't do anything to decrypt files... you can't just turn back time that way, lol.

 

I don't recognize the note or anything with this. The file looks to be encrypted with AES-ECB though, or some other repeating-key cipher possibly. Can you provide a few encrypted files and their originals?

 

Preferably, we need the malware itself to analyze. You may submit it here if you get a hold of it: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Dare I say shame on having a Server '03 hooked to the internet at all...


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#8 Daniel_K

Topic Starter

Posted 25 October 2017 - 02:14 PM

I know messing with the BIOS clock won't fix anything with the files. The owner of the data in this case was worried about the details in the Readme file stating "To return your files you have 72 hours".
This time expired this afternoon local time. My hint about the BIOS was if there could be any potential malicious code which started to wipe data.

 

I actually don't know how the 2003 server was infected (virus on the LAN?) since I haven't been part of that work, just the data recovery part. It was a small family company; as with many of them, they don't really know the best practices to protect their information assets, sadly.

 

I will see if I can get more encrypted files tomorrow and potentially the code itself, if resident on disk.



Edited by Daniel_K, 25 October 2017 - 02:15 PM.


#9 quietman7

Bleepin' Janitor, Global Moderator

Posted 25 October 2017 - 02:27 PM

In most cases victims can ignore any warnings in the ransom note that mention files will be deleted or unrecoverable after so many hours or days...it typically is just a scare tactic to get victims to quickly pay the ransom.

#10 Daniel_K

Topic Starter

Posted 26 October 2017 - 01:03 AM

Demonslay335, some files have been uploaded, let me know if more files are needed. Thanks.



#11 Demonslay335

Ransomware Hunter, Security Colleague

Posted 26 October 2017 - 08:52 AM

You didn't provide any originals for the encrypted files, just random unencrypted files. I need to compare the before/after of the encryption to see if there's a pattern.

 

We also really need the malware itself, that's really more important, so we can analyze what it actually does (and if it can be exploited or not).


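An added example (not code from any poster in this thread) of the kind of check behind the "looks like AES-ECB" remark in #7 and the before/after comparison asked for in #11: count repeated 16-byte blocks in a ciphertext, and confirm on an original/encrypted pair that identical plaintext blocks always map to identical ciphertext blocks. The sample file and the toy block maps are constructed here; they are not real AES and not the victim's files.

```python
"""Checks behind "looks like AES-ECB": repeated ciphertext blocks, and a
before/after comparison of an original file against its encrypted twin."""
from collections import Counter
import hashlib

BLOCK = 16  # AES block size in bytes

def duplicate_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of block-aligned chunks that occur more than once. CBC/CTR/stream
    modes give ~0 on any input; ECB reuses one mapping for every block, so
    repetitive files (zero runs, database pages) show many repeats."""
    blocks = [data[i:i + block] for i in range(0, len(data) - len(data) % block, block)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)

def ecb_consistent(plain: bytes, cipher: bytes, block: int = BLOCK) -> bool:
    """Defining ECB property on an original/encrypted pair: equal plaintext blocks
    map to equal ciphertext blocks and distinct ones never collide. Assumes the
    ciphertext starts at the same offset as the plaintext (skip any prepended header)."""
    n = len(plain) - len(plain) % block
    if n == 0 or len(cipher) < n:
        return False
    mapping = {}
    for i in range(0, n, block):
        p, c = plain[i:i + block], cipher[i:i + block]
        if mapping.setdefault(p, c) != c:
            return False  # same plaintext block, different ciphertext: not ECB
    return len(set(mapping.values())) == len(mapping)

# Constructed stand-ins (not real AES, not the victim's files) so this runs offline.
def _toy_ecb(key: bytes, data: bytes) -> bytes:
    """Keyed per-block map with ECB's weakness: same block in, same block out."""
    return b"".join(hashlib.sha256(key + data[i:i + BLOCK]).digest()[:BLOCK]
                    for i in range(0, len(data), BLOCK))

def _toy_ctr(key: bytes, data: bytes) -> bytes:
    """Counter-style map: each offset gets its own keystream, so repeats vanish."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

SAMPLE_PLAIN = b"\x00" * 1024 + b"SMALL BIZ DB" * 16 + b"\x00" * 512  # repetitive, like a DB file
KEY = b"constructed-demo-key"
ECB_SAMPLE = _toy_ecb(KEY, SAMPLE_PLAIN)  # duplicate_block_ratio -> 1.0, ecb_consistent -> True
CTR_SAMPLE = _toy_ctr(KEY, SAMPLE_PLAIN)  # duplicate_block_ratio -> 0.0, ecb_consistent -> False
```

A high duplicate ratio on a real encrypted file only suggests ECB or another repeating-key scheme; the pair check against a known original is what confirms it, and a ransomware that prepends a header to the ciphertext needs that header skipped before comparing.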


#12 Daniel_K

Topic Starter

Posted 26 October 2017 - 02:12 PM

Sorry, misunderstood. I found two files where one of them was unencrypted, and uploaded them.

Doing block level backups to have copies, will try to recover removed files.

 




#13 Amigo-A


Posted 27 October 2017 - 09:39 AM

It is possible that this is a new version of Yyto Ransomware
 

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.
