ms.decry@aol.com infection


This topic is locked
3 replies to this topic

#1 Hacked805

Posted 25 October 2017 - 02:55 PM

Hi everyone,

We were hit with Ransomware. We think it happened sometime over the weekend, but we didn't notice anything wrong until 10/23 (Monday). We were not running anti virus at the time of the infection. The computer that was hit is our server running MS Server 2007 R2 (I believe this is what it is running, but I don't want to turn it on to confirm).

All of the folders on the server contain a file named _HELP_INSTRUCTION - Notepad and they have the following:

All your files are already encrypted due to a vulnerability in the system!

For decoding it is necessary to pay ransom by bitcoins. Bitcoins can be bought here - localbitcoins.com in many ways. Write to us at mail ms.decry@aol.com and tell us your unique ID in the subject line. DECRYPT-ID-be9abbeb-d90e-436a-85d1-7dfc3ac9d3b1 number

We would really like to get our files decrypted, if possible.

Any help is greatly appreciated.


Thanks in advance,

Derek


#2 quietman7 (Global Moderator)

Posted 25 October 2017 - 03:16 PM

CryptoMix Ransomware (CryptoMix Revenge) will leave files (ransom notes) named _HELP_INSTRUCTION.TXT.

Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different?

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
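The two facts the reply above asks for, the ransom note text and the extension on the encrypted files, can be collected from a copy of the affected share or a mounted image of the server disk without opening any files by hand. The script below is an added example written for this thread, not code from BleepingComputer, ID Ransomware or the poster: it walks a directory tree, pulls the contact address and DECRYPT-ID out of every `_HELP_INSTRUCTION.TXT` it finds, and tallies which extensions were appended to otherwise ordinary file names (`budget.xlsx.coban`). The sample tree it builds, the `COMMON_EXTS` list and the "appended extension" heuristic are assumptions of the example; the note text and identifier are the ones quoted in the first post.

```python
"""Read-only triage of a ransomware-hit file tree (added example, not from the thread).

Locates ransom notes, extracts the attacker contact address and DECRYPT-ID,
and tallies appended extensions so the victim has what ID Ransomware asks for
before touching the server itself.
"""
import os
import re
import tempfile
from collections import Counter

# Ransom note file name reported in the thread (CryptoMix / Revenge).
NOTE_NAMES = {"_HELP_INSTRUCTION.TXT"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ID_RE = re.compile(
    r"DECRYPT-ID-([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")

# Assumed list of ordinary document/data extensions. Used only to decide whether a
# trailing extension was appended (report.docx.coban) rather than being the real type.
COMMON_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".txt", ".zip", ".mdb", ".bak"}


def parse_note(text):
    """Pull contact addresses and DECRYPT-IDs out of one note body."""
    return {
        "contacts": sorted(set(EMAIL_RE.findall(text))),
        "ids": sorted({m.lower() for m in ID_RE.findall(text)}),
    }


def classify(name):
    """Return (appended_ext, inner_ext) for a file name.

    'report.docx.coban' -> ('.coban', '.docx'); 'report.docx' -> (None, '.docx').
    Heuristic: an unknown extension sitting behind a known one was appended.
    """
    stem, last = os.path.splitext(name)
    inner = os.path.splitext(stem)[1].lower()
    if inner in COMMON_EXTS and last.lower() not in COMMON_EXTS:
        return last.lower(), inner
    return None, last.lower()


def triage(root):
    """Walk the tree; never writes, only reads note files."""
    notes, appended, untouched = [], Counter(), Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper() in NOTE_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    notes.append(parse_note(fh.read()))
                continue
            app, inner = classify(name)
            if app:
                appended[app] += 1
            else:
                untouched[inner] += 1
    return {
        "note_count": len(notes),
        "contacts": sorted({c for n in notes for c in n["contacts"]}),
        "ids": sorted({i for n in notes for i in n["ids"]}),
        "appended_extensions": dict(appended),
        "untouched_extensions": dict(untouched),
    }


# Note body as quoted in the first post of the thread.
NOTE_TEXT = (
    "All your files are already encrypted due to a vulnerability in the system!\n"
    "For decoding it is necessary to pay ransom by bitcoins. Write to us at mail "
    "ms.decry@aol.com and tell us your unique ID in the subject line. "
    "DECRYPT-ID-be9abbeb-d90e-436a-85d1-7dfc3ac9d3b1 number\n")


def build_sample_tree():
    """Constructed sample share: two folders, each with a note and renamed files."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    layout = {
        "Finance": ["budget.xlsx.coban", "invoice.pdf.coban"],
        "HR": ["handbook.docx.coban", "readme.txt"],   # readme.txt left untouched
    }
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "_HELP_INSTRUCTION.TXT"), "w", encoding="utf-8") as fh:
            fh.write(NOTE_TEXT)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(os.urandom(32))   # stand-in for ciphertext
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point `triage()` at the mounted copy instead of `build_sample_tree()` for a real case. The contact address and DECRYPT-ID are what goes into the ID Ransomware upload alongside one encrypted file; the appended-extension count is the answer to the "is it the same for each file" question, and a non-zero `untouched_extensions` tally for document types tells you which folders the malware never reached.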

#3 Hacked805 (Topic Starter)

Posted 25 October 2017 - 04:07 PM

Thanks for the reply.

I uploaded a file and it came back with Revenge Ransomware, a CryptoMix variant, being distributed by RIG Exploit Kit.

Looks like the file extensions are .coban

What do you think?



#4 quietman7 (Global Moderator)

Posted 25 October 2017 - 04:19 PM

Probably a new extension they are using.

Avast released a decrypter tool for victims of some variants of this infection. If Avast's decrypter does not work and CERT Polska cannot help, I am not aware of any other way to decrypt files encrypted by CryptoMix variants without paying the ransom. If possible, your best option is to restore from backups or wait for a possible solution at a later time.

There are ongoing discussions in the following topics where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of the above support topic discussions. It includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff