Seems to be new ransomware .gr3g


10 replies to this topic

#1 Emmanuel_ADC-Soft

Posted 30 October 2017 - 11:43 AM

Hello,
 
My client is facing this ransomware with the extension .gr3g.
All encrypted files are named like this: hpp21udgf9rm8m1t4mrc4947g2_1509372663_Stop Pieces auto Tafani W GGE.pdf.libbywovas@dr.com.gr3g
 
Any help is requested, thank you very much.
 
Ransom note format : ..._Readme.txt
ID Ransomware ticket : ef44f2a4a6557931ebcc25772da7731682abc0dc
 
Download link https://we.tl/Fxr5WPQXMH with the ransom note, encrypted samples and original/encrypted file pairs.
 
Thank you,
Emmanuel
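Added example (not from the thread, and not the ransomware's own code): a small Python helper for the naming scheme in the post above. It splits each encrypted name into its fields and maps it back to the original name, which is also how you find matching clean copies (backups, sent attachments) for the original/encrypted pairs analysts ask for. Two things are assumptions of ours and are not stated in the thread: that the first field is a per-victim identifier, and that the 10-digit middle field is a Unix timestamp (for the posted sample it decodes to 2017-10-30 14:11:03 UTC, the day of the post). The extra listing entries are constructed.

```python
"""Triage helper for the ".gr3g" naming scheme shown in this thread.

Encrypted names have the shape
    <id>_<10 digits>_<original name>.<contact e-mail>.gr3g
This is an added example, not code from the thread or from the malware.
Assumptions (ours, not stated in the thread): the first field is a
per-victim identifier and the 10-digit field is a Unix timestamp.
"""
import re
from datetime import datetime, timezone
from typing import Optional

EXT = "gr3g"
NOTE_SUFFIX = "_Readme.txt"   # the thread gives only this suffix of the note name

# <original> is greedy, so the e-mail is taken from the rightmost "<local>@<domain>"
# segment; the local part may not contain '.', so "report.pdf" stays with the
# original name rather than being swallowed into the address.
_NAME_RE = re.compile(
    r"(?P<victim_id>[a-z0-9]+)_(?P<ts>\d{10})_(?P<original>.+)"
    r"\.(?P<email>[^.@/\\]+@[^.@/\\]+(?:\.[^.@/\\]+)+)\." + re.escape(EXT)
)


def parse_gr3g_name(name: str) -> Optional[dict]:
    """Split one encrypted filename into its fields; None if it does not match."""
    m = _NAME_RE.fullmatch(name)
    if m is None:
        return None
    ts = int(m.group("ts"))
    return {
        "victim_id": m.group("victim_id"),
        "timestamp": ts,
        # assumption: seconds since the Unix epoch, interpreted as UTC
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "original": m.group("original"),
        "email": m.group("email"),
    }


def is_ransom_note(name: str) -> bool:
    return name.endswith(NOTE_SUFFIX)


def triage(names) -> dict:
    """Summarise a directory listing: which files are encrypted, what they were
    called, which contact address was used and the encryption time window.
    The encrypted->original map is what you need to locate matching clean
    copies for an original/encrypted pair."""
    pairs, untouched, notes, times = {}, [], [], []
    emails, ids = set(), set()
    for n in names:
        if is_ransom_note(n):
            notes.append(n)
            continue
        info = parse_gr3g_name(n)
        if info is None:
            untouched.append(n)
            continue
        pairs[n] = info["original"]
        emails.add(info["email"])
        ids.add(info["victim_id"])
        times.append(info["encrypted_at"])
    return {
        "encrypted": pairs,
        "untouched": untouched,
        "notes": notes,
        "emails": sorted(emails),
        "victim_ids": sorted(ids),
        "first": min(times) if times else None,
        "last": max(times) if times else None,
    }


# Constructed listing: the first name is the one posted in the thread, the
# other three are made up to exercise the other branches.
SAMPLE_LISTING = [
    "hpp21udgf9rm8m1t4mrc4947g2_1509372663_Stop Pieces auto Tafani W GGE.pdf.libbywovas@dr.com.gr3g",
    "hpp21udgf9rm8m1t4mrc4947g2_1509372701_budget 2017.xlsx.libbywovas@dr.com.gr3g",
    "example_Readme.txt",
    "desktop.ini",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for enc, orig in summary["encrypted"].items():
        print(f"{orig!r}  <-  {enc}")
    print("contact:", summary["emails"])
    print("window :", summary["first"], "->", summary["last"])
```

Run it as a script to print the encrypted-to-original map for the sample listing; point triage() at os.listdir() of an affected share to get the same summary for a real case. The ransom-note check matches only the "_Readme.txt" suffix the thread gives, not a full note name.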

#2 Demonslay335 (Ransomware Hunter)

Posted 30 October 2017 - 12:56 PM

I just recently tweeted a hunt for this based on your (and several other) submissions: https://twitter.com/demonslay335/status/925056662389624832

 

We'll need a sample of the malware to analyze and identify properly.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Emmanuel_ADC-Soft (Topic Starter)

Posted 30 October 2017 - 01:46 PM

Hello Demonslay335,
 
The trojan is a file called RASMANS.EXE.
He will try to share it for analysis.
 
Emmanuel

#4 quietman7 (Global Moderator)

Posted 30 October 2017 - 06:23 PM

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Amigo-A

Posted 31 October 2017 - 02:49 PM

libbywovas@dr.com.gr3g

This is another new variant of Yyto Ransomware.


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#6 Emmanuel_ADC-Soft (Topic Starter)

Posted 01 November 2017 - 05:36 AM

Hello,
Unfortunately, the client's antivirus has erased the file and he failed to send it to me. It was in the logs that he saw that the file concerned was RASMAN.EXE.
Any idea how to go further? Can the logs be useful to analyse what happened?
Thanks, Emmanuel

#7 Demonslay335 (Ransomware Hunter)

Posted 01 November 2017 - 08:20 AM

If the logs have a hash of the executable that was deleted, we can use that to hunt it down.

 

Based on analyzing patterns in the ransom note and the encrypted file (versus original), we are fairly certain this is another variant of YYTO (which is not decryptable) as mentioned. Cannot be 100% certain until the malware is acquired of course.



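Added example (not from the thread or from any poster): when the antivirus has already deleted the sample, as in post #6, the only lead left is what the log recorded about it. This Python snippet pulls every MD5/SHA-1/SHA-256 digest and every .exe name out of a batch of log lines so the hash can be used to hunt for the file elsewhere, as post #7 suggests. The log lines are constructed in a generic "key=value" style and the digests are placeholders; neither comes from a real product or from the logs attached to the thread.

```python
"""Pull file hashes and executable names out of antivirus log lines so a
deleted sample can be hunted by hash. Added example for this thread; the
log lines below are constructed in a generic "key=value" style and are not
from any real product or from the logs attached to the thread."""
import re
from collections import defaultdict

# Hex digests by length: MD5 = 32, SHA-1 = 40, SHA-256 = 64 characters.
# The lookarounds stop a 32-char run inside a longer hex string (or a SHA-256
# inside a SHA-512) from being reported as a shorter digest.
_HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)
_HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# A Windows path or a bare file name ending in .exe; the path prefix is optional.
_EXE_RE = re.compile(r"(?:[A-Za-z]:\\[^\s\"']*\\)?([^\s\\\"']+\.exe)", re.IGNORECASE)


def extract_iocs(lines):
    """Return {"hashes": {kind: [sorted lowercase digests]},
               "files":  {lowercase exe name: number of lines mentioning it}}."""
    hashes = defaultdict(set)
    files = defaultdict(int)
    for line in lines:
        for digest in _HASH_RE.findall(line):
            hashes[_HASH_KIND[len(digest)]].add(digest.lower())
        for exe in _EXE_RE.findall(line):
            files[exe.lower()] += 1
    return {
        "hashes": {kind: sorted(v) for kind, v in hashes.items()},
        "files": dict(files),
    }


# Placeholder digests (constructed, not real hashes of anything).
PLACEHOLDER_SHA256 = "a1b2c3d4e5f6" * 5 + "a1b2"   # 64 hex chars
PLACEHOLDER_MD5 = "0123456789abcdef" * 2           # 32 hex chars

# Constructed log lines. Both spellings of the executable name appear because
# the thread itself gives RASMANS.EXE in one post and RASMAN.EXE in another.
SAMPLE_LOG = [
    "2017-10-30 14:09:51 Threat detected file=C:\\Users\\user\\AppData\\Local\\Temp\\RASMANS.EXE "
    "sha256=" + PLACEHOLDER_SHA256 + " action=deleted",
    "2017-10-30 14:09:51 Quarantine failed, file removed: RASMAN.EXE md5=" + PLACEHOLDER_MD5,
    "2017-10-30 14:10:02 Scan finished, 1 threat found",
]

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LOG)
    for kind, digests in found["hashes"].items():
        for d in digests:
            print(f"{kind}: {d}")
    for exe, count in found["files"].items():
        print(f"file: {exe} ({count} line(s))")
```

Feed it the exported log with extract_iocs(open(path, errors="replace")) and paste the resulting digests into whichever sample repository or sandbox you hunt in; the digest length tells you which kind of hash the product recorded, which matters because most repositories search MD5, SHA-1 and SHA-256 but nothing else.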

#8 Emmanuel_ADC-Soft (Topic Starter)

Posted 02 November 2017 - 05:52 AM

Hello Demonslay335,
I sent you the logs of my client and uploaded them here
 
I hope this can help. Thank you.
Kind regards, Emmanuel

#9 Emmanuel_ADC-Soft (Topic Starter)

Posted 04 November 2017 - 08:28 AM

The reply from libbywovas@dr.com (libby vasquez) to my request to decrypt the encrypted files for free:

 

Hello. Your files have been successfully decrypted. The files are attached to the email.

We can help you with decryption of all your files. The cost of our services will be $1000.
After payment, you will receive software that automatically decrypts all your files.

To purchase the program, you need to transfer $1000 Bitcoin coins to this purse: 1GUEcFM77KBPGZWVND6NoLyH2YeGwijQ6X
You can buy Bitcoin coins on this exchange: https://localbitcoins.com and https://localbitcoins.net, as well as in any place convenient for you.
The price is valid for 24 hours from the date of sending this message.

Stupid questions and suggestions - will be ignored.

 

encrypted samples .gr3g : https://we.tl/iJ4nAwVqXp

decrypted files : https://we.tl/uYgckhlVY4

emails : https://we.tl/ETSq7xf6vj

antivirus logs : https://we.tl/uUV2GKgYec

 

Can this help? Thanks, Emmanuel



#10 Amigo-A

Posted 04 November 2017 - 12:03 PM

blockchain.info/address/1GUEcFM77KBPGZWVND6NoLyH2YeGwijQ6X

 

Nobody has paid into this wallet yet.




#11 Amigo-A

Posted 09 November 2017 - 10:34 AM

Yesterday this BTC wallet was topped up with a large sum: 0.133883 BTC.






