
Locky or Cryptowall?


14 replies to this topic

#1 samwiseOrgin (Members, 50 posts)

Posted 22 November 2017 - 02:00 AM

My client was infected with ransomware that I cannot, unfortunately, identify as either Locky or CryptoWall (which version?).

 

Unfortunately, at the moment I do not have the ransom note, nor information on what extension the files have been changed to.

 

The following link is the only picture I was able to get from my client:

 

https://ssl-proxy-updated.herokuapp.com/2d6fd2cf22e8688870de674369f4b4c0614718ca/687474703a2f2f6b696e696d6167652e6e617665722e6e65742f32303137313132325f3136322f3135313133333139343433343751624868445f4a5045472f32303137313132325f3133343335312e6a70673f747970653d77363230/

20171122_134351.jpg?type=w620

As it seems it says :

all your files were encrypted with RSA-2048 crypto algorithm! Without your personal key and special software data recovery is impossible!

If you want to restore your files, please write us to the emails: datsun987@tutanota.com OR datsun987@yahoo.com

 

 

Any help to determine which ransomware this is will be very much appreciated 


Edited by samwiseOrgin, 22 November 2017 - 02:01 AM.



#2 Amigo-A (Members, 478 posts, Location: 3st station from Sun)

Posted 22 November 2017 - 03:52 AM

Locky or Cryptowall?

 

No.

If we draw analogies from the style of the title of the ransom notes and the text, then it is probable that this is a new variant of Matrix Ransomware.

---

1) previous ransom notes

WhatHappenedWithMyFiles.rtf

!WhatHappenedWithMyFiles!.rtf
#_#WhatWrongWithMyFiles#_#.rtf
new #What-Happened-With-Files#.rtf
 
Yes, this is Matrix
 
2) submitted by you ransom text
All your were encrypted with RSA-2048 crypto algorithm!
Without your personal key and special software data recovery is impossible!
If you want to restore your files, please write us to the e-mails:
datsun987@tutanota.com OR datsun987@yahoo.com
* Additinal info you can find in files: #What-Happened-With-Files#.rtf
SdA8KjxOjFRmrDlbwBORkLZwysI

If we compare with the updates (at the bottom of my page there is a block of updates)

https://id-ransomware.blogspot.ru/2016/12/matrix-ransomware.html

 


Above is your text from the screen; below is the previous version from November 2, 2017.

 

Yes, this is Matrix


Edited by Amigo-A, 22 November 2017 - 04:20 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#3 Amigo-A (Members, 478 posts, Location: 3st station from Sun)

Posted 22 November 2017 - 03:55 AM

samwiseOrgin

 

And what extension is added to your files?




#4 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 03:57 AM

samwiseOrgin

 

And what extension is added to your files?

The picture was the only info I was given.

At this time I do not have more information. 



#5 Amigo-A (Members, 478 posts, Location: 3st station from Sun)

Posted 22 November 2017 - 04:11 AM

Unfortunately, Matrix Ransomware is focused on Russia, South-East Asia and Korea, in particular.

These are different malicious campaigns with their own attributes. 




#6 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 04:13 AM

Korea, in particular. 



#7 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 04:32 AM

Unfortunately, Matrix Ransomware is focused on Russia, South-East Asia and Korea, in particular.
These are different malicious campaigns with their own attributes. 


That's a rather weird finding... It has been months since I've come across Matrix Ransomware. Of course, I have limited contact with people... The majority of infections were caused by either CRBR or Magniber...

#8 Amigo-A (Members, 478 posts, Location: 3st station from Sun)

Posted 22 November 2017 - 05:07 AM

Matrix Ransomware attacks have been carried out since the end of last year in different regions of the world.

Magniber's attack is a recent distribution.

 

Matrix Ransomware is being installed through exploit kits on sites displaying malvertising, which target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651). Both of these vulnerabilities rely on visitors using unpatched and outdated versions of Internet Explorer and Flash Player.

 

Your client needs to install the appropriate updates for Windows, in order not to expose his PC to these attacks in the future.

His place of residence (Korea, Japan, China, etc.) in this case does not matter. The threat can be global and switched in the future to any country, in whatever direction the shadow rulers indicate.


Edited by Amigo-A, 22 November 2017 - 05:25 AM.



#9 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 05:59 AM

Matrix Ransomware attacks have been carried out since the end of last year in different regions of the world.

Magniber's attack is a recent distribution.

 

Matrix Ransomware is being installed through exploit kits on sites displaying malvertising, which target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651). Both of these vulnerabilities rely on visitors using unpatched and outdated versions of Internet Explorer and Flash Player.

 

Your client needs to install the appropriate updates for Windows, in order not to expose his PC to these attacks in the future.

His place of residence (Korea, Japan, China, etc.) in this case does not matter. The threat can be global and switched in the future to any country, in whatever direction the shadow rulers indicate.

 

I will be updating with more info when and if I get more from him... Otherwise go ahead and lock it after 3 days, per se...

I figure there is no decryptor for the Matrix Ransomware?



#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,263 posts, Location: Virginia, USA)

Posted 22 November 2017 - 07:06 AM

The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), samples of the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button... it's best to compress large files before sharing.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
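A small triage helper in the spirit of the identification approach quietman7 describes above (note filename, note text, contact e-mails), scored against the Matrix indicators Amigo-A quoted in post #2. This is an added example, not code from the thread or any of its participants; the scoring thresholds and the directory walk are assumptions of the example, and the note body is the text quoted in the thread used as sample input.

```python
import re
from pathlib import Path

# Ransom-note filenames quoted in post #2 of this thread as Matrix indicators.
MATRIX_NOTE_NAMES = {
    "WhatHappenedWithMyFiles.rtf",
    "!WhatHappenedWithMyFiles!.rtf",
    "#_#WhatWrongWithMyFiles#_#.rtf",
    "#What-Happened-With-Files#.rtf",
}
# Contact addresses from the screenshot text quoted in posts #1 and #2.
MATRIX_EMAILS = {"datsun987@tutanota.com", "datsun987@yahoo.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Note body as quoted in post #2, used here as the sample input.
SAMPLE_NOTE = """All your were encrypted with RSA-2048 crypto algorithm!
Without your personal key and special software data recovery is impossible!
If you want to restore your files, please write us to the e-mails:
datsun987@tutanota.com OR datsun987@yahoo.com
* Additinal info you can find in files: #What-Happened-With-Files#.rtf
"""

def extract_emails(text):
    """Contact addresses found in a note, lower-cased and de-duplicated."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})

def classify_note(filename, text):
    """Score one candidate note against the Matrix indicators above.

    Returns (verdict, evidence). The thresholds (two or more indicators ->
    likely, one -> possible) are an assumption of this example, not a rule
    from the thread.
    """
    evidence = []
    if Path(filename).name in MATRIX_NOTE_NAMES:
        evidence.append("filename matches a known Matrix note name")
    known = [e for e in extract_emails(text) if e in MATRIX_EMAILS]
    if known:
        evidence.append("contact e-mail seen in Matrix campaign: " + ", ".join(known))
    if any(name in text for name in MATRIX_NOTE_NAMES):
        evidence.append("body refers to a known Matrix note name")
    verdict = {0: "unknown", 1: "possible Matrix"}.get(len(evidence), "likely Matrix")
    return verdict, evidence

def triage_directory(root):
    """Walk a tree and classify every file whose name or suffix looks like a note."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.name in MATRIX_NOTE_NAMES or p.suffix.lower() in {".rtf", ".txt"}):
            try:
                results[str(p)] = classify_note(p.name, p.read_text(errors="replace"))
            except OSError:
                continue
    return results
```

Run `triage_directory` against a copy of the affected user's profile or a mounted image, not the live machine, and treat a "possible" verdict as a prompt to upload the note and a sample file as quietman7 suggests.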

#11 Amigo-A (Members, 478 posts, Location: 3st station from Sun)

Posted 22 November 2017 - 02:24 PM

samwiseOrgin

I figure there is no decryptor for the Matrix Ransomware?

 

Yes, unfortunately, there are no public decryption tools for files encrypted by the Matrix Ransomware. 


Edited by Amigo-A, 22 November 2017 - 02:26 PM.



#12 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 07:29 PM

Thank you all, my client has acknowledged the situation and wiped his HDD last night. There was no back-up or shadow-recovery that he had saved.

The situation has been resolved. Go ahead and close the topic.



#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,263 posts, Location: Virginia, USA)

Posted 22 November 2017 - 07:36 PM

As a general rule Bleeping Computer does not always close (lock) topics in this forum. Other readers looking for similar information may want to add their comments or ask a related question which may prompt further discussion. Exceptions to that rule are redundant (duplicate) topics and referrals to specific support topics for ease of management.

#14 samwiseOrgin (Topic Starter, Members, 50 posts)

Posted 22 November 2017 - 08:20 PM

As a general rule Bleeping Computer does not always close (lock) topics in this forum. Other readers looking for similar information may want to add their comments or ask a related question which may prompt further discussion. Exceptions to that rule are redundant (duplicate) topics and referrals to specific support topics for ease of management.

Understood!

Much appreciated! 



#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,263 posts, Location: Virginia, USA)

Posted 22 November 2017 - 09:52 PM

Not a problem.



