Unable to determine ransomware


This topic is locked
6 replies to this topic

#1 networkdwebguys (Members, 4 posts)

Posted 23 November 2017 - 07:31 AM

ID Ransomware has not identified the ransomware that affected my PC.

I have uploaded a file, but it shows "Unable to determine ransomware."

My case: case SHA1: 83f1b8f73830ca1c5af6e3a7325d1e1e335e73cc




#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,579 posts, USA)

Posted 23 November 2017 - 10:31 AM

ID Ransomware identified the ransom note as Xorist, and I'd say the patterns in the files look like Xorist as well. I've also seen Xorist use the extension ".CERBER" before.

 

Try the Emsisoft Xorist decrypter using an encrypted file and its original.

 

https://decrypter.emsisoft.com/xorist

 

The Mircop detection was a false-positive since you uploaded a file called "Lock.php.CERBER".


Edited by Demonslay335, 23 November 2017 - 10:32 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,920 posts, Virginia, USA)

Posted 23 November 2017 - 06:22 PM

Actual Cerber Ransomware encrypted files are renamed (encrypted) with 10 random characters + .cerber extension (i.e. 2C1OlcaXdF.cerber) or a random 4 character hexadecimal extension (i.e. 1xQHJgozZM.b71c) appended to the end of the encrypted data filename. Cerber v2 encrypted files are renamed (encrypted) with 10 random characters followed by a .cerber2 extension appended to the end of the filename (i.e. Ku7dYlcvkj.cerber2). Cerber v3 will be renamed (encrypted) with 10 random characters followed by a .cerber3 extension appended to the end of the filename (i.e. um87p5n5x9.cerber3).

The fake Cerber (variants of Xorist or CerberTear based on HiddenTear) utilize the .cerber extension appended to the end of the original extension and filename (i.e. picture.jpg.cerber). GPAA Ransomware (Global Poverty Aid Agency) will have scrambled file names with the .cerber6 extension appended to the end of the encrypted data filename (i.e. 2BiwaFbX6wlPaDSy.cerber6).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
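The naming patterns in the post above are exactly the kind of thing a responder wants to run over a directory listing before uploading anything to ID Ransomware. The script below is an added example (mine, not code from this thread or from any of the tools linked here) that encodes quietman7's patterns as regexes and triages a list of filenames. Assumptions: the "random characters" class is taken as [A-Za-z0-9_-], the GPAA name length is taken as 16 because that is what the quoted example shows, and the sample paths are constructed. Filename shape is only a hint; confirm with a ransom note and an encrypted file on ID Ransomware as Demonslay335 did here.

```python
"""Triage encrypted filenames against the Cerber / fake-Cerber naming patterns
quoted in this thread. Added example: the regexes, the character-class
assumption for "random characters", and the sample listing are mine."""
import re
from typing import Dict, Iterable, Optional

# Assumption: Cerber's random characters are drawn from [A-Za-z0-9_-].
RAND = r"[A-Za-z0-9_-]"

# The real-Cerber and GPAA patterns require the whole name to be random
# characters, so an original name such as "picture.jpg" never matches them.
# The fake-Cerber (Xorist / CerberTear) pattern needs the original extension to
# still be present before .cerber (two dots), so the two sets do not overlap.
# It is case-insensitive because the Xorist sample in this thread used ".CERBER".
PATTERNS = [
    ("Cerber v1 (.cerber)",         re.compile(rf"^{RAND}{{10}}\.cerber$")),
    ("Cerber v1 (4-hex extension)", re.compile(rf"^{RAND}{{10}}\.[0-9a-f]{{4}}$")),
    ("Cerber v2 (.cerber2)",        re.compile(rf"^{RAND}{{10}}\.cerber2$")),
    ("Cerber v3 (.cerber3)",        re.compile(rf"^{RAND}{{10}}\.cerber3$")),
    ("GPAA (.cerber6)",             re.compile(rf"^{RAND}{{16}}\.cerber6$")),   # 16 assumed from the example
    ("fake Cerber (Xorist/CerberTear: name.ext.cerber)",
                                    re.compile(r"^.+\.[^.]+\.cerber$", re.IGNORECASE)),
]


def classify(path: str) -> Optional[str]:
    """Return the family label whose naming pattern the basename matches, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # works for Windows and POSIX paths
    for label, rx in PATTERNS:
        if rx.match(name):
            return label
    return None


def triage(paths: Iterable[str]) -> Dict[str, int]:
    """Count matches per family across a listing; files matching nothing land under 'unmatched'."""
    counts: Dict[str, int] = {}
    for p in paths:
        label = classify(p) or "unmatched"
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed listing: the thread's example names mixed with an untouched file.
    sample = [
        "C:/Users/victim/Documents/2C1OlcaXdF.cerber",
        "C:/Users/victim/Documents/1xQHJgozZM.b71c",
        "C:/Users/victim/Pictures/picture.jpg.cerber",
        "C:\\inetpub\\wwwroot\\Lock.php.CERBER",
        "C:/Users/victim/Desktop/2BiwaFbX6wlPaDSy.cerber6",
        "C:/Users/victim/Desktop/report.docx",
    ]
    for p in sample:
        print(f"{p:50} -> {classify(p)}")
    print(triage(sample))
```

A mixed result (some real-Cerber names next to name.ext.cerber files) is itself a finding worth mentioning when you open a support topic, because it means more than one family touched the machine.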

#4 networkdwebguys (Topic Starter, Members, 4 posts)

Posted 24 November 2017 - 01:29 AM

Thanks for the reply, but all files on my whole system are encrypted with the .CERBER extension.

I have already found the .exe file that encrypted my data, but how do I decrypt all my data?

Please reply to me fast.

Thanks

 

 



#5 dimo70 (Members, 45 posts, Sofia)

Posted 24 November 2017 - 02:05 AM

Unable to determine ransomware.

Please reference this case SHA1: a2cac77695fe4b75c0cba0183948039d4ea93401


Sofia, Bulgaria

WWW: http://eastcomputerservise.com/

 


#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,579 posts, USA)

Posted 25 November 2017 - 11:18 AM

@networkdwebguys

Follow the instructions for the Xorist decrypter... It is definitely Xorist as I said. You just need an encrypted file and its original to use the decrypter. Sample pictures, something that was recently downloaded and can be re-downloaded, something you sent to someone who can send it back, copy from a backup... There's plenty of options, you only need one file pair. Worst case, Thyrex may be able to help with a few encrypted Word documents.

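Both of Demonslay335's replies come down to the same requirement: one encrypted file plus its untouched original. The toy below is an added illustration of why a single pair is enough for a weak cipher; it is my code, not Xorist's actual routine and not the internals of the Emsisoft decrypter. Emsisoft documents Xorist variants as using XOR or TEA with a password-derived key; this model covers only the simplest case, a repeating-key XOR, so the reader can see what a known-plaintext pair yields and how a wrong "original" is detected. The file contents and the key are constructed for the example.

```python
"""Why one (original, encrypted) pair is enough: toy known-plaintext key recovery
for a repeating-key XOR. Added example; not Xorist's cipher and not how the
Emsisoft decrypter works. All data below is constructed."""
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(original: bytes, encrypted: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from one plaintext/ciphertext pair.

    Raises ValueError when the pair cannot be a real pair under this model:
    lengths differ, the pair is shorter than the key, or original XOR encrypted
    is not periodic with period key_len (what happens when the 'original' is
    not really the original of that encrypted file)."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file differ in length; not a pair")
    if len(original) < key_len:
        raise ValueError("pair is shorter than the key; cannot recover every key byte")
    keystream = bytes(p ^ c for p, c in zip(original, encrypted))
    key = keystream[:key_len]
    # keystream XOR (key repeated) is all zeros exactly when keystream has period key_len
    if xor_with_key(keystream, key) != bytes(len(keystream)):
        raise ValueError("keystream is not periodic with this key length; wrong pair or wrong model")
    return key


def is_true_pair(original: bytes, encrypted: bytes, key_len: int) -> bool:
    """Consistency check a responder can run before trusting a supposed file pair."""
    try:
        recover_key(original, encrypted, key_len)
        return True
    except ValueError:
        return False


def find_key_length(original: bytes, encrypted: bytes, max_len: int = 64) -> int:
    """Smallest period that yields a consistent key. Requires the pair to be at
    least twice the candidate length so the period is actually observed, otherwise
    a short pair would 'confirm' a truncated key."""
    for n in range(1, max_len + 1):
        if len(original) >= 2 * n and is_true_pair(original, encrypted, n):
            return n
    raise ValueError("no consistent repeating key up to max_len; pair too short or not this model")


def decrypt_with_pair(original: bytes, encrypted: bytes, other_encrypted: bytes) -> bytes:
    """Use one known pair to decrypt a different file encrypted under the same key."""
    n = find_key_length(original, encrypted)
    return xor_with_key(other_encrypted, recover_key(original, encrypted, n))


# Constructed sample: a key, one file we still have a clean copy of, and one we do not.
KEY = b"s3cr3t-k3y!"
ORIGINAL = b"Quarterly report: revenue up 12%, costs flat. Draft, do not circulate."
ENCRYPTED = xor_with_key(ORIGINAL, KEY)
OTHER_ENCRYPTED = xor_with_key(b"Invoice 4471: 1,250.00 EUR due 30 days net.", KEY)

if __name__ == "__main__":
    n = find_key_length(ORIGINAL, ENCRYPTED)
    print("key length:", n, "key:", recover_key(ORIGINAL, ENCRYPTED, n))
    print("second file:", decrypt_with_pair(ORIGINAL, ENCRYPTED, OTHER_ENCRYPTED))
    print("wrong original accepted?", is_true_pair(b"x" * len(ORIGINAL), ENCRYPTED, n))
```

The practical point for the thread: the original must be byte-for-byte the same file that was encrypted (a re-downloaded sample picture or a copy from backup), not merely a similar one, and it should be at least as long as the key, otherwise the recovered key is incomplete and other files decrypt to garbage past that point.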


#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,920 posts, Virginia, USA)

Posted 25 November 2017 - 04:49 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
