
SambaCry / StorageCrypt Ransomware Support (.locked, _READ_ME_FOR_DECRYPT.txt)


29 replies to this topic

#1 johnwwweissberg

johnwwweissberg

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 25 November 2017 - 01:22 PM

We use a Thecus 7710G NAS which was attacked and encrypted. The tool on the ID Ransomware site was not able to determine the type of ransomware. Here is the case on the ID Ransomware site: SHA1: 7d1cff7dea5ee8f5a5016381e962766b52c59aef

 

 

The encrypted files have been given the extension: .locked

 

All the directories on the NAS contain a file with name: _READ_ME_FOR_DECRYPT.txt

 

Here is the text of the ransomware note:

 

Warning
 
    Your documents,photos,databases,important files have been encrypted by RSA-4096 and AES-256!
    If you modify any file, it may cause make you cannot decrypt!!!

    You have to pay for decryption in bitcoin

    Before paying you can send to us up to 2 files for free decryption
    and it can also prove that we have ability to decrypt.
        
    Please note that files must NOT contain valuable information
    and their total size must be less than 2Mb


        
    How to decrypt your files  ?
    
        To decrypt your files,please following the steps below

        1,Pay 0.4 bitcoin  to this address: 1HUqiacJ6F6yLwTeGwohEdgWVuehibEegq
        
            Pay To : 1HUqiacJ6F6yLwTeGwohEdgWVuehibEegq
            Amount : 0.4

        2,After you have finished paying,Contact us and Send us your Decrypt-ID via email
    
        3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.



    How to obtain bitcoin ?

        The easiest way to buy bitcoin is LocalBitcoins site.
        You have to register, click Buy bitcoins  and select the seller
        by payment method and price

        https://localbitcoins.com/buy_bitcoins

        https://paxful.com/buy-bitcoin

        http://bitcointalk.org/
    

    If you have any questions please do not hesitate to contact us



Contact Email    :    JeanRenoAParis@protonmail.com

Decrypt-ID        :



Edited by quietman7, 27 November 2017 - 08:27 PM.



#2 baronvon

baronvon

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 25 November 2017 - 04:38 PM

Wish I could be more helpful, but I came across this looking for assistance as well. I have the identical issue, though I'm running a Western Digital EX4100. I got hit Thursday morning 11/23/17 and have been trying to figure out what breed of ransomware this is.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,104 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:43 PM

Posted 25 November 2017 - 05:00 PM

The .locked extension is more generic since it is used by several types of ransomware.

Did you upload (submit) both encrypted files and ransom notes together along with contact email addresses and hyperlinks to ID Ransomware? Doing that provides a more positive match and helps to avoid false detections.

If you did, then our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 johnwwweissberg

johnwwweissberg
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 25 November 2017 - 06:18 PM

I have submitted (via the file submission page) some strange files we located on the NAS that we certainly did not place there.



#5 baronvon

baronvon

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 25 November 2017 - 06:20 PM

Can I ask where you found them? Looking on my own NAS now.



#6 johnwwweissberg

johnwwweissberg
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 25 November 2017 - 06:26 PM

One of the 3 files I posted has extension: .so

 

We are fairly certain that this was the real culprit. I would search for any files ending in .so

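An added triage helper (not code from this thread or from any of the posters) that walks a mounted NAS share and reports the three artifacts discussed above: files renamed to .locked, the _READ_ME_FOR_DECRYPT.txt notes, and any .so files sitting among user data, with a SHA1 for each so they can be submitted for analysis rather than guessed about. It assumes POSIX sh with find and sha1sum, and that the share is mounted read-only at the path given; the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Triage a mounted NAS share for the StorageCrypt artifacts described in
# this topic. Assumed tools: find, sha1sum, mktemp (POSIX sh, GNU coreutils).

count_locked() { find "$1" -type f -name '*.locked' | wc -l | tr -d ' '; }
count_notes()  { find "$1" -type f -name '_READ_ME_FOR_DECRYPT.txt' | wc -l | tr -d ' '; }
count_so()     { find "$1" -type f -name '*.so' | wc -l | tr -d ' '; }

# Directories that hold encrypted files but no ransom note (or vice versa)
# are worth a second look; the original poster saw a note in every folder.
dirs_locked_without_note() {
    find "$1" -type f -name '*.locked' -exec dirname {} \; | sort -u |
    while read -r d; do
        [ -f "$d/_READ_ME_FOR_DECRYPT.txt" ] || echo "$d"
    done
}

triage_share() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    echo "encrypted (.locked) files : $(count_locked "$root")"
    echo "ransom notes              : $(count_notes "$root")"
    echo "folders with .locked files but no note:"
    dirs_locked_without_note "$root"
    # Shared objects have no business in a photo/music share; hash them so the
    # exact sample (not just its name) can be handed to the analysts.
    echo "unexpected .so files (sha1  path):"
    find "$root" -type f -name '*.so' -exec sha1sum {} \; 2>/dev/null
}

# Constructed sample share, only so the helper can be exercised offline.
make_sample_share() {
    dir=$(mktemp -d)
    mkdir -p "$dir/photos" "$dir/music" "$dir/docs"
    printf 'x' > "$dir/photos/holiday.jpg.locked"
    printf 'x' > "$dir/music/song.mp3.locked"
    printf 'x' > "$dir/docs/taxes.pdf.locked"
    printf 'Warning\n' > "$dir/photos/_READ_ME_FOR_DECRYPT.txt"
    printf 'Warning\n' > "$dir/music/_READ_ME_FOR_DECRYPT.txt"
    printf 'placeholder, not a real ELF' > "$dir/music/libunknown.so"
    echo "$dir"
}
```

Run it as `triage_share /mnt/nas-share` once the array is mounted (baronvon's ssh-and-mount approach); the docs folder in the sample tree is deliberately left without a note so the mismatch check has something to report.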


#7 MinaTheRed

MinaTheRed

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 25 November 2017 - 08:00 PM

Our WD MyCloud was hacked week before last.  Due to Thanksgiving prep I've had to wait until now to start trying to figure this out - all my music, files, and pictures are locked and I'm utterly devastated.  The locked files have the extension of .locked.  I ran Norton on the drive (and I have to figure out why it wasn't actively protecting the drive) and it removed heur.advml.b, and three copies of w32.licum.  I've uploaded the ransom note and a sample file to ID Ransomware and it hasn't found the locker (reference SHA1: 123938387b8ce803e2e014df1681d71f2ca4f5c3).  I tried to run it through nomoreransom.org, but when I submit the files it just goes back to the front page (I tried on Firefox, Internet Explorer, and Google Chrome).  Can anyone please advise what I can do to get my files back?  As violated and angry as I am over this I'll be doggoned if I'll pay one penny to these greedy, thieving SOBs, but the thought of losing all of my files is just... so upsetting.  

 

Thank you so much in advance for any help you can provide!

 

ETA: I was just scrolling through the files and there are some .SO files in there that I don't recognize.  Does that mean anything to anyone?


Edited by MinaTheRed, 25 November 2017 - 08:06 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,104 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:43 PM

Posted 25 November 2017 - 09:01 PM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type of encryption used by the malware writers and a variety of other factors. Please be patient until Demonslay335 has a chance to review and analyze the submitted files.

#9 baronvon

baronvon

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 25 November 2017 - 10:59 PM


Out of curiosity, does your WD Dashboard see your RAID volume? Mine just reports "No Configured Volumes" but I can ssh into the device and manually mount the RAID array and see all my files that way.



#10 MinaTheRed

MinaTheRed

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 26 November 2017 - 01:22 PM

Out of curiosity, does your WD Dashboard see your RAID volume? Mine just reports "No Configured Volumes" but I can ssh into the device and manually mount the RAID array and see all my files that way.

 

I'm not sure what a RAID volume is, but I can see all my files and the different drives I set up for each share.  Is that the same thing?

 

Thank you to you both, Demonslay335 and Bleepin' Janitor, for helping!  Please let me know if I can provide any additional information!



#11 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:43 AM

Posted 26 November 2017 - 01:59 PM

This ransom note looks new, and its style as well. The commas after the numbers (1,Pay 2,After 3,Once) indicate that the author of the note forgot that he was writing the text in a non-native language, in which the semicolon stands where the dot is in the author's native language (on the numeric keypad that is to the right of the main keypad). The same feature also says that the ransom note was not written to order; otherwise another person would have noticed this gaffe.
We have not seen this gaffe earlier in previous ransom notes.
 
Based on known data, a preliminary (or alert) description of the threat has been compiled.
The threat has been added to the Digest as StorageCrypter Ransomware
 
 

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#12 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:43 AM

Posted 26 November 2017 - 02:13 PM

MinaTheRed
 
It is possible that baronvon meant this picture.
[image: screenshot showing RAID status]
 
There you can see the status of all RAIDs.



#13 benswan

benswan

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 27 November 2017 - 05:40 PM

It happened to me as well. About a week and a half ago. I exposed my WD MyCloud to the internet via port forwarding on my router. My wife noticed she didn't have access to the files. I noticed the .locked extension, but immediately unplugged the NAS. When I plugged it back in, I couldn't get to anything. I wasn't sure what failed. I ended up buying a USB 3.5" SATA enclosure and put the disk in it. Once I could connect directly to my computer, I found the note. SUCKS. They wanted 1.0 BTC - ha ha ha. I offered .011 just to see if they would bite and they came back with .12, which is around $1100 USD. I hope you guys can figure out how to decrypt, because I'm not giving them a penny. Lessons learned.



#14 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 PM

Posted 27 November 2017 - 08:23 PM

I've been getting submissions with that note for some time now, only just noticed this topic. I've added rules to ID Ransomware to identify it as "StorageCrypter" as Amigo named it, seems good enough for now until we find a sample of the malware. We'll definitely need the malware itself for proper analysis to tell whether it can be decrypted or not.
 
I'm taking a quick look at the files uploaded. The "美女与野兽.exe" (translates to "Beauty and the beast" in Chinese according to Google) seems like it may be a backdoor according to its VirusTotal results.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#15 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:43 AM

Posted 28 November 2017 - 12:50 PM

美女与野兽 .exe

 

or 

The Beauty and the Beast 

;)


Edited by Amigo-A, 28 November 2017 - 12:51 PM.
