
HC6 / HC7 / HC9 Ransomware (.f*cku, .gotya, - recover_your_fies.txt) Support


36 replies to this topic

#1 steelersfan123

Posted 27 November 2017 - 11:27 AM

So we came in to work after the holiday weekend and almost every computer on the network, including the server, has files with .bleepu extensions. I have run Malwarebytes; it found one file, hc6.exe, in c:\windows\. I can't seem to find anything related to this variant of ransomware; does anyone know anything? I used the ID Ransomware site to analyze the encryption and it couldn't determine what type of file it was.

Edited by quietman7, 10 January 2018 - 06:55 AM.



#2 Emmanuel_ADC-Soft

Posted 27 November 2017 - 12:54 PM

Hello,

Can you share here 3-4 encrypted files (doc, xls, pdf, zip), the ransom note and the hc6.exe file?

Regards, Emmanuel



#3 steelersfan123 (Topic Starter)

Posted 27 November 2017 - 01:33 PM

Here is a link to a zip file with the files you requested.

https://www.dropbox.com/s/l34anvxe6io34ql/infected.zip?dl=0

 

Here is the ID Ransomware reference number

SHA1: 1e4c87b681e8fe5a96e7ee284fcb865e785bcfd3


Edited by steelersfan123, 27 November 2017 - 01:41 PM.


#4 Emmanuel_ADC-Soft

Posted 27 November 2017 - 01:55 PM

@steelersfan123,

Ok. I will come back to you asap; we are starting the analysis.

Kind regards,

Emmanuel



#5 Amigo-A

Posted 27 November 2017 - 02:21 PM

steelersfan123
 
Did I understand correctly that the extension on the files is actually .f*cku?

If the answer is 'Yes', does this match the data that Michael reported on the link?

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 steelersfan123 (Topic Starter)

Posted 27 November 2017 - 02:24 PM

Yes, you understood correctly, and yes, his Twitter feed is the only place I have found anything close to information on this issue.



#7 Emmanuel_ADC-Soft

Posted 27 November 2017 - 04:03 PM

Analysis is still going on.

 

There is someone at nullforwarding@qualityservice.com for decrypting samples of crypted files.

Kind regards, Emmanuel



#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 27 November 2017 - 04:19 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can also be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button... it's best to compress large files before sharing. Doing that will be helpful for analysis and investigation by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#9 steelersfan123 (Topic Starter)

Posted 27 November 2017 - 04:28 PM

I uploaded a zip file with the files and linked it as you requested.

This ransomware spread to 10 PCs and our server, not just infecting shares but infecting everything it could find that met its criteria.

 

I thank you all for the help with this
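Scoping an outbreak like the one described above (ten PCs plus a server, every reachable file that matched the malware's criteria) is easier with a small inventory script than by eye. The block below is an added example written for this thread; it is not code from the original post, from ID Ransomware, CryptoSearch, or any tool mentioned here. It walks a directory tree, counts files carrying the extensions reported in this topic (.bleepu, .f*cku, .gotya), records which original file types were hit, and takes the SHA-1 of every ransom note it finds (the same hash type ID Ransomware reports as a reference). The function names and the sample tree it builds are constructed for illustration; point `scope_incident()` at a real share root during triage.

```python
"""Inventory encrypted files and ransom notes under a directory tree.

Added example for incident scoping; not code from the thread or from any
tool it mentions. The extensions and ransom-note filename are the ones
reported in this topic; function names and the sample tree are constructed.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Extensions and ransom-note filename reported in the thread.
ENCRYPTED_EXTS = {".bleepu", ".f*cku", ".gotya"}
RANSOM_NOTE = "recover_your_fies.txt"


def sha1_of(path, chunk=1 << 16):
    """SHA-1 of a file, read in chunks so large samples are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scope_incident(root):
    """Walk `root` and return: encrypted-file counts per directory, the
    original extensions that were encrypted, and the SHA-1 of each ransom note."""
    per_dir = Counter()
    original_exts = Counter()
    notes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes[full] = sha1_of(full)
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() in ENCRYPTED_EXTS:
                per_dir[dirpath] += 1
                # The extension before the appended one, e.g. ".docx" in "memo.docx.bleepu".
                original_exts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {
        "per_dir": dict(per_dir),
        "original_exts": dict(original_exts),
        "notes": notes,
    }


def build_sample_tree():
    """Constructed sample tree standing in for a share; returns its root path."""
    root = tempfile.mkdtemp(prefix="hc6_scope_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("budget.xlsx.bleepu", "memo.docx.bleepu", "scan.pdf.gotya"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(b"\x00" * 32)  # opaque placeholder for ciphertext
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("untouched file\n")
    with open(os.path.join(docs, RANSOM_NOTE), "w") as f:
        f.write("constructed ransom note text\n")
    return root


if __name__ == "__main__":
    result = scope_incident(build_sample_tree())
    for directory, count in result["per_dir"].items():
        print(f"{count:4d} encrypted file(s) in {directory}")
    print("original file types hit:", result["original_exts"])
    for path, digest in result["notes"].items():
        print("ransom note", path, "SHA-1", digest)
```

Run it against each affected host's shares and keep the per-directory counts; they show how far the malware reached and which data sets to restore first, and the ransom-note hash gives you a stable value to quote when submitting samples.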



#10 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 27 November 2017 - 06:48 PM

Thanks for the sample. Looks to be Python-based, I should be able to start analyzing it tomorrow.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 Demonslay335 (Ransomware Hunter)

Posted 28 November 2017 - 02:01 PM

Some good news, this one is decryptable. Will be working on a decrypter for it soon. :)




#12 Amigo-A

Posted 28 November 2017 - 02:05 PM

steelersfan123

 

Please pass me the original file 'recover_your_fies.txt' or, better, make a full-sized screenshot of its content and pass it.




#13 Demonslay335 (Ransomware Hunter)

Posted 28 November 2017 - 02:08 PM

@Amigo-A

 

Here's the ransom note it produces. The Bitcoin address is randomly chosen from 14 hard-coded addresses.

 

https://pastebin.com/teu9rxPs




#14 quietman7 (Bleepin' Janitor)

Posted 28 November 2017 - 02:16 PM

What name are we going to use for this one?

#15 Demonslay335 (Ransomware Hunter)

Posted 28 November 2017 - 02:22 PM

I'm calling it "hc6", as that's the main module and executable for it. Nothing else "unique" really. Uses AES-256 CBC and SHA256.

