
m6m6 Ransomware



#1 joestermeyer

Posted 01 December 2017 - 03:52 PM

Hello - I was infected today with ransomware and the process renamed all non-exe files with the following extension:

 

filename.extension.teduggreene@adexec.com.m6m6 (CONFIG.SYS.teduggreene@adexec.com.m6m6)

 

I ran a few scanners and was unable to make any progress.  Below is a copy of the letter:

 

Hello. Your files have been encrypted.

For help, write to this e-mail: teduggreene@adexec.com
Attach to the letter 1-2 files (no more than 3 MB) and your personal key.


If within 24 hours you have not received a response, you need to follow the following instructions:


a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en
b) From the TOR browser, follow the link: torbox3uiot6wchz.onion
c) Register your e-mail (Sign Up)
d) Write us on e-mail: teduggreene@torbox3uiot6wchz.onion


ATTENTION: e-mail (teduggreene@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion



Your personal key:

25581f43e68d4d58c76a7fbf16bb00d8f6a96a585175fe1cb820b773b0c221
ad49b19027a94de8ede0970eabd9e565d8e33385f6f4de7f7d02ddc1d4a4
bb9111e91e21bc60fd2f7f91057f34b49bc274f5e5fadc7e21016ab1b172
b12b3229c3fcef1daddbe3c813f82ea5d2ec4d91a11ffdc5af34404cfdcc
cccf6d2aadcb30




#2 cybercynic

Posted 01 December 2017 - 06:36 PM

You need to upload the ransom note AND an encrypted file here: https://id-ransomware.malwarehunterteam.com/

 

The site will attempt to identify your ransomware and suggest a solution (if any).

 

If it cannot identify the ransomware, it will give you a SHA1 hash that you need to post in this topic for Demonslay335 to review.


We are drowning in information - and starving for wisdom.


#3 quietman7, Global Moderator

Posted 01 December 2017 - 07:43 PM

What is the actual name of the ransom note?

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button. It's best to compress large files before sharing.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 joestermeyer (Topic Starter)

Posted 01 December 2017 - 11:18 PM

I have uploaded an encrypted file as well as the ransom note.  I did try to submit them to the link but the tool was unable to detect.  Here is the data

 

SHA1: 3bd7cf67e30f404aa18658d76e98b6e22bf13dff

 

Thanks,

Jon



#5 Demonslay335, Ransomware Hunter (Security Colleague)

Posted 02 December 2017 - 01:17 AM

Any chance you have some encrypted files with their originals? Also, more importantly we will need the malware executable itself.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#6 Amigo-A

Posted 02 December 2017 - 04:32 AM

 
Outwardly it looks like a non-modified note from YYTO Ransomware with the .m5m5 extension in September.

YYTO Ransomware


Edited by Amigo-A, 02 December 2017 - 07:02 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#7 joestermeyer (Topic Starter)

Posted 02 December 2017 - 05:14 AM

I hadn't seen that YYTO similarity before - too many options to run down!  Thanks for the direction I will try some cleaners.  If there are any to recommend that would be great.

 

I will also try to upload some samples, encrypted and prior.

 

thanks!



#8 Amigo-A

Posted 02 December 2017 - 07:00 AM

joestermeyer

What is the name of the ransom note now?

Help.txt or Readme.txt?




#9 joestermeyer (Topic Starter)

Posted 02 December 2017 - 09:03 AM

Ransom note was readme.txt



#10 Amigo-A

Posted 02 December 2017 - 10:28 AM

Yes. 

They use different names: Help.txt or help.txt and Readme.txt or readme.txt ...


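The triage steps scattered through this thread (the rename pattern in post #1, the SHA-1 that ID Ransomware reports for an unidentified sample in post #2, the encrypted/original pairs asked for in post #5, and the note names in post #10) can be pulled together into one inventory pass. The script below is an added example written for this page; it is not code from the thread, from ID Ransomware or from any tool mentioned here. It assumes the rename pattern is exactly `<original name>.<attacker e-mail>.<marker>` with markers `.m6m6` or `.m5m5`, that the note is a file named help.txt or readme.txt in any letter case, and that a backup copy (if one exists) mirrors the infected tree's directory layout. The sample tree it scans is constructed in a temporary directory with placeholder bytes, not real ciphertext. It decrypts nothing; it only collects what a responder would report.

```python
"""Inventory files hit by the ransomware described in this thread (added example).

Assumptions (not confirmed by the thread beyond the one posted example):
  - encrypted names are <original>.<attacker e-mail>.<marker>, e.g.
    CONFIG.SYS.teduggreene@adexec.com.m6m6
  - ransom notes are help.txt or readme.txt, any letter case
  - a backup, if present, mirrors the infected tree's relative paths
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MARKERS = ("m6m6", "m5m5")  # .m6m6 in this thread, .m5m5 in the September YYTO samples
NOTE_NAMES = {"help.txt", "readme.txt"}

# Greedy <original> keeps dots in names like CONFIG.SYS; the e-mail holds the
# only '@' and the marker is anchored at the end of the name.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.(?P<email>[^@/\\]+@[^@/\\]+)\.(?P<marker>"
    + "|".join(MARKERS) + r")$",
    re.IGNORECASE,
)


@dataclass
class EncryptedFile:
    path: str
    original_name: str
    attacker_email: str
    marker: str


def parse_encrypted_name(name: str, path: Optional[str] = None) -> Optional[EncryptedFile]:
    """Split an encrypted file name into its parts; None if it does not match."""
    m = ENCRYPTED_RE.match(name)
    if not m:
        return None
    return EncryptedFile(path or name, m["original"], m["email"], m["marker"].lower())


def sha1_of(path: str) -> str:
    """SHA-1 of a file, the hash ID Ransomware reports for an unidentified sample."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> Dict[str, object]:
    """Walk root and separate ransom notes from encrypted files; untouched files are ignored."""
    encrypted: List[EncryptedFile] = []
    notes: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn.lower() in NOTE_NAMES:
                notes.append({"path": full, "sha1": sha1_of(full)})
                continue
            parsed = parse_encrypted_name(fn, full)
            if parsed:
                encrypted.append(parsed)
    encrypted.sort(key=lambda e: e.path)
    notes.sort(key=lambda n: n["path"])
    return {
        "encrypted": encrypted,
        "notes": notes,
        "emails": sorted({e.attacker_email for e in encrypted}),
        "markers": sorted({e.marker for e in encrypted}),
    }


def find_original_pairs(encrypted: List[EncryptedFile], root: str, backup_root: str) -> List[Tuple[str, str]]:
    """Pair each encrypted file with a pre-infection copy at the same relative path in a backup."""
    pairs = []
    for e in encrypted:
        rel_dir = os.path.relpath(os.path.dirname(e.path), root)
        candidate = os.path.normpath(os.path.join(backup_root, rel_dir, e.original_name))
        if os.path.isfile(candidate):
            pairs.append((e.path, candidate))
    return pairs


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample: a fake infected tree plus a backup holding one original.
    File contents are placeholder bytes, not real ciphertext."""
    root = tempfile.mkdtemp(prefix="infected_")
    backup = tempfile.mkdtemp(prefix="backup_")
    samples = {
        "CONFIG.SYS.teduggreene@adexec.com.m6m6": b"\x00" * 64,
        "docs/report.docx.teduggreene@adexec.com.m6m6": b"\x01" * 64,
        "docs/readme.txt": b"Hello. Your files have been encrypted.\n",
        "app.exe": b"MZ" + b"\x00" * 30,  # .exe files were left alone, per post #1
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    orig = os.path.join(backup, "docs", "report.docx")
    os.makedirs(os.path.dirname(orig), exist_ok=True)
    with open(orig, "wb") as f:
        f.write(b"placeholder original report")
    return root, backup


if __name__ == "__main__":
    root, backup = build_demo_tree()
    inv = inventory(root)
    print("attacker e-mail(s):", inv["emails"], "marker(s):", inv["markers"])
    for n in inv["notes"]:
        print("note", n["path"], "SHA-1", n["sha1"])
    for e in inv["encrypted"]:
        print("encrypted", e.path, "->", e.original_name)
    for enc, orig in find_original_pairs(inv["encrypted"], root, backup):
        print("pair", enc, "<->", orig)
```

Run it as-is to see the constructed tree inventoried; to use it on a real case, point `inventory()` at the affected volume and `find_original_pairs()` at a backup or a synced copy that predates the infection. Only files whose name matches the full pattern are counted, so a stray file that merely ends in `.m6m6` without an e-mail in its name is not reported as encrypted.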


#11 joestermeyer (Topic Starter)

Posted 02 December 2017 - 11:47 AM

Any further thoughts on a cleaning process and/or decrypting process?

 

thanks!



#12 Amigo-A

Posted 02 December 2017 - 01:46 PM

So far there is no public free tool for decrypting files...

 


Edited by Amigo-A, 02 December 2017 - 01:47 PM.



#13 joestermeyer (Topic Starter)

Posted 02 December 2017 - 04:13 PM

Please let me know what I can provide to assist in further troubleshooting.



#14 quietman7, Global Moderator

Posted 02 December 2017 - 08:16 PM

As Demonslay335 noted in Post #5 above, he needs the malware executable itself. If you can find it, submit the file to the link I provided in Post #3.



#15 joestermeyer (Topic Starter)

Posted 03 December 2017 - 09:58 AM

I have not been able to identify the exe - any tips on how to find it? My anti-virus won't run due to the file encryption.





