File Spider Ransomware (.spider - HOW TO DECRYPT FILES.url) Support Topic


29 replies to this topic

#1 loopdemack (Members, 13 posts)

Posted 10 December 2017 - 01:30 PM

Is the .spider ransomware a known ransomware, or is it some variant of another ransomware hiding behind the .spider extension?

Currently there is a huge attack on all the Balkan states in Europe, with emails in Balkan languages addressed to the exact names of the companies being attacked and with almost legitimate email content, like an executor's court order case with some numbers, names and bank accounts used. Everything is fake of course, but it's a very intelligent attack.
 
I hope it will not make huge damage.


#2 quietman7, Bleepin' Janitor (Global Moderator, 52,047 posts, Virginia, USA)

Posted 10 December 2017 - 06:02 PM

Did you submit any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks used by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 loopdemack (Topic Starter)

Posted 10 December 2017 - 07:23 PM

quietman7 wrote:
    Did you submit any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks used by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

    Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

I got the hard drive a few minutes ago; I see the ransomware instructions were under this hyperlink: https://vid.me/embedded/CGyDc?autoplay=1&stats=1

I didn't submit yet; I will, of course. As I understood it, it was a major attack that targeted companies specifically, and each email was very specific. Each email had the exact company name.

I'm trying to extract the originating email from the Outlook database.

Here I uploaded one encrypted jpg file: https://www.mediafire.com/file/p1yb6xjrhwicfyn/IMG_1655.JPG.spider



#4 loopdemack (Topic Starter)

Posted 10 December 2017 - 07:31 PM

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 08e40687ffa4474ec23441f5fe15f050d89039e7



#5 quietman7 (Global Moderator)

Posted 10 December 2017 - 07:42 PM

Ok...please be patient until Demonslay335 has a chance to review the information.

#6 loopdemack (Topic Starter)

Posted 11 December 2017 - 02:14 AM

https://www.mediafire.com/file/b4wsy978yfbid7h/Spider.rar

Interesting: here is the spider exe with the list of files that were encrypted; there is also an id file, maybe that's the key for decoding?

https://www.virustotal.com/en/file/6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853/analysis/1512974406/



#7 Emmanuel_ADC-Soft (Members, 409 posts, Paris)

Posted 11 December 2017 - 07:10 AM

Hello loopdemack,

Do you have the instruction.txt file or any other ransom note?



#8 qvisti (Members, 1 post)

Posted 11 December 2017 - 09:20 AM

Here is a YouTube video for this ransomware showing how it works; you can also see the ransom note.


#9 loopdemack (Topic Starter)

Posted 11 December 2017 - 10:19 AM

Here is the official broadcast about this ransomware from one of the Balkan states.

https://www.nezavisne.com/nauka-tehnologija/internet/Hitno-upozorenje-zbog-e-maila-koji-se-siri-u-BiH/455600

 

The Department of Information Security - CERT broadcast that behind the spider ransomware is a local variant of 'HiddenTear+' ransomware; the emails were sent from office@adriadoo.com, but there are also backup emails.



#10 loopdemack (Topic Starter)

Posted 11 December 2017 - 10:31 AM

Emmanuel_ADC-Soft wrote:
    Hello loopdemack,
    Do you have the instruction.txt file or any other ransom note?

https://www.mediafire.com/file/h2652i1vahbkl9y/HOW%20TO%20DECRYPT%20FILES.rar

Here is the file; I rar'ed it.



#11 Emmanuel_ADC-Soft

Posted 11 December 2017 - 10:36 AM

OK, thank you. No instruction.txt file?



#12 loopdemack (Topic Starter)

Posted 11 December 2017 - 10:50 AM

Emmanuel_ADC-Soft wrote:
    OK, thank you. No instruction.txt file?

No.



#13 Demonslay335, Ransomware Hunter (Security Colleague, 3,586 posts, USA)

Posted 11 December 2017 - 11:13 AM

I've added detections for this (recovering from the weekend).

 

On first glance, it is not HiddenTear-based, and looks to be possibly secure. Haven't got much time to analyze much further on it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#14 thyrex (Members, 599 posts, Belarus)

Posted 11 December 2017 - 01:39 PM

Not HiddenTear.

AES-128 CFB mode + RSA-2048 for key and ID encryption


Edited by thyrex, 11 December 2017 - 01:41 PM.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#15 Demonslay335 (Security Colleague)

Posted 11 December 2017 - 05:53 PM

Correct. I confirmed it is not decryptable, keys are generated securely and per file.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
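To make concrete why thyrex's description (AES-128 in CFB mode, with RSA-2048 wrapping the key) plus Demonslay335's finding (keys generated securely and per file) rules out a free decryptor, here is an added example that models that hybrid scheme in Go with the standard library. It is illustration code written for this page, not code from the thread, from the Spider sample or from any of the tools linked above. The record layout (wrapped key, IV, ciphertext), the OAEP padding and the constructed JPEG-header bytes are assumptions made for the example; the thread does not state how the real sample stores or pads these values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptedFile is the per-file record assumed for this illustration: the
// RSA-wrapped AES key, the CFB IV and the ciphertext. The layout is an
// assumption for the example, not reversed from the Spider sample.
type EncryptedFile struct {
	WrappedKey []byte // random AES-128 key, encrypted to the attacker's RSA-2048 public key
	IV         []byte // 16-byte IV for AES-CFB
	Ciphertext []byte
}

// encryptFile is the ransomware side: a fresh random AES-128 key per file,
// AES-CFB over the contents, and the key wrapped with the embedded public key
// (OAEP here; the real padding scheme is not stated in the thread).
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// decryptFile is the attacker's decryptor: only the RSA private key can
// unwrap the file key; after that, CFB decryption is trivial.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptWithFileKey(key, ef)
}

// decryptWithFileKey applies a known 16-byte AES key to a record. This is the
// defender's only shortcut: if one file's key were recovered (say, from memory),
// it opens that file only, because every other file used a different key.
func decryptWithFileKey(key []byte, ef *EncryptedFile) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ef.Ciphertext))
	cipher.NewCFBDecrypter(block, ef.IV).XORKeyStream(pt, ef.Ciphertext)
	return pt, nil
}

// keystreamFromKnownPlaintext recovers the CFB keystream prefix of a record from
// a known plaintext prefix (e.g. a JPEG header): CFB is a stream construction,
// so C = P XOR keystream. The keystream is bound to this file's key and IV, so
// it is useless against any other file.
func keystreamFromKnownPlaintext(ef *EncryptedFile, known []byte) []byte {
	n := len(known)
	if n > len(ef.Ciphertext) {
		n = len(ef.Ciphertext)
	}
	ks := make([]byte, n)
	for i := 0; i < n; i++ {
		ks[i] = ef.Ciphertext[i] ^ known[i]
	}
	return ks
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // attacker keeps priv, ships only pub
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample input: a JPEG/JFIF header followed by filler bytes.
	jpegHdr := []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00}
	a, _ := encryptFile(&priv.PublicKey, append(append([]byte{}, jpegHdr...), " constructed photo A"...))
	b, _ := encryptFile(&priv.PublicKey, append(append([]byte{}, jpegHdr...), " constructed photo B"...))
	fmt.Println("wrapped keys differ per file:", !bytes.Equal(a.WrappedKey, b.WrappedKey))
	ksA := keystreamFromKnownPlaintext(a, jpegHdr)
	ksB := keystreamFromKnownPlaintext(b, jpegHdr)
	fmt.Println("known-plaintext keystream reusable across files:", bytes.Equal(ksA, ksB))
	pt, _ := decryptFile(priv, a)
	fmt.Printf("with the private key: %q\n", pt[len(jpegHdr):])
}
```

The two properties the thread relies on show up directly: each record carries a different wrapped key, and a keystream recovered from one file's known header does not line up with any other file's, so neither a known-plaintext attack on the JPEG headers nor a single recovered key gives a general decryptor. Without the RSA private key, the only attack surface left is a flaw in how the random keys were generated, which is what Demonslay335's check for "generated securely" is about.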




