
Linux ransomware uses .locked extension and read_me_for_recover_your_files.txt


This topic is locked
10 replies to this topic

#1 klund

klund

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 10 December 2017 - 03:43 PM

OS: Linux

Extension: .locked

Ransom Note: read_me_for_recover_your_files.txt

 

I caught the process "sshd.lock" doing the encryption and did a "kill -KILL" on it.  It was choking on a very large (9 TB) disk, so I was able to catch it in the act.

 

I've saved off the files it created in /dev/shm and /tmp

 

I have about 30 files caught in the middle of encryption operation, if this helps.

 

It got our website (which we have semi-recovered) and about 30 minutes before I killed it, it got our database files.

 

Help?!?

 

KLund
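The first post describes catching sshd.lock mid-run and being left with a tree of .locked files, ransom notes and files interrupted part-way through encryption. Before anything is moved or renamed (the note itself warns against renaming), a responder wants a read-only inventory: which files carry the extension, where the notes sit, their hashes, and a modification-time timeline that bounds when the encryption ran and which directories it reached. The script below is an added example, not code from the poster or from BleepingComputer. It builds a small constructed directory tree in a temp folder (hypothetical www/ and db/ paths with back-dated mtimes) so it runs offline; on a real incident you would point collect_artifacts() at the NAS root, ideally over a read-only mount from a separate machine.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

LOCKED_EXT = ".locked"
NOTE_NAME = "read_me_for_recover_your_files.txt"


@dataclass
class Artifact:
    path: str
    kind: str      # "encrypted" or "note"
    size: int
    mtime: float   # seconds since epoch, as reported by the filesystem
    sha256: str


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB .locked files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_artifacts(root: str) -> list:
    """Read-only walk: record every .locked file and ransom note, sorted by mtime.
    Nothing is opened for writing, moved or renamed."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                kind = "note"
            elif name.endswith(LOCKED_EXT):
                kind = "encrypted"
            else:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            found.append(Artifact(path, kind, st.st_size, st.st_mtime, sha256_of(path)))
    found.sort(key=lambda a: a.mtime)
    return found


def summarize(artifacts: list) -> dict:
    """Counts, affected directories and the mtime span of the encryption run."""
    enc = [a for a in artifacts if a.kind == "encrypted"]
    notes = [a for a in artifacts if a.kind == "note"]
    first = min((a.mtime for a in enc), default=None)
    last = max((a.mtime for a in enc), default=None)
    return {
        "encrypted_files": len(enc),
        "ransom_notes": len(notes),
        # identical notes hash identically; several distinct hashes would mean per-directory IDs
        "unique_note_hashes": len({n.sha256 for n in notes}),
        "dirs_hit": sorted({os.path.dirname(a.path) for a in enc}),
        "first_encrypted": first,
        "last_encrypted": last,
        "span_seconds": round(last - first) if enc else 0,
    }


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data): a web root and a db folder
    with back-dated mtimes so the timeline logic has something to order."""
    root = tempfile.mkdtemp(prefix="nas-sample-")
    t0 = time.time() - 3600
    layout = [
        ("www/index.php.locked", b"constructed-ciphertext-1", t0),
        ("www/" + NOTE_NAME, b"constructed ransom note body", t0 + 5),
        ("www/static/logo.png", b"untouched file", t0 - 86400),
        ("db/site.sql.locked", b"constructed-ciphertext-2", t0 + 1800),
        ("db/" + NOTE_NAME, b"constructed ransom note body", t0 + 1805),
    ]
    for rel, data, mtime in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    arts = collect_artifacts(root)
    for a in arts:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(a.mtime))
        print(stamp, a.kind, a.size, a.sha256[:12], a.path)
    print(summarize(arts))
```

The mtime span is a lower bound on the run, not proof: an encryptor can preserve or reset timestamps, and a filesystem with coarse mtime granularity rounds them. Treat the span as a starting point for correlating with whatever logs the device does keep, and keep the hash list with the saved /dev/shm and /tmp artifacts so the sample set you later hand to an analyst is self-describing.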



 


#2 klund

klund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 10 December 2017 - 05:55 PM

Looks like it took advantage of a CIFS vulnerability to get in.  Can't confirm because this NAS pipes smb logs to /dev/null



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:29 PM

Posted 10 December 2017 - 06:07 PM

The .locked extension is more generic since it is used by several types of ransomware...CryptoShocker, LockeR, SambaCry (StorageCrypt), Bitpaymer, LOCKED, Stampado, Philadelphia, Fantom, BankAccountSummary, RAA-SEP, Uyari, PokemonGo, Russian EDA2, JobCrypter, Zyklon Locker (GNL), ApocalypseVM, KimcilWare Ransomware, Message of Death, FirstRansomware, Zyka, C/C++ Ransomware (version of Globe) and some variants of Amnesia and Globe 3 all append the .locked extension to the end of the affected filename. As such, more information (i.e. a sample of the malware file itself, ransom note, contact email address provided by the criminals) is needed for identification and confirmation.

The best way to identify the different ransomware variants is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks used by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit samples of encrypted files, ransom notes and any contact email addresses or hyperlinks used by the cyber-criminals to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 klund

klund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 10 December 2017 - 06:18 PM

Thank you.  ID Ransomware did not find a match.  I fed it the ransom note and the encrypted index.php (.locked) file.

 

Please reference this case SHA1: c6c5bacc521a702d1bf238039b5f6c235adedb5a

 

klund



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:29 PM

Posted 10 December 2017 - 06:23 PM

Ok...please be patient until Demonslay335 has a chance to review the information.

#6 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 277 posts
  • ONLINE
  • Gender:Male
  • Location:Paris
  • Local time:07:29 PM

Posted 11 December 2017 - 07:32 AM

You can also share the read_me_for_recover_your_files.txt file and one or two .locked crypted files here to see if I can help.



#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,479 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:12:29 PM

Posted 11 December 2017 - 11:00 AM

Looks to be StorageCrypt. I do not identify on the ".locked" extension because literally 50 generic ransomware families use that extension these days. The note has new contact detail that I will add to ID Ransomware for identification.

 

https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/

https://www.bleepingcomputer.com/forums/t/663782/sambacry-storagecrypt-ransomware-support-locked-read-me-for-decrypttxt/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
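Demonslay335 identifies this as StorageCrypt, which the linked BleepingComputer article ties to SambaCry (CVE-2017-7494): a user who can write to a Samba share uploads a shared library and has the server load it by opening a named pipe, so a NAS with a writable share and an unpatched Samba is exposed. The real fix is a patched Samba build; Samba's documented stop-gap is `nt pipe support = no` under [global]. The script below is an added example, not code from the post or from the Samba project. It reads an smb.conf fragment (two constructed fragments are embedded, one weak and one hardened) and reports whether the workaround is present and which shares are writable, flagging guest-writable ones since those need no credentials at all. The parser is deliberately minimal (no `include =`, `copy =`, %-macros or registry configuration), so a clean result is a prompt to confirm with Samba's own `testparm`, not proof.

```python
WEAK_CONF = """\
; constructed smb.conf fragment (not a real device config)
[global]
   workgroup = WORKGROUP
   server string = NAS
   # nt pipe support left at its default of yes

[public]
   path = /share/public
   guest ok = yes
   writable = yes

[backup]
   path = /share/backup
   read only = yes
"""

HARDENED_CONF = """\
; constructed hardened fragment: workaround applied, guest access off
[global]
   workgroup = WORKGROUP
   nt pipe support = no

[public]
   path = /share/public
   guest ok = no
   read only = no
"""


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: section name -> {lowercased parameter: value}.
    Handles '#'/';' comment lines only; include/copy directives and %-macros are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(opts: dict) -> bool:
    """writable / writeable / write ok are Samba synonyms for the inverse of
    'read only', whose default is yes (share is read-only unless stated)."""
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in opts:
            return is_true(opts[synonym])
    if "read only" in opts:
        return not is_true(opts["read only"])
    return False


def assess(conf: dict) -> dict:
    """Report the SambaCry workaround state and the shares an attacker could write to."""
    glob = conf.get("global", {})
    pipes = glob.get("nt pipe support", "yes").lower()   # Samba default is yes
    shares = {s: o for s, o in conf.items() if s not in ("global", "printers", "print$")}
    writable = sorted(s for s, o in shares.items() if share_is_writable(o))
    guest_writable = sorted(s for s in writable if is_true(shares[s].get("guest ok", "no")))
    findings = []
    if is_true(pipes) and writable:
        findings.append(
            "nt pipe support is enabled and writable shares exist (%s); "
            "add 'nt pipe support = no' under [global] until Samba is patched" % ", ".join(writable))
    for s in guest_writable:
        findings.append("share [%s] is writable by guests: no credentials needed to drop a file into it" % s)
    return {"nt_pipe_support": pipes, "writable_shares": writable,
            "guest_writable_shares": guest_writable, "findings": findings}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess(parse_smb_conf(text)))
```

Note what the hardened fragment does not do: [public] stays writable, because a file server with no writable shares is not much of a file server. The workaround removes the pipe-loading path; restricting guest access only shrinks who can reach the writable share, and neither substitutes for upgrading Samba.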


#8 klund

klund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 11 December 2017 - 11:58 AM

I have copies of many before and after files if that will help.  Where do I upload the files as Emmanuel_ADC-Soft requests?

 

KLund



#9 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 277 posts
  • ONLINE
  • Gender:Male
  • Location:Paris
  • Local time:07:29 PM

Posted 11 December 2017 - 12:02 PM

Can you use Sendspace or WeTransfer for that and share the link here? Thank you.

https://www.sendspace.com/ or https://wetransfer.com/


Edited by Emmanuel_ADC-Soft, 11 December 2017 - 12:38 PM.


#10 klund

klund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 11 December 2017 - 03:32 PM

Emmanuel_ADC-Soft,

 

I uploaded the encrypted index.php, a random (large) zip file that was encrypted, and a before and after set of zip files.

 

https://we.tl/Y6WDUbfaMN

 

Forgot the ransom note, but it was included in the case upload:

 

case SHA1: c6c5bacc521a702d1bf238039b5f6c235adedb5a

 

Included here as well:

===BEGIN CUT=======================================

[WHAT HAPPENDED]

        Your important files produced on this device have been encrypted.

        No one can decrypt your files except us.


        To recover your files,please following the steps below

        1,Pay 0.51 bitcoin  to this address: 15MXS1MuNNm3MwgLv75ZHftkgjNrV8PAj6

                Pay To : 15MXS1MuNNm3MwgLv75ZHftkgjNrV8PAj6
                Amount : 0.51

        2,After you have finished paying,Send us your ID via email

        3,Once we confirmed your payment,We will immediately send you the decrypt tool .


[FREE DECRYPTION AS GUARANTEE]

        Before paying you can send to us up to 2 files for free decryption.
        Please note that files must NOT contain valuable information
        and their total size must be less than 2Mb

[ATTENTION]

        Do not rename encrypted files.
        Do not try to decrypt your data using third party software, it may cause permanent data loss.
        Don't forget to send us your ID after payment



Contact Email        :        gentilpascal@protonmail.com

Your ID                        :

        PirIset00GcJ6267IorDvCteLjuXEaWGgJnS
        8VD/8iAB7hBBTsrmxJlGuCXC/SsbxPtjSgpS
        Vl9NhNr0K0SPTVhRfwwKAUuXQDQ+ZhrTk/cq
        xvzsHgQv8zNoD3beK0Sfxsg6A+Qd//ZakUS0
        shbNBwRKMBMjmc5pFY51DLKgBePVLOHW9+PL
        Esa8nAdejSGIl+OIRjoABU2MrmwiCfi3x3b/
        YKDEHY5AJpXEP20ioOG8VuEn0I4v2AZ6GQeI
        j62QM/JYqR7QuiBm3buUEBEh5b3uO4rUtd8O
        WPMCyVqPauHCwcuYjNtomb7hDA/vrZs1/gNS
        rX4dBxKigEHIdBe1vhGCbkyCLjJ8bKYNhNg6
        mj5lbSDQS3DTaLKYcJG2cnasvdf3ZQxmEMOs
        QxabCMmxAHRh6eP2L/82NEkJuXnTnjBbWSd2
        AF/1IOczgTVfZ4AiVqlER4pqXq6+g+IS2HAc
        9FOpVslvSkjNoNL//KxGCX7cD7JH2obWVinp
        HMlGDJFjzqZvb4Op3QpAsXHucZ8xHxRSmURJ
        +jKV5oPM0rOeKEgAlnXew1FHslwcNTOLUF6X
        V3sPKsJCFDA0QO1bMAu2X5xx7uiUZAazPQ6E
        9E55tjXnqOjeSOWcIQDCa/NG/31JtdYU7+hs
        v297Z6nTZ2aLt42MaZSzSmm8ubvxsawE4JQ=



===END CUT=======================================
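Klund has before-and-after pairs of the same files, plus files caught mid-encryption. Before sending samples off, a plaintext/ciphertext pair can be diffed to learn the shape of the scheme: which byte range actually changed (an encryptor killed mid-file leaves an untouched tail), whether anything was appended (a footer or ID block), whether the changed region is block-aligned, and, the cheap but decisive test, whether plaintext XOR ciphertext repeats with a short period, which would mean a repeating-key XOR rather than a real cipher. The script below is an added example; it is not code from the thread and not an analysis of StorageCrypt's actual file format. The two sample pairs it builds are constructed in-block with a toy SHA-256-chain keystream and a toy 8-byte XOR key so it runs offline with deterministic results; real .locked files and their originals go into compare_pair() in place of those samples.

```python
import hashlib
import math
from collections import Counter

# Constructed plaintext standing in for a small web file (23 bytes x 200 = 4600 bytes)
PLAINTEXT = b"<?php echo 'index'; ?>\n" * 200


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the ceiling for uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_period(keystream: bytes, max_period: int = 256):
    """Smallest p such that keystream[i] == keystream[i-p] for every i >= p, or None."""
    n = len(keystream)
    for p in range(1, min(max_period, n // 2) + 1):
        if all(keystream[i] == keystream[i - p] for i in range(p, n)):
            return p
    return None


def compare_pair(plain: bytes, cipher: bytes) -> dict:
    """Diff a known plaintext against its encrypted counterpart."""
    overlap = min(len(plain), len(cipher))
    diffs = [i for i in range(overlap) if plain[i] != cipher[i]]
    if diffs:
        start, end = diffs[0], diffs[-1] + 1
    else:
        start, end = overlap, overlap
    keystream = bytes(plain[i] ^ cipher[i] for i in range(start, end))
    return {
        "size_delta": len(cipher) - len(plain),        # >0: bytes appended (footer/ID); <0: truncated
        "untouched_prefix": start,                      # leading plaintext bytes left alone
        "encrypted_region": (start, end),
        "untouched_tail": overlap - end,                # plaintext after the region: interrupted run
        "changed_bytes": len(diffs),
        "region_block_aligned_16": (end - start) % 16 == 0,
        "xor_period": find_period(keystream),           # short period => repeating-key XOR
        "plain_entropy": round(entropy(plain), 3),
        "cipher_entropy": round(entropy(cipher), 3),
    }


def toy_keystream(seed: bytes, length: int) -> bytes:
    """Toy deterministic keystream (SHA-256 chain) for the constructed sample only, not a
    real cipher; zero bytes are replaced by 1 so every byte in the region visibly changes."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(b or 1 for b in block)
    return bytes(out[:length])


def build_samples() -> dict:
    """Two constructed pairs: an encryptor killed after 4096 bytes that had already
    appended a 16-byte footer, and a whole-file repeating 8-byte XOR."""
    ks = toy_keystream(b"constructed-sample-seed", 4096)
    partial = (bytes(p ^ k for p, k in zip(PLAINTEXT[:4096], ks))
               + PLAINTEXT[4096:] + b"FOOTER-ID-000001")
    key = bytes([0x5A, 0x13, 0x77, 0x02, 0xC4, 0x8E, 0x31, 0x99])
    xored = bytes(p ^ key[i % len(key)] for i, p in enumerate(PLAINTEXT))
    return {"partial_stream": (PLAINTEXT, partial), "repeating_xor": (PLAINTEXT, xored)}


if __name__ == "__main__":
    for name, (plain, cipher) in build_samples().items():
        print(name, compare_pair(plain, cipher))
```

A period of None together with high ciphertext entropy only says the keystream did not repeat within 256 bytes; it does not make the cipher sound, and it says nothing about how the key was generated or stored. The untouched tail and the block alignment are the actionable fields for half-encrypted files: they tell you how much of each file survives as plaintext and whether the encryptor worked in fixed-size blocks, which is exactly the kind of detail that helps whoever is doing the identification.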



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:29 PM

Posted 11 December 2017 - 03:59 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. Demonslay335 and Emmanuel_ADC-Soft can assist you from there.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



