+asdasd333@default.rs ransomware


12 replies to this topic

#1 andrew_b

Posted 11 December 2017 - 10:08 AM

Hi there, need your help.

 

I was infected by a ransom virus yesterday morning. I assume that it was caused by the low length of the password (3 digits) set on RDP for the admin user.

The virus encrypted all the files in each directory, putting its extension +asdasd333@default.rs on each file. Moreover, the virus created an INSTR.txt file that contains the following message: Для расшифровки пишите в джаббер: asdasd333@default.rs , Ваш ПИН: 69

Can you help me figure out the exact name of that ransomware virus? Can I delete it? And, more importantly, can I decrypt my files? (An infected, encrypted file is attached below.)


Edited by andrew_b, 11 December 2017 - 10:18 AM.




#2 andrew_b

Posted 11 December 2017 - 10:13 AM

the encrypted file https://fex.net/#!608385288444


Edited by andrew_b, 11 December 2017 - 10:21 AM.


#3 Demonslay335

Posted 11 December 2017 - 11:17 AM

I do not recognize what ransomware it may be. The file does have some patterns in it, suggesting either something like simple XOR, or AES in ECB mode.

 

Can you provide a few encrypted files and their originals? Also please provide the ransom note.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
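
The kind of pattern check mentioned in post #3 (visible structure pointing to simple XOR or AES in ECB mode) can be sketched as below. This is an added example, not code from the thread or from any poster; the sample data, the 5-byte key and the SHA-256 stand-in for a block cipher are constructed assumptions.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes

def repeated_block_ratio(data, block=BLOCK):
    """Fraction of aligned blocks whose value occurs more than once."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    counts = Counter(blocks)
    return sum(n for n in counts.values() if n > 1) / len(blocks) if blocks else 0.0

def shortest_period(data, max_period=64, threshold=0.9):
    """Smallest shift p at which most bytes equal the byte p positions later."""
    for p in range(1, min(max_period, len(data) - 1) + 1):
        n = len(data) - p
        if sum(data[i] == data[i + p] for i in range(n)) / n >= threshold:
            return p
    return None

def triage(data):
    """Return (verdict, period, repeated-block ratio) for one file's bytes."""
    ratio, period = repeated_block_ratio(data), shortest_period(data)
    if period is not None and period % BLOCK:
        # A 16-byte block cipher can only yield periods that are multiples of 16.
        verdict = "repeating-key XOR candidate"
    elif ratio > 0.01:
        verdict = "ECB-style block cipher or XOR with 16-byte-aligned key"
    else:
        verdict = "no visible structure"
    return verdict, period, ratio

# --- constructed sample data (not taken from the thread's files) ---
PLAIN = b"CONSTRUCTED-HDR!" + bytes(496)          # 16-byte header + zero padding
XOR_KEY = b"\x13\x37\xc0\xde\x42"                 # hypothetical 5-byte key
XOR_SAMPLE = bytes(b ^ XOR_KEY[i % 5] for i, b in enumerate(PLAIN))
# Stand-in for ECB: a keyed per-block mapping (truncated SHA-256), not real AES;
# like ECB, equal plaintext blocks give equal ciphertext blocks.
ECB_SAMPLE = b"".join(hashlib.sha256(b"k" + PLAIN[i:i + BLOCK]).digest()[:BLOCK]
                      for i in range(0, len(PLAIN), BLOCK))
# Stand-in for a well-encrypted file: a hash-derived pseudo-random stream.
RANDOM_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for name, blob in [("xor", XOR_SAMPLE), ("ecb", ECB_SAMPLE), ("random", RANDOM_SAMPLE)]:
        print(name, triage(blob))
```

A period of exactly 16 is ambiguous between ECB and a 16-byte XOR key, which is why a matching original/encrypted file pair is the next thing to ask for.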


#4 andrew_b

Posted 11 December 2017 - 12:02 PM

Hmm... it might be a problem to find both files (encrypted and decrypted); however, by tomorrow evening I will try to find the files.
The ransom note: Для расшифровки пишите в джаббер: asdasd333@default.rs , Ваш ПИН: 69 --- In order to decrypt files please contact me via Jabber asdasd333@default.rs your pin 69
In addition, I have just scanned the computer with the AVZ scanner, and this is what I got:
https://fs19.fex.net/get/908621830254/140913807/d9de4859/avz_log.txt --- However, it will be useful only if you speak Russian...

Can you provide me with something similar to the AVZ scanner that scans and logs suspicious activity, but in English?



#5 Emmanuel_ADC-Soft

Posted 11 December 2017 - 12:57 PM

@andrew_b,

scanned files: 102561, extracted from the archives: 86387, found malicious software 0, suspicion - 0

logs in English https://we.tl/06yMtewcVy



#6 andrew_b

Posted 11 December 2017 - 01:11 PM

I do not recognize what ransomware it may be. The file does have some patterns in it, suggesting either something like simple XOR, or AES in ECB mode.

 

Can you provide a few encrypted files and their originals? Also please provide the ransom note.

here i found few files that are decrypted - found on another computer

 



#7 andrew_b

Posted 11 December 2017 - 01:16 PM

@andrew_b,

scanned files: 102561, extracted from the archives: 86387, found malicious software 0, suspicion - 0

logs in English https://we.tl/06yMtewcVy

Thanks Emmanuel for the translation - yes, it does not find any viruses, but it found a few suspicious activities here WINDOWS\system32\DRIVERS\ehdrv.sys and here ntkrnlpa.exe; however, I cannot find those files even when I enabled showing hidden files



#8 thyrex

Posted 11 December 2017 - 10:55 PM

It's the last (or one of the last) version of this ransomware https://virusinfo.info/showthread.php?t=206679

Without the key, it can't be decrypted.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#9 andrew_b

Posted 12 December 2017 - 03:08 AM

https://fex.net/#!759489924778 the quarantine files made by the AVZ scanner; maybe that will help, because I still did not find the virus executive file and I have no idea how to remove it from my PC



#10 andrew_b

Posted 12 December 2017 - 03:11 AM

It's the last (or one of the last) version of this ransomware https://virusinfo.info/showthread.php?t=206679

Without the key, it can't be decrypted.

So if this is the case, the only person who may decrypt the files is the person that demands the ransom?



#11 Emmanuel_ADC-Soft

Posted 12 December 2017 - 03:15 AM

https://fex.net/#!759489924778

Hello, your link is not working can you give it the right one thx

Emmanuel



#12 andrew_b

Posted 12 December 2017 - 03:23 AM

 

https://fex.net/#!759489924778

Hello, your link is not working can you give it the right one thx

Emmanuel

 

https://fex.net/load/759489924778/141768836



#13 Amigo-A

Posted 12 December 2017 - 07:53 AM

andrew_b
 
Probably, this is a new version of FLKR Ransomware

General description

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.




