
Skeleton Ransomware SKELETON@RAPE.LOL


  • This topic is locked
11 replies to this topic

#1 shizzle08

  • Members
  • 9 posts

Posted 13 December 2017 - 08:13 AM

Hi guys, my PC was attacked by this ransomware. I tried googling this but had no luck finding more info.

Anyway, I included the ransom note and the sample JPG encrypted file for your reference.

 

I'm already in contact with Dr.Web and waiting for their feedback.

https://we.tl/lRXVbclC84.

 

 

SHA1: 8dccbfadc14880b2daa48ed14c4cff2cb2db3d19

File Extension: [skeleton@rape.lol].skeleton

Contact Email Address: skeleton@rape.lol

 

When I browse rape.lol it redirects to cock.li. I think this is related to blind@rape.lol and kill@rape.lol


Edited by shizzle08, 13 December 2017 - 09:42 AM.



 


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 December 2017 - 09:16 AM

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 shizzle08

  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2017 - 09:36 AM

 Unable to determine ransomware.

 

Encrypted file and ransom note: https://we.tl/lRXVbclC84.

 

SHA1: 8dccbfadc14880b2daa48ed14c4cff2cb2db3d19

File Extension: [skeleton@rape.lol].skeleton

Contact Email Address: skeleton@rape.lol

 

When I browse rape.lol it redirects to cock.li. I think this is related to blind@rape.lol and kill@rape.lol


Edited by shizzle08, 13 December 2017 - 09:43 AM.


#4 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 13 December 2017 - 09:50 AM

I've set out a hunt on this one, we'll need the malware itself to analyze and confirm. I'm not sure if it's related to Blind yet, it does have a similar pattern for storing a key at the end of the file, but longer. Could be an upgraded version.

 

https://twitter.com/demonslay335/status/940952443009097728


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 December 2017 - 10:21 AM

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.

#6 shizzle08

  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2017 - 10:28 AM

> I've set out a hunt on this one, we'll need the malware itself to analyze and confirm. I'm not sure if it's related to Blind yet, it does have a similar pattern for storing a key at the end of the file, but longer. Could be an upgraded version.
>
> https://twitter.com/demonslay335/status/940952443009097728

 

Dr.Web asked me for this file, maybe this is the malware exe. https://we.tl/oiXb1ZTAAB

 

filename: !!skeleton.exe.[skeleton@rape.lol].skeleton 



#7 shizzle08

  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2017 - 10:31 AM

> Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.

I already deleted the files. I'm afraid that my personal computer might get infected. But I already uploaded it here, https://we.tl/oiXb1ZTAAB



#8 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 13 December 2017 - 10:44 AM

 

> > Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
>
> I already deleted the files. I'm afraid that my personal computer might get infected. But I already uploaded it here, https://we.tl/oiXb1ZTAAB

Yep, that's the malware. And I can confirm it is a new iteration of Blind. The newest versions have not been decryptable I'm afraid.




#9 shizzle08

  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2017 - 10:46 AM

 

 

> > > Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
> >
> > I already deleted the files. I'm afraid that my personal computer might get infected. But I already uploaded it here, https://we.tl/oiXb1ZTAAB
>
> Yep, that's the malware. And I can confirm it is a new iteration of Blind. The newest versions have not been decryptable I'm afraid.

What do you suggest? Just reformat my workstation and say goodbye to my files, or wait a little longer?



#10 Emmanuel_ADC-Soft

  • Members
  • 314 posts
  • Gender:Male
  • Location:Paris

Posted 13 December 2017 - 10:55 AM

@shizzle08,

Wait a moment for the confirmation of Dr.Web.



#11 shizzle08

  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2017 - 10:58 AM

> @shizzle08,
>
> Wait a moment for the confirmation of Dr.Web.

Alright bro, thanks. I'm still waiting for Dr.Web's response.



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 December 2017 - 12:52 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



