
[decrypt.guarantee@aol.com].block - Ransomware


  • This topic is locked
9 replies to this topic

#1 needthekey

needthekey

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 20 December 2017 - 08:51 AM

If anyone has been attacked by [decrypt.guarantee@aol.com].block (Dharma variant) ransomware, please do not pay the money. I paid the ransomware but they did not return the key.





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:42 AM

Posted 20 December 2017 - 11:20 AM

That is not uncommon with ransomware developers.

BTW, this is a related topic...
Dharma/Crysis/Unlock92 similar ransomware
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Amigo-A

Amigo-A

  • Members
  • 568 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:10:42 AM

Posted 20 December 2017 - 01:11 PM

Looking at the information you provided, it is probably this Unlock92 Ransomware.

Upload a screenshot of the ransom requirements for us to find out for sure, or compare with those in this article and in the updates at the end of the article.


Edited by Amigo-A, 20 December 2017 - 01:15 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#4 quietman7

Posted 20 December 2017 - 03:21 PM

That is what I thought too, but Demonslay335 did not confirm it was Unlock92 in the other topic.

I'm seeing uploads with that extension are getting tagged as the latest CrySiS/Dharma based on the filemarkers, so that leads me to believe it could be that instead...



#5 Amigo-A

Posted 21 December 2017 - 11:55 AM

Here everything is simple and simultaneously not so simple.
We know that Unlock92, like many others [CrySiS, Dharma, Apocalypse, ODCODC, XRTN, BandarChor, Rakhni, Paycrypt, Bucbi, Amnesia, Scarab, Unlock92, WannaCry (at least one of them), NotPetya, XData], originates from the same source (distributors and criminal groups from Ukraine).
Features: they like to switch between various extortion campaigns aimed towards Russia (this is the main direction of Ukrainian crypto-extortionists) and in the other direction, where the euros and dollars go into their hands.
Period of time: three months of work, three months of rest or three months of work on another extortion project.
The same email address only confirms the transition from one project to another. Or he did not have time to change it; a pity to lose the money that keeps coming in from all sides.

Edited by Amigo-A, 21 December 2017 - 12:42 PM.



#6 needthekey

Posted 21 December 2017 - 12:08 PM

I lost my money and all my family pictures, including my lost baby. I hope the programmers read this and release the key, after all I PAID. 



#7 Amigo-A

Posted 21 December 2017 - 12:15 PM

Extortionists do not have a feeling of pity and there is not a drop of conscience.




#8 quietman7

Posted 21 December 2017 - 04:41 PM

I lost my money and all my family pictures, including my lost baby. I hope the programmers read this and release the key, after all I PAID.

Sorry to hear that and it's one reason most security experts will advise against paying the ransom demands of the malware writers...there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Further, paying only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain.

#9 DaveM66

DaveM66

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 01 January 2018 - 12:45 PM

I am currently working to restore an Unlock92 V2 infection.
The file extensions have all been changed to decrypt.guarantee@aol.block

I have recovered some data and restored my customer from recovered data to 2015. At least they are up and running at this point.

#10 quietman7

Posted 01 January 2018 - 03:24 PM

There already is an ongoing discussion where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Rather than have several different individual topics, it would be best (and more manageable for staff) if all victims posted questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff





