
Extractor Ransomware (.xxx ext - ReadMe_XXX.txt) Support Topic


13 replies to this topic

#1 DLHPEPO

Posted 22 December 2017 - 04:40 PM

Hi all, last night I was infected with a ransomware that seems to be TeslaCrypt.

Most files have been encrypted like this: "filename"."realextension"."xxx", but I don't have any message asking me to pay BTC or anything like that, and the problem is bigger because the hacker or virus has deleted all the backup files stored on a NAS.

I have uploaded a file to sendspace if someone can help me.

https://www.sendspace.com/file/qaze9x

I tried all the TeslaCrypt apps to solve the issue, but all of them told me that it is not a TeslaCrypt file.

I would be very grateful if someone can help me.

Thanks!


#2 quietman7 (Global Moderator)

Posted 22 December 2017 - 08:27 PM

The original TeslaCrypt will have the .ecc extension appended to the end of the encrypted data filename and leave ransom notes named RECOVERY_KEY.TXT, HELP_RESTORE_FILES.txt and HELP_RECOVER_FILES.txt.

TeslaCrypt 2.0 will have the .ezz/.exx extension appended to the end of the encrypted data filename and leave files (ransom notes) named HELP_TO_SAVE_FILES.txt and RECOVERY_FILES.TXT.

TeslaCrypt 2.1 will have the .aaa/.abc/.ccc/.vvv extension appended to the end of the encrypted data filename and leave files (ransom notes) named Howto_Restore_FILES.txt, RECOVERY_FILE_[random].txt, restore_files_[random].txt, recover_files_[random].txt, recover_file_[random].txt, Howto_RESTORE_FILES_[random].txt, howto_recover_file_[random].txt, _how_recover_[random].txt, how_recover+[3-random].txt. At least one version is disguised as CryptoWall.

TeslaCrypt 3.0 will have the .xxx, .ttt, .micro or .mp3 extension appended to the end of the encrypted data filename and leave files (ransom notes) named recovery_file_[random].txt, recover_file_[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[3-random].txt, Recovery+[5-random].txt, _ReCoVeRy_+[5-random].txt, Recovery_[5-random].txt, _H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, _recovery_+cryptolocker.txt, RECOVERY.TXT.

TeslaCrypt 4.0 no longer uses an obvious extension for encrypted filenames and will leave files (ransom notes) named RECOVER+[random].TXT, RECOVER[5-random].TXT, recover_file.txt, _rEcOvEr_[5-random].txt, +-HELP-RECOVER-+[5-random]-+.txt, +REcovER+[5-random].txt, -!RecOveR!-[5-random]++.txt, {RecOveR}-[5-random]__.txt, -!recover!-!file!-.txt. TeslaCrypt 4.0 is further identified by the hex pattern in the header.

The best way to identify the different ransomware families is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment, and the malware file responsible for the infection.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.



Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 DLHPEPO (Topic Starter)

Posted 23 December 2017 - 03:46 AM

Yesterday I uploaded a file to ID Ransomware. It told me that it is TeslaCrypt 3.0, and I tried all the apps to decrypt without success.

I cannot upload a screen capture; the forum tells me that I don't have rights to do it.



#4 Amigo-A

Posted 23 December 2017 - 04:36 AM

DLHPEPO

Upload Pictures Online
 
Then paste a simple link here.

Edited by Amigo-A, 23 December 2017 - 04:39 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#5 DLHPEPO (Topic Starter)

Posted 23 December 2017 - 05:52 AM

Thanks for the help!

 

Here is the screen capture:

 

https://imgur.com/scGKrRM



#6 quietman7 (Global Moderator)

Posted 23 December 2017 - 06:56 AM

The ReadMe_XXX.txt ransom note matches one used by Extractor Ransomware. It does not match that of a note used by TeslaCrypt so ID Ransomware provided two possibilities based on the .xxx extension...see here.

Were there any contact email addresses or hyperlinks provided by the cyber-criminals?

Do you have a sample of the malware file itself? If so, it can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
 
For future reference....How do I post a screen shot?

#7 Amigo-A

Posted 23 December 2017 - 07:21 AM

Yes, this data is used by Extractor Ransomware:
Extension: .xxx
Ransom note: ReadMe_XXX.txt

But DLHPEPO says that he does not have a ransom note...

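The indicators in this thread, as an added triage script (not code from the thread, BleepingComputer or ID Ransomware): the extension and ransom-note name table quietman7 gives in post #2 for the TeslaCrypt versions, plus the .xxx / ReadMe_XXX.txt pair Amigo-A lists above for Extractor, compiled into a scanner that reports every family with a hit instead of picking one. That is the point the thread makes: .xxx alone is ambiguous between TeslaCrypt 3.0 and Extractor, and the note name is what separates them. The `[random]`, `[3-random]` and `[5-random]` placeholders are read as the post writes them, the file list is constructed for the example, and the hex header pattern the post mentions for TeslaCrypt 4.0 is not given on the page, so the script does not check it.

```python
"""Ransomware triage by appended extension and ransom-note file name.

Added example for this thread, not code from the page. The indicator table
is copied from quietman7's post #2 (TeslaCrypt versions) and Amigo-A's
post #7 (Extractor); everything else here is an assumption of this script.
"""
import os
import re
from collections import Counter

# family -> (extensions appended to encrypted files, ransom-note name patterns).
# Patterns keep the thread's placeholders [random], [3-random], [5-random].
INDICATORS = {
    "TeslaCrypt (original)": ({".ecc"},
        ["RECOVERY_KEY.TXT", "HELP_RESTORE_FILES.txt", "HELP_RECOVER_FILES.txt"]),
    "TeslaCrypt 2.0": ({".ezz", ".exx"},
        ["HELP_TO_SAVE_FILES.txt", "RECOVERY_FILES.TXT"]),
    "TeslaCrypt 2.1": ({".aaa", ".abc", ".ccc", ".vvv"},
        ["Howto_Restore_FILES.txt", "RECOVERY_FILE_[random].txt",
         "restore_files_[random].txt", "recover_files_[random].txt",
         "recover_file_[random].txt", "Howto_RESTORE_FILES_[random].txt",
         "howto_recover_file_[random].txt", "_how_recover_[random].txt",
         "how_recover+[3-random].txt"]),
    "TeslaCrypt 3.0": ({".xxx", ".ttt", ".micro", ".mp3"},
        ["recovery_file_[random].txt", "recover_file_[random].txt",
         "Howto_Restore_FILES.TXT", "help_recover_instructions+[3-random].txt",
         "Recovery+[5-random].txt", "_ReCoVeRy_+[5-random].txt",
         "Recovery_[5-random].txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt",
         "_recovery_+cryptolocker.txt", "RECOVERY.TXT"]),
    # No obvious extension; the header hex pattern is not on the page, so not checked.
    "TeslaCrypt 4.0": (set(),
        ["RECOVER+[random].TXT", "RECOVER[5-random].TXT", "recover_file.txt",
         "_rEcOvEr_[5-random].txt", "+-HELP-RECOVER-+[5-random]-+.txt",
         "+REcovER+[5-random].txt", "-!RecOveR!-[5-random]++.txt",
         "{RecOveR}-[5-random]__.txt", "-!recover!-!file!-.txt"]),
    "Extractor": ({".xxx"}, ["ReadMe_XXX.txt"]),
}

_PLACEHOLDER = re.compile(r"\[(\d+-)?random\]")


def pattern_to_regex(pattern):
    """Turn e.g. 'Recovery+[5-random].txt' into an anchored regex.
    [N-random] becomes exactly N alphanumerics, [random] one or more.
    Matching is case-insensitive because the thread lists the same note
    name in different cases (Howto_Restore_FILES.txt vs .TXT)."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        n = m.group(1)
        parts.append(r"[A-Za-z0-9]{%s}" % n[:-1] if n else r"[A-Za-z0-9]+")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = {fam: (exts, [pattern_to_regex(p) for p in notes])
            for fam, (exts, notes) in INDICATORS.items()}


def triage(filenames):
    """Return {family: {"extensions": Counter, "notes": [names]}} for every
    family with at least one hit. Ambiguity is deliberately left visible:
    ".xxx" alone lists both TeslaCrypt 3.0 and Extractor, exactly as
    ID Ransomware did for DLHPEPO; the note name is what separates them."""
    names = list(filenames)
    ext_counts = Counter(os.path.splitext(n)[1].lower() for n in names)
    hits = {}
    for family, (exts, notes) in COMPILED.items():
        hit_exts = Counter({e: ext_counts[e] for e in exts if ext_counts[e]})
        hit_notes = sorted({n for n in names if any(rx.match(n) for rx in notes)})
        if hit_exts or hit_notes:
            hits[family] = {"extensions": hit_exts, "notes": hit_notes}
    return hits


def rank(hits):
    """Families backed by a ransom-note match first (the stronger indicator
    per the thread), extension-only hits after them."""
    return sorted(hits, key=lambda f: (not hits[f]["notes"], f))


def triage_directory(root):
    """Walk a mounted image or share and triage every file name found."""
    return triage(f for _, _, files in os.walk(root) for f in files)


# Constructed sample mirroring the thread: data files renamed to
# "name.realext.xxx" plus the note DLHPEPO eventually found.
SAMPLE = ["budget.xlsx.xxx", "photo.jpg.xxx", "contract.docx.xxx",
          "ReadMe_XXX.txt", "desktop.ini"]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for family in rank(result):
        print(family, dict(result[family]["extensions"]), result[family]["notes"])
```

On the constructed sample the script lists Extractor first (extension and note both match) and TeslaCrypt 3.0 second (extension only), which is the same two-candidate outcome ID Ransomware gave in this thread before the note name settled it. Run it against a mounted copy of the affected share with `triage_directory`, never against the live host.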


#8 DLHPEPO (Topic Starter)

Posted 23 December 2017 - 10:43 AM

Many thanks guys, yes I have found the ransom note, it is like this:

 

*****************************************************

Hello
 
I crypted all your important data 
I stored the crypted data in your hard disk.
If you want to become your data back, send me an mail containing your ip adress.
 
Your ip adress:   
 
e-mail : server.recover@mail.ru
********************************************************************************
 
Is there anything that I can do to restore my files?


#9 quietman7 (Global Moderator)

Posted 23 December 2017 - 11:16 AM

That is the contents of the ransom note. What is the actual name of that file?

#10 DLHPEPO (Topic Starter)

Posted 23 December 2017 - 11:22 AM

ReadMe_XXX.txt



#11 Emmanuel_ADC-Soft

Posted 23 December 2017 - 12:11 PM

So it is Extractor:

https://id-ransomware.malwarehunterteam.com/identify.php?case=9f190edb6f14019d456628772f1ba23883557e2b



#12 quietman7 (Global Moderator)

Posted 23 December 2017 - 04:14 PM

Since Extractor is still under analysis, I'm not aware of any solution to decrypt your files without paying the ransom and even then there is no guarantee. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

#13 DLHPEPO (Topic Starter)

Posted 23 December 2017 - 04:50 PM

I suppose this will be the only way to recover the files. I have all the servers backed up, but the guy who infected them deleted my backups too, so the only way at the moment is to recover my lost backups.

Many thanks for your help guys.



#14 quietman7 (Global Moderator)

Posted 23 December 2017 - 05:13 PM

You're welcome.

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.



