
Pulpy / Rozlok Ransomware (.AES, Instruction.txt) Support Topic


27 replies to this topic

#1 TechGeekMSP

  • Members
  • 7 posts
  • OFFLINE

Posted 26 December 2017 - 11:02 AM

A site was hit with the .AES extension and it looks like it may have been a hack. There wasn't a ransom HTML or a virus we can see, just a text file called Instruction.txt: "Hi all your files are encrypted, to decrypt all your files write to us on the mail:..."

Their IT consultant doesn't have good backups for most of the data, so I'm trying to help out, but I'm not sure there's much I can recommend. Hoping this group has a silver bullet somewhere :)

Thx.




#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,591 posts
  • ONLINE
  • Gender: Male
  • Location: USA

Posted 26 December 2017 - 11:32 AM

That text file is the ransom note. Have you uploaded the ransom note and an encrypted file to ID Ransomware for identification? If it doesn't identify, we need the case SHA1 in order to manually inspect the files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
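Before the identification step above (ransom note plus an encrypted sample), a responder usually wants an inventory of what is actually on the box. The script below is an added example for this thread, not ID Ransomware, CryptoSearch or any code from the posters: it walks a directory tree, collects every Instruction.txt and every file carrying the .AES extension, pulls the attacker's contact addresses out of the note, hashes each sample, and separates real ciphertext from files that were merely renamed by checking byte entropy. The file and extension names are the ones reported in the thread; the 7.0 bits/byte threshold and the constructed sample case are assumptions.

```python
import hashlib
import math
import os
import random
import re
import tempfile
from collections import Counter

NOTE_NAME = "Instruction.txt"   # ransom note file name reported in the thread
ENC_EXT = ".aes"                # extension appended to encrypted files (matched case-insensitively)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HIGH_ENTROPY = 7.0              # assumption: bits/byte at or above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext sits near 8.0; English text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha1_of(path: str) -> str:
    """Hash the whole file so each sample can be tracked through submission."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_contacts(note_text: str) -> list:
    """Pull the attacker's e-mail addresses out of a ransom note."""
    return sorted(set(EMAIL_RE.findall(note_text)))


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and collect notes, high-entropy .AES files and doubtful .AES files."""
    notes, encrypted, low_entropy = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    notes.append({"path": path, "emails": extract_contacts(f.read())})
            elif name.lower().endswith(ENC_EXT):
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
                rec = {"path": path, "sha1": sha1_of(path),
                       "entropy": round(shannon_entropy(head), 2)}
                # A renamed-but-not-encrypted file (or an empty one) shows low entropy;
                # keep it separate so it is not submitted as a ciphertext sample.
                (encrypted if rec["entropy"] >= HIGH_ENTROPY else low_entropy).append(rec)
    return {
        "notes": notes,
        "encrypted": encrypted,
        "low_entropy": low_entropy,
        "contacts": sorted({e for n in notes for e in n["emails"]}),
    }


def build_sample_case(root: str) -> None:
    """Constructed test data (not a real victim tree): one note with the wording from
    the thread, one ciphertext-like .AES file, one .AES file that was only renamed,
    and one untouched file."""
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as f:
        f.write("Hi all your files are encrypted, to decrypt all your files "
                "write to us on the mail: pulpy@protonmail.ch\n")
    rng = random.Random(1)      # deterministic stand-in for ciphertext
    with open(os.path.join(root, "report.docx.AES"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(8192)))
    with open(os.path.join(root, "notes.txt.AES"), "wb") as f:
        f.write(b"A" * 4096)
    with open(os.path.join(root, "readme.md"), "w", encoding="utf-8") as f:
        f.write("untouched\n")


def run_demo() -> dict:
    """Build the constructed case in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_case(root)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    print("contacts:", result["contacts"])
    for rec in result["encrypted"]:
        print(f"encrypted   {rec['entropy']:.2f}  {rec['sha1']}  {os.path.basename(rec['path'])}")
    for rec in result["low_entropy"]:
        print(f"low-entropy {rec['entropy']:.2f}  {rec['sha1']}  {os.path.basename(rec['path'])}")
```

Point `triage()` at the affected share instead of the constructed case to get the real inventory. The entropy split matters because an extension rename alone proves nothing: a family that only renames, or a run that was killed mid-way, leaves low-entropy files that are recoverable without any key, and those should not be the sample you upload.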


#3 rgvcomputerguys

  • Members
  • 2 posts
  • OFFLINE

Posted 26 December 2017 - 02:58 PM

I have a new customer that just got hit with the same ransomware. How can I help? I can upload some files that you may need.

Thanks



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,085 posts
  • ONLINE
  • Gender: Male
  • Location: Virginia, USA

Posted 26 December 2017 - 04:51 PM

You can submit (upload) both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for Demonslay335 to review.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 TechGeekMSP

  • Topic Starter
  • Members
  • 7 posts
  • OFFLINE

Posted 26 December 2017 - 05:06 PM

I went ahead and uploaded the ransom note and a sample file (I think I might have done that Friday); it states it might be a version of Globe or Vortex, but no luck with any of the decrypt tools so far. I never recommend paying to any client, but the backups are 8 months old, so we need to see if they can function with what they have and hopefully they will buy a better firewall and backup service. In the meantime, if this one is able to be decrypted, that would be the best.


Edited by TechGeekMSP, 26 December 2017 - 05:07 PM.


#6 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,591 posts
  • ONLINE
  • Gender: Male
  • Location: USA

Posted 26 December 2017 - 06:29 PM

If it's Vortex (which only hits Polish victims it appears), it cannot be decrypted. They changed how they generate keys and I can no longer exploit it.




#7 Amigo-A

  • Members
  • 629 posts
  • OFFLINE
  • Gender: Male
  • Location: 3rd station from the Sun

Posted 29 December 2017 - 12:46 PM

TechGeekMSP

Did you post the message for the same purpose in this forum?

Is your ransom note written in English or Russian?

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#8 TechGeekMSP

  • Topic Starter
  • Members
  • 7 posts
  • OFFLINE

Posted 29 December 2017 - 01:20 PM

The ransom note was in English. I did not post it there, but will do that today. Thanks for the heads up.



#9 Amigo-A

  • Members
  • 629 posts
  • OFFLINE
  • Gender: Male
  • Location: 3rd station from the Sun

Posted 29 December 2017 - 01:57 PM

TechGeekMSP

Thanks for the answer. It is important.

Can you give me the full text of the ransom note?
I think you do not need to multiply topics on another site. It is necessary to explore this here.



#10 Amigo-A

  • Members
  • 629 posts
  • OFFLINE
  • Gender: Male
  • Location: 3rd station from the Sun

Posted 29 December 2017 - 02:13 PM

Does your ransom note Instruction.txt look like this?

Hi, all your files have been encrypted. You can decipher if you write to me on the mail:pulpy2@cock.li  Otherwise, all your files will be deleted within 2 days without any problems!

:)

Edited by Amigo-A, 29 December 2017 - 02:29 PM.



#11 Amigo-A

  • Members
  • 629 posts
  • OFFLINE
  • Gender: Male
  • Location: 3rd station from the Sun

Posted 29 December 2017 - 03:33 PM

This Pulpy has a Russian brother named Rozlok.



#12 TechGeekMSP

  • Topic Starter
  • Members
  • 7 posts
  • OFFLINE

Posted 29 December 2017 - 08:24 PM

Here's the message:

Hi all your files are encrypted, to decrypt all your files write to us on the mail: pulpy@protonmail.ch



#13 Amigo-A

  • Members
  • 629 posts
  • OFFLINE
  • Gender: Male
  • Location: 3rd station from the Sun

Posted 30 December 2017 - 06:59 AM

TechGeekMSP

Yes, this variant is also there. There is also a variant with the e-mail pulpy@cock.li.
I reflected all this in the article and added some details that I managed to extract from the code.

Pretty rough work. Delivery is via a vulnerable RDP configuration; the malicious file is in an archive with the password "111", then launched to infect.
After encryption, even the encryptor's file and its version in the archive are encrypted.
The Russian-language version has the same file, enbild.exe. Everything is analogous.

In parallel, distribution to users through compromised websites: automotive, sports, New Year themed, etc.
Several such sites are listed in the article and in the analysis.

Edited by Amigo-A, 30 December 2017 - 07:06 AM.



#14 SNF123

  • Members
  • 4 posts
  • OFFLINE

Posted 30 December 2017 - 10:31 AM

Hi.

Was there any resolution to this, can it be fixed? 



#15 TechGeekMSP

  • Topic Starter
  • Members
  • 7 posts
  • OFFLINE

Posted 30 December 2017 - 02:21 PM

Makes sense. It looked like it got in through a router they were using as a "firewall" to the RDP server. Let me know if there is a decryption key; so far they are not able to recover the files.
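Posts #13 and #15 both put the entry point at an RDP server reachable through a consumer router. The script below is an added example for this thread, not code from the posters or from Amigo-A's analysis; it shows the check a responder would run over an export of the victim's Windows Security log to confirm that vector: flag every RemoteInteractive logon (event 4624, LogonType 10) whose source is outside the site's own address ranges, and every RDP logon that followed a burst of failed logons (event 4625) from the same address. The event records are constructed to mirror the 4624/4625 fields rather than taken from a real machine; the internal ranges, the five-failure threshold and the ten-minute window are assumptions you would tune to the site.

```python
import ipaddress
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumption: 5 failures from one source address ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes is treated as password guessing
RDP_LOGON_TYPE = 10              # Windows LogonType 10 = RemoteInteractive (RDP)

# Assumption: the site's internal space is RFC 1918 plus loopback. Anything else that
# reaches the RDP listener came through the perimeter device.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

# Constructed records, not real log data. Fields mirror the Windows Security log
# events 4625 (failed logon) and 4624 (successful logon).
SAMPLE_EVENTS = [
    {"time": "2017-12-22T02:01:05", "id": 4625, "user": "administrator", "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T02:01:09", "id": 4625, "user": "administrator", "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T02:01:14", "id": 4625, "user": "admin",         "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T02:01:20", "id": 4625, "user": "administrator", "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T02:01:27", "id": 4625, "user": "administrator", "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T02:05:41", "id": 4624, "user": "administrator", "type": 10, "ip": "203.0.113.77"},
    {"time": "2017-12-22T09:12:00", "id": 4624, "user": "jsmith",        "type": 10, "ip": "192.168.1.23"},
    {"time": "2017-12-22T09:30:00", "id": 4624, "user": "svc_backup",    "type": 3,  "ip": "192.168.1.5"},
    {"time": "2017-12-22T11:00:00", "id": 4625, "user": "jsmith",        "type": 10, "ip": "192.168.1.23"},
]


def is_external(ip: str) -> bool:
    """True when the address is outside INTERNAL_NETS. The '-' placeholder Windows
    writes for local logons does not parse and is treated as not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events: list) -> list:
    """Return findings for RDP logons that came from outside, or that followed a
    burst of failed logons from the same source address."""
    findings = []
    failures_by_ip = {}
    for e in sorted(events, key=lambda r: r["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures_by_ip.setdefault(e["ip"], []).append(t)
            continue
        if e["id"] != 4624 or e["type"] != RDP_LOGON_TYPE:
            continue
        # Only failures that precede this success and fall inside the window count.
        recent = [f for f in failures_by_ip.get(e["ip"], []) if timedelta(0) <= t - f <= WINDOW]
        base = {"ip": e["ip"], "user": e["user"], "time": e["time"]}
        if len(recent) >= FAIL_THRESHOLD:
            findings.append({"kind": "brute_force_success", "failures": len(recent), **base})
        if is_external(e["ip"]):
            findings.append({"kind": "external_rdp_logon", **base})
    return findings


def exposed_sources(events: list) -> list:
    """Distinct outside addresses that obtained an RDP session. A non-empty list means
    the listener is reachable from the internet and the 'firewall' is not filtering it."""
    return sorted({f["ip"] for f in analyze(events) if f["kind"] == "external_rdp_logon"})


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("RDP reachable from:", exposed_sources(SAMPLE_EVENTS))
```

On a real case, feed `analyze()` the 4624/4625 events exported from the RDP host (the fields used here are all present in the XML of those events); an external source that appears in `exposed_sources()` is the address to block at the perimeter and to search for across the other hosts on the network.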





