Pulpy / Rozlok Ransomware (.AES, Instruction.txt) Support Topic



#16 Amigo-A

Posted 30 December 2017 - 02:23 PM

---del---


Edited by Amigo-A, 30 December 2017 - 02:26 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.



#17 Amigo-A

Posted 30 December 2017 - 02:25 PM

SNF123
TechGeekMSP

Both encoders are a continuation of the previously known RSA2048Pro. The linked addresses, files and even the errors are the same. There is no information about available decryption.

Edited by Amigo-A, 30 December 2017 - 02:29 PM.



#18 scagman12

Posted 31 December 2017 - 10:59 AM

I uploaded the Instruction.txt file as well as an encrypted file.

Any decrypters found yet?


#19 quietman7

Posted 31 December 2017 - 12:15 PM

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Pulpy (Rozlok) Ransomware without paying the ransom.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#20 Amigo-A

Posted 31 December 2017 - 04:47 PM

This is all so mixed up, a pepper mixture, which may not help even after payment.

I can't translate the detailed data into English correctly. Google can't either. Sorry.

Never pay a ransom until Word documents and image files of your own choosing have been decrypted.



#21 scagman12

Posted 31 December 2017 - 06:45 PM

I guess they will lose all the data, since the backup was corrupt as well.

#22 quietman7

Posted 31 December 2017 - 09:39 PM

In cases where restoring from backup is not a viable option, file recovery software does not work and there is no free decryption tool, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible solution...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope that someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

#23 RunInCirclesQuickly

Posted 30 January 2018 - 08:35 PM

I mistakenly posted a new thread on this. We were hit by the Pulpy virus and I suspect it was through RDP.

Any clues as to what exactly in the RDP protocol is exploited?

#24 Demonslay335

Posted 30 January 2018 - 08:53 PM

Bad passwords - simple as that. It's always some account with a really poor password, sometimes even an account someone forgot exists. Even if you "think" it's a secure password, it isn't worth the risk having RDP exposed to the internet, as it takes only a few seconds to do dictionary attacks, etc. against the server. Put it behind a VPN, period.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
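The pattern Demonslay335 describes above (an internet-facing RDP service, a dictionary attack against it, and eventually a hit on some weak or forgotten account) leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (event 4624) from that same address. The script below is an added example for this thread, not code posted by Demonslay335 or anyone else here. It parses a constructed CSV in the shape of a Security log export (fields TimeCreated, EventID, LogonType, TargetUserName, IpAddress; the IPs, usernames and timestamps are made up) and flags both the guessing burst and the success that follows it. The threshold of five failures in five minutes is an assumption for illustration, not a value from the thread.

```python
"""
Flag RDP password guessing in a Windows Security log export.

Added example for this thread, not code from the original posts. The input is a
constructed CSV in the shape of a Security log export with the fields
TimeCreated, EventID, LogonType, TargetUserName and IpAddress. Event 4625 is a
failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive) is
what an RDP logon records. Threshold and window are assumptions.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real log data: 203.0.113.7 walks a short user list
# and lands on a forgotten service account; 198.51.100.23 is a normal user
# who mistypes a password once. The LogonType 3 row is a non-RDP (network)
# failure and is ignored by the parser.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2018-01-29T03:00:01,4625,10,Administrator,203.0.113.7
2018-01-29T03:00:02,4625,10,admin,203.0.113.7
2018-01-29T03:00:03,4625,10,backup,203.0.113.7
2018-01-29T03:00:03,4625,3,Administrator,203.0.113.7
2018-01-29T03:00:04,4625,10,scan,203.0.113.7
2018-01-29T03:00:05,4625,10,svc_old,203.0.113.7
2018-01-29T03:00:06,4625,10,svc_old,203.0.113.7
2018-01-29T03:00:09,4624,10,svc_old,203.0.113.7
2018-01-29T09:15:00,4625,10,jsmith,198.51.100.23
2018-01-29T09:15:20,4624,10,jsmith,198.51.100.23
"""

RDP_LOGON_TYPE = "10"
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_events(text):
    """Parse the CSV export, keep only RDP logons, return events sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["LogonType"] != RDP_LOGON_TYPE:
            continue
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventID"]),
            "user": row["TargetUserName"].lower(),
            "ip": row["IpAddress"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """
    Sliding-window detector. Returns a list of (ip, kind, detail) tuples where
    kind is "bruteforce" (>= threshold failures from one IP inside the window)
    or "success_after_bruteforce" (a 4624 from an IP already flagged, which is
    the signal that a guessed password worked).
    """
    recent_failures = defaultdict(deque)  # ip -> deque of (time, user)
    flagged = set()
    alerts = []
    for ev in events:
        q = recent_failures[ev["ip"]]
        # Drop failures that fell out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == FAILED_LOGON:
            q.append((ev["time"], ev["user"]))
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                users = sorted({u for _, u in q})
                alerts.append((ev["ip"], "bruteforce",
                               f"{len(q)} RDP failures within {window}; users tried: {users}"))
        elif ev["event_id"] == SUCCESSFUL_LOGON and ev["ip"] in flagged:
            alerts.append((ev["ip"], "success_after_bruteforce",
                           f"successful RDP logon as {ev['user']} after guessing"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_bruteforce(parse_events(SAMPLE_CSV)):
        print(f"{ip}: {kind}: {detail}")
```

On the sample this reports one "bruteforce" alert for 203.0.113.7 and one "success_after_bruteforce" alert for the svc_old logon, and nothing for the normal user. Two caveats when running it against a real export: hosts with Network Level Authentication enabled may record a failed RDP credential as a 4776 credential-validation event rather than a 4625, or log the 4625 without a usable source address, so confirm what your own log actually records before trusting a threshold; and detection of this kind is a complement to, not a substitute for, the advice above to take RDP off the internet.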


#25 Amigo-A

Posted 31 January 2018 - 02:25 AM

RunInCirclesQuickly

 


Edited by Amigo-A, 31 January 2018 - 02:26 AM.



#26 quietman7

Posted 31 January 2018 - 07:47 AM



#27 RunInCirclesQuickly

Posted 31 January 2018 - 07:54 AM

Makes sense, we had an extremely poor password on a forgotten account that was just sitting in the RDP allowed users group. A ticking time bomb.

RDP is disabled. VPN is not a good option in our use case. What about RD Gateway? This may be going too far off topic.

Thank you for the replies.

#28 TechGeekMSP (Topic Starter)
Posted 19 March 2018 - 12:39 PM

Just curious if this article means this version of cryptolocker has a fix now? https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/ We've been trying to secure the client, but there was still a lot of data gone that would be useful if recoverable.





