Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tastylock / Tasty - new ransomware


  • This topic is locked This topic is locked
3 replies to this topic

#1 overworked_parttimer

overworked_parttimer

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 26 December 2017 - 06:23 PM

Hello everyone,

 

 

First time posting but long time follower of this community. My friend’s small accounting practice (two old ladies) was recently hit with a ransomware and their Quickbooks data was locked. Unfortunately it turns out that their backups were not working properly (incremental backups were corrupt) and recoverable data only goes back to mid-2016.You can imagine the horrific situation the ladies are going through right now...

 

 

I went online to see what ransomare they got hit with and ID-Ransomware identified the samples I uploaded as “Cryptomix Revenge”. The encrypted files were renamed with B2EAA5B401DD769549D03B8C05AB5A8D.tastylock filenames and extension and I could not find any mention of .tastylock anywhere online. This seems to be a new ransomware or it may just be a modified version of an existing ransomware.

I have a sample encrypted file and its original version attached here for anyone to look at and I hope someone can help us. https://drive.google.com/open?id=185Gtu95gretYjwbSzqGyZ1rffW_DuO7m

Original file:     BIGLOGO.BMP

 

Encrypted file:  B2EAA5B401DD769549D03B8C05AB5A8D.tastylock

 

Encryption file used for the attack:        1tasty.exe

The application file that seems to have been used to carry out the encryption is also included here if anyone is interested in looking at it. Using a text editor, the RSA Keys shown in the file resembles what are mentioned in this article (https://www.bleepingcomputer.com/news/security/new-arena-cryptomix-ransomware-variant-released/) but is for the .Arena cryptomix variant and not a .Tastylock version.


Here is the ransom note message but it did not indicate their demands or timeframe:


Filename:  

_HELP-INSTRUCTION.TXT

 

 

 

Message:

 

All you files an encrypted!

 

 

 

For decrypt write DECRYPT ID to t_tasty@aol.com

 

 

 

YOU DECRYPT-ID-8e1bc1c6-793c-4eaa-85ce-fd4b06c54e32 number

 

 

 

!!!ATTENTION!!!

 

 

 

Do not change!
Do not move files!
Do not use other programs (they do not work)!
You can lose your files if you do not follow the instructions!

 

 

 

 

Thank you very much to anyone that can help out!


Edited by overworked_parttimer, 26 December 2017 - 06:25 PM.


BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:15 PM

Posted 26 December 2017 - 06:40 PM

Confirmed it's a CryptoMix variant, thanks for the malware sample. Afraid it cannot be decrypted at this point. I've added identifiers to ID Ransomware.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 overworked_parttimer

overworked_parttimer
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 26 December 2017 - 07:09 PM

Thanks for that info. Is it possible that there may be a decryption solution later like with the other variants?



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:15 PM

Posted 26 December 2017 - 07:48 PM


Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion.When or if a decryption solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users