Apocalypse (new variant)



#1 rodneyd

Posted 05 January 2018 - 02:58 PM

I was affected by a ransomware that creates files with the extensions:

- .missing

- .Contact_Data_Recovery.txt

Your PC ran into a critical problem and all files have been encrypted with .missing extension.
Including all partitions from all drives. Its impossible to decrypt your files by yourself or with
thierd parties softwares and doing such a thing could damage all files forever.

The only safe method to recover your data is contacting the email below and purchasing for the right decrypter software.

Email:       pcsolutions@mail.ru

ID code: .MISSING_xxxxxxxxx

Contact the email with your ID code and 1-2 files for free decryption to make sure the data is still safe and undamaged.
If you dont receive an answer within 12 h, email again from another email service.

The faster you purchase the software the sooner you get back on track.

id-ransomware says it's Apocalypse (new variant)

 

https://id-ransomware.malwarehunterteam.com/identify.php?case=49224dbd67f53a35d3892dac60ab52be19b177fd

 

We paid the ransom; they sent a program called "Windows Reparation Smard Decrypter.exe".

But this required another key that we had to pay for.

Did a little checking on the tool the ransomware guy supplies, "Windows Reparation Smard Decrypter.exe", with IDR: it looks for the following files: .encrypted, .crypted_file and .missing. As far as I can see, the first file is Apocalypse, the second is Kangaroo ransomware and the last one is the new one.

On the terminal server, the main attacker was IP 5.8.33.107, which kept on logging in and disconnecting every hour or so during the time of the encryption. There were a few others, 88.204.157.55, 185.130.227.35 and 185.129.148.165, but they only logged in once or twice.

Checked the %AppData% and %LocalAppData% folders for each user profile, in addition to the %ProgramData% folder, to see if there were any files in those folders: any executable files (.exe, .cmd, .bat, .com, .scr, .pif, etc.) or script files (.vb, .vbs, .js, etc.). There were none.

Ran FRST and sent it to emsisoft.com; they found nothing.

Also did a VirusTotal and reverse.it check:

https://www.virustotal.com/#/file/61cef4c4ccdbdc15dfdad183806f375239ff944d9baeca465a1370444c556c88/detection

https://www.reverse.it/sample/61cef4c4ccdbdc15dfdad183806f375239ff944d9baeca465a1370444c556c88?environmentId=120

Still no luck in working it out.

The company I work for will be paying the second ransom as there is no backup for the customer.
 




#2 quietman7

Posted 05 January 2018 - 05:28 PM

Unfortunately, there is no known method at this time to decrypt files encrypted by Apocalypse (New Variant) without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance, but as noted it is not decryptable. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of the above support topic discussions. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff