EncryptServer2018 Ransomware (.2018, Attention !!!! txt) Support Topic


16 replies to this topic

#1 secbill

secbill

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 10 January 2018 - 01:04 PM

Encrypted files and changed names to long string with .2018 extension, left text file with instructions in file name Attention!!!!.txt 





#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,591 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:58 AM

Posted 10 January 2018 - 01:43 PM

We'll need the malware executable itself to analyze.

 

I did see this come thru the alerts earlier. Here's the ransom note for search engines.

 

The encrypted file was renamed as something like "aRx9KCdQaxM7QyxMHlwoEx8hYkNdIlNV ID [redacted].2018".

                   Attention !!!
All your files on this server have been encrypted.
Write this ID in the title of your message
To restore the files need to write to us on e-mail:  tornado_777@aol.com or BM-2cXXgKAo8HzUmijt8KMywZYHm8xDHhxwZg@bitmessage.ch
The price for restoration depends on how quickly you write to us.
After payment we will send you a decryption tool that will decrypt all your files.
 
GUARANTEES!!!
You can send us up to 3 files for free decryption.
 -files should not contain important information
 -and their total size should be less than 1 MB
 
HOW TO OBTAIN BITCOINS!!!
The easiest way to buy bitcoins is the LocalBitcoins website.
You need to register, click "Buy bitcoyne" and select the seller
by method of payment and price
https://localbitcoins.com/buy_bitcoins
 
IMPORTANT !!!
Do not rename encrypted files
Do not try to decrypt your data with third-party software, this can lead to permanent data loss!
 
Your ID [redacted]

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
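As an added example (not code from this thread or from the tools linked above), here is a read-only Python scan for the two indicators this post describes: the "Attention !!!!.txt" note and files renamed to "<random string> ID <victim id>.2018". The name patterns are assumptions drawn from the names quoted here, and the victim id and directory contents built in demo() are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Indicator patterns taken from this thread. The note's file name is spelled
# both "Attention !!!!.txt" and "Attention!!!!.txt" here, so match loosely.
NOTE_NAME_RE = re.compile(r"^attention\s*!{3,}\s*\.?txt$", re.IGNORECASE)
# Encrypted files were renamed to "<random string> ID <victim id>.2018"
# (assumed shape, generalised from the one name quoted in the post).
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9+/=]{16,} ID [^\\/]+\.2018$")


def classify(name: str) -> Optional[str]:
    """Return the indicator class of a file name, or None if it looks clean."""
    if NOTE_NAME_RE.match(name):
        return "ransom_note"
    if ENCRYPTED_NAME_RE.match(name):
        return "encrypted_file"
    return None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory (a mapped drive or UNC share path works too) and
    list paths per indicator class. Files are only listed, never opened
    or renamed, so the scan can run from an untouched machine without an
    interactive logon to the suspect server."""
    hits: Dict[str, List[str]] = {"ransom_note": [], "encrypted_file": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits[kind].append(os.path.join(dirpath, name))
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample share (one hit of each kind plus a clean
    file) in a temp directory and scan it; stands in for a real share."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("finance/Attention !!!!.txt",
                "finance/aRx9KCdQaxM7QyxMHlwoEx8hYkNdIlNV ID 1A2B3C.2018",
                "finance/report.xlsx"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")  # constructed placeholder content
    return scan_tree(root)
```

Point scan_tree() at each share path in turn; any hit in a share that was believed clean is a reason to isolate that server before anyone logs on to it.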


#3 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 10 January 2018 - 05:00 PM

That is the same content as the Attention!!!!.txt file I uploaded to the ID Ransomware site.



#4 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 11 January 2018 - 08:40 AM

When I logged into another server that had an infected share, it triggered a program that infected my profile and possibly more. I shut that server off. What should I look for on other servers to make sure this does not happen, without actually logging in?



#5 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 11 January 2018 - 03:37 PM

Does it attack only files on servers?


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 11 January 2018 - 08:32 PM

It started on a server, I believe. I had a temporary RDP redirect to 3386, NATted. The weird part is that the user the few files I was able to look at belonged to was not administrator, xxadmin. It infected the shares on the other servers, and I think it used the X$ shares on the other servers to spread. A third 2016 server I logged into ran something when logging in, booby-trapped; I was never able to log in again, something about the profile could not be loaded, for any user.



#7 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 12 January 2018 - 06:39 AM

From id-ramsomware.malwarehunterteam.com: please reference this case, SHA1: cc6a918caef5874e49828e294d43ae81f43b084b. I need to find out how it spread from server to server, and how it loaded a payload in the login process. I have one server not touched, but I have not logged into it, fearing it will get infected too.



#8 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 12 January 2018 - 10:18 AM

Weird part is that the user the few files I was able to look at belonged to was not administrator
There is nothing strange about this. Administrator rights are not required.
A simple port change will not help. An open port is easily identified, and an attack is already being conducted through it.
 
These are the most common mistakes (misconceptions) and completely useless actions.

Edited by Amigo-A, 12 January 2018 - 10:21 AM.



#9 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 12 January 2018 - 10:44 AM

secbill

From Michael's post it is unclear how the encrypted files look.

Can you make me a screenshot of a list of 5 encrypted files?


Edited by Amigo-A, 12 January 2018 - 10:46 AM.



#10 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 12 January 2018 - 03:49 PM

Description of this EncryptServer2018 Ransomware



#11 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 13 January 2018 - 08:09 AM

There was also a svchost.com in the system32 folder that was infected with Neshta; it came up as Win32 Neshta-skc, I think. I think the shares on a Win 2016 folder were infected initially, but it seems to have run an encryption when I logged into that server: I saw a box pop up quickly that showed some files, I believe, encrypting, or at least numbers were going fast. Also found a .freerdp folder on the machine that had the open RDP port. I know the open RDP port was not the right thing to do, but the vendor asked for that to configure some software temporarily. I am afraid to log on to an unencrypted server, thinking it may get encrypted.

Description of this EncryptServer2018 Ransomware

Yes, that is it. Thank you.



#12 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 13 January 2018 - 01:17 PM

The named files and folder refer to the secondary aspect.

The svchost.exe system process is multitasking, therefore it's a tasty morsel for various malware. 




#13 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 13 January 2018 - 01:28 PM

If any software is out of date for more than 1 year, then it cannot be used.
There are many hacker infrastructures that detect obsolete software on servers and open ports around the world. It's like an open door to a house that can be seen from afar, and every attacker can get in without difficulty.



#14 secbill

secbill
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 13 January 2018 - 01:57 PM

How do you think they made it encrypt system files on my 2016 server when an admin user logged in? I mean encrypt as a process during the logon process. I have a virtual backup of a good server and I am checking for any malware now. Did not find anything on my offsite VM, except for the dcmtk.dll and isislibrary.dll online.games I've seen before. Thanks for your help.


Edited by secbill, 13 January 2018 - 06:29 PM.


#15 Amigo-A

Amigo-A

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:58 PM

Posted 14 January 2018 - 11:40 AM

I can not know this, because I did not participate in this process. :)

If they penetrated with the help of the RDP vulnerability, they placed a password-protected archive in the root directory, then launched the file from the archive, entered a password, and launched encryption.






