
Help to identify (maybe) new Ransomware?


This topic is locked
5 replies to this topic

#1 spider21

spider21

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 16 January 2018 - 06:29 AM

I tried ID Ransomware, without success, uploading the note file (SHA1: e385e862afa46990d4ef2c02e63e22415ac59be4).

 

You can download the note file here:  http://www.filedropper.com/keybackup

 

I'm not able to upload encrypted files because the ransomware generated only one big file (700MB) with no extension, which I suppose contains all the files, and then deleted the original files from disk.

 

I suppose that the breach was through an RDP session (the PC was exposed during the night and the user had not set a strong password for it).

 

Security Essentials detected the following files:

2018-01-14T00:57:16.605Z DETECTION Ransom:MSIL/Paradiz.A!bit file:C:\Users\user\Downloads\csf\PortableApps\lpe\DP_Main.exe
2018-01-14T00:57:16.729Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\lpe\CVEx64.exe
2018-01-14T00:57:16.792Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\lpe\CVEx86.exe
2018-01-14T00:57:16.807Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimidrv.sys
2018-01-14T00:57:17.026Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimikatz.exe
2018-01-14T00:57:17.026Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimilib.dll
2018-01-14T00:57:17.057Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimilove.exe
2018-01-14T00:57:17.073Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimidrv.sys
2018-01-14T00:57:17.182Z DETECTION HackTool:Win64/Mikatz!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimikatz.exe
2018-01-14T00:57:17.197Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimilib.dll
2018-01-14T00:57:17.338Z DETECTION Virus:Win32/Parite.C file:C:\Users\user\Downloads\csf\PortableApps\NTPassworder\NTPassworder.exe

 

I assume that the hacker worked on the PC, disabling the antivirus after logging on to the console.

 

Could you help me to understand if it's possible to decrypt the big file?

 

Thank you
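A triage helper for the detection log pasted in the post above. This is an added example for readers, not code from the poster or from BleepingComputer: it parses the Security Essentials-style lines into records, counts them by threat category, finds the common directory the detected files were staged in, and measures the time span of the detections. The regex, the category names and the triage heuristics are this example's own assumptions about the line format shown in the post; the input lines are the ones from the post with the line-wrap spacing repaired.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Detection lines exactly as pasted in the post above (wrap spaces removed).
DETECTIONS = [
    r"2018-01-14T00:57:16.605Z DETECTION Ransom:MSIL/Paradiz.A!bit file:C:\Users\user\Downloads\csf\PortableApps\lpe\DP_Main.exe",
    r"2018-01-14T00:57:16.729Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\lpe\CVEx64.exe",
    r"2018-01-14T00:57:16.792Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\lpe\CVEx86.exe",
    r"2018-01-14T00:57:16.807Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimidrv.sys",
    r"2018-01-14T00:57:17.026Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimikatz.exe",
    r"2018-01-14T00:57:17.026Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimilib.dll",
    r"2018-01-14T00:57:17.057Z DETECTION Trojan:Win32/Tiggre!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\Win32\mimilove.exe",
    r"2018-01-14T00:57:17.073Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimidrv.sys",
    r"2018-01-14T00:57:17.182Z DETECTION HackTool:Win64/Mikatz!rfn file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimikatz.exe",
    r"2018-01-14T00:57:17.197Z DETECTION HackTool:Win64/Mikatz!dha file:C:\Users\user\Downloads\csf\PortableApps\lpe\mimikatz\x64\mimilib.dll",
    r"2018-01-14T00:57:17.338Z DETECTION Virus:Win32/Parite.C file:C:\Users\user\Downloads\csf\PortableApps\NTPassworder\NTPassworder.exe",
]

# Assumed line shape: "<ISO timestamp>Z DETECTION <Category>:<Platform>/<Family> file:<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DETECTION\s+"
    r"(?P<category>[A-Za-z]+):(?P<platform>[^/]+)/(?P<family>\S+)\s+"
    r"file:(?P<path>.+)$"
)


def parse_detection(line):
    """Return a dict for one detection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    rec["path"] = PureWindowsPath(rec["path"])  # Windows paths even when run on Linux
    return rec


def parse_all(lines):
    return [r for r in map(parse_detection, lines) if r is not None]


def common_root(records):
    """Longest directory prefix shared by all detected files (case-insensitive)."""
    prefix = None
    for r in records:
        parts = r["path"].parent.parts
        if prefix is None:
            prefix = list(parts)
            continue
        n = 0
        while n < min(len(prefix), len(parts)) and prefix[n].lower() == parts[n].lower():
            n += 1
        prefix = prefix[:n]
    return str(PureWindowsPath(*prefix)) if prefix else ""


def summarize(records):
    times = [r["ts"] for r in records]
    return {
        "count": len(records),
        "by_category": dict(Counter(r["category"] for r in records)),
        "staging_root": common_root(records),
        "span_seconds": (max(times) - min(times)).total_seconds(),
    }


def triage_notes(records):
    """Defender-side observations derived from the summary (heuristics assumed here)."""
    s = summarize(records)
    notes = []
    if s["by_category"].get("Ransom") and s["by_category"].get("HackTool"):
        notes.append("ransomware binary staged next to credential/privilege tooling under "
                     f"{s['staging_root']}: treat as a hands-on-keyboard intrusion")
    if s["span_seconds"] < 5:
        notes.append("all detections within a few seconds: one scan over files already on disk, "
                     "so the files were not blocked when they arrived")
    return notes


if __name__ == "__main__":
    recs = parse_all(DETECTIONS)
    print(summarize(recs))
    for note in triage_notes(recs):
        print("-", note)
```

The summary makes the picture in the post explicit: every detection sits under one Downloads sub-folder and all fire in under a second, which is what a delayed on-demand scan of a tool kit that was already dropped on the machine looks like, not real-time blocking at download time.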

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:02 AM

Posted 16 January 2018 - 07:13 AM

Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png) to ensure that the victim can open them. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a .html, .txt, .png, .bmp, .url file.

Did the cyber-criminals provide an email address to send payment to?


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
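The advice above (a note dropped in every encrypted folder, in several formats) can be turned into a quick locator. This is an added example, not code from the post or from BleepingComputer: it walks a directory tree and ranks filenames with note-like extensions by how many different directories they appear in, since a ransom note repeats across many folders while ordinary documents do not. The extension list, the threshold and the sample tree (built in a temporary directory with a made-up note name) are this example's assumptions.

```python
import os
import tempfile
from collections import defaultdict

# Extensions the post lists as typical ransom-note formats (assumed set).
NOTE_EXTENSIONS = {".txt", ".html", ".htm", ".png", ".bmp", ".url"}


def find_note_candidates(root, min_dirs=3):
    """Return [(lowercased filename, directory count)] for note-like files that
    recur in at least `min_dirs` distinct directories, most widespread first."""
    dirs_by_name = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in NOTE_EXTENSIONS:
                dirs_by_name[name.lower()].add(dirpath)
    ranked = [(name, len(dirs)) for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def build_sample_tree():
    """Constructed test data: five folders each holding a .txt and .png copy of a
    note named HOW_TO_RECOVER (placeholder, not a real family's note name),
    plus a data file, and one ordinary readme.txt in a single folder."""
    root = tempfile.mkdtemp(prefix="notes_")
    for sub in ("Documents", os.path.join("Documents", "Reports"), "Pictures", "Desktop", "Music"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for note in ("HOW_TO_RECOVER.txt", "HOW_TO_RECOVER.png"):
            with open(os.path.join(d, note), "w") as f:
                f.write("constructed note body\n")
        with open(os.path.join(d, "data.bin"), "wb") as f:
            f.write(b"\x00\x01\x02")
    with open(os.path.join(root, "Documents", "readme.txt"), "w") as f:
        f.write("an ordinary file that appears only once\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, count in find_note_candidates(sample_root):
        print(f"{count:3d} directories: {name}")
```

On a real machine the function would be pointed at the user profile and at C:\ProgramData as the post suggests; the candidates it returns are the files to upload to an identification service, since the note name and content are what distinguish one family's iteration from another.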

#3 spider21

spider21
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 16 January 2018 - 10:28 AM

Yes, there was a .txt file with an email and a Joker image made with characters.

 

You can see the file downloading here: http://www.filedropper.com/keybackup



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:02 AM

Posted 18 January 2018 - 11:03 AM

Ok. Please be patient until Demonslay335 has a chance to review the information you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment.

#5 Amigo-A

Amigo-A

  • Members
  • 607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:07:02 PM

Posted 18 January 2018 - 01:32 PM

The file DP_Main.exe was used in Paradise Ransomware attacks.
The detection confirms this.
It is delivered as RaaS, and the text of the note can differ strongly between iterations.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:02 AM

Posted 18 January 2018 - 02:01 PM

Since the infection has been identified by Amigo-A, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff


