
Velso Ransomware Help & Support Topic (.velso * get_my_files.txt)


14 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:02:51 PM

Posted 26 January 2018 - 11:37 AM

This topic is to be used to assist those who have been infected with the Velso Ransomware.

The Velso Ransomware will append the .velso extension to encrypted files and then drop a ransom note named get_my_files.txt.

This ransom note contains an email address, which is currently MerlinVelso@protonmail.com, that can be used to get payment instructions.

It is believed that this ransomware is being manually installed by the attackers when they hack into computers via remote desktop services.

ransom-note.jpg
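As an added defender-side example (not code from this thread or from any tool mentioned in it), the following Python triage helper inventories a list of file paths using the indicators stated here (the .velso extension, the .david extension confirmed later in the thread, and the get_my_files.txt ransom note) and pulls contact addresses out of ransom note text so they can be compared with the one reported above; the sample paths and note text are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators reported in the thread: extensions appended to encrypted files
# (.david is the variant confirmed later in the thread) and the note name.
VELSO_EXTENSIONS = {".velso", ".david"}
RANSOM_NOTE_NAME = "get_my_files.txt"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage_paths(paths):
    """Sort paths into encrypted files (grouped per directory) and ransom notes.
    PureWindowsPath is used so backslash paths parse the same on any host."""
    encrypted = defaultdict(list)
    notes = []
    by_ext = defaultdict(int)
    for p in paths:
        wp = PureWindowsPath(p)
        ext = wp.suffix.lower()
        if wp.name.lower() == RANSOM_NOTE_NAME:
            notes.append(str(wp))
        elif ext in VELSO_EXTENSIONS:
            encrypted[str(wp.parent)].append(wp.name)
            by_ext[ext] += 1
    return {"encrypted": dict(encrypted), "notes": notes, "by_extension": dict(by_ext)}


def original_name(encrypted_name):
    """Recover the pre-encryption filename by stripping the appended extension."""
    wp = PureWindowsPath(encrypted_name)
    return wp.stem if wp.suffix.lower() in VELSO_EXTENSIONS else encrypted_name


def contacts_from_note(note_text):
    """Extract e-mail addresses from ransom note text (order-independent)."""
    return sorted(set(EMAIL_RE.findall(note_text)))


# Constructed sample input; not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.velso",
    r"C:\Users\alice\Documents\get_my_files.txt",
    r"C:\Users\alice\Pictures\trip.jpg.david",
    r"C:\Users\alice\Pictures\get_my_files.txt",
    r"C:\Users\alice\Pictures\untouched.png",
]
SAMPLE_NOTE = "Your files are encrypted. Write to MerlinVelso@protonmail.com\n"
```

Feed `triage_paths` the output of a directory walk to get a per-folder list of what was encrypted before any restore-from-backup work starts.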




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:51 PM

Posted 26 January 2018 - 07:07 PM

More information in this BC news article by Grinler...The Velso Ransomware Being Manually Installed by Attackers
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 TechGuru11

TechGuru11

  • Members
  • 90 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:51 PM

Posted 26 February 2018 - 03:36 PM

As a heads up, I have numerous reports from clients stating that after they paid the Velso ransom they did not receive keys and additional payments were requested. It is very important to utilize off-site backups and set up some upgraded security measures to prevent the intrusion on your networks.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:51 PM

Posted 26 February 2018 - 04:48 PM

As typical with ransomware, some victims have reported they paid the ransom and were successful in decrypting their data. Some victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

There is never a guarantee that decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim, and using a faulty or incorrect decryptor may cause additional damage or corruption of files. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place?



#5 jdixon

jdixon

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 20 March 2018 - 01:00 PM

Our experience was the key was received from the criminals (unknown if it works or not) but they demanded more money for the decryptor. We did not move forward on the decryptor so we do not know if they would have actually sent it or not. This was the .David extension which seems to be a variant of Velso.


Edited by jdixon, 20 March 2018 - 01:00 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:51 PM

Posted 20 March 2018 - 01:07 PM

Yes, the .david extension was confirmed as Velso by Michael Gillespie (demonslay335).

#7 aaaP

aaaP

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 23 March 2018 - 08:34 AM

Hello,

Can someone who paid for the Velso and David ransomware share the address given to send the payment?



#8 jdixon

jdixon

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 23 March 2018 - 09:00 AM

Client ended up trying to pay for the decryptor and we received it. Files were successfully decrypted.

 

Email address was: davidfreemon2@aol.com

Bitcoin wallet was: 1NFz1zsFPPQ1TR7qkKwawLMjQ1FMyKt2Ne

Ransomware: .David


Edited by jdixon, 23 March 2018 - 09:03 AM.


#9 aaaP

aaaP

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 23 March 2018 - 09:16 AM

Client ended up trying to pay for the decryptor and we received it. Files were successfully decrypted.

Email address was: davidfreemon2@aol.com

Bitcoin wallet was: 1NFz1zsFPPQ1TR7qkKwawLMjQ1FMyKt2Ne

Ransomware: .David

Thanks jdixon, your help is very useful.



#10 anthonymaddick

anthonymaddick

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:51 AM

Posted 24 April 2018 - 05:44 AM

Hi jdixon, I have paid the ransom but they have only given me the key. Would you know what decrypt tool I need?

They are requesting more money which I do not want to pay.



#11 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,479 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 24 April 2018 - 01:26 PM

Were the keys given as a base64 string? I might be able to create a decrypter in the future that utilizes the keys they provide. If I ever have the time.  :smash:


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#12 ProudBeaver

ProudBeaver

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 31 May 2018 - 09:35 AM

Hello all,

My office has been hit by the .david variant of the Velso ransomware. It's been devastating for me financially and for the few employees I have.

Attempts to contact davidfreemom2@aol.com result in an error message from AOL. Is this the correct contact info?

Any suggestions?

Thanks

Grimm



#13 jdixon

jdixon

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 31 May 2018 - 10:35 AM

Quoting ProudBeaver:

Hello all,

My office has been hit by the .david variant of the Velso ransomware. It's been devastating for me financially and for the few employees I have.

Attempts to contact davidfreemom2@aol.com result in an error message from AOL. Is this the correct contact info?

Any suggestions?

Thanks

Grimm

Check the text file and see if there was a different email left.

Quoting aaaP:

Hello,

Can someone who paid for the Velso and David ransomware share the address given to send the payment?

@aaaP,

Did you ever get that decryptor I sent you working?



#14 ProudBeaver

ProudBeaver

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 31 May 2018 - 10:37 AM

Unfortunately the email provided, "davidfreemon2@aol.com", appears to have been shut down by AOL.


Edited by ProudBeaver, 31 May 2018 - 10:48 AM.


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:51 PM

Posted 31 May 2018 - 04:18 PM

The criminals do not keep working email contact addresses for very long for fear of being tracked by law enforcement.

Besides, most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.