systemwall (.system _HELP_INSTRUCTION)


This topic is locked
5 replies to this topic

#1 codebase

Posted 31 January 2018 - 12:04 PM

This is mostly for information and identification.

 

Files encrypted as

28B0C4303AC580100F06CA073D3763C4.SYSTEM

(The machine in question is offline at a remote site, so I can't upload a sample.)

 

 

(I altered the DECRYPT-ID below)

_HELP_INSTRUCTION.txt

 

Hello!
 
Attention! All Your data was encrypted!
 
For specific informartion, please send us an email with Your ID number:
 
systemwall@keemail.me
 
systemwall@protonmail.com
 
systemwall@yandex.com
 
systemwall1@yandex.com
 
xxxx.x@dr.com (this email appears to be unique based on a name from the client address book)
 
Please send email to all email addresses! We will help You as soon as possible!
 
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
 
 
DECRYPT-ID-af717ca2-a4ef-48ca-8bc1-8851bad1f877 number
 
 
 
Ransom request email
 
From: name from client address book<systemwall@protonmail.com>
Date: Mon, Jan 29, 2018 at 2:05 PM
Subject: PC Help Information
To: 
 
Hello!
 
We are glad to hear You! And We will be happy to help You!
 
Here is Your personal instruction:
 
 
Password:  035unit
 
Please read it carefully! After that just follow Your instruction and You will solve this problem very quickly!
 
Our kind regards,
 
name from client address book
 
Support Manager
 
Worldwide Children Charity Community
 
 
 
Her diagnosis:  Acute Lymphoblastic Leukemia (ALL)
 
Need for medical help:  $120k
 
Already contributed: 81k
 
this included an image of a child 
Google image search finds 
 
 
 
 
Details from onetimesecret
 
Hello!
 
to decrypt your files You will need a special software with your special unique private key. 
 
Price of software with your private key is JUST a 0.35 bitcoins. With this product you can decrypt all your files and protect Your system!!! Protect!!! Your system will work without any vulnerability.
 
Also You will have a FREE tech support for solving any PC troubles for 3 years!
 
You can buy bitcoins through this bitcoin web site     https://localbitcoins.com/
 
or www.bitquick.co - fast way to buy bitcoin with cash
 
or www.coinatmradar.com - it`s a Bitcoin ATM (very simple and fast)
 
or www.paxful.com
 
Register there and find a nearest Bitcoin seller. It`s easy! Choose more comfortable payment method for buying Bitcoin!
 
After that You should send bitcoins to the charity bitcoin wallet address:
 
1JzKzrm9sAcRyNgcR3x4xcftpwxW8ZafEy
 
All this process is very easy! It`s like a simple money transfer.
 
And now most important information:
 
We are the International Children Charity Organisation! Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!
 
And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!
 
Remember You can save many children destinies! Money for You is just a paper (You will earn money again in the next month), but for many children is a real chance to change their life!
 
Also ONLY WE can give to our customers very important benefits:
 
1) You will restore all Your data immediately
 
2) Your network vulnerabilities will be closed
 
3) You will protect Your system from the main attack in the future! It`s a very important option!
   Only our community can give You this opportunity! All other anti-malware companies just promise it, but in fact they cannot    protect You! It`s very terrible!
 
4) Main idea - many children will receive a donation and medical help from Your name!
 
5) You will have a free tech support for solving any PC troubles! Just ask a support and support will help You! 
 
P.S> When your payment will be delivered you will receive your software with private key IMMEDIATELY!
 
P.P.S> In the next 24 hours your price may be doubled by the Main Server automatically.
 
       So now you have a chance to restore your PC at low price!
 
Best regards,
 
Charity Team
 
 
From what I have gathered at this point, the attack vector was a publicly exposed RDP connection to a Windows 7 Pro computer with multiple accounts and likely weak passwords.
In addition to the normal encryption, this variant appears to have damaged the user accounts / operating system in some way.
The issue became apparent when users could not connect to the computer anymore. Local logons didn't work either.
I was unable to recover the passwords... something I usually have no problem with on a machine of this vintage.
Offline tools showed all accounts as locked out (including the default administrator).
I was able to unlock the admin account and clear the password to log on, and discovered the encrypted files.
I created a new admin user and was able to log on, although I get warnings about unavailable system locations and the desktop doesn't render.
The machine is currently offline and I don't have access, where it will remain until I have good reason to recover it.
 
 

Edited by codebase, 31 January 2018 - 12:06 PM.



#2 codebase (Topic Starter)

Posted 31 January 2018 - 12:09 PM

https://id-ransomware.malwarehunterteam.com/identify.php

 

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 3c4849c2cea02bedd6d91b4fc6666e1ea813de70



#3 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 31 January 2018 - 12:14 PM

Looks like it is probably a new iteration of CryptoMix. Would need the malware itself to confirm, but the note filename, structure, and filename pattern match.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
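The two identification features named above, the `_HELP_INSTRUCTION.txt` note and the 32-hex-character `.SYSTEM` filename pattern from the first post, are enough to scope an affected share before anything is uploaded for identification. The script below is an added example, not code from the thread, from the poster or from ID Ransomware; it assumes only those two artefacts and builds a constructed sample tree whose DECRYPT-ID is an all-zero placeholder.

```python
"""Inventory helper for the .SYSTEM CryptoMix pattern described in this thread.
Added example (not code from the thread or from ID Ransomware); it relies only on
the artefacts named in the posts: files renamed to 32 hex chars + ".SYSTEM" and a
"_HELP_INSTRUCTION.txt" note carrying a DECRYPT-ID line and contact e-mails."""
import os
import re
import tempfile

ENCRYPTED_NAME = re.compile(r"^[0-9A-F]{32}\.SYSTEM$", re.IGNORECASE)  # post #1
NOTE_NAME = "_HELP_INSTRUCTION.txt"
DECRYPT_ID = re.compile(r"DECRYPT-ID-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_encrypted_name(name):
    """True if a filename matches the CryptoMix .SYSTEM renaming pattern."""
    return ENCRYPTED_NAME.match(name) is not None

def parse_note(text):
    """Extract the victim ID and contact addresses from a ransom note body."""
    m = DECRYPT_ID.search(text)
    return {"decrypt_id": m.group(1) if m else None,
            "emails": sorted(set(EMAIL.findall(text)))}

def triage(root):
    """Walk a tree; list renamed files, notes, and the IDs/e-mails the notes carry."""
    report = {"encrypted": [], "notes": [], "decrypt_ids": set(), "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_encrypted_name(name):
                report["encrypted"].append(path)
            elif name == NOTE_NAME:
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parsed = parse_note(fh.read())
                if parsed["decrypt_id"]:
                    report["decrypt_ids"].add(parsed["decrypt_id"])
                report["emails"].update(parsed["emails"])
    return report

def build_sample_tree():
    """Constructed sample tree: one renamed file, one untouched file, one note.
    The DECRYPT-ID is an all-zero placeholder, not a real victim ID."""
    root = tempfile.mkdtemp(prefix="cryptomix_demo_")
    for fname in ("28B0C4303AC580100F06CA073D3763C4.SYSTEM", "budget.xlsx"):
        open(os.path.join(root, fname), "wb").close()
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Attention! All Your data was encrypted!\nsystemwall@protonmail.com\n"
                 "DECRYPT-ID-00000000-0000-0000-0000-000000000000 number\n")
    return root
```

Run `triage("/path/to/share")` on a read-only copy of the affected tree; the encrypted-file list tells you which directories were reached, and one distinct DECRYPT-ID per note confirms a single infection for the ID Ransomware upload.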


#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 31 January 2018 - 12:18 PM

Confirmed it is CryptoMix. ID Ransomware is already identifying it by the filemarker if you had uploaded an encrypted file.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 Amigo-A

Posted 31 January 2018 - 01:12 PM

System CryptoMix Ransomware with the .System extension has been known since the beginning of January.
The addresses have changed and the text itself is a bit different. This is not fundamentally new.
What else is new?

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 January 2018 - 02:10 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.