Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

>XLS Encryption?


  • Please log in to reply
4 replies to this topic

#1 SteveStaves

SteveStaves

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 01 February 2018 - 04:58 PM

I have a client that has just has her files encrypted.  All files have a .XLS extension and the only read_me file in every folder says to download TOR and then click on the decryptor icon.  There are no indications of what the infection is, what was used etc.  Has anyone ever heard of this?  If so, what s it and is there a decryptor available?

Edited by hamluis, 01 February 2018 - 06:17 PM.
Moved from MRL to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,562 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:55 PM

Posted 01 February 2018 - 10:13 PM

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware).
What is the actual name of the ransom note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

The best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to
ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png

Without the above information or if this is something new, our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Amigo-A

Amigo-A

  • Members
  • 323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:55 AM

Posted 02 February 2018 - 08:05 AM

SteveStaves

 .XLS extension

only read_me file in every folder 

 
Take a screenshot for "read_me", upload a picture to imgbb.com
Or upload the "read_me" file to https://www.sendspace.com
Give us the links here.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Пострадали от шифровальщика? Сообщите мне здесь. 


#4 Daddyoisme

Daddyoisme

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:55 PM

Posted Today, 03:00 AM

I guess this thread has been abandoned. I have a friend with the same problem. They didn't upgrade their ESET NOD32 AV to the latest version when it asked back in 2017 and four days ago was hit by this new version of what I think may be GranCrab. It encrypted all documents and user files with ..xls and no that's not a typo it has two periods. The AV was updated and the PC was scanned, so all the READ_ME.html files are now gone. None of the detectors I have used can determine the type of ransomware it is exactly. I tried to upload one of the encrypted files for online analysis without success. Any suggestion would be greatly appreciated. Thanks.



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,562 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:55 PM

Posted Today, 07:42 AM

As I already noted...the best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.

Without the above information, our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if they can help.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users