
STOP ransomware (.STOP, .SUSPENDED - !!! YourDataRestore !!! txt) Support Topic



#1 glenn_ITP
Posted 22 February 2018 - 03:11 AM

Hi
 
Just got a call from a customer with the above ransomware extension.
Here is the ransom note:
All your important files were encrypted on this PC.
 
All files with .SUSPENDED extension are encrypted.
 
Encryption was produced using unique private key RSA-1024 generated for this computer.
 
To decrypt your files, you need to obtain private key + decrypt software.
 
To retrieve the private key and decrypt software, you need to contact us by email suspendedfiles@bitmessage.ch send us an email your !!!RestoreProcess!!!.txt file and wait for further instructions.
 
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
 
Price for decryption $600 if you contact us first 72 hours.
 
 
 
Your personal id:
 
5QDwX38ApBptxAvLONsohcyWyDsZhoeW15GuYzU5
 
 
 
E-mail address to contact us:
 
suspendedfiles@bitmessage.ch
 
 
 
Reserve email address to contact us:
 
suspendedfiles@india.com
 
 
Posting to help others find info on this.


#2 Demonslay335 (Ransomware Hunter)

Posted 22 February 2018 - 11:00 AM

I see your submission to ID Ransomware was not identified. I have only one other submission from Italy as well. May be something new, doesn't look familiar to me (then again all the ransom notes blur together anymore).

 

We will need the malware executable in order to properly identify and analyze it. I've put out a hunt on Twitter to see if anyone has spotted it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Amigo-A

Posted 22 February 2018 - 11:09 AM

This is a new version of the ransomware which I described on December 25, 2018 as STOP Ransomware.
 
The ransom note text is analogous and the ransom sum is the same.
A different extension, note name and e-mail.
Such changes are normal in the ransomware environment.
 
 
On February 10, 2018 there was one more STOP iteration.

Edited by Amigo-A, 22 February 2018 - 11:26 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#4 Amigo-A

Posted 22 February 2018 - 11:34 AM

Demonslay335  ;)
But there is still no specimen of malware on hand.

Edited by Amigo-A, 22 February 2018 - 11:36 AM.



#5 glenn_ITP (Topic Starter)

Posted 23 February 2018 - 02:49 AM

I'll try to get a sample on monday when I will go pick up the infected pc.

Anything specific I should be looking for?

#6 Amigo-A

Posted 23 February 2018 - 12:07 PM

These are some common folder locations (given as environment variables) where malicious executables and .dlls hide:

  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUsersProfile%\
  • %Temp%\ / %AppData%\Local\Temp\

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware. 

 

 

Example of recommendation

https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/?p=4383151


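The search described in the post above can be scripted once the customer's disk is in hand. The following Python is an added example written for this thread; it is not code from the post, from BleepingComputer or from ID Ransomware. It assumes the infected drive has been attached read-only to an analysis workstation and mounted under a root directory (which also keeps anyone from accidentally running what is on it), so the folder variables in the list are resolved as fixed paths beneath that root, with the per-user variables expanded for every profile under Users. It keeps only .exe/.dll files written in a window around the ransom note's last-modified time (the 24 h / 1 h window sizes are this example's assumption) and prints SHA-256 hashes ready for submission. The anti-virus quarantine check is left to the product's own console.

```python
"""Locate candidate ransomware droppers on a mounted (offline) system volume.

Added example for this thread; not code from the post, BleepingComputer or
ID Ransomware. Assumes the infected disk is mounted read-only under ROOT on an
analysis machine, so %SystemDrive%, %SystemRoot%, %ProgramData%, %UserProfile%,
%AppData%, %LocalAppData% and %Temp% are mapped to fixed paths under ROOT
instead of being read from this machine's environment.
"""
import hashlib
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_EXT = {".exe", ".dll"}   # the file types the post says to look for
MAX_DEPTH = 2                    # droppers sit in or just below these folders


def suspect_dirs(root):
    """The post's folder list mapped onto a mounted volume root."""
    root = Path(root)
    dirs = [root,                      # %SystemDrive%
            root / "Windows",          # %SystemRoot% / %WinDir%
            root / "ProgramData"]      # %ProgramData% / %AllUsersProfile%
    users = root / "Users"
    if users.is_dir():
        for profile in users.iterdir():            # one set per user profile
            if profile.is_dir():
                dirs += [profile,                                  # %UserProfile%
                         profile / "AppData" / "Roaming",          # %AppData%
                         profile / "AppData" / "Local",            # %LocalAppData%
                         profile / "AppData" / "Local" / "Temp"]   # %Temp%
    return [d for d in dirs if d.is_dir()]


def collect_entries(root, max_depth=MAX_DEPTH):
    """Yield (path, mtime, size) for files up to max_depth below each suspect dir."""
    seen = set()
    for base in suspect_dirs(root):
        base_depth = len(base.parts)
        for cur, subdirs, files in os.walk(base):
            if len(Path(cur).parts) - base_depth >= max_depth:
                subdirs[:] = []        # prune: do not descend any further
            for name in files:
                p = Path(cur) / name
                if p in seen:
                    continue
                seen.add(p)
                try:
                    st = p.stat()
                except OSError:        # unreadable or vanished entry
                    continue
                yield (str(p), st.st_mtime, st.st_size)


def window_from_note(note_mtime, hours_before=24, hours_after=1):
    """(start, end) epoch window around the ransom note's last-write time."""
    return (note_mtime - hours_before * 3600, note_mtime + hours_after * 3600)


def select_candidates(entries, window):
    """Keep .exe/.dll entries modified inside the window, newest first."""
    start, end = window
    hits = [e for e in entries
            if os.path.splitext(e[0])[1].lower() in SUSPECT_EXT
            and start <= e[1] <= end]
    return sorted(hits, key=lambda e: e[1], reverse=True)


def sha256_file(path):
    """Stream a file through SHA-256 without loading or executing it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    # usage: python find_dropper.py <mounted_root> <path_to_ransom_note_on_that_volume>
    root, note = sys.argv[1], sys.argv[2]
    window = window_from_note(os.stat(note).st_mtime)
    for path, mtime, size in select_candidates(collect_entries(root), window):
        when = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        print(f"{when}  {size:>10}  {sha256_file(path)}  {path}")
```

The candidate list is only a shortlist: anything on it should be hashed and checked against the anti-virus vendor's detections before being uploaded, and the file itself handled as a sample (zipped, never double-clicked) when it is sent to the researchers in this thread.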


#7 glenn_ITP (Topic Starter)

Posted 05 March 2018 - 03:07 AM

I totally forgot to get a sample... I'm sorry.



#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 05 March 2018 - 04:57 PM

Does that mean you are still going to try and submit a sample?


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#9 ruthay

Posted 18 April 2018 - 11:15 AM

Amigo-A, thank you for identifying my .WAITING ransomware as a new version of this one! I can still send you a copy of the ransom note through SendSpace, if you need it, but it requires an email address.

 

Are you still in need of a sample of the program? In an unfortunate turn of events, I fried the hard drives on that PC while trying to connect them to another computer to pull the un-encrypted data off. New PCBs are on the way, so when I get those disks back up, I will try to get you a sample. It will probably be in mid May sometime, as the PCBs are going to take 20 days to get here. Hopefully, I can get them working again.

 

Thanks again!



#10 Demonslay335 (Ransomware Hunter)

Posted 18 April 2018 - 12:15 PM

@ruthay

 

SendSpace does not require an email address. Just upload the file and share the link. Example instructions in the first post of this topic: https://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-exx-ezz-ecc-etc-decryption-support-requests/




#11 ruthay

Posted 18 April 2018 - 12:25 PM

@Demonslay335

 

Thanks, I missed that.

 

Link to note: https://www.sendspace.com/file/sykx4j


Edited by ruthay, 18 April 2018 - 12:37 PM.


#12 Amigo-A

Posted 19 April 2018 - 01:18 PM

ruthay
 
Thank you. I corrected the entries in the digest according to the new information.
 
Let's hope together with you that your files will be liberated. 

Edited by Amigo-A, 19 April 2018 - 01:20 PM.



#13 woji

Posted 06 June 2018 - 11:59 AM

Hello.

A new version is in the world ... extension .CONTACTUS 

 

 

note: !!!RESTORE_FILES!!!

 

 

All your important files were encrypted on this PC.
 
All files with .CONTACTUS extension are encrypted.
 
Encryption was produced using unique private key RSA-1024 generated for this computer.
 
To decrypt your files, you need to obtain private key + decrypt software.
 
To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
 
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
 
Price for decryption $600 if you contact us first 72 hours.
 
 
 
Your personal id:
 
pOVTnyE2aIwqpy9o6uXWfg00sCQC97ZuvP0cbURZ
 
 
 
E-mail address to contact us:
 
decryption@bitmessage.ch
 
Reserve e-mail address to contact us:
 
decryption@india.com
 
 
 
_____________
Unfortunately, no sample found ... only encrypted files :(
I have a backup, but it is very annoying.
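Identifying a variant from its note, as Demonslay335 and Amigo-A do above by eye, can be made mechanical. The following Python is an added example written for this thread; it is not code from the thread, from ID Ransomware or from the digest. It takes the two notes posted here (the .SUSPENDED note in post #1 and the .CONTACTUS note just above), pulls out the fields that change per victim or per variant (extension, note filename, e-mail addresses, personal ID, price) as indicators, and then scores what remains of the two notes for similarity, which is the "analogous text, same sum" judgement from post #3 expressed as a number. It also handles the quirk visible in the note above, where the extension name is spliced into the body ("you need to CONTACTUS us"). The field names, patterns, the third unrelated note used as a control, and the 0.9 threshold are this example's own choices.

```python
"""Pull indicators out of a STOP-family ransom note and compare notes by template.

Added example for this thread (not code from the thread, ID Ransomware or the
digest). The first two notes are the ones posted in this thread; the third is
a constructed, unrelated note used only as a negative control. Field names,
patterns and the similarity threshold are this example's own choices.
"""
import re
from difflib import SequenceMatcher

NOTE_SUSPENDED = """All your important files were encrypted on this PC.
All files with .SUSPENDED extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email suspendedfiles@bitmessage.ch send us an email your !!!RestoreProcess!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
5QDwX38ApBptxAvLONsohcyWyDsZhoeW15GuYzU5
E-mail address to contact us:
suspendedfiles@bitmessage.ch
Reserve email address to contact us:
suspendedfiles@india.com
"""

NOTE_CONTACTUS = """All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
pOVTnyE2aIwqpy9o6uXWfg00sCQC97ZuvP0cbURZ
E-mail address to contact us:
decryption@bitmessage.ch
Reserve e-mail address to contact us:
decryption@india.com
"""

# Constructed control: a note from an unrelated family must score low.
NOTE_UNRELATED = "Your files have been encrypted! Send 0.5 BTC to the address below and email your key ID to restore@example.invalid."

EXT_RE = re.compile(r"All files with (\.[A-Za-z0-9_]+) extension are encrypted")
NOTE_FILE_RE = re.compile(r"!!![^!\n]+!!!\.txt")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"Your personal id:\s*([A-Za-z0-9]{20,})", re.IGNORECASE)
PRICE_RE = re.compile(r"Price for decryption \$(\d+)")


def parse_note(text):
    """Extract the per-victim / per-variant fields (the indicators)."""
    ext, note_file = EXT_RE.search(text), NOTE_FILE_RE.search(text)
    pid, price = ID_RE.search(text), PRICE_RE.search(text)
    emails = []
    for m in EMAIL_RE.finditer(text):          # dedupe, keep first-seen order
        if m.group(0) not in emails:
            emails.append(m.group(0))
    return {"extension": ext.group(1) if ext else None,
            "note_file": note_file.group(0) if note_file else None,
            "emails": emails,
            "personal_id": pid.group(1) if pid else None,
            "price_usd": int(price.group(1)) if price else None}


def template_tokens(text):
    """Replace the variable fields with placeholders; tokenise the template left over."""
    f = parse_note(text)
    t = EMAIL_RE.sub("<EMAIL>", text)
    t = NOTE_FILE_RE.sub("<NOTEFILE>", t)
    if f["personal_id"]:
        t = t.replace(f["personal_id"], "<ID>")
    if f["extension"]:
        # STOP splices the bare extension into the body as well
        # (".CONTACTUS" -> "you need to CONTACTUS us"), so strip both forms.
        for form in (f["extension"], f["extension"][1:]):
            t = re.sub(re.escape(form), "<EXT>", t, flags=re.IGNORECASE)
    if f["price_usd"] is not None:
        t = t.replace(f"${f['price_usd']}", "<PRICE>")
    return t.lower().split()


def similarity(note_a, note_b):
    """Ratio in [0, 1] between the two notes' template text (1.0 = same template)."""
    a, b = template_tokens(note_a), template_tokens(note_b)
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


if __name__ == "__main__":
    for name, note in (("SUSPENDED", NOTE_SUSPENDED), ("CONTACTUS", NOTE_CONTACTUS)):
        print(name, parse_note(note))
    print("STOP vs STOP:     ", round(similarity(NOTE_SUSPENDED, NOTE_CONTACTUS), 3))
    print("STOP vs unrelated:", round(similarity(NOTE_SUSPENDED, NOTE_UNRELATED), 3))
```

The extracted fields are what you would hand to the researchers (and what ID Ransomware keys on), while the template score is what tells you the .CONTACTUS note is the same family as the .SUSPENDED one despite every indicator in it being different. A new variant that changes the wording itself, not just the fields, will score lower and should be treated as unidentified until a sample is analysed.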


#14 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 06 June 2018 - 03:23 PM

This variant was reported May 30th as noted here under === Update section === BLOCK OF UPDATES ===.

#15 Amigo-A

Posted 07 June 2018 - 02:02 AM

I added English text in the block of updates.
 
Unfortunately, I do not have any samples of this Crypto-Ransomware.
Perhaps the antivirus companies have these samples in their databases.
This encryption must be cracked. For this we need to find samples of this Crypto-Ransomware.





