Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PLZ help ..... bad ransomware 5K bounty


  • Please log in to reply
6 replies to this topic

#1 helpmeplz123

helpmeplz123

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 12 March 2018 - 07:51 AM

Can you help with this ransomware ? Do you have crazy skillz

my bitcoin wallet.dat is encrypted by it some ransomware unknown , if you can help I will give you $5000

I have attached 1 encrypted file on link below, if you can decrypt it , then you can decrypt my wallet.dat

https://ufile.io/sum9z  -- it was a png file of my QR code

hackers URL with instructions ... http://igza4c6icqzboodb.onion

use gate code to enter

GateCode:H1CreWiGz4cK

|--iGZa4C2015win ID:#Ez9Sfk6BsgKnnq9E0E8fdtiMpt2BcbYG#

here is my BTC address so you know im serious -
https://blockchain.info/address/13Lo5aZDZuEm4qVF478KfWJUvi9JCDngAx

I cant get anywhere with this thing , and I have some skillz ,

if many people help I will pay everyone a fair share.

thank you

EDIT: infected PC formatted and gone.
EDIT if you break the png file above your can break my wallet and get yourself paid.

 

I have been on a thread on BTC talk also . . if you google the onion address the hacker uses you will find my thread.

 

I am so tired and drained of this whole situation. Please see the BTC talk thread before asking dupe questions.

 

https://bitcointalk.org/index.php?topic=3079850

 

warmest regards



BC AdBot (Login to Remove)

 


#2 helpmeplz123

helpmeplz123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 12 March 2018 - 01:31 PM

2 more qr files , non public

 

https://ufile.io/p0ude

 

too many scammers claiming they done it , stupid really and pointless , the wallet is encrypted , helps no one !

 

I have been trying to ID this ransomware for  3 days.


Edited by helpmeplz123, 12 March 2018 - 01:31 PM.


#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:17 PM

Posted 12 March 2018 - 06:10 PM

I have not seen encrypted files in that format before, looks to be something new. We will need the malware executable in order to analyze it.

 

For reference, the encrypted file has a seemingly random extension that is mentioned on the Tor site, ".igza4c", and the encrypted file has the following format.

|--iGZa4C2015win ID:#Ez9Sfk6BsgKnnq9E0E8fdtiMpt2BcbYG# GateCode:H1CreWiGz4cK --|<base64>|--igza4c6icqzboodb.onion--|

With the encrypted contents being the "<base64>" portion. The decoded bytes are definitely encrypted, hard to tell by what algorithm, but looks to be a block cipher based on the size (e.g. AES). If it is something like AES, then the only hope of decryption will be finding a flaw in how the key is handled in the malware itself.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 helpmeplz123

helpmeplz123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 12 March 2018 - 08:28 PM

Thank you for looking at my case.

 

Was thinking the only chance was to exploit the TOR site.

 

something new from 2014 ? you see the dates on the site and read all the hacker bulls**t.

 

Do you think if I paid I would get the software needed ?


Edited by helpmeplz123, 12 March 2018 - 08:29 PM.


#5 helpmeplz123

helpmeplz123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 13 March 2018 - 05:06 AM

ttacker from site emailed me ..... see below

Hi! I'm sorry about the situation, but I'm not able to help you.
The main member of the team and this project ( head developer ) is currently unavailable and only he can modify the code and make the final decision, everything is automated... Personally, I'm not from this project (this is old project) but I am responsible for checking mails and communication. I am not responsible for contracting the price. The price for software is real big (for today) because the project from 2014, I'm really sorry... If you decide to pay, be sure to read the INFO file (MUST READ!)
Have a nice day and good luck
iGZa4Crew
#T1M0T1


My reply:

Im not going to pay ,
but contact your head deleloper and tell him I have 5-10K with his name
on it. Im sure he could send the software. I decrypt the wallet , and
the send BTC to an account of his choosing,
just pass on my message and email if you can , would be most gratful and
ofcourse when a deal is done I will send you a slice of the pie.
I would not mind using some trustworthy on BTC talk to escrow
between us. they get software I give wallet and pass , and we are all
very happy poeple.

Please pass on my message


Lets just see what happens now , but I am 100% not paying ! If I lose 10.5 BTC its not the end of the world. Even tho just 10K is alot of money to me. People need to learn that BTC crime wont pay.



#6 MarkMackerel

MarkMackerel

  • Malware Study Hall Sophomore
  • 81 posts
  • OFFLINE
  •  
  • Local time:12:17 AM

Posted 13 March 2018 - 06:05 AM

Please update on what happened. How did you get this ransomware? By browsing the darknet?

#7 helpmeplz123

helpmeplz123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 13 March 2018 - 07:44 AM

No Idea , I have a degree in software engineering so i'm not some n00b. I take my OPSEC serious. Its not like I clicked a link in an email or anything like that.

Its seems to be a new form of ransomware but from 2014. I only noticed that it also got my USB wallet backup when I needed some cash and BTC price went up.

My USB must have been in machine when infection took place. I think the ransomware went after all my wallet files only. No ransom note. no system lock out. Just encryption of appdata/roaming/

 

The TOR site says this ransomware has time delay triggers so they keep it online because infections will still happen from creation to unknown.


Edited by helpmeplz123, 13 March 2018 - 07:45 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users