
Read Me infection removal aftermath


This topic is locked. 6 replies to this topic.

#1 hateway


Posted 17 March 2018 - 04:45 PM

It all started with a 'Read Me' html file on the desktop that showed up in multiple files as well. As soon as it was clicked, got the ransomware flash. Removed many items with ESET Online Scanner, Malwarebytes and AdwCleaner on a Win 10 64-bit Dell Inspiron. Now all of the documents and photos say they are corrupted when you try to open them. Any suggestions? No restore points except the day of infection and today.


Many Thanks!


Edited by hamluis, 17 March 2018 - 04:46 PM.
Moved from MRL to Am I Infected - Hamluis.



#2 JSntgRvr

  • Malware Response Team

Posted 18 March 2018 - 09:53 AM

What does that 'Read Me' html file indicate? Post a screenshot of it.


Edited by JSntgRvr, 18 March 2018 - 09:54 AM.


#3 hateway

  • Topic Starter

  • Members
  • 163 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 PM

Posted 18 March 2018 - 02:01 PM

There are several text files simply called Read Me and here is what they say:

What has happened to my files ? Why i am seeing this ?
All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly. It does NOT mean they are damaged.

Solution
Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back. Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal.

So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.

Payment procedure
First try to open decrypter page in normal browser

Wait a few seconds, and site will open then enter your GUID mentioned below and process.

9817107723338B068D99C944FCA3FE76

If you failed to open links in normal browsers
Download a special browser called "TOR browser" and then open the given below link. Steps for the same are -

1. Go to https://www.torproject.org/download/download-easy.html.en to download the "TOR Browser".
2. Click the purple button which says "Download TOR Browser"
3. Run the downloaded file, and install it.
4. Once installation is completed, run the TOR browser by clicking the icon on Desktop.
5. Now click "Connect button", wait a few seconds, and the TOR browser will open.
6. Copy and paste the below link in the address bar of the TOR browser.

Now HIT "Enter"

7. Wait a few seconds, and site will open then enter your GUID mentioned below and process.

9817107723338B068D99C944FCA3FE76

If you have problems during installation or use of Tor Browser, please, visit Youtube and search for "Install Tor Browser Windows" and you will find a lot of videos.


#4 hateway

  • Topic Starter

  • Members
  • 163 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 PM

Posted 18 March 2018 - 02:20 PM


Following those instructions the user is presented with:


Sigma Ransomware


Your documents, photos, databases and other important files have been encrypted
Your Total number of files encrypted are 8797

To recover them you need the private key of the key pair used to encrypt them and the decryptor software.
You can buy both of them for $400.00

Within 7 days you can purchase this product at a special price: ≈ $400

After 7 days the price of this product will increase up to: ≈ $800

Final deadline is 17-05-2018 19:14:37 (after that you will lose your important files forever)

Once you pay full ransom in bitcoins and processed , you can download Sigma Decryptor from this page itself


  1. Register a bitcoin wallet.

    Create a Bitcoin Wallet (we recommend Blockchain.info) or other wallets (click here)

  2. Purchase the required amount of bitcoins.

    There are several ways you can buy bitcoins, you can use bitcoin exchanges (click here), buy directly from people selling near you (click here) or using a bitcoin ATM (click here) or With Credit Or Debit Card (click here)

  3. Send exactly $400.00 to the address:

    16NtitX22osDjtSVMTF5QZ4WaBHoirQHvM The confirmation may take several minutes, please be patient.

    Status: payment awaiting...

    This payment request is valid until 25-03-2018 19:14:37 UTC after that it will get double ≈ $800



In case of any problems with payment or having any other questions, please contact us via SUPPORT

I think I found the key in Application Data > Application Data > Microsoft > Crypto > RSA folder of their PCs for the private key.

There are 2 system files,
6ccffeebf26f3b53bf560ce3ebc894a3_d61de884-9754-4e06-8f47-71e8750096f0
and
dbe5a52f49f0c5500c270a9769f89b92_d61de884-9754-4e06-8f47-71e8750096f0

but I still don't know how or where to enter the key!


#5 JSntgRvr

  • Malware Response Team

Posted 18 March 2018 - 06:47 PM

Seems to me that the computer has been infected with the Sigma Ransomware.

For those who are infected with the Sigma Ransomware, there is currently no way to decrypt files for free. If you need assistance in removing the infection or would like to discuss the ransomware, you can use our dedicated Sigma Ransomware Help & Support topic.


I will notify a moderator in this regard.



#6 quietman7

  • Global Moderator

Posted 19 March 2018 - 06:26 AM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the above support topic discussion.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff

#7 Platypus

  • Moderator

Posted 19 March 2018 - 08:40 AM

Since the topic is now locked, hateway has forwarded their thanks in a report.

Edited by Platypus, 19 March 2018 - 08:43 AM.
