.RAR Ransomware (HACK.txt, burakozkaya083@gmail.com, forumkurdu74@gmail.com)


19 replies to this topic

#1 ecel

Posted 24 March 2018 - 01:01 PM

My computer was hacked by a CryptoLocker virus; C: and D: were compressed and encrypted into .rar. We paid the ransom they wanted, but they did not give the rar passwords. All recycling points were deleted. Recovery programs also bring files back corrupted. We are a small business; please help us with our staff accounts and current accounts in the RARs.

HACK.txt
SİZDEN 1000 $ İSTİORUUM (Turkish: "I want $1000 from you")
MAİL : guvenliwebicin@gmail.com (mail closed)

REFERANS NO : Qq!09CAq29CAq (reference no.)
After the hack, ransom mail: burakozkaya083@gmail.com
After the hack, ransom mail: forumkurdu74@gmail.com
Unable to determine ransomware.
Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 137e906896956721af8a7bd457c1830f4192b8fe

Edited by quietman7, 28 March 2018 - 03:56 PM.


#2 quietman7

Posted 24 March 2018 - 07:29 PM

Please be patient until Demonslay335 has a chance to review the case SHA1 you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment.

If it is something new, our crypto malware experts most likely will need a sample of the malware file itself to analyze. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.

These are some common folder variable locations where malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
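A triage script for the folder locations listed in the reply above, added here as an example and not part of the original post or of any BleepingComputer tool: it expands each variable, lists .exe and .dll files created or modified within a chosen time window (the thread mentions the archiving ran overnight), and records their SHA1 hashes so the files can be zipped and submitted. The 24-hour window, the recursion depth and the report path are assumptions; adjust them to the incident.

```powershell
# Added example (not from the original post): enumerate executables and DLLs
# created or modified within a time window in the folder locations listed
# above, and record their SHA1 hashes for submission with a sample.
# The window (24 hours), depth (3) and report path are assumptions.

$Hours      = 24
$Depth      = 3
$ReportPath = Join-Path $env:USERPROFILE 'Desktop\suspect-files.csv'
$Since      = (Get-Date).AddHours(-$Hours)

# Folder variables named in the post, expanded through the environment.
$Locations = @(
    $env:SystemDrive + '\'
    $env:SystemRoot
    $env:USERPROFILE
    Join-Path $env:USERPROFILE 'AppData\Roaming'
    $env:APPDATA
    $env:LOCALAPPDATA
    $env:ProgramData
    $env:TEMP
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

$Results = foreach ($Dir in $Locations) {
    # -Force includes hidden items, since %AppData% and friends are hidden.
    # -Depth keeps a full-disk walk out of the loop; raise it if needed.
    Get-ChildItem -Path $Dir -Include '*.exe','*.dll' -Recurse -Force -Depth $Depth `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [PSCustomObject]@{
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                SHA1         = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            }
        }
}

# Newest files first: an overnight infection shows up at the top of the list.
$Sorted = $Results | Sort-Object CreationTime -Descending
$Sorted | Export-Csv -Path $ReportPath -NoTypeInformation
$Sorted | Format-Table Path, CreationTime, SHA1 -AutoSize
```

Run it from an elevated PowerShell so %SystemRoot% and %ProgramData% are readable; the CSV is what you would attach, together with a zip of the flagged files, when uploading a sample.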

#3 ecel

Posted 25 March 2018 - 02:11 AM

(quoting quietman7's reply above)


I could not find anything, just the c.rar, d.rar and c2.rar files and the ransom note. All recycling points were deleted and the important files were in the RAR.

Edited by ecel, 25 March 2018 - 02:18 AM.


#4 Amigo-A

Posted 28 March 2018 - 01:33 PM

quietman7

Is it possible to somehow edit the first post of this topic so it is clear where the original text of the ransom note is?


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#5 quietman7

Posted 28 March 2018 - 03:56 PM

Done.

#6 ecel

Posted 29 March 2018 - 02:00 PM

There is no clue on the computer. Restore points were deleted, and the important files are in the .rar. Recovery programs cannot bring the important files back; all of it needs the corrupted rar passwords to be found. No method worked :( and the money we paid went to waste.

First mail: guvenliwebicin@gmail.com (mail closed)

The extensions of the files do not change; the HD folders are put directly into the rar. Recycling points are deleted. The PC was opened at 23:30; it started at 2:30 and finished.


Edited by ecel, 29 March 2018 - 02:13 PM.


#7 quietman7

Posted 29 March 2018 - 02:54 PM

We have had two other ransomware topics related to .RAR/WinRAR archives.

RAR Ransomware (realxakepok@bigmir.net) Ransomware turns docs into .RAR files
ROSHALOCK 2.00 (All_Your_Documents Ransomware) Support & Help Topic

#8 ecel

Posted 29 March 2018 - 03:38 PM

 

I am checking right now. I will report the results, thank you.


Edited by ecel, 29 March 2018 - 03:38 PM.


#9 ecel

Posted 29 March 2018 - 03:51 PM

I guess I'm very unlucky. There seems to be no solution. I am thankful for your contributions in all the answers. I hope to reach you with a result.



#10 quietman7

Posted 29 March 2018 - 06:03 PM

In cases where there is no free decryption tool, restoring from backup is not a viable option, and file recovery software does not work, the only other alternative to paying the ransom is to back up/save your encrypted data as is and wait for a possible solution...meaning that, while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Some criminals have even released the keys here at Bleeping Computer.

#11 Amigo-A

Posted 30 March 2018 - 01:40 AM

ecel

Please insert the entire text of the ransom note HACK.txt into your new message.
From the first post it is not clear where the text of the ransom note is.

Or upload the original ransom note at https://www.sendspace.com/
and then insert the link to the file into a new message.

Edited by Amigo-A, 30 March 2018 - 01:40 AM.



#12 ecel

Posted 30 March 2018 - 01:28 PM

 

(quoting Amigo-A's reply above)

Ransom note download link: https://www.sendspace.com/file/4nwurj

First ransom note:
SİZDEN 1000 $ İSTİORUUM (Turkish: "I want $1000 from you")
MAİL : guvenliwebicin@gmail.com

REFERANS NO : Qq!09CAq29CAq (reference no.)

Edited by ecel, 30 March 2018 - 01:34 PM.


#13 ecel

Posted 30 March 2018 - 01:31 PM

(quoting quietman7's reply above)

Okay, thank you.



#14 Amigo-A

Posted 30 March 2018 - 02:29 PM

(quoting the ransom note ecel posted above)

This is the whole text of the ransom-note?

 

Whose addresses are they?
burakozkaya083@gmail.com
forumkurdu74@gmail.com

 

 


Edited by Amigo-A, 30 March 2018 - 02:31 PM.



#15 ecel

Posted 31 March 2018 - 08:12 AM

 

(quoting Amigo-A's reply above)


Yes, this is the whole text. Those addresses are the ones that closed the first address and communicated with me. We made the payment to the first address, who told us they did not like us and cut down on communication.

Then burakozkaya083@gmail.com said that they had taken over our passwords. We received a mail and they wanted us to pay again, and wanted us to send mail to this address for communication: forumkurdu74@gmail.com

1. mail address: ransom note guvenliwebicin@gmail.com (closed after paying)

2. mail address: burakozkaya083@gmail.com (said to be the agent and to have taken over the passwords)

3. mail address: forumkurdu74@gmail.com (the last address to ask for payment; we proved that we sent a rar file that we had opened and sent a screenshot of the passwords)

 


Edited by ecel, 31 March 2018 - 08:25 AM.




