Infected on 06.06.2017 - unknown ransomware


8 replies to this topic

#1 alineduard

alineduard

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 25 March 2018 - 06:21 AM

Good day,

Being infected on 06.06.2017, I've managed to save a certain amount of data. Sadly, all of my work in Photoshop and Corel Painter was lost, photos and .psd/.riff alike.

I've tried all options in TrendMicro's RFDecryptor; some actually show files are infected, while some detect none of the selected ransomware. Nemucod, Telecrypt, Xorist and some others seem to be active, but no decryptor tool managed to decrypt the said files.

I post here a link towards a jpeg and a riff file that were infected:

https://www.sendspace.com/file/y596zy

https://www.sendspace.com/file/rgkn7i

Any suggestion would be appreciated.

Many thanks in advance, and have a nice day.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:57 AM

Posted 25 March 2018 - 06:56 AM

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware).

Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different? Some types of ransomware will completely rename, encrypt or even scramble file names while others do not append any extensions.
Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 alineduard

alineduard
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 25 March 2018 - 08:54 AM

Hi,

No ransom notes were ever attached to any of my encrypted files. It looks like I was lucky enough to notice the infection at the right time (my machine was extremely slow for two or three days now), and I started to back up my sane files. Almost all of my PDF, txt, jpg, video and music (mp3&4, ogg, etc.) and of course the restore points were attacked first, since I was unable to recover lots of personal data.

No email address either and no suspicious extension.

I do have clean versions of some of the corrupt jpeg files, which are uploaded to deviantart and some other sites, if that may help.

However, a detail: when I use decrypt_xorist.exe along with the member-provided key on those jpegs, and even on other files, it says the file is decrypted, and yet it's only renamed, due to a bug within the ransomware itself, as far as I understand. Those are hard times indeed if ransomwares too are buggy.

Thanks.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:57 AM

Posted 25 March 2018 - 04:06 PM

I know in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files so that is why it's important to identify what you are dealing with first. Without the above information I previously asked you about, our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if they can help.

#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:57 AM

Posted 26 March 2018 - 10:09 AM

Since there is no extension or file marker in the files, it will be impossible to identify without the malware itself or the ransom note. There is nothing further we can do at this point without either of those.

It definitely isn't Xorist; you will just get corrupted data throwing random decrypters at files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
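The questions in this thread about appended extensions and file markers (#2), the decrypter that reports "decrypted" but only renames (#3), and the lack of any extension or marker (#5) all reduce to one triage check: does a file's header still match its extension, or is its content ciphertext? The following Python script is an added example, not code from the thread or from any of the tools mentioned; the signature table and the sample files are constructed for illustration.

```python
import math
import os
import random
from collections import Counter

# Constructed table of leading signatures for the file types named in the thread.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",), ".psd": (b"8BPS",), ".riff": (b"RIFF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"), ".ogg": (b"OggS",),
    ".txt": (),  # no fixed signature: fall back to entropy alone
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits near 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, head: int = 4096) -> dict:
    """Classify one file from its extension, its leading bytes and head entropy."""
    ext = os.path.splitext(name)[1].lower()
    sigs = MAGIC.get(ext, ())
    header_ok = any(data.startswith(s) for s in sigs)
    ent = shannon_entropy(data[:head])
    if header_ok:
        verdict = "intact"                        # the normal decoder should open it
    elif ent > 7.5:
        verdict = "likely encrypted"              # renaming it back does not decrypt it
    elif sigs:
        verdict = "header mismatch, low entropy"  # truncated, corrupt or mislabelled
    else:
        verdict = "plausibly intact (no signature)"
    # The last bytes are where an appended file marker, if any, would sit.
    return {"ext": ext, "header_ok": header_ok, "entropy": round(ent, 2),
            "verdict": verdict, "trailer_hex": data[-16:].hex()}

def demo() -> dict:
    """Constructed samples standing in for the files discussed in the thread."""
    rnd = random.Random(1)
    ciphertext = bytes(rnd.getrandbits(8) for _ in range(4096))  # stand-in for an encrypted file
    samples = {
        "clean.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,       # genuine JPEG header
        "renamed.jpg": ciphertext,                               # ciphertext under a .jpg name
        "notes.txt": b"plain text, nothing encrypted here\n" * 20,
        "broken.pdf": b"\x00" * 200,                             # zeroed-out header
    }
    return {n: triage(n, d)["verdict"] for n, d in samples.items()}
```

A file that a decrypter reports as "decrypted" but that still scores "likely encrypted" here has only been renamed, which is the situation described in post #3.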


#6 alineduard

alineduard
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 01 April 2018 - 03:25 PM

Hi,

Many thanks for your time, then. These weren't vital files after all, but is it somehow dangerous to keep them in the eventuality of a future decryption? Who knows. To be more precise, could the fact that I download them (from Google Drive for instance) on my machine from time to time represent a potential danger?

Thanks.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:57 AM

Posted 01 April 2018 - 06:30 PM

In cases where there is no free decryption tool, restoring from backup is not a viable option and file recovery software does not work, the only other alternative to paying the ransom is to back up/save your encrypted data as is and wait for a possible solution...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope that someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Some criminals have even released the keys here at Bleeping Computer.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:57 AM

Posted 02 April 2018 - 12:43 PM

The encrypted files themselves are harmless. It will be impossible to ever identify without a ransom note or the malware itself though. You have to know what strain you are dealing with to know whether decryption is possible even if decrypters are released in the future.




#9 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:08:57 PM

Posted 03 April 2018 - 04:20 AM

alineduard

It is possible that the encryption work was not completed correctly; he did not have time to do something, for example, he did not add the extension to the files and did not leave you the ransom note.

Researchers also need the exe files of the encryptor.
Try to find them before you reinstall the system.
Use the file paths in Windows that I gave in this post.

Only DO NOT CLICK THESE FILES to see what they are!!!
The collected files must be submitted to specialists.
Use the special form for submitting malware on BleepingComputer.

Edited by Amigo-A, 03 April 2018 - 11:57 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Affected by a ransomware? Report it to me here.




