
Could not find Ransomware - Anyone can help to find out type and solution?


  • This topic is locked
3 replies to this topic

#1 riyajuweb


Posted 25 March 2018 - 02:02 PM

One of the new ransomware viruses affected our system and encrypted all files.

Attached herewith are encrypted files and demand txt files for reference.

But we could not find out which version this is and also what version of it.

Can anyone help us to find a solution for it?

Content of Demand txt Files:

====================================================================================================
decrypts@airmail.cc
====================================================================================================
Your files are encrypted!
Your personal identifier:
====================================================================================================
To decrypt files, please contact us by email:
decrypts@airmail.cc
====================================================================================================

 

File Attachment:

Demand Text File: https://ufile.io/liunb

Encrypted File: https://ufile.io/35l8m

 




 


#2 quietman7


Posted 25 March 2018 - 04:30 PM

A couple other victims reported the same here and here. We are still trying to confirm the infection.

Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Amigo-A


Posted 29 March 2018 - 03:13 AM

This is Scarab! I am 90% sure now that this is one of the new iterations of Scarab.

They cheat and change the note, but according to the files presented in the Russian forums, it is Scarab.

The ID is calculated in an analogous way.

I have compiled a separate description - Scarab-Decrypts Ransomware, since there is a lot of different visual data.
Probably, this is not one, but several different groups for different countries.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by ransomware? Report here.


#4 quietman7


Posted 09 April 2018 - 02:41 PM

@riyajuweb

Please do not use the Report Button to ask about updates... always ask in the topic you started.

Dr.Web may be able to decrypt some variants of Scarab Ransomware but they need the ransom note HOW TO RECOVER ENCRYPTED FILES - decrypts@airmail.cc.TXT and 3-4 encrypted files with the .doc extension as indicated here.

Updated Dr.Web policy regarding the recovery of ransomware-corrupted files (03/28/17): ...free data recovery is now only available to users of commercial Dr.Web licenses provided that the Dr.Web components responsible for reducing the risk of Trojan.Encoder-caused infections were properly configured and running at the moment of infection. If you're not a licensed user for a Dr.Web product you will have to pay for their services (Rescue Pack). Fees may vary depending on the infection and amount of data to be decrypted.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



