
WhiteRose Ransomware Support Topic (HOW-TO-RECOVERY-FILES.TXT)


62 replies to this topic

#1 Unzzy

Unzzy

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 03 April 2018 - 01:52 AM

If you have been hit by this ransomware, please PM Demonslay335 to receive help

Hi. Today my PC has been infected with WhiteRose.
Can you help me? Thanks.
Links to the files:
https://www.sendspace.com/file/0bmx78
https://www.sendspace.com/file/j0yt4c
https://www.sendspace.com/file/7s1dwq
https://www.sendspace.com/file/h6ove0


Edited by xXToffeeXx, 11 April 2018 - 08:27 AM.
Added contact for help




#2 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:07:36 PM

Posted 03 April 2018 - 03:58 AM

Researchers also need the exe files of the encryptor.
Try to find them before you reinstall the system.
These are the possible locations in Windows.
AppData is a hidden directory. You must first enable the display of hidden files.

Just DO NOT CLICK THESE FILES to see what they are!!!
The collected files must be submitted to specialists.
Please use only the special form for submitting malware on BleepingComputer.

%APPDATA% - Application Data files
➤ Windows Vista/7/8:
Disk:\Users\User_Name\AppData\Local\ =>
Disk:\Users\User_Name\AppData\Roaming\ =>
➤ Windows NT/2000/XP: 
Disk:\Documents and Settings\User_Name\Application Data\ =>
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\ =>
---
%TEMP% - Temporary files
%WinDir%\Temp\ =>
Disk:\Windows\Temp\ =>
%TEMP%\<random_name>\ 
%TEMP%\<random_name>.tmp\ 
%TEMP%\<random_name>.tmp\<random_name>\ 
Disk:\Users\User_Name\AppData\Local\Temp\ =>
Disk:\Users\User_Name\AppData\LocalLow\Temp\ =>
---
%WinDir% - Windows files
Disk:\Windows\ =>
Disk:\Windows\system32\ =>
---
Program files
Disk:\Program Files\ =>
Disk:\Program Files (x86)\ =>
Disk:\ProgramData\ =>
Disk:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ =>
---
Users files
Disk:\Users\User_Name\Desktop\ =>
Disk:\Users\User_Name\Documents\  =>
Disk:\Users\User_Name\Documents\Downloads\ =>
Disk:\Users\User_Name\Downloads\ =>
---
Recycler files
Disk:\Recycler\              
Disk:\$RECYCLE.BIN\   
Disk:\$RECYCLE.BIN\s-1-5-21-**********-***********-**********-1000   
---
Temporary Internet Files of Internet Explorer: 
➤ Windows Vista/7/8:
Disk:\Users\User_Name\Local\Microsoft\Windows\Temporary Internet Files\
Disk:\Users\User_Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
Disk:\Users\User_Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<random_name>\ (a-z, 0-9)
➤ Windows NT/2000/XP: 
Disk:\Documents and Settings\User_Name\Local Settings\Temporary Internet Files\ 
---
Temporary Internet Files of Google Chrome and Chromium:
➤ Windows 8, 7 or Vista
Google Chrome: 
Disk:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\
Chromium: 
Disk:\Users\User_Name\AppData\Local\Chromium\User Data\Default\
➤ Windows XP:
Google Chrome: 
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\User Data\Default\
Chromium: 
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\Chromium\User Data\Default\
---
Temporary Internet Files of Opera:
➤ Windows 8, 7:
Disk:\Users\User_Name\AppData\Local\Opera Software\Opera Stable\
Disk:\Users\User_Name\Roaming\Opera Software\Opera Stable\
---
Temporary Internet Files of Firefox:
➤ Windows 8, 7:
Disk:\Users\User_Name\AppData\Roaming\Mozilla\Firefox\Profiles\
---
Temporary Internet Files of Microsoft Edge
Disk:\Users\User_Name\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\

Edited by Amigo-A, 04 April 2018 - 02:16 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by ransomware? Report here. (The same request in Russian: affected by an encryptor? Let me know here.)

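The collection procedure in the post above (look in AppData, Temp, ProgramData, the user folders and the browser caches for the encryptor's executable, and hand it to researchers without running it) can be done in one pass. The script below is an added example, not code from the thread or from any of the tools the posters mention: it walks the listed locations, keeps only files that begin with the "MZ" executable header and were modified after a cut-off, and records the SHA-256 of each so the sample can be submitted. The directory list is an assumption derived from the post (Windows Vista and later layout); on a host where a variable does not expand, that entry is simply skipped.

```python
"""Sample-collection triage for the locations listed in the post above.

Added example, not code from the thread. It walks the candidate directories,
keeps only files that carry the 'MZ' executable header and were modified
after a cut-off time, and records their SHA-256 so they can be submitted to
researchers. Files are read, never executed. The directory list below is an
assumption derived from the post (Windows Vista and later layout)."""
import hashlib
import os
import sys
import time

# Environment variables are expanded at run time; directories that do not
# exist (for example on a non-Windows host) are skipped silently.
CANDIDATE_DIRS = [
    r"%LOCALAPPDATA%",
    r"%APPDATA%",
    r"%TEMP%",
    r"%WINDIR%\Temp",
    r"%PROGRAMDATA%",
    r"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%USERPROFILE%\Desktop",
    r"%USERPROFILE%\Documents",
    r"%USERPROFILE%\Downloads",
    r"%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files",
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default",
    r"%APPDATA%\Mozilla\Firefox\Profiles",
]


def is_pe_file(path):
    """True if the file begins with the DOS 'MZ' stub that every Windows
    executable and DLL carries, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    """Stream the file through SHA-256 (read in 1 MiB chunks)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_executables(roots, since_ts):
    """Return [(path, mtime, sha256)] for PE files under any root whose
    modification time is at or after since_ts, newest first."""
    found = []
    for root in roots:
        root = os.path.expandvars(root)
        if not os.path.isdir(root):
            continue
        for dirpath, _subdirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue
                if mtime >= since_ts and is_pe_file(path):
                    found.append((path, mtime, sha256_of(path)))
    return sorted(found, key=lambda entry: entry[1], reverse=True)


if __name__ == "__main__":
    # Usage: python triage.py [hours_back]   (default: last 48 hours)
    hours_back = float(sys.argv[1]) if len(sys.argv) > 1 else 48.0
    cutoff = time.time() - hours_back * 3600
    for path, mtime, digest in collect_executables(CANDIDATE_DIRS, cutoff):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(stamp, digest, path)
```

os.walk does not skip hidden directories, so AppData is covered without changing the Explorer setting. Two caveats: a modification time can be backdated by the malware, so widen the window if the last 48 hours show nothing; and a dropper that deleted itself after running (as the topic starter suspected) will not be on disk at all, which is why the AV quarantine and the Recycle Bin should be checked as well.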

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:36 AM

Posted 03 April 2018 - 07:21 AM

WhiteRose is new and was recently reported here by Michael Gillespie (aka Demonslay335).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 Unzzy

Unzzy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 03 April 2018 - 07:54 AM

Amigo-A wrote:
Researchers also need the exe files of the encryptor.
Try to find them before you reinstall the system.
These are the possible locations in Windows.

I found a backdoor, but can't find the exe of the decryptor yet. I'll try to restore deleted files and look among them. I saw "WHITE" in the process list, but I turned the PC off immediately.



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:36 AM

Posted 03 April 2018 - 07:59 AM

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.

#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:36 AM

Posted 03 April 2018 - 08:37 AM

We've secured a sample, and this looks decryptable. It may take me a few days to make a decrypter; I'm very busy.

If you have been hit by this ransomware, please PM me for free assistance in decrypting your files.


Edited by Demonslay335, 12 April 2018 - 06:21 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 manestevez

manestevez

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 03 April 2018 - 04:17 PM

Dear, do you need help?



#8 AACC-IT

AACC-IT

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 04 April 2018 - 12:32 AM

I have got infected by this damn ransomware too.

Any help appreciated.



#9 Unzzy

Unzzy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 04 April 2018 - 12:40 AM

manestevez wrote:
Dear, do you need help?

Yes, but I am communicating with Demonslay335, and he has started the first phase of the attack; now I'm waiting for results.



#10 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:07:36 PM

Posted 04 April 2018 - 02:32 AM

Those whose computer has suffered, look for files in accordance with post #2, before doing anything with your computer. 
Do not clean the RECYCLER and TEMP-folders. This can be done later.



#11 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:36 AM

Posted 04 April 2018 - 06:39 PM

I've been told Dr. Web may be able to help with this ransomware, so I'd advise checking with them. They usually charge a reasonable fee for their services, but they may be able to crack it faster than we currently can.

Otherwise, another researcher and I are able to help victims for free.

Also, a quick note on a bug that was pointed out to me: sometimes the malware may simply delete files instead of encrypting them. There's nothing that can be done about those files except possibly trying undelete software such as Recuva.


Edited by Demonslay335, 11 April 2018 - 08:30 AM.



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:36 AM

Posted 04 April 2018 - 07:01 PM

Updated Dr.Web policy regarding the recovery of ransomware-corrupted files (03/28/17): ...free data recovery is now only available to users of commercial Dr.Web licenses provided that the Dr.Web components responsible for reducing the risk of Trojan.Encoder-caused infections were properly configured and running at the moment of infection.

If you're not a licensed user for a Dr.Web product you will have to pay for their services (Rescue Pack) as noted by Demonslay335. Fees may vary depending on the infection and amount of data to be decrypted.



#13 Amigo-A

Amigo-A

  • Members
  • 416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:07:36 PM

Posted 05 April 2018 - 05:39 AM

The amount of the payment is within reason, if counted in Russian rubles.
The ratio of 60 R = 1 $ makes this amount even smaller.

Dr. Web

Edited by Amigo-A, 05 April 2018 - 05:40 AM.



#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:36 AM

Posted 05 April 2018 - 01:05 PM

For those infected with WhiteRose, have you determined how they gained access? Hacked RDP?

#15 Unzzy

Unzzy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 05 April 2018 - 01:42 PM

Grinler wrote:
For those infected with WhiteRose, have you determined how they gained access? Hacked RDP?

Yes.

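The exchange above ends at "hacked RDP" without saying how a victim would confirm it. The check below is an added example, not from the thread: it looks for the usual trace of an RDP break-in in the Windows Security log, a burst of failed logons (event ID 4625) from one source address followed by a successful RemoteInteractive logon (event ID 4624 with LogonType 10) from the same address. The event records are constructed for illustration and carry only the fields the check needs (timestamp, event ID, LogonType, IpAddress, TargetUserName); the thresholds are assumptions to tune per environment.

```python
"""Checking the 'hacked RDP' hypothesis from the Windows Security log.

Added example, not from the thread. It looks for the usual trace of an RDP
break-in: many failed logons (event 4625) from one source address followed
by a successful RemoteInteractive logon (event 4624, logon type 10) from the
same address. The events below are constructed for illustration and carry
only the fields the check needs."""
from collections import defaultdict
from datetime import datetime, timedelta

EV_FAIL = 4625      # An account failed to log on
EV_SUCCESS = 4624   # An account was successfully logged on
LOGON_RDP = 10      # LogonType 10 = RemoteInteractive (Terminal Services / RDP)


def _constructed_sample():
    """Constructed events: one brute-force source that eventually succeeds,
    one legitimate user who mistyped twice, and one local console logon."""
    base = datetime(2018, 4, 2, 22, 0, 0)
    names = ["administrator", "admin", "user", "backup", "scan"]
    events = []
    for i in range(30):  # 30 failures, 30 s apart, cycling through usernames
        events.append({"time": (base + timedelta(seconds=30 * i)).isoformat(),
                       "id": EV_FAIL, "logon_type": LOGON_RDP,
                       "ip": "203.0.113.45", "user": names[i % len(names)]})
    events.append({"time": (base + timedelta(minutes=16)).isoformat(),
                   "id": EV_SUCCESS, "logon_type": LOGON_RDP,
                   "ip": "203.0.113.45", "user": "administrator"})
    for i in range(2):   # a real user mistyping the password
        events.append({"time": (base + timedelta(hours=9, minutes=i)).isoformat(),
                       "id": EV_FAIL, "logon_type": LOGON_RDP,
                       "ip": "198.51.100.7", "user": "jsmith"})
    events.append({"time": (base + timedelta(hours=9, minutes=3)).isoformat(),
                   "id": EV_SUCCESS, "logon_type": LOGON_RDP,
                   "ip": "198.51.100.7", "user": "jsmith"})
    events.append({"time": (base + timedelta(hours=10)).isoformat(),
                   "id": EV_SUCCESS, "logon_type": 2,   # interactive console logon
                   "ip": "-", "user": "jsmith"})
    return events


SAMPLE_EVENTS = _constructed_sample()


def detect_rdp_compromise(events, max_failures=20, window=timedelta(hours=1)):
    """Return one finding per source IP that accumulated at least max_failures
    failed logons within `window` and then logged on successfully over RDP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev))

    findings = []
    for ip, timeline in by_ip.items():
        timeline.sort(key=lambda item: item[0])
        recent_failures = []   # (timestamp, username) within the sliding window
        for ts, ev in timeline:
            # Drop failures that fell out of the window relative to this event.
            recent_failures = [f for f in recent_failures if ts - f[0] <= window]
            if ev["id"] == EV_FAIL:
                recent_failures.append((ts, ev["user"]))
            elif ev["id"] == EV_SUCCESS and ev["logon_type"] == LOGON_RDP:
                if len(recent_failures) >= max_failures:
                    findings.append({
                        "ip": ip,
                        "user": ev["user"],
                        "success_at": ts.isoformat(),
                        "failed_before_success": len(recent_failures),
                        "usernames_tried": sorted({u for _, u in recent_failures}),
                    })
                recent_failures = []   # a success resets the run for this source
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_compromise(SAMPLE_EVENTS):
        print(finding)
```

On a real host the input comes from the Security log, for example `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml`, with the EventData fields IpAddress, LogonType and TargetUserName mapped onto the keys used above. Two caveats: an attacker who already holds valid credentials (bought, reused or phished) produces a successful 4624 with no preceding failures and is invisible to this check, so a type-10 logon from an unfamiliar address is worth a look on its own; and if the machine was wiped or the log was cleared (event ID 1102), the evidence is gone, which is one more reason to collect before reinstalling, as post #2 asks.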




