Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

unkown ransomware


  • Please log in to reply
8 replies to this topic

#1 mmhamdan

mmhamdan

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 26 April 2018 - 03:12 PM

Hello !

 

Greeting from Jordan, Please we need advise from you, recently we have infected with some unknown ransomware we tried  search on ID-ransomware website but nothing found. noting that ransomware has changed file name to be as the same as the old name but followed by .EmailAddress only as example old name was test.bat new became --> test.bat.greystars@protonmail.com ONLYY!!!  and leave an html file name as HOW-TO-RECOVER-YOUR-FILES.HTML.

 

 

 

Waiting your feedback



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:51 AM

Posted 26 April 2018 - 05:54 PM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png

Samples of encrypted files, ransom notes, any related files or suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to zip (compress) all files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Amigo-A

Amigo-A

  • Members
  • 585 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:08:51 PM

Posted 26 April 2018 - 08:44 PM

mmhamdan

 

Most likely, I know which encryptor has attacked your server.
 
Please download the HOW-TO-RECOVER-YOUR-FILES.HTML at the service https://www.sendspace.com/
Next you will this link paste here in a new message.  

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#4 mmhamdan

mmhamdan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 28 April 2018 - 09:43 AM

Thank you for your reply Kindly find SHA Key as below

 

SHA1: 6b8060ed73e39006b55c37e2f04a81191d241533

 

I have uploaded ransomware note with sample of infected file to the mentioned link

 

 

 

Thank you in Advance



#5 mmhamdan

mmhamdan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 28 April 2018 - 09:47 AM

Dear Amigo-A

 

appreciate your response to this topic. please check link as below.

 

www.sendspace.com/file/lo5rwr

 

Thank you in advance



#6 Amigo-A

Amigo-A

  • Members
  • 585 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:08:51 PM

Posted 28 April 2018 - 01:05 PM

mmhamdan
Thank you. Now I'm sure.
This coincided with the data that I received from the victims from China.
 
It is most likely that this is a new iteration of SamSam Ransomware, which attacks the computers around the world.
This is already in the 'Block of update' in this my article. I got it from the Chinese victims.

 

The same bitcoin-wallet
 
But experts need to check everything - find a encoder's sample to add an update to the SamCam group or to a new one group.
 
Until now, there is no known other ransomware who uses the jboss vulnerability to penetrate and attack around the world.
Jordan and China are far from each other and not have of common borders. But this Ransomware attack links them with a common problem. 

Edited by Amigo-A, 28 April 2018 - 02:47 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:51 AM

Posted 28 April 2018 - 04:25 PM


If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AllUserProfile%\
  • %AppData%\
  • %AppData%\Local\Temp\
  • %LocalAppData%\
  • %ProgramData%\
  • %Temp%\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:51 AM

Posted 29 April 2018 - 04:39 PM

I have to disagree, this doesn't look like SamSam at all, unless you can find a malware sample that matches.

 

I do not have that BTC address listed under SamSam, they've been operating the same known address since February. All known versions of SamSam prepend a wide-format XML node containing the encrypted key and IV to the encrypted file. Also, the note always mentions a price per machine versus a price for all machines, since they move laterally and encrypt every system on the network that they can. SamSam also has victims go thru a Tor page, never just an email address. The ransom note looks nothing like it either.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 Amigo-A

Amigo-A

  • Members
  • 585 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:08:51 PM

Posted 30 April 2018 - 03:21 AM

Since three visual elements do not coincide and the relation with it is not confirmed, I compiled a separate description for this Ransomware.

 

This descripted under Greystars Ransomware

 

In this case, the victims received one chance to return their files. :)


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users