Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Got Hit by .bid ransomware


  • This topic is locked This topic is locked
10 replies to this topic

#1 EngMarine

EngMarine

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:22 PM

Posted 14 May 2018 - 02:13 PM

Hi all 

 

today was the worst day in my job ever

 

we got hit by ransomware with file extension .bid with mail restoresales@airmail.cc

 

i've searched the internet for that extension but i found no solution 

 

we've got all our work encrypted  

 

there is no discussion about that type here so i made new thread 

 

any ideas what should we do except paying ?

 

 



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,743 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:22 PM

Posted 14 May 2018 - 03:37 PM


The best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to
ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png

Without the above information or if this is something new (or if there is no extension or filemarker in encrypted files), our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed. Samples of any suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 EngMarine

EngMarine
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:22 PM

Posted 15 May 2018 - 02:25 AM

The best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to
ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png

Without the above information or if this is something new (or if there is no extension or filemarker in encrypted files), our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed. Samples of any suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.

 

 

 

 

i made just like what you said and got this 

 

https://www.screencast.com/t/97JJ1JiDD

 

but it say that the extension is .cezar but the actual extension is .bid



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,743 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:22 PM

Posted 15 May 2018 - 05:24 AM

The Dharma .cezar identification was based on sample bytes and custom rule.

Did you upload (submit) both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the cyber-criminals?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 EngMarine

EngMarine
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:22 PM

Posted 15 May 2018 - 06:13 AM

The Dharma .cezar identification was based on sample bytes and custom rule.Did you upload (submit) both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the cyber-criminals?



Yes i did upload one encrypted file and the txt file

But why it shows extension differant from the actual one ??

#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:22 PM

Posted 15 May 2018 - 07:46 AM

Because that's a family of ransomware. There's like 10 different extensions for that same ransomware. It's Dharma and it is not decryptable. Restore from backups and never expose RDP to the web.

 

Also, you uploaded files with the extension .bipnot .bid. I will add it for future identifications.

 

dGtvdaa.png


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 EngMarine

EngMarine
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:22 PM

Posted 15 May 2018 - 07:54 AM

Because that's a family of ransomware. There's like 10 different extensions for that same ransomware. It's Dharma and it is not decryptable. Restore from backups and never expose RDP to the web.
 
Also, you uploaded files with the extension .bipnot .bid. I will add it for future identifications.
 
dGtvdaa.png


Thanks for help

But is there any hope it may be decrepted ?? Soon or later ?

I'm totally frustuated

#8 Amigo-A

Amigo-A

  • Members
  • 583 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:22 AM

Posted 15 May 2018 - 11:25 AM

EngMarine

Decrypting will be possible, if only the police grab extortioners for a "causal place"  out of them asylum and shake out of them it decryption keys.
Even at the very best, a lot of people will not be able to get their files back.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#9 EngMarine

EngMarine
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:22 PM

Posted 15 May 2018 - 11:38 AM

 

EngMarine

Decrypting will be possible, if only the police grab extortioners for a "causal place"  out of them asylum and shake out of them it decryption keys.
Even at the very best, a lot of people will not be able to get their files back.

 

 

 

so can i consider this as "yes there is hope" 

 

i saw many many deception tools for other types of ransomwares 

 

so i'm hoping just someone can release a fix for that soon 



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:22 PM

Posted 15 May 2018 - 12:54 PM

The only way to decrypt Dharma is like I said, with the criminal's RSA keys. Amigo-A is referring to yes, we can decrypt it if law enforcement were to catch the criminals and get the keys from them. But that is the only scenario. The encryption itself and key generation is secure, and has been since the very first iteration of CrySiS, which was only ever "cracked" because the criminals gave up the keys willingly (and randomly).


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,743 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:22 PM

Posted 15 May 2018 - 01:58 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users