Ransomware - .Backup extension - _HELP_INSTRUCTIONS.txt


7 replies to this topic

#1 JTMSupport


Posted 30 May 2018 - 01:21 AM

Howdy All,

One of our clients got hit last night and we're playing the recovery game.

ID Ransomware flags it as Cryptomix Revenge, but the .Backup extension doesn't seem to line up with this.

Able to upload both an encrypted and clean file if that would assist.

Ransom note follows:
Hello!

Attention! All Your data was encrypted!

For specific informartion, please send us an email with Your ID number:

backuppc @tuta.io

backuppc @protonmail.com

backuppc1 @protonmail.com

b4ckuppc1 @yandex.com

b4ckuppc2 @yandex.com

backuppc1 @dr.com

Please send email to all email addresses! We will help You as soon as possible!

IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!


DECRYPT-ID-85a1747b-672b-4627-8db3-d6b6c598fb2e number




#2 Emmanuel_ADC-Soft


Posted 30 May 2018 - 03:19 AM

Hello,

Please download with wetransfer.com the ransom note file and 2-3 encrypted .Backup sample files and write the wetransfer link here.

We will check and have a look at your case. Regards,

Emmanuel



#3 JTMSupport

  • Topic Starter


Posted 30 May 2018 - 04:49 AM

Thanks for the reply, Emmanuel_ADC-Soft,
Link below

https://wetransfer.com/downloads/fd3634ddd77f5bb8e58c6f93514724ce20180530092353/e2e267aa86f95988659f909622dbcec120180530092353/2d22c5




#4 quietman7


    Bleepin' Janitor



Posted 30 May 2018 - 05:48 AM


Our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed and ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AllUserProfile%\
  • %AppData%\
  • %AppData%\Local\Temp\
  • %LocalAppData%\
  • %ProgramData%\
  • %Temp%\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

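As an added example (not code from this thread or from BleepingComputer), the PowerShell triage script below walks the folder locations quietman7 lists, including hidden ones, and reports recently modified executables and DLLs with their signature status and SHA256 so the right files can be zipped and submitted. The 3-day look-back window and the per-user Videos folders (where JTMSupport's AV found BACKUP.EXE) are assumptions.

```powershell
# Added example: triage the common drop locations listed above for recently
# modified .exe/.dll files. Not part of the thread; run from an elevated shell.
# Assumptions: a 3-day look-back window and every profile's Videos folder
# (the thread reports the sample at %profiles%\videos\BACKUP.EXE).
param(
    [int]$LookBackDays = 3,
    [string]$ReportPath = "$env:USERPROFILE\Desktop\drop-location-triage.csv"
)

$cutoff = (Get-Date).AddDays(-$LookBackDays)

# Folder variables from the post, expanded for the current user. A variable
# that does not exist is left as "%Name%" by the expander and is skipped.
$rawLocations = @(
    '%SystemDrive%\', '%SystemRoot%\', '%UserProfile%\',
    '%UserProfile%\AppData\Roaming\', '%AllUsersProfile%\', '%AppData%\',
    '%AppData%\Local\Temp\', '%LocalAppData%\', '%ProgramData%\', '%Temp%\'
)
$locations = $rawLocations |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Where-Object { $_ -notmatch '^%' -and (Test-Path -LiteralPath $_) }
$locations += Get-ChildItem -Path "$env:SystemDrive\Users\*\Videos" -Directory -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
$locations = $locations | Sort-Object -Unique

$findings = foreach ($dir in $locations) {
    # -Force includes hidden/system items (the %AppData% case in the post);
    # -Depth 2 keeps the walk under %SystemDrive% bounded.
    Get-ChildItem -LiteralPath $dir -Include *.exe, *.dll -File -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned or hidden binaries first: those are the candidates worth zipping
# and uploading for analysis. Full results go to the CSV for the record.
$findings |
    Sort-Object @{Expression = { $_.Signature -ne 'Valid' }}, LastWriteTime -Descending |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$findings | Where-Object { $_.Signature -ne 'Valid' -or $_.Hidden } |
    Format-Table Path, LastWriteTime, Signature, SHA256 -AutoSize
```

Compare the reported hashes against what the AV quarantine log recorded before submitting, so the sample uploaded is the same file the scanner flagged.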

#5 JTMSupport

  • Topic Starter


Posted 30 May 2018 - 05:55 AM

Hi quietman7,

Our antivirus picked up the infected file in the following directory:

%profiles%\videos\BACKUP.EXE

The PC is powered down in our office at the moment, but I will have the file restored and uploaded for you tomorrow when I'm back in the office. Should be up by this time tomorrow at latest.



#6 Demonslay335


    Ransomware Hunter



Posted 30 May 2018 - 08:33 AM

ID Ransomware is correct, it's CryptoMix, especially since it was matching on the filemarker. You just had a new extension we had not seen with a sample before. We've secured a malware sample that confirms this is CryptoMix.

https://twitter.com/malwrhunterteam/status/1001786498428088320


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 Emmanuel_ADC-Soft



Posted 30 May 2018 - 09:46 AM

Hello JTMSupport,

Can you send us the trojan or encoder and the infected file in the following directory: %profiles%\videos\BACKUP.EXE

Zip the file with a password and send it with wetransfer.com. We will have a look at it at Dr.Web.

Thank you. Kind regards,

Emmanuel



#8 quietman7


    Bleepin' Janitor



Posted 30 May 2018 - 03:19 PM

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion.


To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
 





