
Any experience with simple_decrypt@qq.com ?


  • This topic is locked
6 replies to this topic

#1 Leeron

Leeron

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 10 June 2018 - 02:36 PM

Got infected with this last week and there's one important file that wasn't backed up. :(

 

Is this new or a variant of a known one?




 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:18 AM

Posted 10 June 2018 - 03:59 PM

You need to upload an encrypted file and ransom note to ID Ransomware in order to identify it. Just saying the email address is not enough to know exactly what variant it is, as several actors use the same email address between ransomware variants...


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Leeron

Leeron
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 11 June 2018 - 03:44 AM

Here is the ransom instruction email:

 

1.  Calculation of decoding cost
The cost of decryption for you is "0.6"  bitcoin. (Bitcoin is a form of digital currency)
0.6 bitcoin it`s a fixed cost for first key. 
Every next keys cost 0.05 bitcoin
All externall drives (USB or NAS or another) it`s different keys.
One key can decrypt 1 computer or server.
If you have NAS it`s another 1 key.
If you have USB it`s another 1 key.
Any EXTERNAL DRIVES (USB or NAS or another) it`s another 1 key.
Examples: If you have 1 server. 1 computer with many local disk. 1 Nas and 1 USB. It`s 4 keys.
Total price: 0.6+0.05+0.05+0.05 = .75 bitcoins.

2.  Attention!
Do not rename encrypted files. 
Do not try to decrypt your data using third party software, it may cause permanent data loss. 
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 

3.  Free decryption as guarantee
You can send us up to 3 files for free decryption. The total size of files must be less than 1 Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 

4.  Decryption process:
To decrypt the files, transfer money to our bitcoin wallet number: "1EGB5Qqa1Z6LT8LriPY4YQamPGzEwLFxgN". As we receive the money we will send you:
1.     Decryption program.
2.     Detailed instruction for decryption. 
3.     And individual keys for decrypting your files.

5.  The process of buying bitcoins:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/ 



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:18 AM

Posted 11 June 2018 - 05:35 AM

As noted by Demonslay335, please submit (upload) a sample of encrypted files, the ransom note and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Post the results in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 Leeron

Leeron
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 11 June 2018 - 09:44 AM

It does not appear that I am able to upload documents to this thread.

 

An example of a document name is:

 

NEW PATIENT CHECK IN.doc.id-9ACE3897.[simple_decrypt@qq.com].arrow 



#6 thyrex

thyrex

  • Members
  • 573 posts
  • ONLINE
  • Gender:Male
  • Location:Belarus
  • Local time:06:18 PM

Posted 11 June 2018 - 10:15 AM

It's Dharma (CrySis). No chances.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016
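Added example (not part of any post in this thread, and not BleepingComputer or ID Ransomware code): a small triage script that inventories files renamed in the style of the name quoted in post #5, recovering the original name, the ID, the contact address and the appended extension so the details can be recorded before samples are submitted for identification. The pattern is an assumption inferred from that single file name; the folder paths and every sample entry except the first file name are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed layout, inferred from the one file name quoted in this thread:
#   <original name>.id-<8 hex digits>.[<contact e-mail>].<appended extension>
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_name(path):
    """Split a renamed file into its fields; return None if it does not match."""
    m = RENAMED.match(PureWindowsPath(path).name.strip())
    if m is None:
        return None
    info = m.groupdict()
    info["victim_id"] = info["victim_id"].upper()
    return info


def inventory(paths):
    """Group matching files by (ID, contact, extension); list the rest separately."""
    groups, untouched = defaultdict(list), []
    for p in paths:
        info = parse_name(p)
        if info is None:
            untouched.append(p)
        else:
            key = (info["victim_id"], info["contact"], info["ext"])
            groups[key].append(info["original"])
    return dict(groups), untouched


# Constructed listing: only the first file name comes from the thread.
SAMPLE = [
    r"D:\Front Desk\NEW PATIENT CHECK IN.doc.id-9ACE3897.[simple_decrypt@qq.com].arrow",
    r"D:\Front Desk\schedule.xlsx.id-9ace3897.[simple_decrypt@qq.com].arrow",
    r"D:\Front Desk\readme.txt",
    r"D:\Front Desk\report.id-12345.[draft].docx",
]

if __name__ == "__main__":
    groups, untouched = inventory(SAMPLE)
    for (vid, contact, ext), names in groups.items():
        print(f"id={vid} contact={contact} ext=.{ext}: {len(names)} file(s)")
        for n in names:
            print("   original name:", n)
    print("not matching the pattern:", untouched)
```
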


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:18 AM

Posted 11 June 2018 - 12:47 PM

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



