

Zipper ransomware Help!


10 replies to this topic

#1 flaNdeRs


Posted 19 June 2018 - 08:54 AM

Hi,

I was recently hit with the “Zipper” ransomware where all my files were zipped. Due to not having a backup, I decided to take the chance in paying the small ransom fee for their decryption.

Surprisingly, I was provided the decryptor and the private key and I was able to unzip all my files. Upon further investigation, I discovered that many files were missing. Going back to the original hard disk that was affected, I can see they were also missing here. I ran a disk recovery scan using one of the many well-known tools available and I can see all the missing files. What I think has happened here is that I managed to stop the ransomware mid-encryption; as part of this it encrypts the files and deletes the originals, and therefore files are missing.

After recovering these files, I’ve found that they’re corrupted/damaged. I inspected the file headers of these files as they don’t appear to look correct and look encrypted.

How could I repair/decrypt these files? I have the private key.

The decryption software provided originally only decrypts the .zip files, so I'm not sure how to explicitly use my private key against some .pdf and .doc documents?


Edited by hamluis, 19 June 2018 - 09:06 AM.
Moved from MRA to Ransomware - Hamluis.
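A triage check for the situation flaNdeRs describes above (files carved back by an undelete tool whose headers "don't appear to look correct"), as an added example that is not code from the thread or from any tool mentioned in it. It compares each file's leading bytes with the signature of the format its extension claims and measures byte entropy, so that intact files, files of the wrong type, encrypted or compressed blobs, and zero-filled clusters can be sorted into separate piles before anyone reaches for a private key. The sample files, the 7.5 bits/byte cut-off, and the signature table are constructed for this example.

```python
"""Triage files recovered with an undelete tool after a ransomware incident.

Two cheap checks per file:
  1. Do the first bytes match the signature (magic) of the type the file
     extension claims?  A .doc that no longer starts with the OLE2 signature
     has been overwritten, truncated, or encrypted.
  2. Shannon entropy of the content.  Ciphertext and compressed data sit near
     8 bits/byte; an overwritten or zero-filled cluster sits near 0.
The thresholds and sample files below are constructed for this example.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Signatures for the formats mentioned in the thread.
MAGIC = {
    "zip": b"PK\x03\x04",                        # ZIP local file header
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy .doc)
}
HIGH_ENTROPY = 7.5  # assumed cut-off, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Return the format whose signature the data starts with, else 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(data: bytes, expected: str) -> dict:
    """Compare the header against the expected type and classify the content."""
    found = identify(data)
    ent = shannon_entropy(data)
    if found == expected:
        verdict = "header ok"
    elif found != "unknown":
        verdict = f"header is {found}, not {expected}"
    elif ent > HIGH_ENTROPY:
        verdict = "no known header, high entropy: likely encrypted or compressed"
    else:
        verdict = "no known header, low entropy: probably truncated or overwritten"
    return {"found": found, "entropy": round(ent, 2), "verdict": verdict}


# --- constructed sample inputs (not real files from the incident) -----------
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("report.txt", "quarterly figures\n")
SAMPLE_ZIP = _buf.getvalue()

# Deterministic pseudo-random bytes standing in for an encrypted blob.
SAMPLE_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

# A cluster the filesystem reused and zero-filled before recovery.
SAMPLE_ZEROED = b"\x00" * 512

if __name__ == "__main__":
    for label, data, expected in [
        ("intact.pdf", SAMPLE_PDF, "pdf"),
        ("renamed.pdf (really a zip)", SAMPLE_ZIP, "pdf"),
        ("recovered.doc", SAMPLE_BLOB, "doc"),
        ("recovered2.doc", SAMPLE_ZEROED, "doc"),
    ]:
        print(f"{label:28} {triage(data, expected)}")
```

The header comparison is the decisive check: a ZIP archive full of PDFs is itself high-entropy after its first few bytes, so entropy alone cannot tell "compressed by the ransomware" from "encrypted by the ransomware", and a file whose header is intact but whose tail is garbage will still pass. Treat the verdicts as a sorting aid for what to hand to an analyst, not as proof of encryption.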



#2 Harry_Baker


Posted 19 June 2018 - 09:30 AM

Hi flaNdeRs,

 

Not really sure how to fix the files, but the worst thing to do really is to pay the ransom. You may have decrypted your files, but there is most likely still a back door on your machine that they are going to use to strike again a few months down the line. I suggest running a Malwarebytes scan to ensure that there is nothing nasty still lurking on your machine.

 

Make sure your machine is fully clean before trying to get everything back up and running again.



#3 flaNdeRs


Posted 19 June 2018 - 10:14 AM

It was a virtual disk, so I cloned it, deleted the original and attached the clone to an air-gapped VM not on the network to decrypt the files. This VM has since been deleted also.



#4 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 19 June 2018 - 05:23 PM

Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation?

Without the above information, or if this is something new (or there is no extension or filemarker in encrypted files), our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.

You can also submit the decrypter they sent you to the same link above along with a few encrypted files, the private key and anything else the malware writers provide. Our crypto malware experts may be able to get some information to exploit by analyzing it further.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 flaNdeRs

flaNdeRs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 21 June 2018 - 11:15 AM


Ransom note & email address -
Your files have been compressed!
To recover them, you need a security key.
 
If you're really interested in their recovery, please submit your code for reference: 
For the email: zip@email.tg or to our alternative email: contactfileszip@email.tg
 
Your contact will be responded to as soon as possible, and if necessary offered a guarantee of recovery of the files.
 
Yes I did upload to ID Ransomware and it confirmed one called 'Zipper'
 
I have submitted a damaged/encrypted document along with the key.


#6 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 21 June 2018 - 12:20 PM

Can you also provide any decrypter or executables they provided?

 

The key you uploaded is an RSA-2048 private key, but the file looks like it may be almost a zip archive (containing a few PDFs and the ransom note, according to strings in it). I haven't personally heard of encrypting an archive with RSA using a known tool, so it may be something custom the malware does.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#7 flaNdeRs

flaNdeRs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 22 June 2018 - 03:44 AM


 


I have uploaded the unzip/decrypt tool provided.



#8 flaNdeRs

flaNdeRs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 26 June 2018 - 05:20 AM

Any feedback on this?



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:15 PM

Posted 26 June 2018 - 05:26 AM

Please be patient. Demonslay335 is a volunteer and he is inundated with numerous support requests and it may take some time to get a reply.

#10 flaNdeRs

flaNdeRs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 26 June 2018 - 05:46 AM

No worries. Thank you very much :)



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:15 PM

Posted 26 June 2018 - 06:22 AM

You're welcome.



