Possible Cerber Infection


This topic is locked
9 replies to this topic

#1 Vincus86 (Members, 9 posts)

Posted 25 June 2018 - 03:40 PM

We were compromised and the ransomware variant did not change the filenames. I have what I believe to be the deployment package in a RAR, as I was able to interrupt the bad actor mid-act. Please advise what information is needed to further this investigation and see if a possible decryptor is available for the files that were affected.

#2 Vincus86 (Topic Starter, Members, 9 posts)

Posted 25 June 2018 - 03:47 PM

Further information:

XORIST is what ID Ransomware detects from the note, but no match was found with the file upload, and the decrypter from Emsisoft did not work on the server.



#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,768 posts, Virginia, USA)

Posted 25 June 2018 - 05:35 PM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AllUserProfile%\
  • %AppData%\
  • %AppData%\Local\Temp\
  • %LocalAppData%\
  • %ProgramData%\
  • %Temp%\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
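A triage helper for the folder check quietman7 describes in the post above, added here as an example; it is not code from the thread or from BleepingComputer. It assumes an elevated PowerShell session on the affected host and uses a constructed 7-day look-back window; it only lists and hashes files so the responder can decide what to zip and submit.

```powershell
# Added example (not from the thread): list recently modified executables and
# DLLs in the folder locations quietman7 lists, including hidden ones, so a
# responder can see what to zip and submit for analysis.
# Assumptions: elevated PowerShell on the affected host; $Days (7) is a
# constructed look-back window, adjust it to the incident timeline.
param([int]$Days = 7)

# Folder variables exactly as given in the post. Any name that does not expand
# (for example a mistyped variable) is skipped rather than scanned as a literal.
$locations = @(
    '%SystemDrive%\', '%SystemRoot%\', '%UserProfile%\',
    '%UserProfile%\AppData\Roaming\', '%AllUserProfile%\', '%AppData%\',
    '%AppData%\Local\Temp\', '%LocalAppData%\', '%ProgramData%\', '%Temp%\'
)

$since = (Get-Date).AddDays(-$Days)
$results = foreach ($loc in $locations) {
    $path = [Environment]::ExpandEnvironmentVariables($loc)
    if ($path -like '*%*' -or -not (Test-Path -LiteralPath $path)) { continue }

    # -Force includes hidden/system items (the post notes %AppData% is hidden);
    # -Depth keeps the system-drive walk bounded and quick.
    Get-ChildItem -LiteralPath $path -Include *.exe, *.dll, *.scr `
        -Recurse -Depth 2 -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [PSCustomObject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Size          = $_.Length
                # Hash lets the analyst match the sample to an ID Ransomware upload
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                    -ErrorAction SilentlyContinue).Hash
                # Unsigned binaries in user-writable folders deserve a closer look
                Signature     = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
}

# Newest first on screen, full list to a CSV for the support topic
$results | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\recent-binaries.csv"
```

The AV history and quarantine check from the same post is still done by hand; this script only covers the file-system side.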

#4 Vincus86 (Topic Starter, Members, 9 posts)

Posted 25 June 2018 - 07:21 PM

Malware was located as we literally caught the bad actor during deployment. I have uploaded the payload as requested. Please let me know if any additional information is required.



#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,768 posts, Virginia, USA)

Posted 25 June 2018 - 07:57 PM

Ok. After our volunteer experts have examined submitted files, they typically reply in a support topic if they can assist or need further information.

#6 thyrex (Members, 586 posts, Belarus)

Posted 25 June 2018 - 11:46 PM

@Vincus86

Please upload any encrypted doc or docx file to https://sendspace.com and send the download link here.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#7 Vincus86 (Topic Starter, Members, 9 posts)

Posted 25 June 2018 - 11:57 PM

Please see the attached.

https://www.sendspace.com/filegroup/kDFm%2BSOF5uWbaejsW6Jh9C84PkN%2FUZ7j

There are very few with altered extensions, as with the first file. Most affected files still have the original filename/extension intact.



#8 thyrex (Members, 586 posts, Belarus)

Posted 26 June 2018 - 12:18 AM

Yes, it's Xorist. It isn't necessary to delete the new extension.



#9 thyrex (Members, 586 posts, Belarus)

Posted 26 June 2018 - 02:35 AM

Your decryption key: https://www.sendspace.com/file/nqui39

Before decryption you need to manually change the extension of the encrypted files to ...FILES_ARE_SAFE_THE_SIGNLE_AND_UNIQ_WAY_TO_RECOVER_YOUR_FILES_IS_TO_BUY_THE_CERBER_DECRYPTOR_PROGRAM_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOUR_OR_ALL_YOUR_FILES_WILL_BE_LOST_FORVER_PLEASE_BE_REZONABLE_AND_MAKE_THE_PAYMENT_URGENTLY



#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,768 posts, Virginia, USA)

Posted 26 June 2018 - 05:24 AM

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
