
Nozelesn Ransomware Support & Help Topic - .nozelesn & HOW_FIX_NOZELESN_FILES.htm


54 replies to this topic

#46 quietman7 (Global Moderator)

Posted 11 July 2018 - 05:50 AM

Yes...most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain.

There is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



#47 djf-bfi (Member)

Posted 11 July 2018 - 08:18 AM

One of our work computers in Syracuse, NY became infected with this on July 2nd. Currently I have all the infected files that are of high importance saved on a thumb drive. It was going to cost us around $6000.00 to unlock the files, which we have been advised and read not to do. Is there any chance someone will be able to decrypt them?



#48 yourguide (Member)

Posted 11 July 2018 - 05:19 PM

I have uploaded samples of encrypted files and the ransom note to https://www.nomoreransom.org/en/index.html  
I am still hoping someone will find a cure for this as my client has a lot of files I need to decrypt that were not backed up on a NAS shared volume....  so no shadow copy. :(


Edited by yourguide, 11 July 2018 - 05:20 PM.


#49 quietman7 (Global Moderator)

Posted 11 July 2018 - 05:20 PM

We have no way of knowing when or if a free decryption solution will ever be available and we can never guarantee if any ransomware can be decrypted without paying the ransom to the criminals or by paying them. Decryption depends on what ransomware infection you are dealing with, the type of encryption used by the malware writers and a variety of other factors as explained here and the fact that the criminal's key is not generated on the victim's computer ensuring it is much harder to break. In most cases, unless the criminals are found and arrested by the authorities, and/or the keys are recovered then provided to the public, there is no possibility that anyone can provide a decryption tool. However, there have been a few instances where the cyber-criminals, for whatever reason, chose to release the master keys after a period of time but that too is not a guarantee.

There are a lot of dedicated people who research, analyze and investigate crypto malware as well as provide expert assistance to victims of ransomware infections...Grinler (the site owner of Bleeping Computer), Fabian Wosar (the head of Emsisoft's malware lab), xXToffeeXx (who works with Fabian), Demonslay335, BloodDolly, and Nathan (DecrypterFixer) to name a few.

Each of them has created or been involved in creating various decryption tools which have helped many victims recover their files but they can't perform miracles.

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page.

#50 Missduck (Member)

Posted 11 July 2018 - 06:22 PM

I have been hit with Nozelesn on all of my files. I am on Windows 10. I don't know how I received this ransomware. They are asking for .5 bitcoin. I received the Nozelesn yesterday. All files were appended with .nozelesn. Today all files have music notes as their description without Nozelesn. If I click on the file, iTunes tries to open. 2 questions: Has anyone paid and successfully removed this threat? And does anyone have the music note iTunes experience that I am having? I need help. Thank you.

#51 KGTKyleG (Member)

Posted 12 July 2018 - 02:14 PM

INSTANCE REPORT:  7/12/2018  JAMESTOWN, NY

 

Instance appears to have originated from an email, received today from [savings4u786{at}gmail]. Files have been "encrypted" into [.nozelesn] filetype and the [.htm] instruction file is on the Desktop, with a creation date of 6/1/2018. Email has been reported to Google for violation of Policies and Usage Terms. Currently attempting offline System Restore to an automatic update point from 7/9/2018, after which we will scan with Malwarebytes, MWB Anti-Exploit, MWB Adware, Spybot, Avast! and CCleaner. Will report back with a progress update on completion.

 

Here is the original source view of the email, our address redacted:

 

<--//-->

 

Return-Path: savings4u786@gmail.com
Received: from mx08.aqua.bos.sync.lan (LHLO mx.windstream.net) (10.80.44.48)
by md01.aqua.sync.lan with LMTP; Thu, 12 Jul 2018 11:55:47 -0400 (EDT)
Return-Path:
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=ZrWvEJzG c=1 sm=1 tr=0 a=oCO1Z5GD4lDFvIgABZT88g==:117 a=x7bEGLp0ZPQA:10 a=fw05-dlVrhcA:10 a=R9QF1RCXAYgA:10 a=pGLkceISAAAA:8 a=nve3eLd05VS1FAXI4QQA:9 a=QEXdDO2ut3YA:10 a=f8GgLdF9ijIA:10 a=Dx_Y9rmMTZIA:10 a=7qa4SiS-WIYA:10 a=ewIitsSyzYqgakYlDTkA:9 a=H0vwJqlGNs-OWHwX:21
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [209.85.161.182] (helo=mail-yw0-f182.google.com)
Received: from [209.85.161.182] ([209.85.161.182:39892] helo=mail-yw0-f182.google.com)
    by mx.windstream.net (envelope-from )
    (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
    id EA/6F-10667-30A774B5; Thu, 12 Jul 2018 11:55:47 -0400
Received: by mail-yw0-f182.google.com with SMTP id r184-v6so5251735ywg.6
for ; Thu, 12 Jul 2018 08:55:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=CVPXFWHH8Q5UEok7HJQHKSpcXi6XAhxdBswrJF5Ad1g=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=CVPXFWHH8Q5UEok7HJQHKSpcXi6XAhxdBswrJF5Ad1g=;
X-Received: by 2002:a81:7905:: with SMTP id u5-v6mr1391200ywc.285.1531410947075;
Thu, 12 Jul 2018 08:55:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:8705:0:0:0:0:0 with HTTP; Thu, 12 Jul 2018 08:55:46
-0700 (PDT)
From: Mubina Ladak
Date: Thu, 12 Jul 2018 11:55:46 -0400
Message-ID:
Subject: Setting up a retail account
To: xxxxxxx@windstream.net
Content-Type: multipart/alternative; boundary="0000000000008173b30570cf65d3"

--0000000000008173b30570cf65d3
Content-Type: text/plain; charset="UTF-8"

Hello,

My name is Mubina Ladak from Savings 4 You in Elmont, NY. We are
interested in setting up an account with your company. We are currently
primary Amazon re-sellers and are looking to expand to selling on other
platforms in the near future. Please let me know what paperwork is
required for me to get started. Any questions please call me at
(516)503-1388.

Thank you in advance for our assistance.

Mubina Ladak
Savings 4 You
Savings4u786@gmail.com
(516)503-1388

--0000000000008173b30570cf65d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
 

Hello,
 
My name is Mubina Ladak from Sav=
ings 4 You in Elmont, NY.=C2=A0 We are interested in setting up an account =
with your company. We are currently primary Amazon re-sellers and are looki=
ng to expand to selling on other platforms in the near future.=C2=A0 Please=
let me know what paperwork is required for me to get started. Any question=
s please call me at (516)503-1388.
 
Thank you in ad=
vance for our assistance.
 
Mubina Ladak
S=
avings 4 You
 

--0000000000008173b30570cf65d3--

 

<--//-->
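
A header and MIME triage of the message posted above, as an added example that is not part of the original post: it reads the origin headers and lists the body parts, attachments and links a responder would check first. The sample is constructed from header values shown in the post; the From address is an assumption taken from the Return-Path line, and the DKIM domain is only read from the header, not cryptographically verified.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: header values copied from the post above and trimmed.
# Assumption: the From address (lost in the post) reuses the Return-Path value.
SAMPLE = """\
Return-Path: <savings4u786@gmail.com>
Received: from [209.85.161.182] (helo=mail-yw0-f182.google.com)
 by mx.windstream.net with ESMTP; Thu, 12 Jul 2018 11:55:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025
From: Mubina Ladak <savings4u786@gmail.com>
Subject: Setting up a retail account
Content-Type: multipart/alternative; boundary="0000000000008173b30570cf65d3"

--0000000000008173b30570cf65d3
Content-Type: text/plain; charset="UTF-8"

Please let me know what paperwork is required for me to get started.

--0000000000008173b30570cf65d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div>Please let me know what paperwork is re=
quired for me to get started.</div>

--0000000000008173b30570cf65d3--
"""

def triage(raw):  # summarise origin headers and MIME payload of one message
    msg = message_from_string(raw, policy=default)
    dom = lambda h: parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
    dkim = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    parts, urls = [], []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        parts.append((part.get_content_type(), part.get_filename()))
        if part.get_content_maintype() == "text":  # search decoded text for links
            urls += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
    return {
        "from_domain": dom("From"),
        "return_path_domain": dom("Return-Path"),
        "dkim_domain": dkim.group(1).lower() if dkim else None,  # read, not verified
        "helo": re.findall(r"helo=([^\s)]+)", " ".join(map(str, msg.get_all("Received", [])))),
        "part_types": [ctype for ctype, _ in parts],
        "attachments": [p for p in parts if p[1] or not p[0].startswith("text/")],
        "urls": urls,
    }
```

Run against a full saved copy of a message (the .eml source), the same function lists any named or non-text parts under "attachments" and any links under "urls".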



#52 onewhoknocks123 (Member)

Posted 12 July 2018 - 05:05 PM

Made an account to post this... This ransomware affected a majority of our company's files. We are an engineering company that deals with construction. It made all our drawings and calcs inaccessible. We also didn't back up for the last couple of months, so there are a lot of files that we have updated that we do not have access to...



#53 Missduck (Member)

Posted 15 July 2018 - 03:49 PM

Good Evening,
 
Against DemonSlay335's recommendation, we paid the Bitcoin ransom and after some fear and anxiety, we received the decryption program and key. If you'd like me to do a step-by-step writeup of what you can expect, I can.
 
However, I want to point out, as DemonSlay335 pointed out to me, just because I was successful, it doesn't mean that it is the best thing to do. Also, it encourages more of the same behavior in the future.
 
I'll give a summary shortly about how the process went after I share all of my files with DemonSlay335.
Thank you.



#54 Missduck (Member)

Posted 15 July 2018 - 03:50 PM

2 questions

How long did it take to receive the decryption key after paying?

How long after infection did you pay?

Thank you.

#55 onewhoknocks123 (Member)

Posted Yesterday, 12:27 PM

The decryption key came within 30 minutes after paying.

We paid after 5 days. Initially they asked for .5 bitcoins but after 3 days it rose to .7.
