Unknown Ransomware, please help! (filename.ypkwwmd)


This topic is locked
11 replies to this topic

#1 0x38F

  • Members
  • 4 posts

Posted 05 July 2018 - 03:38 AM

My computer was hacked by ransomware which encrypted my file and added ".ypkwwmd" to the end of the file name.

I uploaded the file to the "ID Ransomware" website, which determined that the file was encrypted by some kind of ransomware. The result page could not determine which ransomware had encrypted the file, but gave the following case reference number: "SHA1: 98359b095c892e488d6ded2811c935a6e407f334".

Could you please help to solve this problem?




#2 Emmanuel_ADC-Soft

  • Members
  • 297 posts
  • Location:Paris

Posted 05 July 2018 - 03:52 AM

Hello,

Did you find a ransom note file on your computer? Please use https://wetransfer.com to post a link here with 3-4 encrypted files and the ransom note file so we can have a look at your issue.

Kind regards,

Emmanuel emte@adc-soft.com

--

Emmanuel Teillard d'Eyry – Support Manager
Dr.Web Partner :
https://partners.drweb.com/find_partner?mode=search&country=64&city=1161&searchByName=&lng=en



#3 0x38F
  • Topic Starter

  • Members
  • 4 posts

Posted 05 July 2018 - 04:05 AM

I have already uploaded to wetransfer and the ransom note file name is "readme.txt".

https://wetransfer.com/downloads/9924e4f1a3dfe7a2755d3ee19d9f33fc20180705080416/b668c1



#4 Emmanuel_ADC-Soft

  • Members
  • 297 posts
  • Location:Paris

Posted 05 July 2018 - 04:13 AM

I have already uploaded to wetransfer and the ransom note file name is "readme.txt".

https://wetransfer.com/downloads/9924e4f1a3dfe7a2755d3ee19d9f33fc20180705080416/b668c1

We are analysing your files.

Can you check your antivirus quarantine and Malwarebytes to see if you can find the trojan of this ransomware?



#5 Amigo-A

  • Members
  • 510 posts
  • Location:3st station from Sun

Posted 05 July 2018 - 04:29 AM

Probably, this is Magniber Ransomware.

All visual identifiers say this.


Edited by Amigo-A, 05 July 2018 - 04:36 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Location:Virginia, USA

Posted 05 July 2018 - 05:29 AM

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in this topic.

When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 0x38F
  • Topic Starter

  • Members
  • 4 posts

Posted 05 July 2018 - 05:41 AM

The antivirus software did not find any trojans or viruses. I used "Symantec Endpoint Protection 12.1".
The AdwCleaner scan results are as follows; only some unrelated records were found in the registry.

# -------------------------------
# Malwarebytes AdwCleaner 7.2.1.0
# -------------------------------
# Build:    06-26-2018
# Database: 2018-07-03.1
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    07-04-2018
# Duration: 00:00:17
# OS:       Windows 7 Professional
# Scanned:  41361
# Detected: 9


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\v.qq.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\qq.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mp.weixin.qq.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\tianqi.2345.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\2345.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
PUP.Optional.Legacy             HKU\S-1-5-21-345157456-4010830905-286325228-1170\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Location:Virginia, USA

Posted 05 July 2018 - 05:45 AM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact.
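Because the dropper is usually gone by the time a scanner runs (as noted above), what a victim can still collect are the renamed files and the ransom note that ID Ransomware fingerprints by SHA1 (post #1). The read-only triage helper below is an added example, not code from any poster or from ID Ransomware: it inventories files carrying the ".ypkwwmd" extension, uses byte entropy to tell real ciphertext from files that were merely renamed, and hashes any "readme.txt" note for submission. The directory layout and file contents in `demo()` are constructed; the 7.5 bits/byte threshold is an assumption.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension and note name are from this thread; file contents below are constructed.
ENCRYPTED_EXT = ".ypkwwmd"
RANSOM_NOTE_NAME = "readme.txt"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; properly encrypted content sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def sha1_hex(path: Path) -> str:
    """SHA1 of a file: the reference value ID Ransomware reports for a submitted note."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root: Path, threshold: float = 7.5) -> dict:
    """Read-only walk: inventory files with the extension, flag low-entropy ones, hash notes."""
    result = {"encrypted": [], "low_entropy": [], "notes": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                result["notes"][str(path)] = sha1_hex(path)
            elif name.endswith(ENCRYPTED_EXT):
                # Only the first 1 MiB is sampled; enough to separate ciphertext from plain data.
                ent = round(shannon_entropy(path.read_bytes()[:1 << 20]), 2)
                bucket = "encrypted" if ent >= threshold else "low_entropy"
                result[bucket].append((str(path), ent))
    return result

def demo() -> dict:
    """Constructed sample tree: one note, one random-looking file, one file that was only renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / RANSOM_NOTE_NAME).write_text("constructed ransom note\n")
        (root / ("report.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(4096))
        (root / ("notes.txt" + ENCRYPTED_EXT)).write_bytes(b"A" * 4096)
        return triage(root)
```

A file in the "low_entropy" bucket is worth a closer look before assuming it is lost, since some families rename files they failed to open.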

#9 0x38F
  • Topic Starter

  • Members
  • 4 posts

Posted 05 July 2018 - 06:01 AM

Can you provide decryption software? Thank you for your help.



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Location:Virginia, USA

Posted 05 July 2018 - 06:11 AM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type of encryption used by the malware writers and a variety of other factors as explained here. All crypto malware ransomware use some form of encryption algorithms, most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Many ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public.

#11 Amigo-A

  • Members
  • 510 posts
  • Location:3st station from Sun

Posted 05 July 2018 - 07:25 AM

0x38F

Specialists at AhnLab managed to decrypt the files. Links to support articles and decoders:



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Location:Virginia, USA

Posted 05 July 2018 - 05:32 PM

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
