
New Ransomware? Help!


  • This topic is locked
6 replies to this topic

#1 yaminz

  • Members
  • 2 posts

Posted 15 July 2018 - 05:39 PM

Hi

We have been hit with ransomware; they have hacked in and changed the file extensions of certain applications/files. Not sure yet which files they have encrypted.

They also attacked the backup server, the anti-software files.

I could not find a way to attach the screenshot of the ransomware message. I looked here (

Help!!!

Yamin




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 July 2018 - 05:42 PM

What is the extension and is it the same for each encrypted file or is it different? Some types of ransomware will completely rename, encrypt or even scramble file names while others do not append any extensions.

Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png) to ensure that the victim can open them. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a .html, .txt, .png, .bmp, .url file.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification. If there is no known way of decrypting your files, IDR will ask if you'd like to opt-in for notification if there is any solution in the future. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot: 2016-07-01_0936.png (image not included in this copy)

Samples of encrypted files, ransom notes, any related files or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to zip (compress) all files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button].
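The post above asks the victim to establish two things by hand: which extension the encrypted files now carry, and which file keeps reappearing in every affected folder (the ransom note, usually dropped as .txt/.html/.png). The script below is an added example, not code from the thread, from BleepingComputer or from ID Ransomware; it walks a directory tree read-only, ranks extensions by how many folders they appear in, flags any small identical file (same name, same hash) that shows up in three or more folders as a ransom-note candidate, and records file SHA1 hashes so the same samples can be referred to in a forum post (these are file hashes, not the "case SHA1" that ID Ransomware issues). The sample tree it builds is constructed for the demo; the .STG extension is the one reported later in this thread, and the note file name HOW_TO_RESTORE_FILES.html, the .htm/.hta suffixes and the 256 KiB note-size cutoff are my assumptions.

```python
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Formats quietman7 lists for ransom notes; .htm and .hta are my additions (assumption).
NOTE_SUFFIXES = {".txt", ".html", ".htm", ".hta", ".png", ".bmp", ".url"}
MAX_NOTE_BYTES = 256 * 1024   # notes are small; skip large media files (assumed cutoff)


def sha1_of(path: Path) -> str:
    """Streamed SHA1 of a file, so large encrypted files are not read into memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def triage(root) -> dict:
    """Walk `root` without modifying anything; return extension spread and note candidates."""
    root = Path(root)
    files_per_ext = Counter()
    dirs_per_ext = defaultdict(set)
    dirs_per_note = defaultdict(set)    # (file name, sha1) -> directories it was dropped in
    sample_per_ext = {}

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower() or "(none)"
        files_per_ext[ext] += 1
        dirs_per_ext[ext].add(path.parent)
        sample_per_ext.setdefault(ext, path)
        if ext in NOTE_SUFFIXES and path.stat().st_size <= MAX_NOTE_BYTES:
            dirs_per_note[(path.name, sha1_of(path))].add(path.parent)

    # An identical file dropped into several folders is the classic ransom-note
    # pattern; genuine user documents rarely repeat byte-for-byte across a tree.
    notes = [
        {"name": name, "sha1": digest, "dirs": len(dirs),
         "example": str(sorted(dirs)[0] / name)}
        for (name, digest), dirs in dirs_per_note.items() if len(dirs) >= 3
    ]
    notes.sort(key=lambda n: n["dirs"], reverse=True)

    # Extensions ranked by folder spread: an appended extension ends up everywhere,
    # while the original document extensions become rare or vanish.
    extensions = [
        {"ext": ext, "files": files_per_ext[ext], "dirs": len(dirs_per_ext[ext]),
         "sample": str(sample_per_ext[ext]), "sample_sha1": sha1_of(sample_per_ext[ext])}
        for ext in files_per_ext
    ]
    extensions.sort(key=lambda e: (e["dirs"], e["files"]), reverse=True)
    return {"extensions": extensions, "ransom_notes": notes}


def build_sample_tree() -> Path:
    """Constructed victim tree for the demo (no real incident data)."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    note = b"<html>Your files are encrypted. Contact demo@example.invalid</html>"  # constructed
    for i in range(4):
        folder = root / f"share{i}"
        folder.mkdir()
        (folder / f"report{i}.docx.STG").write_bytes(b"\x00ciphertext" * 50)   # renamed + encrypted
        (folder / f"budget{i}.xlsx.STG").write_bytes(b"\x00ciphertext" * 50)
        (folder / "HOW_TO_RESTORE_FILES.html").write_bytes(note)              # constructed note name
    (root / "share0" / "untouched.pdf").write_bytes(b"%PDF-1.4 demo")          # one file left alone
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Run it against the real share or user profile instead of the demo tree; the top of the extension list and the first ransom-note candidate are exactly the two items ID Ransomware asks you to upload together. The scan never writes into the tree, so it is safe to run before any cleanup.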

#3 yaminz

  • Topic Starter
  • Members
  • 2 posts

Posted 15 July 2018 - 05:54 PM

Hi

Thank you for the prompt response. I did try a couple of sites like https://id-ransomware.malwarehunterteam.com/index.php?lang=en_US and https://www.nomoreransom.org/en/index.html

What I have seen is they have changed the file extensions to STG for the machines they wanted to attack.

I am worried they have access to the Admin account or something similar.

We want to secure the network before starting the fix on certain machines using AV etc.

On this point, is there a good recommendation for a good AV software? I am thinking of using Symantec now as F-Secure didn't do a good job of protecting us.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 July 2018 - 08:06 PM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro.

Important: Keep in mind that when dealing with ransomware it is best to quarantine malicious files rather than delete them until you know what infection you're dealing with. In some cases, samples of the malicious files are needed for further analysis in order to identify it properly or create decryption tools.
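The "quarantine, don't delete" advice above is easy to get wrong when the AV has already been told to clean up, so here is an added example of doing it deliberately; it is not code from the thread, from BleepingComputer or from any of the scanners named. A suspect file is moved into a quarantine folder under its SHA256 hash with no extension (so nothing launches it by file association), made read-only, and logged in a JSON-lines manifest that keeps the original path and timestamps; identical copies are collapsed into one stored sample, and a zip bundle can be produced for the upload the earlier post asks for. The host layout, file names and payload bytes in `demo()` are constructed for the demo.

```python
import hashlib
import json
import shutil
import stat
import tempfile
import time
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts=None) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def quarantine(suspect, qdir) -> dict:
    """Move `suspect` into `qdir` named by its SHA256 and append a manifest entry."""
    suspect, qdir = Path(suspect), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(suspect)
    st = suspect.stat()
    stored = qdir / f"{digest}.quarantined"   # hash name, original extension dropped
    entry = {
        "sha256": digest,
        "original_path": str(suspect.resolve()),
        "original_name": suspect.name,
        "size": st.st_size,
        "mtime": _utc(st.st_mtime),
        "quarantined_at": _utc(),
        "stored_as": str(stored),
    }
    if stored.exists():
        suspect.unlink()                      # identical sample already held; keep one copy
    else:
        shutil.move(str(suspect), str(stored))
        stored.chmod(stat.S_IRUSR)            # owner read-only, never executable
    with (qdir / "manifest.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def manifest(qdir) -> list:
    """All manifest entries, oldest first (the record analysts will ask about)."""
    path = Path(qdir) / "manifest.jsonl"
    if not path.exists():
        return []
    return [json.loads(line) for line in path.read_text(encoding="utf-8").splitlines() if line]


def export_bundle(qdir, out_zip) -> int:
    """Zip samples plus manifest for submission; returns the number of files archived.
    zipfile cannot password-protect; use an external tool if the recipient requires it."""
    count = 0
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(Path(qdir).iterdir()):
            if p.is_file():
                zf.write(p, arcname=p.name)
                count += 1
    return count


def demo() -> dict:
    """Constructed scenario: two identical copies of a suspect dropper on one host."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    payload = b"MZ constructed-sample-not-real-malware"          # constructed bytes
    first = root / "Temp" / "update.exe"
    second = root / "Downloads" / "update (1).exe"
    for f in (first, second):
        f.parent.mkdir(parents=True)
        f.write_bytes(payload)
    qdir = root / "quarantine"
    entries = [quarantine(first, qdir), quarantine(second, qdir)]
    return {
        "expected_sha256": hashlib.sha256(payload).hexdigest(),
        "entries": entries,
        "originals_remaining": sum(f.exists() for f in (first, second)),
        "stored_files": len(list(qdir.glob("*.quarantined"))),
        "manifest_len": len(manifest(qdir)),
        "bundle_files": export_bundle(qdir, root / "for_analysts.zip"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what makes quarantine better than deletion: the hash lets you match the sample against the scanner's detection later, and the original path and mtime answer the "how long was it here" question the post raises.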

#5 Amigo-A

  • Members
  • 614 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 16 July 2018 - 02:04 AM

You can upload files using the service
https://www.sendspace.com/

You can upload a screenshot of the screen with the files and a ransom note file.


Edited by Amigo-A, 16 July 2018 - 02:04 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#6 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 16 July 2018 - 08:24 AM

If you had uploaded a file with the .STG extension to ID Ransomware, it would have already been identified as GlobeImposter 2.0, and it would give you more details on the ransomware. Every submission to the site with that extension has been correctly identified. GlobeImposter 2.0 is not decryptable.

https://www.bleepingcomputer.com/forums/t/644166/globeimposter-20-fix-extension-ransomware-support-topic/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 July 2018 - 04:25 PM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



