Ransomware infection and files are encrypted


This topic is locked. 11 replies to this topic.

#1 arahman007 (Members, 1 posts)

Posted 07 September 2018 - 01:59 AM

Hi,

My computer has been attacked by ransomware. All the files are encrypted with .no_more_ransom.

Is there any way of decrypting my files?

Thanks
Atiq

Edited by Al1000, 07 September 2018 - 02:03 AM.
moved from Win 10 Support




#2 Amigo-A (Members, 634 posts)

Posted 07 September 2018 - 03:04 AM

There are several ransomware families that use this extension.

We need to see at least a ransom note.

Since August 2018 a new variant of Rapid Ransomware has been spreading with the extension .no_more_ransom and these e-mails:
hersgory@india.com, auditt@cock.li
dataprof@cock.li, wolksvagen@protonmail.com
Note: How Recovery Files.txt

Sample of content:
Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - hersgory@india.com or auditt@cock.li
and tell us your unique ID - ID-XXXXXXXX

Look on your PC; it's possible that you have the same variant.


Edited by Amigo-A, 07 September 2018 - 12:58 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#3 quietman7 (Bleepin' Janitor, Global Moderator, 52,093 posts)

Posted 07 September 2018 - 07:23 AM

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment, and the malware file responsible for the infection.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable, and then attempts to direct you to an appropriate support topic where you can seek further assistance. ID Ransomware can identify ransomware which adds a prefix instead of an extension and detects ransomware by filemarkers if applicable.

Uploading encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification. If there is no known way of decrypting your files, IDR will ask if you'd like to opt in for notification if there is any solution in the future. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Without the above information, or if this is something new (or there is no extension or filemarker in encrypted files), our crypto malware experts will most likely need a sample of the malware file itself to analyze before the type of infection can be confirmed. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#4 Cataldo67 (Members, 6 posts)

Posted 13 September 2018 - 10:52 AM

Hello

I have the same kind of infection, with a .no_more_ransom encryption. I posted the zip with a sample: I have a file not encrypted, the same file encrypted and the request, in the cataldos.zip file.

Please give me some help.

THANKS



#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 13 September 2018 - 02:29 PM

Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

#6 Cataldo67 (Members, 6 posts)

Posted 14 September 2018 - 02:45 AM

Dear quietman7, I posted a zip with an encrypted file, the same file not encrypted and the txt with the mail. I resend the file now, cataldos.zip.

Thanks

I think it is important to have the original file and the encrypted one, or is that not the case?



#7 Cataldo67 (Members, 6 posts)

Posted 14 September 2018 - 11:22 AM

I hope you can give me some help for this case with .no_more_ransom.

Thanks



#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 15 September 2018 - 07:28 AM

An encrypted file and an unencrypted file are not enough. As noted previously, we need to see a ransom note and know what email address the criminals provided for you to send payment.

Again I ask...Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection?

#9 Cataldo67 (Members, 6 posts)

Posted 17 September 2018 - 03:44 AM

Good morning

Yes, I submitted the ransom note and the sample, and uploaded a zipped file at the BleepingComputer upload channel. IDR returned three possible sources of ransomware:

Rapid, Troldesh / Shade, Rapid 2.0 / 3.0

This is the note:


Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - returnthefile@cock.li
and tell us your unique ID - ID-B2D9Y5HR



#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 17 September 2018 - 08:24 AM

...this is the note
 
Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - returnthefile@cock.li
and tell us your unique ID - ID-B2D9Y5HR

That appears to be a Rapid Ransomware ransom note.

Unfortunately, there is no known method to decrypt files encrypted by Rapid Ransomware without paying the ransom and obtaining the private RSA keys from the criminals. The encryption process generates an RSA-1024 pair per run and encrypts the private key with a hard-coded RSA-2048 public key...see here.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
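The key hierarchy quietman7 describes (a fresh RSA pair per run, with the session private key wrapped under a hard-coded public key that only the criminals hold the private half of) is the reason key material found on the victim's machine does not get the files back. The following is an added example, not code from this page or from Rapid itself: a toy model of that structure in standard-library Python, using textbook RSA on tiny primes. The primes, the sample data and all function names are the example's own assumptions, and the numbers are nothing like real key sizes.

```python
"""Toy model of the Rapid key hierarchy described in the thread: one fresh
RSA pair per run, with its private key wrapped under a hard-coded RSA public
key belonging to the criminals.  Textbook RSA on tiny primes keeps this
standard-library only; it illustrates the structure, nothing more."""

import math


def make_keypair(p, q, e):
    """Textbook RSA: returns ((n, e), (n, d)) for primes p, q and exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(value, key):
    """Raise value to the key's exponent modulo n (encrypt or decrypt)."""
    n, exponent = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exponent, n)


# The criminals' master pair (assumed primes). Only MASTER_PUB would be
# embedded in the malware; MASTER_PRIV never touches the victim's machine.
MASTER_PUB, MASTER_PRIV = make_keypair(101, 113, 3)


def encrypt_run(plaintext, master_pub, session_primes=(61, 53, 17)):
    """One infection run, as the thread describes it: generate a fresh
    session pair, encrypt the data under the session public key, then wrap
    the session private exponent under the master public key."""
    sess_pub, sess_priv = make_keypair(*session_primes)
    wrapped_d = rsa_apply(sess_priv[1], master_pub)
    # Toy: each byte is encrypted on its own (every byte < n), no padding.
    ciphertext = [rsa_apply(b, sess_pub) for b in plaintext]
    # This dict is everything left behind on the victim's host.  The session
    # private exponent itself is deliberately NOT part of it.
    return {"ciphertext": ciphertext, "session_pub": sess_pub,
            "wrapped_d": wrapped_d}


def decrypt_with_exponent(artifacts, exponent):
    """Apply an arbitrary exponent to every ciphertext block; returns ints."""
    n = artifacts["session_pub"][0]
    return [pow(c, exponent, n) for c in artifacts["ciphertext"]]


def victim_naive_attempt(artifacts):
    """What a victim who finds 'a private key' on disk can try: use the
    wrapped blob as if it were the session private exponent.  It is not,
    so the output is garbage."""
    return decrypt_with_exponent(artifacts, artifacts["wrapped_d"])


def recover_with_master(artifacts, master_priv):
    """What only the holder of the master private key can do: unwrap the
    session private exponent, then decrypt the data."""
    session_d = rsa_apply(artifacts["wrapped_d"], master_priv)
    return bytes(decrypt_with_exponent(artifacts, session_d))


if __name__ == "__main__":
    sample = b"Quarterly report"            # constructed sample data
    art = encrypt_run(sample, MASTER_PUB)
    print("left on disk:", art)
    print("victim's attempt:", victim_naive_attempt(art))
    print("with master key:", recover_with_master(art, MASTER_PRIV))
```

The point of the model is the contents of the dict returned by encrypt_run: the victim's disk holds ciphertext, the session public key and a wrapped blob, and the blob only turns back into a usable exponent under MASTER_PRIV, which never left the criminals' side.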

#11 marco992 (Members, 2 posts)

Posted 28 November 2018 - 09:52 AM

Hello. My PC was infected yesterday by ransomware that changed all computer files with the extension ".no_more_ransom".

Can somebody help me to decrypt them? I have found both the public key and the private key in the Windows registry.

When the antivirus blocked it, the virus name was "ransom.rapid.e".

If it can help, I can upload here an encrypted file and the instructions left by the extortionist.


Edited by marco992, 28 November 2018 - 10:08 AM.


#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 28 November 2018 - 10:53 AM

Any files that are encrypted with Rapid Ransomware will have the .rapid, .paymeme, .RPD or .no_more_ransom extension appended to the end of the encrypted data filename, and the ransomware leaves files (ransom notes) named !!! README !!!.txt, ! How Recovery Files.txt, ! How Decrypt Files.txt, ! Of Recovery files.txt, HOW TO RECOVER ENCRYPTED FILES.TXT, recovery.txt as explained here and here.

Any files that are encrypted with Rapid 2.0 Ransomware will have an 8 character plus a 4 character randomly generated string extension appended to the end of the encrypted data filename (i.e. 16152000.GJLLW, 16152125.GJLLW, 16152171.GJLLW, etc), and the ransomware leaves files (ransom notes) named DECRYPT.[4-random-characters].txt (i.e. DECRYPT.GJLLW.txt) as explained here and here.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
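The naming patterns quietman7 lists for Rapid and Rapid 2.0 (known extensions and note names for the first, one random tail shared by every encrypted file and by the DECRYPT.[tail].txt note for the second) are enough for a quick first-pass triage of a file listing before anything is uploaded to ID Ransomware. The script below is an added example, not a BleepingComputer or ID Ransomware tool: it encodes those indicators as listed in the thread, runs them over constructed sample listings, and reports a family guess with a confidence. Two things are assumptions of the example rather than statements from the page: the Rapid 2.0 tail is matched as 4 or 5 characters because the post says "4 character" but its own examples (GJLLW) show five, and the constructed paths are invented, not from a victim machine. It only looks at names, so it is a hint, not identification.

```python
"""Triage helper for the Rapid / Rapid 2.0 on-disk naming patterns quoted in
the thread.  Added example; checks file names only."""

import os
import re
from collections import Counter

# Indicators as listed in the thread.  Comparison is case-insensitive because
# Windows file systems are.
RAPID_EXTENSIONS = {".rapid", ".paymeme", ".rpd", ".no_more_ransom"}
RAPID_NOTES = {
    "!!! readme !!!.txt", "! how recovery files.txt", "how recovery files.txt",
    "! how decrypt files.txt", "! of recovery files.txt",
    "how to recover encrypted files.txt", "recovery.txt",
}
# Rapid 2.0: the post says "8 character plus a 4 character" string while its
# examples (16152000.GJLLW, DECRYPT.GJLLW.txt) show a five-letter tail, so the
# patterns accept 4 or 5 (assumption).  The tail stays case-sensitive so that
# ordinary names such as report.20180907.docx are not flagged.
RAPID2_FILE = re.compile(r"\.([0-9A-Z]{8})\.([0-9A-Z]{4,5})$")
RAPID2_NOTE = re.compile(r"^(?i:decrypt)\.([0-9A-Z]{4,5})\.(?i:txt)$")


def _basename(path):
    """Last path component for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path):
    """Return (family, kind, tail) for one file name, or None.
    family: 'rapid' or 'rapid2'; kind: 'encrypted' or 'note';
    tail: the Rapid 2.0 random string (None for Rapid)."""
    base = _basename(path)
    low = base.lower()
    if low in RAPID_NOTES:
        return ("rapid", "note", None)
    if os.path.splitext(low)[1] in RAPID_EXTENSIONS:
        return ("rapid", "encrypted", None)
    m = RAPID2_NOTE.match(base)
    if m:
        return ("rapid2", "note", m.group(1))
    m = RAPID2_FILE.search(base)
    if m:
        return ("rapid2", "encrypted", m.group(2))
    return None


def triage(paths):
    """Summarise a list of file names into a family guess plus confidence."""
    counts = Counter()
    tails = {"encrypted": set(), "note": set()}
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        family, kind, tail = hit
        counts[(family, kind)] += 1
        if family == "rapid2":
            tails[kind].add(tail)

    def confidence(family):
        enc, note = counts[(family, "encrypted")], counts[(family, "note")]
        if not (enc or note):
            return "none"
        if family == "rapid2":
            # Rapid 2.0 reuses one random tail for every file and for the
            # note name; a single tail shared by both is the strongest signal.
            same_tail = len(tails["encrypted"]) == 1 and \
                tails["encrypted"] == tails["note"]
            return "high" if same_tail else "low"
        # Rapid: a known extension plus a known note name beats either alone.
        return "high" if enc and note else "low"

    level = {"none": 0, "low": 1, "high": 2}
    best = max(("rapid", "rapid2"), key=lambda f: level[confidence(f)])
    conf = confidence(best)
    return {
        "family": best if conf != "none" else None,
        "confidence": conf,
        "counts": {f"{f}:{k}": n for (f, k), n in counts.items()},
        "rapid2_tail": (next(iter(tails["encrypted"]), None)
                        if best == "rapid2" else None),
    }


def scan_directory(root):
    """Walk a real directory tree and triage every file name under it."""
    names = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return triage(names)


# Constructed sample listings (invented paths, not from a real victim).
RAPID_SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.no_more_ransom",
    r"C:\Users\a\Documents\How Recovery Files.txt",
    r"C:\Users\a\Pictures\dog.jpg.no_more_ransom",
    r"C:\Windows\notepad.exe",
]
RAPID2_SAMPLE = [
    r"D:\share\q3.docx.16152000.GJLLW",
    r"D:\share\q4.docx.16152125.GJLLW",
    r"D:\share\DECRYPT.GJLLW.txt",
    r"D:\share\readme.md",
]

if __name__ == "__main__":
    print(triage(RAPID_SAMPLE))
    print(triage(RAPID2_SAMPLE))
```

On a real machine, scan_directory(r"C:\Users") gives the same summary over the live tree. A "low" result means only one kind of indicator was seen (for instance the extension but no note), which is exactly the situation in which quietman7 asks for the note and the contact address before anything is concluded.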
