
README.txt, No file extension, ID Ransomware unable to identify



#1 Elil-Hrair-Rah (Members, 36 posts)

Posted 31 October 2018 - 04:51 AM

Hi,

A computer has been hit with ransomware. It seems every file has been encrypted, even ones of quite peculiar file types, and there is a README.txt in every folder.

The files are renamed to long alphanumerics with no file extension.

In task manager there is a "Windows Updater 4", which is related to a DontSleep.exe in C:\Confused - Windows Defender has identified a file (one with a random file name) in this folder as "Genasom".

We uploaded a file and the ransom note to ID Ransomware, which was unable to identify the ransomware; the case SHA1 for this was 2c5e0bdd38eeca8bb916b804018a0d187bf1565d.

Let me know if you need anything else, any help would be very much appreciated.

The text of the ransom note is (I removed the personal ID, let me know if that is needed):

Your files are encrypted!
YOUR PERSONAL ID
<ID was alphanumeric string here>
---------------------------------------------------------------------------------
Discovered a serious vulnerability in your network security.
No data was stolen and no one will be able to do it while they are encrypted.
For you we have automatic decryptor and instructions for remediation.
---------------------------------------------------------------------------------
You will receive automatic decryptor and all files will be restored
---------------------------------------------------------------------------------
* To be sure in getting the decryption, you can send one file(less than 10MB) to vertw@tuta.io or vertw@keemail.me In the letter include your personal ID(look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 50 USD...
Attention!
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key
---------------------------------------------------------------------------------

El-ahrairah


Edited by Elil-Hrair-Rah, 31 October 2018 - 05:30 AM.



#2 quietman7 (Bleepin' Gumshoe, Global Moderator, 65,743 posts, Virginia, USA)

Posted 31 October 2018 - 05:47 AM

More information is needed to determine specifically what infection you are dealing with, since not all ransomware appends an obvious extension to the end of encrypted filenames or adds a known file pattern (filemarker) which helps to identify it. CryptoWall, PClock, Spora, Sigma, CrypMic, DMA Locker, Locker, Matrix V3, AES-Matrix, Microsoft Decryptor (CryptXXX), Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker (DetoxCrypto), KawaiiLocker, Hermes, Data Keeper, LoveServer, Power Worm, KEYHolder and CryptorBit encrypt files but do not append or change file extensions. Newer variants of Nemucod (Nemucod-AES) and Mobef also do not append any extensions to encrypted filenames.

Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4-byte-long CRC32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16-byte header, which is different for each victim. PClock, Mobef and Cryptofag do not use a filemarker.

CryptConsole, Ishtar, MicroCop, Jager, Unblockupc and a few other ransomware families prepend a prefix to the beginning of the encrypted file name, so some victims report encrypted data as not having any extensions.

Further, many ransomware families use README.txt, so the name of the ransom note is not enough.

When there is no extension or filemarker in encrypted files, Demonslay335 (Michael Gillespie) has advised it is impossible to identify the infection without a sample of the malware itself or the ransom note.

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic... it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click here.
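A small triage helper, added here as an example (it is not code from this thread or from BleepingComputer): it reads the first bytes of several files a victim believes were encrypted by the same ransomware and reports the longest header they share, separating a legitimate format magic from a candidate filemarker of the kind quietman7 describes, and it flags the long alphanumeric extension-less names the OP reports. The KNOWN_MAGICS table, the 16-byte sample marker and the sample file names are constructed for the demo.

```python
import os
import tempfile

# Common legitimate file magics (constructed, not exhaustive). If every
# "encrypted" file shares one of these, the shared bytes are probably the
# original format, not a ransomware filemarker.
KNOWN_MAGICS = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\x89PNG\r\n\x1a\n": "png",
}

def common_prefix(blobs: list[bytes]) -> bytes:
    """Longest byte prefix shared by every blob (b'' if nothing is shared)."""
    if not blobs:
        return b""
    return os.path.commonprefix(blobs)  # byte-wise comparison, not path-wise

def classify_marker(prefix: bytes) -> str:
    """Label a shared prefix: known magic, candidate filemarker, or nothing."""
    for magic, name in KNOWN_MAGICS.items():
        if prefix.startswith(magic):
            return f"known format magic ({name})"
    if len(prefix) >= 4:
        return f"candidate filemarker ({len(prefix)} bytes): {prefix.hex()}"
    return "no shared header"

def looks_renamed(name: str, min_len: int = 16) -> bool:
    """True for the naming the OP describes: long alphanumeric, no extension."""
    return "." not in name and len(name) >= min_len and name.isalnum()

def triage_headers(paths: list[str], nbytes: int = 32) -> tuple[bytes, str]:
    """Read the first nbytes of each file and report any header they share."""
    heads = []
    for path in paths:
        with open(path, "rb") as fh:
            heads.append(fh.read(nbytes))
    prefix = common_prefix(heads)
    return prefix, classify_marker(prefix)

if __name__ == "__main__":
    # Constructed sample: three files carrying a made-up 16-byte marker.
    marker = bytes.fromhex("00112233445566778899aabbccddeeff")
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i in range(3):
            path = os.path.join(tmp, f"sample{i}")
            with open(path, "wb") as fh:
                fh.write(marker + os.urandom(64))
            paths.append(path)
        print(triage_headers(paths))
```

A shared prefix only suggests a filemarker; confirming the family still needs the ransom note and a malware sample, as the post says.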


#3 Elil-Hrair-Rah (Topic Starter)

Posted 31 October 2018 - 06:17 AM

Hi quietman7,

Thank you for the quick response. I have zipped up the "Confused" folder which gave the Windows Defender hits and submitted it. I also added a ransom note; I am not sure if that was correct to do.

Let me know if you need anything else.

El-ahrairah



#4 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 31 October 2018 - 06:27 AM

Yes that is ok. Notes and samples of encrypted files can also be submitted to the link I provided above.

Please be patient until Demonslay335 has a chance to review and analyze the submitted files. Bleeping Computer is inundated with numerous support requests and it may take some time to get a reply.



#5 Elil-Hrair-Rah (Topic Starter)

Posted 31 October 2018 - 06:35 AM

Hi quietman7,

That is fine, I am happy to wait - you guys provide an important service and I think I can say we are all glad you all give your time up to help people.

I have found what we think was an Excel file - should I submit that as well?

El-ahrairah



#6 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 31 October 2018 - 07:10 AM

Yes you can submit that file too.



#7 Elil-Hrair-Rah (Topic Starter)

Posted 31 October 2018 - 07:28 AM

Hi quietman7,

I have just submitted the encrypted Excel, thank you.

El-ahrairah



#8 thyrex (Security Colleague, 756 posts, Belarus)

Posted 31 October 2018 - 08:49 AM

with then a README.txt in every folder.

The files are renamed to long alphanumerics with no file extension.

In task manager there is a "Windows Updater 4", which is related to a DontSleep.exe in C:\Confused

CryptConsole 3. Not decryptable.
Microsoft MVP 2012-2016 Consumer Security
Microsoft Reconnect 2016

#9 Elil-Hrair-Rah (Topic Starter)

Posted 31 October 2018 - 09:03 AM

Hi thyrex,

That is unfortunate, thank you for identifying it.

Thankfully most of the important stuff is backed up. If I format the hard drive and re-install Windows, will that clean everything up?

El-ahrairah



#10 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 31 October 2018 - 09:58 AM

Since the infection has been identified/confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
