Ouroboros (Zeropadypt) Ransomware (.limbo, .lazurus) Support Topic

Any files that are encrypted with the original Ouroboros (Zeropadypt) Ransomware will have an ID=random 10][Mail=<email> followed by one of several known extensions to include .limbo, .Lazarus, .Lazarus+ appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). These are examples.

.[ID=lz4ac3t2AC][Mail=legion.developers72@gmail.com].limbo
.[ID=PdlZmTcS4u][Mail=recoveryunknown@protonmail.com].Lazarus
.[ID=6UcENb3ezh][Mail=ScorpionEncryption@protonmail.com].Lazarus+
.[ID=SbPOa46zNc][mail=jacdecr@tuta.io].Lazarus+

.Email=[jacdecr@tuta.io]ID=[OQ0U8dJHt23zahK].KRONOS
.Email=[Datarest0re@aol.com]ID =[mHYdZEKBMUqbaCs].lol 
.Email=[Recoveryhelp2019@protonmail.com]ID=[PJBVFUMYG54DAJ3].odveta
.Email=[filedownload2020@protonmail.com]ID=[pUTxt45EeSBMs8L].rx99
.Email=[vashmail@protonmail.com]ID=[THXIOLUTWVAKONNWOEON].vash

Update 10/10/19:

I have noticed a new version of Ouroboros ransomware with extension ".odveta" today. It seems these cyber terrorists unfortunately figured out how to use cryptography and crypto++ library correctly. This new variant is using RSA+AES 256 GCM correctly and currently I cannot decrypt this variant.

It makes me wonder if extension "odveta" is only coincidence or they show some effort and look to slovak dictionary, because word "odveta" means "retaliation" in slovak. If this was intentional, then I still can't understand why this criminals and cyber terrorists think that we are attacking them and they have to retaliate back.

Because new version is not using old flaws I am releasing my Ouroboros decoder with find key function enabled. Please read README.txt file before using this function.

Post #131

 

Hello,
 
I had the perfect storm of issues after I upgrade my PC. I had gotten a license code to upgrade my Windows 10 Home PC to Windows 10 PRO. I turned on "RDP" and enabled port forwarding for port 3389 to my desktop so I can remote to in while I was out of the house. Before I had a chance to use Bitlocker to encrypt all of my files, I had an issue with my router when upgrading the firmware. By the time I got it resolved, it was late and I went to sleep.
 
Apparently that was enough time for Ransomware to use the 3389 port and encrypt all of my files (including 10 years of photos of my children).
 
All of the files now have an extension of   recoveryunknown@protonmail.com.lazurus
 
I get a .txt file that pops up telling me I have been infected and to send them money (which I will not do).
 
 
What do you suggest I do to remove the ransomware, identify the specific variety and possibly decrypt my files?
- I uploaded the ransom .txt file and a sample encrypted file to ID Ransomware and it wasn't able to identify the specific ransomware variant.
 
Because I had just upgraded Windows 10 from Home to Pro I don't even have a "System Restore" that I can go back to.
 
Any help will be greatly appreciated.
 
-Randy

Edited by quietman7, 22 November 2023 - 10:30 AM.

Not seeing any submissions with that extension. If ID Ransomware could not identify it, you need to give me the Case ID it gave you for me to manually inspect the files.

Demonslay 335,

Thank you.  When I get home this evening I will run the tool again and provide the Case ID. I will also include the actual .txt file with the ransom message in this email thread.

Randy

Thank you. 

When I get home this evening I will run the tool again and provide the Case ID. I will also include the actual .txt file with the ransom message.

Also attach 2-3 encrypted files and a ransom note to the message.

Put them in the archive.

Do not pull the time -1 day, no more.

Edited by Amigo-A, 05 August 2019 - 01:18 PM.

The case SHA1 IDR  gives should look similar to this example.


 

Below is the ransome message:

Your All Files Encrypted With High level Cryptography Algorithm
If You Need Your Files You Should Pay For Decryption
You Can Send 1MB File For Decryption Test To Make Sure Your Files Can Be Decrypted
After 48 hour If You Dont contact us or use 3rd party applications or recovery tools   Decryption fee will Be Double
After Test You Will Get Decryption Tool
Your ID For Decryption:SbPOa46zNc
Contact Us: RECOVERUNKNOWN@protonmail.com

Below is the case SHA1 from ID Ransomware...

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 76899f26d9f582c962be57ab555ab8d355c06f0e

Edited by reweiss, 05 August 2019 - 04:21 PM.

Also attach 2-3 encrypted files and a ransom note to the message.

Put them in the archive.

Do not pull the time -1 day, no more.

AmigoA,

Thank you. How do I upload my infected files to the archive?

-Randy

I can attach the ransom message but the other files won't upload. I think because the extension was changed.

How can I upload a couple of infected .jpgs?  Read-Me-Now.txt   440bytes   8 downloads

The filename pattern looks a lot like Zeropadypt: https://twitter.com/Amigo_A_/status/1123573512667652096

Picture1.jpg.[ID=SbPOa46zNc][Mail=RECOVERUNKNOWN@protonmail.com].Lazarus

​

 

The filename pattern looks a lot like Zeropadypt: https://twitter.com/Amigo_A_/status/1123573512667652096

Picture1.jpg.[ID=SbPOa46zNc][Mail=RECOVERUNKNOWN@protonmail.com].Lazarus

Demonslay335,

Thank you.

What are my best options for removing the ransomware and possibly decrypting/salvaging my files?

Randy

...What are my best options for removing the ransomware and possibly decrypting/salvaging my files?

I've tried several different anti-malware tools (Malware Bytes, Emisoft, Farbar Recovery Scan Tool (FRST)) and they have not found very much in the way of malware or viruses. I quarantined what little they found. Is there any hope of me trying to recover my files or do I just call it a huge loss and reformat / reimaged the desktop?

Look in my article === BLOCK OF UPDATES ===

Beginning since version with the .limbo extension, files are encrypted.

---

It has been 3.5 months since the writing of the article about 1st version. 

A newer version (Zeropadypt NextGen or LimboCrypt) already 1.5 months encrypts the data and there are no more zeros at now in the encrypted files.

Give me the 2-3 encrypted files and I tell how much 'a pound of meat' is now in files and from what it 'ranch'.  

In another topic about the same ransomware, we were not given files for analysis and cataloging.

Edited by Amigo-A, 06 August 2019 - 01:08 PM.

Look in my article === BLOCK OF UPDATES ===

Beginning since version with the .limbo extension, files are encrypted.

---

It has been 3.5 months since the writing of the article about 1st version. 

A newer version (Zeropadypt NextGen or LimboCrypt) already 1.5 months encrypts the data and there are no more zeros at now in the encrypted files.

 

Give me the 2-3 encrypted files and I tell how much 'a pound of meat' is now in files and from what it 'ranch'. 

 

In another topic about the same ransomware, we were not given files for analysis and cataloging.

Amigo-A,

I cannot find a link to your article on === BLOCK OF UPDATES ===.

I cannot tell if you really want 2 - 3 files or if you're being sarcastic. If you want 2 -3 files, please tell me specifically where you want me to send them.

Else, are you trying to tell me to give up and just re-image my PC because there is no hope of decrypting my files?

-Randy