Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Critical flaw in NVIDIA Container Toolkit allows full host takeover

Featured Deal: A three-year subscription to WindScribe VPN is now down to $79

Latest Buyer's Guide: PureVPN review: How good is it in 2024?

N3ww4v3/Mimic Ransomware ([random 5-15 char] or <email> ext) Support Topic

Started by carlister , Jul 31 2022 09:55 PM

Next
»

Please log in to reply

265 replies to this topic

#1 carlister

Members
3 posts
OFFLINE

Local time:03:42 PM

Posted 31 July 2022 - 09:55 PM

Files that are encrypted with many N3ww4v3/Mimic Ransomware variants will have a random 5-15 alpha-numerical character extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). These are some examples of random character extensions.

.n3ww4v3
.g0eI9
.r0Qp@3M
.1cy931cn9v
.h777XRgNVM777xM
.2n1d4b4fv3

Other variants of N3ww4v3/Mimic append a specific extension or an email address to the end of the encrypted data filename to include the following.

.crypt, .hicrypt, .HONESTBITCOIN, .Fora, .Hairysquid, .PORTHUB, .QUIETPLACE, .bigspermhorseballs, .KASPERSKY, .shiverer, .darth, .Indianguy, .HONEYHORSELIKESMONEY, .dataland. .processcrypt, .FreeWorldEncryption, .PISCOSTRUI, .PANIN, .PODSTAVLIAIPOPKU, .0nk1udlu, .TeaMp0ison, .GREEDYFATHER, .Telegram@datadecrypt, .exe, .NEEDTOPAYTOMYHORSE, .WORM, .ELPACO-team 
.
.damarans@mail.ru.damarans, .pisunellakonososeila@onionmail.org, .anilorak@onionmail.org, .showrans@mail.ru.show, .thaihorsebleepers@onionmail.org, .nemorans@mail.ru.NemoRans, .backmydata@inbox.ru.1000USD, .getmydata@list.ru.3000USDAA, .backmydata@inbox.ru.2000USD, .decryptboss@gmail.com.terminator

N3ww4v3/Mimic Ransomware typically will leave files (ransom notes) with various names to include How-to-decrypt.txt, Instructions.txt, What_happened_read_me.txt, HOW_TO_DECRYPT.txt, How-to-Decrypt.txt, === Readme.txt, README.txt, ----Read-Me-----.txt, Decrypt_me.txt, ---IMPORTANT---NOTICE---.txt, Contact-Note.txt, CONTACT.txt, Comunicacin.txt, READ_ME_MY_FRIEND.txt, Instruction.txt, DECRYPTION_INFO, NEED_PAYMENT_README.TXT, OMO_OMO_Decryption.txt, ---BILGILENDIRME----NOTU---.txt, Amigodainapasik_Decryption.txt, rtmlocker_DECRYPTION.txt.

A few variants use ransom notes which include the encrypted data extension as part of it's name.

Bigspermhorseballs_Decryption.txt
Kaspersky_Decryption.txt
INDIANGUY_DECRYPTION.txt
Anilorak_Decryption.txt
FreeWorld-Contact.txt
PISCOSTRUI.txt
Decrypt_ELPACO-team_INFO.txt
Datadecrypt.txt

In addition, some N3ww4v3/Mimic Ransomware variants create special files such as info.txt, hashlist.txt, and MIMIC_LOG.txt.

N3ww4v3/Mimic ransom notes are known to include a long string of alpha-numerical-special characters comprising a DECRYPTION ID/CODE (decrypt ID, unique ID, personal ID, Encryption Number, Contact number, REFERENCE CODE) with an asterisk (*) followed by the same extension which is appended to encrypted data files as shown in these examples.

Your decrypt ID is: lpQdH_qHD4LmEC7Hrrt208Pc5ce_aNHNF98mJEeDkwI*9niOpX
Your unique ID is: O28KRMGjKkx_zW7J2TdbdzDe7VluLemi5bv_C9vu7Ww*giapk33vw
Your personal ID: AeqHaNqpUgaHkbEGl7YUpt-e3DTpEWVzY5Q5xus9-kI*ul8dlsj86v
Your decryption ID is J_KD34VkcUChOpAtpmdZzyVD4BzO6NPlIfAjJwa3N28*ELPACO-team
YOUR PERSONAL DECRYPTION ID - n7EJLCWmjqOlSi_BzAUDAwfnFqL8LjRjmAOQkgCXcmU*GREEDYFATHER
Encryption Number : 4L3hC49ng92fRIFuIipkrUXTTVy4v4J8rLPwCELRDlI*dataland
Contact number : NyCu17SY6OqCw60FvjvYTpaKQn0zGQwXY9Uwj_sXDjI*FreeWorldEncryption

=> REFERENCE ID <=

WJ0p65ktdcOdTrV7wZ8n1aMJQ4ap8RRVag2ejxKQjDI*decryptboss@gmail.com.terminator

=> YOUR REFERENCE CODE <=
fgUT3IBc6PpX0s890hZs5N6BXQ4WTyuwIGoH60mAmVs*getmydata@list.ru.3000USDAA

Has anyone come across this new ransomware, the file extension is .n3ww4v3?

It leaves a text file named "How-to-decrypt" that pops up when you login.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Amigo-A

Security specialist and Ransomware expert

Members
3,107 posts
ONLINE

Gender:Male
Location:Bering Strait
Local time:10:42 AM

Posted 01 August 2022 - 02:10 AM

A ransom note and several encrypted files must be attached to the message in the zip archive.

My site: The Digest "Crypto-Ransomware" + Google Translate

Back to top

#3 quietman7

Bleepin' Gumshoe

Global Moderator
62,347 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:01:42 AM

Posted 01 August 2022 - 07:22 AM

Can you provide (copy & paste) the ransom note contents in your next reply.

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click

Back to top

#4 carlister

Topic Starter

Members
3 posts
OFFLINE

Local time:03:42 PM

Posted 01 August 2022 - 07:41 AM

|!!!| Hello |!!!|

---> DON'T ignore this and check ALL INFO carefully!!!

*** About situation:

ALL your important files have been encrypted and ALL sensitive information also leaked!

This modification is reversible and data remain safe!

Encrypting your data is only proof , we only interested money, we don't want to damage your reputation , don't want to harm your work, not make a DDOS attack on your infrastructure - we only check and uploaded your files!

*** IF WE DO NOT FIND A COMMON LANGUAGE:

---> All encrypted data be irretrievably lost.

---> Leaked data will be published or sold on black-market (or to competitors).

This will be followed by serious consequences and all your customers\partners and special services will be notified about it!

!!! FOLLOW INSTRUCTIONS TO AVOID IRREVERSIBLE CONSEQUENCES !!!

!!!YOU NEED ASAP CONTACT WITH US TO DEAL THIS!!!

---> You don't have another way.

Our contacts will be provided below!

****************************************

!!! WARNING !!!

DON'T use any third party software for restoring your data or antivirus solutions!

DO NOT MODIFY ENCRYPTED FILES!

DO NOT RENAME ENCRYPTED FILES!

- it's may entail damage of the private key and, as result - you loss all data.

!!!No software and services available on internet can help you!!!

!!! Decryption of your files with the help of third parties may cause increased price (they add their fee to our and they usually fail) or you can become a victim of a scam.

________________________________________

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

REMINDING:

It's in your interests to get your files back and safe all lost files,docs,bases.

We have your highly confidential/personal data. These data are currently stored on a private server(cloud)!

---> After payment this cloud will be deleted and your data stay safe!

We guarantee complete anonymity and can provide you with proof and guaranties from our side and our best specialists make everything for restoring, but please should not interfere without us.

|!!!| IF YOU DON'T CONTACT US WITHIN 48 HOURS FROM LOCK YOUR DATA - PRICE WILL BE HIGHER. |!!!|

________________________________________________________________________________

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

*** HOW TO CONTACT US:

Just write us an email to this mail(s):

sendr@onionmail.org

sendr@tutanota.com

* To ANONIMOUS contact with us, create a new free email account on the site: tutanota.com (recommended) , onionmail.org , protonmail.com

* To avoid having your email blocked and get spam filters, send private information (such as your private key) with the private notes service:

privnote.com

If you do not receive a reply within 24 hours or do not receive a response to your following messages, contact us with another email or through qTox!

! add our mails to contacts so as not to lose letters from us !

!!! check your spam sometimes, our emails may get there !!!

Your decrypt ID is: ydSr4J56mcJbJ-ABSUzl31J-EtjTnZIkebzT5_2s9wk*n3ww4v3

----------------------------------------

!!! for a quick contact with us or if you will not receive our letters !!!

download qTox and ADD our TOXID.

our individual key(TOXID):

9E7B8EE126E712BECE1D6A84DD776F25646C13B1E7CDBF00169078EE6EAC653E9B455D71BEC0

How to download qTOX messenger:

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Back to top

#5 Amigo-A

Security specialist and Ransomware expert

Members
3,107 posts
ONLINE

Gender:Male
Location:Bering Strait
Local time:10:42 AM

Posted 01 August 2022 - 10:09 AM

Copy-pasting the note does nothing.

The note must be attached to the message in a zip archive. Without password!

We only compare original notes. Copy-paste and modified are USELESS!

Edited by Amigo-A, 01 August 2022 - 10:09 AM.

My site: The Digest "Crypto-Ransomware" + Google Translate

Back to top

#6 carlister

Topic Starter

Members
3 posts
OFFLINE

Local time:03:42 PM

Posted 01 August 2022 - 11:20 PM

Amigo-A

Here's the link to the text file

https://mega.nz/file/Ec93jQQZ#e1DhrbKjwTC1YXUvO5okYFOT40L6-tRHppjOU1cnQxs

Back to top

#7 ovitaly

Members
3 posts
OFFLINE

Local time:08:42 AM

Posted 19 August 2022 - 04:03 AM

Hi,

Have any news about this new ransomware ?

Today i face down with this ransomware and searching more info about that.

Back to top

#8 Amigo-A

Security specialist and Ransomware expert

Members
3,107 posts
ONLINE

Gender:Male
Location:Bering Strait
Local time:10:42 AM

Posted 19 August 2022 - 07:36 AM

Just a note file is not enough. Need encrypted files to view.

The previous person did not provide them.

My site: The Digest "Crypto-Ransomware" + Google Translate

Back to top

#9 ovitaly

Members
3 posts
OFFLINE

Local time:08:42 AM

Posted 19 August 2022 - 08:14 AM

I add 3 files like example ( pdf, jpg ) and text file with text "how to decrypt " with all info and decrypt ID, to 7zip archive

We transfer link to download https://we.tl/t-xOB4TlYatw

Back to top

#10 Amigo-A

Security specialist and Ransomware expert

Members
3,107 posts
ONLINE

Gender:Male
Location:Bering Strait
Local time:10:42 AM

Posted 19 August 2022 - 02:27 PM

It's funny that the ransomware note you uploaded is different from the one the previous person uploaded.

I think I can link this case to one of the previous ones, but if the actors is related to the previous extortion group, the ransomware itself may already be different.

My site: The Digest "Crypto-Ransomware" + Google Translate

Back to top

#11 ovitaly

Members
3 posts
OFFLINE

Local time:08:42 AM

Posted 19 August 2022 - 11:28 PM

Yes you right text in note is different that previous person uploaded.

Is there any possibility to get a decrypt tool to this ransomware someday ?

I think is new ransomware because i can't find any information about this encryption with " n3ww4v3 " extension.

Other strange thing is that some folders is missing files just empty, looks like they stolen or hiden.

Back to top

#12 jasonmak

Members
2 posts
OFFLINE

Local time:01:42 PM

Posted 31 August 2022 - 01:37 AM

Reference this case SHA1: c4537ed7c40707d6dea38e5ad9010b57e02a84c2

Please help to have a look.

extension: n3ww4v3

Attached Files

How-to-decrypt.txt 1.27KB 25 downloads

Edited by jasonmak, 31 August 2022 - 01:47 AM.

Back to top

#13 quietman7

Bleepin' Gumshoe

Global Moderator
62,347 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:01:42 AM

Posted 31 August 2022 - 05:23 AM

I have merged your topic into the primary support topic for victims of this ransomware.

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click

Back to top

#14 jasonmak

Members
2 posts
OFFLINE

Local time:01:42 PM

Posted 01 September 2022 - 12:40 AM

Hello, Is there anyone can help on this

Back to top

#15 quietman7

Bleepin' Gumshoe

Global Moderator
62,347 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:01:42 AM

Posted 01 September 2022 - 06:43 AM

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed and ascertain if the encrypted files can even be decrypted.

If you can find the malicious executable that you suspect was involved in causing the infection, you can submit (upload) a sample to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data. Refer to my comments in this topic for the most common locations malicious executables are know to hide.

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click