Posted 31 August 2016 - 02:46 AM
Posted 31 August 2016 - 04:54 AM
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 31 August 2016 - 06:26 AM
I saw the submissions to ID Ransomware last night and set out a hunt based on it.
The files had "_nullbyte" appended as an extension, e.g. "picture.jpg_nullbyte". They were also submitted with what looks like a decrypter from the criminals - this is very useful for writing a decrypter if we are able to find a weakness in the malware, but we will need the malware itself to assess.
If you have the malware that caused this, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168
If you have a ransom note too, I'd like to see that as well.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 31 August 2016 - 06:57 AM
Apparently there really seems to be a new variation of Cerber, called #cerber3. It is not clear, however, if this version of the ransomware is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".
Posted 31 August 2016 - 07:04 AM
Apparently there really seems to be a new variation of Cerber, called #cerber3. It is not clear, however, if this version of the ransomware is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".
This has nothing to do with Cerber.
The malware sample has been found and hopefully we will be able to look into it, to figure out whether it's secure or not.
xXToffeeXx~
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here
~Twitter~ | ~Malware Analyst at Emsisoft~
Posted 31 August 2016 - 09:33 PM
Good news, this ransomware is decryptable.
This decrypter requires the full path to the user profile that was infected, so please make sure it is correct. If decrypting files from another computer, you will need to provide the original path to the profile via Settings -> Set Profile Path (e.g. "C:\Users\yourusername").
https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip
For informational purposes, this ransomware uses AES to encrypt files, and appends "_nullbyte" to the filename of encrypted files. The following screen is displayed to the victim.
This ransomware is currently known to be spread via a repacking of the PokemonGo cheating program Necrobot, calling itself "Necrobot.Rebuilt". This program asks for credentials to an account to cheat with; it will actually take your credentials and upload them to an FTP server, then generously start encrypting your files.
Edited by Demonslay335, 31 August 2016 - 09:49 PM.
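As an added example (not the NullByteDecrypter, CryptoSearch, or any other code from this thread), here is a small Python triage helper for the infection described above: it walks a profile directory, lists every file carrying the "_nullbyte" suffix, recovers the original filename (picture.jpg_nullbyte -> picture.jpg), and flags whether the leading bytes look like ciphertext using a byte-entropy heuristic. The suffix constant, the 7.0 bits/byte threshold and the sample tree are assumptions of this example, not values taken from the malware.

```python
# Added triage example; the sample profile tree below is constructed, not real victim data.
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SUFFIX = "_nullbyte"  # appended after the whole filename, e.g. picture.jpg_nullbyte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; AES ciphertext approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def original_name(encrypted: Path) -> Optional[Path]:
    """Strip the ransomware suffix: picture.jpg_nullbyte -> picture.jpg. None if not an affected file."""
    if not encrypted.name.endswith(SUFFIX) or encrypted.name == SUFFIX:
        return None
    return encrypted.with_name(encrypted.name[: -len(SUFFIX)])


def triage(root: str, sample_bytes: int = 4096, threshold: float = 7.0) -> List[Dict]:
    """Walk root and report each *_nullbyte file, its original path and extension,
    and whether its leading bytes look encrypted (entropy at or above threshold, a heuristic)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            orig = original_name(p)
            if orig is None:
                continue
            with open(p, "rb") as f:
                head = f.read(sample_bytes)
            hits.append({"encrypted": str(p), "original": str(orig),
                         "orig_ext": orig.suffix.lower(),
                         "looks_encrypted": shannon_entropy(head) >= threshold})
    return hits


def demo() -> List[Dict]:
    """Constructed sample profile: one high-entropy file, one low-entropy decoy, one untouched file."""
    root = tempfile.mkdtemp()
    (Path(root) / "picture.jpg_nullbyte").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt_nullbyte").write_bytes(b"A" * 4096)
    (Path(root) / "untouched.docx").write_bytes(b"hello")
    return triage(root)
```

Point triage() at the infected profile path (the same path the decrypter asks for) to get an inventory of affected files before attempting recovery.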
Posted 01 September 2016 - 09:21 AM
Symantec says that it is CryptXXX.
Edited by Amigo-A, 01 September 2016 - 09:53 AM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 04 September 2016 - 10:40 AM
Symantec says that it is CryptXXX.
https://www.virustotal.com/ru/file/f70abab659c6490b21164d91c0e262b11448c7bbf728a425b00fe832a95fc8f9/analysis/
Going off names is generally a bad idea unless multiple antiviruses all agree on one. This is definitely not CryptXXX, however.
xXToffeeXx~
Posted 04 September 2016 - 04:17 PM
Posted 05 September 2016 - 12:33 PM
Ya, it's quite annoying. CryptXXX and Genasom are most definitely not written in .NET.