sanchomdv last won the day on July 6 2019

sanchomdv had the most liked content!
  1. Hello,
     Tonight one of my computers was encrypted by a ransomware that renames all the files in the format correctfilename.correctfileextension.[5391F333][email protected]
     A note was shown on my desktop and in all folders with the title: WE CAN RECOVER YOUR DATA.txt
     The note starts with this text:

     =========================================================
     Hello my dear friend
     Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
     If you want to restore them, write to our skype - Pipikaki Decryption
     Also you can write ICQ live chat which works 24/7 @PIPIKAKI
     Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
     Write to our ICQ @PIPIKAKI https://icq.im/PIPIKAKI
     If we not reply in 6 hours you can write to our mail but use it only if previous methods not working - pi[email protected]
     ==========================================================

     I suspect that it has been a brute-force attack against an RDP user with a weak password.
     I submit to you a zip file containing the note, an encrypted txt file and its decrypted version pair: https://www.dropbox.com/s/azysnd4zutzvkcq/pipikakifilessamples.zip?dl=0
     Curiously, all the encrypted files end with the string 5391F333MONSTER, where 5391F333 is apparently the decryption key in every encrypted file name.
     I come here from the Emsisoft forum, where they gave me this code: 900364e587f4c56c9c582c28cabe143add9d3ce31651145281
     Can you help me?
     Thanks a lot
     sanchomdv
     Barcelona (SPAIN)
     (attachment: pipikakifilessamples.zip)
  2. Hello,
     I found a good file pair of an encrypted and an unencrypted file. I submitted it to my Dropbox: https://www.dropbox.com/s/6rfmz9skguwbz49/190712_basilisquelocker_filepair.zip?dl=0
     Maybe it helps, thanks a lot!!
     Francisco Sancho
     Barcelona (Spain)
  3. Thanks a lot!!
     I don't have access to any executable. I suspect that it was a remote access, and there is no trace of commands in the NAS filesystem or on the attached local network computers 😞
     Really, I didn't have certainty about the correctness of the file pair I submitted. But your discovery of the base64 encoding of the filenames (really great!!) gives a clue in order to attempt looking for a good file pair.
     If I obtain a good file pair I will submit it here.
     Thanks, you do a great job!!
     Francisco Sancho
  4. I suspect that it was an external attack against a WD My Cloud connected directly to the internet, exploiting a default password or a Samba exploit. The PCs on the local network are clean of any infection.
  5. Hello,
     A WD My Cloud NAS from one of my clients was attacked last month by a ransomware called Basilisque Locker.
     The ransom note is called "HOW_TO_DECRYPT.txt": https://www.dropbox.com/s/d58mrnql1wgc523/HOW_TO_DECRYPT.txt?dl=0
     The attacked files have their filename renamed to an encrypted string with the extension: [email protected]_com
     A sample encrypted file (174 KB): https://www.dropbox.com/s/987qw6xpeqzmhvp/bnVldm9zIGNvbG9yZXMgYWR1bHRvcy5wZGY%3D.basilisque%40protonmail_com?dl=0
     A pair of encrypted/unencrypted files (edit: they really don't pair 😞): https://www.dropbox.com/s/w8bx2o7x9qpqaft/190626-ransomwaregiral.7z?dl=0
     In my investigations it seems to be a MegaLocker variant, but I can't decrypt files with decrypt_MegaLocker.exe by Emsisoft. Retouching the ransom note (maybe it's not a good practice), I obtain the message: "Unfortunately, we were unable to find a key to decrypt your files"
     Do you know something about this threat? Some help?
     Thanks in advance
     Francisco Sancho
     From Barcelona (Spain)
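The base64-encoded filenames mentioned in the replies above are what let a victim find a usable file pair: decode the name of an encrypted file, then look for a clean copy of that original in a backup or an old mailbox. The script below is an added example, not code from this thread, from Emsisoft or from any decryptor. It takes the ".basilisque@protonmail_com" extension and the sample name "bnVldm9zIGNvbG9yZXMgYWR1bHRvcy5wZGY=" directly from the posts (the decoded value is "nuevos colores adultos.pdf", which you can check with the code). For the first post's scheme it assumes only that the original "name.ext" is kept and ".[<8 hex digits>]" is appended after it, since the rest of that suffix is redacted on the page; the sample names used in `main` are constructed here for illustration.

```python
"""
Recover pre-encryption filenames from ransomware-renamed files so that a
plaintext/ciphertext pair can be assembled for a decryptor author.

Added example, not code from the forum thread, Emsisoft or any ransomware.
Two naming schemes from the posts above are handled:

  * Basilisque Locker: original name base64-encoded, then the extension
    ".basilisque@protonmail_com" appended.
  * The "[5391F333]" scheme from the first post: original "name.ext" kept,
    then ".[<8 hex digits>][<contact>]..." appended.  The contact part is
    redacted in the thread, so only the ".[XXXXXXXX]" marker is relied on
    (an assumption).
"""
import base64
import binascii
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

BASILISQUE_EXT = ".basilisque@protonmail_com"
# ".[5391F333]" style marker: a dot, then exactly 8 hex digits in brackets.
ID_MARKER = re.compile(r"\.\[[0-9A-Fa-f]{8}\]")


def _b64decode_lenient(token: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, restoring stripped '=' padding.

    Ransomware families are inconsistent about padding and alphabet, so both
    variants are tried before giving up.  Returns None on garbage input.
    """
    token = token.strip()
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            if altchars is None:
                return base64.b64decode(padded, validate=True)
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def recover_original_name(encrypted_name: str) -> Optional[str]:
    """Return the pre-encryption filename, or None if the name is not recognised."""
    # Names copied from a share URL carry %3D / %40; undo that first.
    name = unquote(encrypted_name)

    if name.endswith(BASILISQUE_EXT):
        raw = _b64decode_lenient(name[: -len(BASILISQUE_EXT)])
        if raw is None:
            return None
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return None

    m = ID_MARKER.search(name)
    if m and m.start() > 0:
        return name[: m.start()]
    return None


def find_file_pairs(encrypted_names: Iterable[str],
                    clean_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Match encrypted files to clean copies (e.g. from a backup) by recovered name."""
    clean_by_basename = {Path(n).name: n for n in clean_names}
    pairs = []
    for enc in encrypted_names:
        original = recover_original_name(Path(enc).name)
        if original and original in clean_by_basename:
            pairs.append((enc, clean_by_basename[original]))
    return pairs


def main() -> None:
    # Constructed sample names; only the first is taken from the thread.
    encrypted = [
        "bnVldm9zIGNvbG9yZXMgYWR1bHRvcy5wZGY%3D.basilisque%40protonmail_com",
        "invoice.pdf.[5391F333][redacted]",
        "untouched.txt",
    ]
    backup = ["/backup/nuevos colores adultos.pdf", "/backup/other.pdf"]
    for enc in encrypted:
        print(f"{enc} -> {recover_original_name(enc)}")
    for enc, clean in find_file_pairs(encrypted, backup):
        print(f"candidate pair: {enc}  <->  {clean}")


if __name__ == "__main__":
    main()
```

Point `find_file_pairs` at the NAS share and at any backup, mailbox export or vendor download that may still hold the originals; a pair is only useful if the clean file is byte-identical to what was encrypted, so prefer sources that were not modified after the attack.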