DesperateTimes, posted June 15, 2016

Been contacted by a company just hit with ransomware. Looks like they were hacked via remote desktop (weak password) on their server (..!). Files are renamed to .encrypted and there's a matching *.how_to_get_back.txt for each .encrypted file. Text in the note says:

Attention! All your data was Encrypted!
If you wanna get it back contact via email: [email protected]
Your Personal ID: ********** (Removed)
WARNING: If you don't contact next 72 hours, then all DATA will be damaged unrecoverably!!!

However, I have downloaded the Apocalypse decrypter tool and tried a single file. The tool reports that the file doesn't appear to be encrypted, then says "skipping file". ID-Malware suggests it's either Crypt0Locker, KeRanger, or Apocalypse, based on the .encrypted extension. Can't be KeRanger (OSX); could be Crypt0Locker, but the only ransom notes are a text file launched on login and the paired text files, which seemed typical of Apocalypse. Any way to confirm whether this is a new variant or a misidentification? Or whether it's decryptable? Thanks
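A defender-side triage script for the file pattern described in this post (an added example, not code from the thread or from the decrypter's authors). It walks a share, pairs each .encrypted file with its note and judges from byte entropy whether the content is actually ciphertext, which is the question the decrypter's "doesn't appear to be encrypted" message raises. The note name pattern <file>.encrypted.how_to_get_back.txt, the 4096-byte sample and the 7.0 bits/byte threshold are assumptions; the sample share it builds is constructed.

```python
import math
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".encrypted"
NOTE_SUFFIX = ".how_to_get_back.txt"  # paired note name from the thread

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain text stays far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, sample_size: int = 4096, threshold: float = 7.0) -> dict:
    """Map each *.encrypted file name to its note pairing and an entropy verdict.

    Entropy replaces a family-specific header check, so a renamed-but-unencrypted
    file (the decrypter's "doesn't appear to be encrypted" case) is still caught.
    """
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(ENC_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            ent = shannon_entropy(head)
            # Assumed note pattern: <file>.encrypted.how_to_get_back.txt
            results[name] = {
                "entropy": round(ent, 2),
                "looks_encrypted": ent >= threshold,
                "note_present": os.path.exists(path + NOTE_SUFFIX),
            }
    return results

def build_constructed_sample() -> str:
    """Write a constructed sample share (not the thread's files) to a temp dir."""
    root = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(root, "report.pdf.encrypted"), "wb") as fh:
        fh.write(os.urandom(4096))  # ciphertext-like body
    with open(os.path.join(root, "report.pdf.encrypted" + NOTE_SUFFIX), "w") as fh:
        fh.write("Attention! All your data was Encrypted!\n")
    with open(os.path.join(root, "notes.txt.encrypted"), "wb") as fh:
        fh.write(b"quarterly figures, see attached. " * 120)  # renamed, not encrypted
    return root
```

Files flagged looks_encrypted=False with the .encrypted extension are the ones worth sending to the analyst alongside a clean original, since a header-based decrypter will skip them.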
Kevin Zoll, posted June 15, 2016

This may be a new Apocalypse variant. Could you send me a copy of an encrypted file and a copy of the same file unencrypted (if available)? I will make sure our crypto expert gets them for analysis.
DesperateTimes (author), posted June 15, 2016

Hi Kevin, please see the attached zip file containing encrypted and unencrypted versions of a PDF file. Thanks!

Attachment: Sample_files.zip
Kevin Zoll, posted June 16, 2016

Thanks, I have alerted our crypto expert.