dasjahn

Server crypted twice?


Files have been encrypted; their extension is .DECRYPT-ID-63100927, like desktop.ini.DECRYPT-ID-63100927. The note is attached, but on the other hand, I found two files named Help_Help_Help.._.hta, which seem to belong to a known ransomware.

Intrusion point was an unsecured RDP. Any Ideas?

Thanks in advance,

Phil

HOW TO DECRYPT FILES.txt

_HELP_HELP_HELP_PD8ZDVC0_.hta

https://www.virustotal.com/de/file/6e1cc8910ac86be473d2d5059ebc0209c9c76e02a8612745a1fe3fbfd5b8f861/analysis/1488238883/

For the file attached


Edit:

I should add that I might have found the software itself.

See pictures

The file backup.exe was detected by Virustotal:

https://www.virustotal.com/de/file/26e590d4faf33f939743974950d92bcdaf986af19823127328a4df016a5c8a85/analysis/1488236849/


Inside the \x64 folder, I found

See pictures

Virustotal of the minidrv.sys says:

https://www.virustotal.com/de/file/8d4d0e8a874b6b5f5adfa2153a8470b841fee2f27a23c422f9f504c33b262de0/analysis/1488242021/


Edit 2:

backup.exe is packed with UPX and written in C++

Virustotal of unpacked backup.exe:

https://www.virustotal.com/en/file/f6d811a5e1bf79a192e1c3a6362fb3df6ea7e98c0296b00699bcac2816a9af75/analysis/1488243201/


Edit 3:

Analysis of unpacked backup.exe

https://www.hybrid-analysis.com/sample/f6d811a5e1bf79a192e1c3a6362fb3df6ea7e98c0296b00699bcac2816a9af75?environmentId=100

https://sandbox.deepviz.com/report/hash/727d3e8d6958ebcf2aeb6d8057e69bce/

https://www.vicheck.ca/md5query.php?hash=727d3e8d6958ebcf2aeb6d8057e69bce


_HELP_HELP_HELP_YAUYKAMI_.png

Image1.PNG

2.PNG

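As an added triage example (not part of the original post and not the decrypter mentioned later in the thread), the Python script below walks a file listing and separates Xorist-style encrypted files (the ".DECRYPT-ID-<digits>" suffix, as on desktop.ini.DECRYPT-ID-63100927) from Cerber-style _HELP_HELP_HELP_*.hta/.png notes and the "HOW TO DECRYPT FILES.txt" note, so a responder can confirm that two families are present before choosing a decrypter and can recover the original filenames for restoring from backup. The sample listing is constructed; the victim-ID pattern and the token charset in the Cerber note names are assumptions inferred from the filenames quoted in this thread.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Xorist-style suffix seen in this thread: "<original name>.DECRYPT-ID-<digits>".
XORIST_SUFFIX = re.compile(r"\.DECRYPT-ID-(\d+)$")
# Xorist-style ransom note name seen in this thread (compared case-insensitively).
XORIST_NOTE = "how to decrypt files.txt"
# Cerber-style note names seen in this thread: "_HELP_HELP_HELP_<token>_.hta" (.png also observed).
# The token charset is an assumption inferred from the two samples quoted above.
CERBER_NOTE = re.compile(r"^_HELP_HELP_HELP_[A-Z0-9]+_\.(hta|png|txt)$", re.IGNORECASE)


def classify(path):
    """Return (kind, victim_id) for one path; victim_id is set only for Xorist-encrypted files."""
    name = PureWindowsPath(path).name
    m = XORIST_SUFFIX.search(name)
    if m:
        return "xorist_encrypted", m.group(1)
    if name.lower() == XORIST_NOTE:
        return "xorist_note", None
    if CERBER_NOTE.match(name):
        return "cerber_note", None
    return "other", None


def original_name(path):
    """Strip the Xorist suffix to recover the pre-encryption filename (useful when restoring from backup)."""
    return XORIST_SUFFIX.sub("", PureWindowsPath(path).name)


def triage(listing):
    """Summarise a listing: which families left traces, how many files of each kind, and which victim IDs."""
    counts = Counter()
    victim_ids = set()
    encrypted = []
    for path in listing:
        kind, victim_id = classify(path)
        counts[kind] += 1
        if kind == "xorist_encrypted":
            victim_ids.add(victim_id)
            encrypted.append(path)
    families = []
    if counts["xorist_encrypted"] or counts["xorist_note"]:
        families.append("Xorist")
    if counts["cerber_note"]:
        families.append("Cerber")
    return {
        "families": families,
        "counts": dict(counts),
        "victim_ids": sorted(victim_ids),
        "encrypted_files": encrypted,
    }


# Constructed sample listing: the desktop.ini name, the two _HELP_HELP_HELP_ names and the
# "HOW TO DECRYPT FILES.txt" note come from the thread; the other entries are made up.
SAMPLE_LISTING = [
    r"C:\Users\Public\desktop.ini.DECRYPT-ID-63100927",
    r"D:\Shares\Finance\Q1-report.xlsx.DECRYPT-ID-63100927",
    r"C:\Users\Public\_HELP_HELP_HELP_PD8ZDVC0_.hta",
    r"C:\Users\Public\_HELP_HELP_HELP_YAUYKAMI_.png",
    r"C:\Users\Public\HOW TO DECRYPT FILES.txt",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print("families present:", ", ".join(report["families"]))
    print("victim IDs:", report["victim_ids"])
    for p in report["encrypted_files"]:
        print(f"  {p}  ->  {original_name(p)}")
```

Because Cerber does not rename files in the way Xorist does, its presence is inferred here only from the note files; a listing that shows Xorist-encrypted data plus Cerber notes is exactly the "crypted twice" picture described in the post, and each family needs its own recovery decision.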

Hi dasjahn,

The Xorist ransomware definitely came via RDP, but it's unlikely that Cerber did (I have not heard of it doing so). Instead, Cerber usually comes via email or through exploit kits. I would try to make sure you have backups of all files and that RDP is either disabled or secured with a strong password (i.e. unable to be dictionary attacked).

Glad our decrypter could help though :)

Regards,

Sarah
