DrAries77

NEW RANSOMWARE NEW RANSOMWARE 28 APRIL - gebdp3k7bolalnd4.onion._

Recommended Posts

Dear All,

my PC (windows 7) was affected by a ransomware that encrypt all files (but the PC is still usable). All file has been changed to .onion._ and there are some TXT files that report instruction for paying bitcoins.

" *** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software. To recover data, follow the instructions! "

I try to execute the decrypt_Cry128 but the programs hasn't found the key to decrypt. Do you have any information about this ransomware? 36bytes are the diff size from the encrypt and the original one file.

 

 

Thank you.

 

 

hpcpu155.cfg.id_XXXXXXXX_gebdp3k7bolalnd4.onion._

hpcpu155.cfg

Share this post


Link to post
Share on other sites

Same Issue Here: it is identified as cry128 but the decrypter is not finding a key.

I Also noticed:

  • When infected i was also infected by a crypto miner that mines to cryot-pool.fr for a specific user.
  • The encrypted files have only the beginning of the file encrypted - without the end of the file such as Cry9.
  • My files has .onion.to._ ext.
  • The encrypted files are 36 bytes bigger.

Please help us:

 

jquery.dataTables.js

jquery.dataTables.js.id_1344909006_2irbar3mjvbap6gt.onion.to._

Share this post


Link to post
Share on other sites

All of us are already in the thread here.  Have been for a while.  Some of us have the .onion.to_, some have .onion, some have .onion.to.

But we guess they're all Cry9/Cry128 variations.  I think anyway.  Emsisoft has released one Cry128 decryptor Here.  Which may or may not work for your variant.

Sarah has said they are working on different versions of the cry128 decryptor.  So there is a slight chance that your files might get recovered.  Some ransomware is impossible to decrypt right from the start.

We also have a thread over at bleepingcomputer's site here.

The most important thing, I would think, is getting the virus and affected files away from your system.  Backup encrypted files someplace offline and get your computer a fresh install of windows.  Then change all your passwords and financial info because that could have been compromised during the attack.  Get yourself a good AntiMalware and a backup program like Macrium.  Then just check back to the threads to see if there's been any progress.

You can try to use System Restore, then a data recovery program like EaseUS Data Recovery to get some important files back if you want.  These attacks usually wipe your restore points and your shadow copies though.  We've noticed some .zip files can be renamed to reclaim them.  .iso files also.

Share this post


Link to post
Share on other sites

Hi all,

We are currently still looking into seeing whether the ransomware is decryptable or not. We will let you know if we find out whether it is or not.

There may be a cryptocoin miner on the system (a program which uses your CPU to mine a cryptocurrency for the criminal, in this case), so if you want to check whether the system is clean then you can use our product; Emsisoft Anti-MalwareIf you like our product and it is of help then please consider buying itthe price is discounted and we protect against ransomware such as this one.

Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected. 

Regards,

Sarah

Share this post


Link to post
Share on other sites

At the local office one computer got infected, files got gebdp3k7bolalnd4.onion._ extension.

Now, at the same office, two other computers got infected, but getting fgb45ft3pqamyji7.onion as extension.

The structure is really similar to the first one (gebdp3k7bolalnd4):

- First part of the file is changed

- Some data appended to the end

- 36 bytes bigger

Installed the Emisoft Anti-Malware, but it did not find anything.

See files attached

DelZip190.dll.id_1498108995_fgb45ft3pqamyji7.onion

DelZip190.dll

Share this post


Link to post
Share on other sites

Hi RaZoR,

To secure the system, please make sure to either close RDP if you do not want to use it, or if you do, secure it with a strong password. You will also want to do windows updates as there have been vulnerabilities fixed which allowed attackers to access your system. I forgot to mention this before, you can try file recovery tools in the meantime as some users have had success with them.

Regards,

Sarah

  • Upvote 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.