Jump to content

Encrypted files "theva"

bflmpesseveze
 Share Followers 1

Recommended Posts

bflmpesseveze

bflmpesseveze 0

Posted
Posted (edited)

Greetings,

Our customer get some new ransomware and all data  are encrypted and named "filename.[[email protected]].theva" and in every folder is #_README_#.inf file with some info from the ransomware creators. I did not find anything on google except two logs from some malicious scan logs. I can send encrypted and decrypted files. Also I attach logs but I think there will be no notice about any ransomware. Malwarebytes didnt find anything, nor bitdefender . The ransomware uninstalled ESET antivirus somehow.

Edit: I found it should be some BTCware and now I am trying decrypting tool, will update soon.

Sorry for my bad english

Greets Martin V.

Addition.txt

FRST.txt

scan_170509-103057.txt

PB095682.JPG.[[email protected]].theva

PB095682.JPG

#_README_#.inf

Edited by bflmpesseveze
found new info
Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
On 5/9/2017 at 1:30 PM, Sarah W said:

Hi bflmpesseveze,

We just found a sample of this ransomware, so if the current decrypter doesn't work then we will hopefully cover this variant soon.

Regards,

Sarah

Sarah.  Just got called into one of my customers that have by hit by this as well.  Which tool should I try or use or should I wait for an updated one?  This is a small town lawyer with no backups so she is up **** creek without a paddle as of now.

Brian Tate

iTate Computers & Tech Services

[email protected]

 

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.

 

Link to post
Share on other sites
Icetech

Icetech 1

Posted
Posted
37 minutes ago, Demonslay335 said:

@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.

 

 

Sadly this is a machine from a doctors office.. i can't share any files even a png. and they also have zero backups.. I was unable to find the exe itself.. this particular machine was never used for anything files serving, and no one goes online with it. their IT guy things it bounced from another machine but he hasn't been able to find a trace either..  will double check myself though.. 

 

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted
12 minutes ago, Icetech said:

 

Sadly this is a machine from a doctors office.. i can't share any files even a png. and they also have zero backups.. I was unable to find the exe itself.. this particular machine was never used for anything files serving, and no one goes online with it. their IT guy things it bounced from another machine but he hasn't been able to find a trace either..  will double check myself though.. 

 

If I get the new decrypter to work on other victim's files, I'll be able to release it and you can try it for yourself. Still working out some bugs.

Any chance that system had RDP open? We think that is the vector of infection for this variant.

Link to post
Share on other sites
bflmpesseveze

bflmpesseveze 0

Posted
  • Author
Posted
11 hours ago, Demonslay335 said:

@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.

 

 
 

I can send you encrypted and decrypted files. Is JPG alright? I have few of them PDF also. PM or post it here? But with those exe files I'm sorry, bitdefender deletes it all. 

Link to post
Share on other sites
bflmpesseveze

bflmpesseveze 0

Posted
  • Author
Posted
11 hours ago, Demonslay335 said:

If I get the new decrypter to work on other victim's files, I'll be able to release it and you can try it for yourself. Still working out some bugs.

Any chance that system had RDP open? We think that is the vector of infection for this variant.

 

do you think it will scan all ports for the RDP service? Because our infected customer has open RDP but routed from different port, not the default one.

Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
16 minutes ago, Demonslay335 said:

That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

I may be able to send some files to but since this is a law office, I may be in the same boat that Icetech is in.  I head there now and see if I can find something that I can send out.

 

 

Link to post
Share on other sites
lawguyme

lawguyme 0

Posted
Posted
2 hours ago, Demonslay335 said:

That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

All my files are encrypted by the same theva ransomware, and I'm pulling my hair out. Any update?

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977

It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.

Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
48 minutes ago, Demonslay335 said:

The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977

It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.

Does this one work on "theva" varient?

 

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

Not currently. The in-dev does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyways soon to let you try since you cannot provide me files to test with, I have to work out some other bugs first though to ensure it has the best chance.

I refer to .theva as v4.

Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
2 minutes ago, Demonslay335 said:

Not currently. The in-dev does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyways soon to let you try since you cannot provide me files to test with, I have to work out some other bugs first though to ensure it has the best chance.

I refer to .theva as v4.

I'm going to the client here shortly.  I'll get you a copy of the clean and infected file.  Not all her stuff should be confidential.  Will send within the hour.

 

Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
1 hour ago, Demonslay335 said:

Not currently. The in-dev does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyways soon to let you try since you cannot provide me files to test with, I have to work out some other bugs first though to ensure it has the best chance.

I refer to .theva as v4.

Here is an infected and clean copy of a word doc.

DEESE-TPR.docx

DEESE-TPR.docx.[[email protected]].theva

Link to post
Share on other sites
Icetech

Icetech 1

Posted
Posted

Just curious. as far as an original/encrypted.. seeing as my place never did backups i have been searching and i found tmp files that have a .tmp and .theva and are the exact same size.. i can't see why the tool would leave an original behind though? worth a try?

Link to post
Share on other sites
bruticus0

bruticus0 3

Posted
Posted

Ya anything's worth a shot.  It doesn't have to come from the actual hard drive.  If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair.  Or generic redme files or generic images that come with programs or OSs.  

And I don't know about this particular variant, but some ransomwares could just rename smaller files.  That could be why they are same size.  In the cry9 variant I had, some files just seemed to be renamed.  I also noticed many .iso and .zip files could easily be recovered just by renaming.  It wouldn't hurt to copy an encrypted file and experiment. 

  • Upvote 1
Link to post
Share on other sites
Icetech

Icetech 1

Posted
Posted
19 minutes ago, bruticus0 said:

Ya anything's worth a shot.  It doesn't have to come from the actual hard drive.  If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair.  Or generic redme files or generic images that come with programs or OSs.  

And I don't know about this particular variant, but some ransomwares could just rename smaller files.  That could be why they are same size.  In the cry9 variant I had, some files just seemed to be renamed.  I also noticed many .iso and .zip files could easily be recovered just by renaming.  It wouldn't hurt to copy an encrypted file and experiment. 

Ahhh thank you. i wasn't 100% sure bout it.. 

Link to post
Share on other sites
itatecomputers

itatecomputers 0

Posted
Posted
22 hours ago, Demonslay335 said:

Not currently. The in-dev does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyways soon to let you try since you cannot provide me files to test with, I have to work out some other bugs first though to ensure it has the best chance.

I refer to .theva as v4.

Good morning.  Any update on your progress?  I'm only asking because I know my phone is about to blow up any minute from the victim.  Thanks again for working on this.

BT

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

This ransomware doesn't rename files past just adding an extension. Some variants have the same filesize before and after because they use RC4; the ones that use AES-192 will pad the encrypted file up to 15 bytes (to round off to 16 byte blocks).

FYI I don't work for Emsisoft and have my own separate day job, so I can only work on ransomware cracking in my free time, which is pretty limited lately.

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details.

https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422

If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.

Link to post
Share on other sites
Icetech

Icetech 1

Posted
Posted
10 hours ago, Demonslay335 said:

I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details.

https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422

If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.

You are a friggin hero! this last version found the key in seconds and decrypted the files perfectly.. thank you so much

Link to post
Share on other sites
Icetech

Icetech 1

Posted
Posted
6 minutes ago, Demonslay335 said:

Great! I was a little worried, for some reason I could not get a key for your case... but if it works for you, that's all that matters. :)

Yeah. i used the same files i posted here.. the newest decrypter found the key in seconds... thanks. Doing this fix as a favor.. always seems more stressful than normal customers.. 

Link to post
Share on other sites
Demonslay335

Demonslay335 26

Posted
Posted

Odd... my only guess is a possible race condition causing a bug where it skips the correct password somehow. Was the laptop less cores than the infected system by chance?

Oh well, glad it worked for you. You can always acquire the key on the laptop (it gets logged if you didn't keep it), and just load it into the decrypter on the infected system, save you from having to copy everything back and forth.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 03/05/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...