bflmpesseveze, Posted May 9, 2017 (edited):
Greetings. Our customer got some new ransomware; all data is encrypted and named "filename.[[email protected]].theva", and in every folder there is a #_README_#.inf file with some info from the ransomware creators. I did not find anything on Google except two logs from some malicious scan logs. I can send encrypted and decrypted files. I also attach logs, but I think there will be no notice of any ransomware. Malwarebytes didn't find anything, nor did Bitdefender. The ransomware uninstalled ESET antivirus somehow.
Edit: I found it should be some BTCware and now I am trying the decrypting tool; will update soon.
Sorry for my bad English. Greets, Martin V.
Attachments: Addition.txt, FRST.txt, scan_170509-103057.txt, PB095682.JPG.[[email protected]].theva, #_README_#.inf
Edited May 9, 2017 by bflmpesseveze: found new info

Sarah W, Posted May 9, 2017:
Hi bflmpesseveze, we just found a sample of this ransomware, so if the current decrypter doesn't work then we will hopefully cover this variant soon. Regards, Sarah

bflmpesseveze, Posted May 10, 2017 (thread author):
Dear Sarah, thank you for your answer. I will wait then. Have a nice day.

itatecomputers, Posted May 11, 2017:
On 5/9/2017 at 1:30 PM, Sarah W said: "Hi bflmpesseveze, we just found a sample of this ransomware, so if the current decrypter doesn't work then we will hopefully cover this variant soon. Regards, Sarah"
Sarah, I just got called in to one of my customers who has been hit by this as well. Which tool should I try or use, or should I wait for an updated one? This is a small-town lawyer with no backups, so she is up **** creek without a paddle as of now. Brian Tate, iTate Computers & Tech Services, [email protected]

Icetech, Posted May 11, 2017:
Hi, I have a computer here with the same .theva stuff, and of course no backups. If anyone has had any luck, please post.
Demonslay335, Posted May 11, 2017:
@bflmpesseveze @itatecomputers @Icetech I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release. Could you share a pair of encrypted files with their originals so I can test? Worst case, an encrypted PNG will do. The malware copies itself to %APPDATA%; try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.

Icetech, Posted May 11, 2017:
37 minutes ago, Demonslay335 said: "@bflmpesseveze @itatecomputers @Icetech I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release. Could you share a pair of encrypted files with their originals so I can test? Worst case, an encrypted PNG will do. The malware copies itself to %APPDATA%; try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it."
Sadly this is a machine from a doctor's office. I can't share any files, even a PNG, and they also have zero backups. I was unable to find the exe itself. This particular machine was never used for anything like file serving, and no one goes online with it. Their IT guy thinks it bounced from another machine, but he hasn't been able to find a trace either. Will double-check myself though.

Demonslay335, Posted May 11, 2017:
12 minutes ago, Icetech said: "Sadly this is a machine from a doctor's office. I can't share any files, even a PNG, and they also have zero backups. I was unable to find the exe itself. This particular machine was never used for anything like file serving, and no one goes online with it. Their IT guy thinks it bounced from another machine, but he hasn't been able to find a trace either. Will double-check myself though."
If I get the new decrypter to work on other victims' files, I'll be able to release it and you can try it for yourself. Still working out some bugs. Any chance that system had RDP open? We think that is the vector of infection for this variant.

Icetech, Posted May 11, 2017:
I will check. I know their IT uses pcAnywhere, but they might have left RDP open. They don't seem too bright, honestly; they haven't had it backing up since 2014. Just wtf... and it's a FoxPro database, not really hard to back up.

bflmpesseveze, Posted May 12, 2017 (thread author):
11 hours ago, Demonslay335 said: "@bflmpesseveze @itatecomputers @Icetech I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release. Could you share a pair of encrypted files with their originals so I can test? Worst case, an encrypted PNG will do. The malware copies itself to %APPDATA%; try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it."
I can send you encrypted and decrypted files. Is JPG alright? I have a few of them, PDFs also. PM or post it here? But with those exe files I'm sorry, Bitdefender deletes them all.
bflmpesseveze, Posted May 12, 2017 (thread author):
11 hours ago, Demonslay335 said: "If I get the new decrypter to work on other victims' files, I'll be able to release it and you can try it for yourself. Still working out some bugs. Any chance that system had RDP open? We think that is the vector of infection for this variant."
Do you think it will scan all ports for the RDP service? Because our infected customer has RDP open, but routed from a different port, not the default one.

bflmpesseveze, Posted May 12, 2017 (thread author):
PDFs: https://uloz.to/!gOklqoTGuB9h/3m77099-rpt-zip
JPGs: https://uloz.to/!p5Z3PHToomB7/3m3-0780-kasparova-zip

Demonslay335, Posted May 12, 2017:
That'll work. Actually, I just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

itatecomputers, Posted May 12, 2017:
16 minutes ago, Demonslay335 said: "That'll work. Actually, I just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend."
I may be able to send some files too, but since this is a law office, I may be in the same boat that Icetech is in. I'm heading there now to see if I can find something that I can send out.

lawguyme, Posted May 12, 2017:
Please give us the decrypter if you have it by now. I'm really in a bad situation right now. Emsisoft is my last hope.

lawguyme, Posted May 12, 2017:
2 hours ago, Demonslay335 said: "That'll work. Actually, I just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend."
All my files are encrypted by the same theva ransomware, and I'm pulling my hair out. Any update?

Icetech, Posted May 12, 2017:
The guy is being nice working on it; he doesn't have to at all. Some politeness and patience will go a long way.
JAN22, Posted May 14, 2017:
decrypter
Attachments: !!README!!.txt, decrypt.exe, start.exe

Icetech, Posted May 14, 2017:
Get an error when trying to download the files: "Error code: 2C171/1". Anyone know what's up with that? Thanks...

Demonslay335, Posted May 14, 2017:
@JAN22 Is that the decrypter the criminals gave you after payment? Looks to be for the .cryptobyte variant, which our decrypter already supports. Thanks for sharing though; very odd that their malware is in C++, but the decrypter looks to be Delphi...

Icetech, Posted May 14, 2017:
Ah damn, I thought he was posting a new working fix. Oops.

bflmpesseveze, Posted May 15, 2017 (thread author):
You can try ShadowExplorer to recover files from shadow copies. You don't need to have file history enabled. It won't work every time, but you can at least try it.

bruticus0, Posted May 15, 2017:
Thank you JAN22 for helping. @Demonslay Has everyone here tried the decryptor you mentioned? Could you link to it so everyone can be sure to try it first? Thanks

Demonslay335, Posted May 16, 2017:
The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977
It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.
itatecomputers, Posted May 16, 2017:
48 minutes ago, Demonslay335 said: "The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977 It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one."
Does this one work on the "theva" variant?

Demonslay335, Posted May 16, 2017:
Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first though to ensure it has the best chance. I refer to .theva as v4.

itatecomputers, Posted May 16, 2017:
2 minutes ago, Demonslay335 said: "Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first though to ensure it has the best chance. I refer to .theva as v4."
I'm going to the client here shortly. I'll get you a copy of the clean and infected file. Not all her stuff should be confidential. Will send within the hour.

itatecomputers, Posted May 16, 2017:
1 hour ago, Demonslay335 said: "Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first though to ensure it has the best chance. I refer to .theva as v4."
Here is an infected and clean copy of a Word doc.
Attachments: DEESE-TPR.docx, DEESE-TPR.docx.[[email protected]].theva

Icetech, Posted May 16, 2017:
Just curious, as far as an original/encrypted pair goes: seeing as my place never did backups, I have been searching and I found tmp files that have a .tmp and a .theva version and are the exact same size. I can't see why the tool would leave an original behind though? Worth a try?

bruticus0, Posted May 17, 2017:
Yeah, anything's worth a shot. It doesn't have to come from the actual hard drive. If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair. Or generic readme files or generic images that come with programs or OSs. And I don't know about this particular variant, but some ransomware could just rename smaller files. That could be why they are the same size. In the Cry9 variant I had, some files just seemed to be renamed. I also noticed many .iso and .zip files could easily be recovered just by renaming. It wouldn't hurt to copy an encrypted file and experiment.

Icetech, Posted May 17, 2017:
19 minutes ago, bruticus0 said: "Yeah, anything's worth a shot. It doesn't have to come from the actual hard drive. If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair. Or generic readme files or generic images that come with programs or OSs. And I don't know about this particular variant, but some ransomware could just rename smaller files. That could be why they are the same size. In the Cry9 variant I had, some files just seemed to be renamed. I also noticed many .iso and .zip files could easily be recovered just by renaming. It wouldn't hurt to copy an encrypted file and experiment."
Ahhh, thank you. I wasn't 100% sure about it.

itatecomputers, Posted May 17, 2017:
22 hours ago, Demonslay335 said: "Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first though to ensure it has the best chance. I refer to .theva as v4."
Good morning. Any update on your progress? I'm only asking because I know my phone is about to blow up any minute from the victim. Thanks again for working on this. BT

Demonslay335, Posted May 17, 2017:
This ransomware doesn't rename files beyond just adding an extension. Some variants have the same file size before and after because they use RC4; the ones that use AES-192 will pad the encrypted file by up to 15 bytes (to round off to 16-byte blocks). FYI, I don't work for Emsisoft and have my own separate day job, so I can only work on ransomware cracking in my free time, which is pretty limited lately.
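The size rule in the post above (same size for the RC4 variants, up to 15 bytes of padding to a 16-byte boundary for the AES-192 variants) can be turned into a quick triage of candidate original/encrypted pairs, such as the .tmp/.theva files Icetech found. This is an added example, not Demonslay335's decrypter or any Emsisoft tool; the naming pattern <name>.[<contact>].theva is taken from the thread, and the contact address and file sizes in the sample listing are constructed placeholders.

```python
"""Triage of BTCware-style '.theva' file pairs (added example, not the thread's tool).
Assumes the naming pattern quoted in the thread, <name>.[<contact>].theva, and the
size rule Demonslay335 gives: RC4 variants keep the size, AES-192 variants pad by
up to 15 bytes to a 16-byte boundary. All sample data below is constructed."""
import re

THEVA_NAME = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\]]+)\]\.theva$")


def parse_theva_name(name):
    """Return (original name, contact string) for a .theva name, else None."""
    m = THEVA_NAME.match(name)
    return (m.group("orig"), m.group("contact")) if m else None


def find_pairs(sizes):
    """sizes: {filename: byte length}. Return [(orig, enc)] where both exist."""
    pairs = []
    for name in sorted(sizes):
        parsed = parse_theva_name(name)
        if parsed and parsed[0] in sizes:
            pairs.append((parsed[0], name))
    return pairs


def classify_pair(orig_size, enc_size):
    """Classify one pair by its size delta, following the thread's explanation."""
    delta = enc_size - orig_size
    if delta < 0:
        return "unexpected: encrypted file is shorter than the original"
    if delta == 0:
        if orig_size % 16 == 0:
            # Block-aligned input needs no padding, so RC4 and AES look alike here.
            return "ambiguous: RC4, or AES-192 with no padding needed"
        return "same-size: consistent with RC4 variant"
    if delta <= 15 and enc_size % 16 == 0:
        return "padded: consistent with AES-192 variant (16-byte blocks)"
    return "unexpected: delta of %d bytes matches neither variant" % delta


def triage(sizes):
    """Map each encrypted file that has an original beside it to a verdict."""
    return {enc: classify_pair(sizes[orig], sizes[enc])
            for orig, enc in find_pairs(sizes)}


# Constructed directory listing (sizes in bytes); the contact address is a placeholder.
SAMPLE = {
    "DEESE-TPR.docx": 1000,
    "DEESE-TPR.docx.[contact@example.invalid].theva": 1008,
    "PB095682.JPG": 45000,
    "PB095682.JPG.[contact@example.invalid].theva": 45000,
    "report.tmp": 4096,
    "report.tmp.[contact@example.invalid].theva": 4096,
    "orphan.pdf.[contact@example.invalid].theva": 900,
}

if __name__ == "__main__":
    for enc, verdict in triage(SAMPLE).items():
        print(enc, "->", verdict)
```

A pair reported as "unexpected" is not a usable test pair; one reported as "ambiguous" still works as a pair but does not tell you which cipher variant you are dealing with.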
Demonslay335, Posted May 18, 2017:
@bflmpesseveze I've sent you a PM with your key. Currently working on the other cases; might be able to get some more keys tonight, hopefully. Once I have a few more verified to be working, to be safe, I'll release an updated decrypter that everyone else can try on their own, for those who cannot share files.

Icetech, Posted May 18, 2017:
Found a couple of files I could send. Not sure if you need more for testing. Here you go.
Attachments: Testfiles.rar

Demonslay335, Posted May 20, 2017:
I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details.
https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422
If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.

Icetech, Posted May 20, 2017:
10 hours ago, Demonslay335 said: "I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details. https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422 If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help."
You are a friggin hero! This last version found the key in seconds and decrypted the files perfectly. Thank you so much.

Demonslay335, Posted May 20, 2017:
Great! I was a little worried; for some reason I could not get a key for your case... but if it works for you, that's all that matters.

Icetech, Posted May 20, 2017:
6 minutes ago, Demonslay335 said: "Great! I was a little worried; for some reason I could not get a key for your case... but if it works for you, that's all that matters."
Yeah. I used the same files I posted here; the newest decrypter found the key in seconds. Thanks. Doing this fix as a favor always seems more stressful than normal customers.

itatecomputers, Posted May 23, 2017:
Yep. Thanks as well, Demonslay. The infected computer was a 32-bit Windows 7 and the fix did not work on it, but I copied all the infected files off and ran the decrypter on my laptop and it worked like a charm. :>

Demonslay335, Posted May 25, 2017:
Odd... my only guess is a possible race condition causing a bug where it skips the correct password somehow. Did the laptop have fewer cores than the infected system, by chance? Oh well, glad it worked for you. You can always acquire the key on the laptop (it gets logged if you didn't keep it), and just load it into the decrypter on the infected system, saving you from having to copy everything back and forth.