bflmpesseveze

Encrypted files "theva"


Greetings,

Our customer got some new ransomware and all data are encrypted and named "filename.[[email protected]].theva", and in every folder there is a #_README_#.inf file with some info from the ransomware creators. I did not find anything on Google except two logs from some malicious scan logs. I can send encrypted and decrypted files. Also I attach logs, but I think there will be no notice of any ransomware. Malwarebytes didn't find anything, nor did Bitdefender. The ransomware uninstalled ESET antivirus somehow.

Edit: I found it should be some BTCware and now I am trying decrypting tool, will update soon.

Sorry for my bad English.

Greets Martin V.

Addition.txt

FRST.txt

scan_170509-103057.txt

PB095682.JPG.[[email protected]].theva

PB095682.JPG

#_README_#.inf

Edited by bflmpesseveze
found new info


Hi bflmpesseveze,

We just found a sample of this ransomware, so if the current decrypter doesn't work then we will hopefully cover this variant soon.

Regards,

Sarah

On 5/9/2017 at 1:30 PM, Sarah W said:

Hi bflmpesseveze,

We just found a sample of this ransomware, so if the current decrypter doesn't work then we will hopefully cover this variant soon.

Regards,

Sarah

Sarah, just got called into one of my customers that has been hit by this as well. Which tool should I try or use, or should I wait for an updated one? This is a small-town lawyer with no backups, so she is up **** creek without a paddle as of now.

Brian Tate

iTate Computers & Tech Services

[email protected]


@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.

37 minutes ago, Demonslay335 said:

@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.


Sadly this is a machine from a doctor's office. I can't share any files, not even a PNG, and they also have zero backups. I was unable to find the exe itself. This particular machine was never used for any file serving, and no one goes online with it. Their IT guy thinks it bounced from another machine, but he hasn't been able to find a trace either. Will double-check myself, though.

12 minutes ago, Icetech said:

Sadly this is a machine from a doctor's office. I can't share any files, not even a PNG, and they also have zero backups. I was unable to find the exe itself. This particular machine was never used for any file serving, and no one goes online with it. Their IT guy thinks it bounced from another machine, but he hasn't been able to find a trace either. Will double-check myself, though.

If I get the new decrypter to work on other victim's files, I'll be able to release it and you can try it for yourself. Still working out some bugs.

Any chance that system had RDP open? We think that is the vector of infection for this variant.


I will check. I know their IT uses pcAnywhere, but they might have left RDP open. They don't seem too bright, honestly. They haven't had it backing up since 2014, just wtf... and it's a FoxPro database, not real hard to back up.

11 hours ago, Demonslay335 said:

@bflmpesseveze @itatecomputers @Icetech

I'm currently working on an update to the decrypter to support .theva. I've about got it ready for release.

Could you share a pair of encrypted files with their originals so I can test? Worst-case, an encrypted PNG will do.

The malware copies itself to %APPDATA%, try checking for a randomly named .exe in there. Most samples I have are around 270KB. Having a sample of it would be good as well if you can find it.


I can send you encrypted and decrypted files. Is JPG alright? I have a few of them, PDFs also. PM or post it here? But with those exe files, I'm sorry, Bitdefender deletes them all.

11 hours ago, Demonslay335 said:

If I get the new decrypter to work on other victim's files, I'll be able to release it and you can try it for yourself. Still working out some bugs.

Any chance that system had RDP open? We think that is the vector of infection for this variant.


do you think it will scan all ports for the RDP service? Because our infected customer has open RDP but routed from different port, not the default one.


That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

16 minutes ago, Demonslay335 said:

That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

I may be able to send some files too, but since this is a law office, I may be in the same boat that Icetech is in. I'll head there now and see if I can find something that I can send out.

2 hours ago, Demonslay335 said:

That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.

All my files are encrypted by the same theva ransomware, and I'm pulling my hair out. Any update?


@JAN22

Is that the decrypter the criminals gave you after payment? Looks to be for the .cryptobyte variant, which our decrypter already supports. Thanks for sharing though, very odd that their malware is in C++, but the decrypter looks to be Delphi...


Thank you JAN22 for helping :P

@Demonslay  Has everyone here tried the decryptor you mentioned?  Could you link to it so everyone can be sure to try it first?  Thanks


The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977

It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.

48 minutes ago, Demonslay335 said:

The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977

It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.

Does this one work on the "theva" variant?


Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first, though, to ensure it has the best chance.

I refer to .theva as v4.

2 minutes ago, Demonslay335 said:

Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first, though, to ensure it has the best chance.

I refer to .theva as v4.

I'm going to the client here shortly.  I'll get you a copy of the clean and infected file.  Not all her stuff should be confidential.  Will send within the hour.

1 hour ago, Demonslay335 said:

Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first, though, to ensure it has the best chance.

I refer to .theva as v4.

Here is an infected and clean copy of a word doc.

DEESE-TPR.docx

DEESE-TPR.docx.[[email protected]].theva


Just curious, as far as an original/encrypted pair goes: seeing as my place never did backups, I have been searching and I found tmp files that have a .tmp and a .theva version and are the exact same size. I can't see why the tool would leave an original behind, though. Worth a try?


Ya, anything's worth a shot. It doesn't have to come from the actual hard drive. If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair. Or generic readme files or generic images that come with programs or OSs.

And I don't know about this particular variant, but some ransomwares could just rename smaller files.  That could be why they are same size.  In the cry9 variant I had, some files just seemed to be renamed.  I also noticed many .iso and .zip files could easily be recovered just by renaming.  It wouldn't hurt to copy an encrypted file and experiment. 

19 minutes ago, bruticus0 said:

Ya, anything's worth a shot. It doesn't have to come from the actual hard drive. If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair. Or generic readme files or generic images that come with programs or OSs.

And I don't know about this particular variant, but some ransomwares could just rename smaller files.  That could be why they are same size.  In the cry9 variant I had, some files just seemed to be renamed.  I also noticed many .iso and .zip files could easily be recovered just by renaming.  It wouldn't hurt to copy an encrypted file and experiment. 

Ahhh, thank you. I wasn't 100% sure about it.

22 hours ago, Demonslay335 said:

Not currently. The in-dev one does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyway soon to let you try, since you cannot provide me files to test with; I have to work out some other bugs first, though, to ensure it has the best chance.

I refer to .theva as v4.

Good morning.  Any update on your progress?  I'm only asking because I know my phone is about to blow up any minute from the victim.  Thanks again for working on this.

BT


This ransomware doesn't rename files past just adding an extension. Some variants have the same filesize before and after because they use RC4; the ones that use AES-192 will pad the encrypted file up to 15 bytes (to round off to 16 byte blocks).

FYI I don't work for Emsisoft and have my own separate day job, so I can only work on ransomware cracking in my free time, which is pretty limited lately.
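As an added triage helper (written for this page, not code from the thread or from the decrypter's author), the following Python checks the points raised in this post and in bruticus0's earlier one: it strips the ".[<address>].theva" suffix, tells whether a file was merely renamed by checking its magic bytes, and compares an original/encrypted pair's sizes to distinguish a same-size (RC4-style) result from 16-byte block padding or appended data. The magic-byte table and the sample bytes are constructed for the example; the contact address in the file names is redacted on the page, so the suffix pattern only assumes it sits between square brackets.

```python
import re
from typing import Optional

BLOCK = 16  # the post: AES-192 variants pad up to 15 bytes, i.e. to a 16-byte boundary
# Suffix appended by this family: ".[<contact address>].theva" (address pattern assumed)
THEVA_SUFFIX = re.compile(r"\.\[.*\]\.theva$", re.IGNORECASE)

# Constructed magic-byte table; extend with the file types present on the victim.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # also docx/xlsx and other zip-based containers
    "docx": b"PK\x03\x04",
    "exe": b"MZ",
}


def original_name(encrypted_name: str) -> str:
    """Strip the '.[...].theva' suffix to recover the pre-infection file name."""
    return THEVA_SUFFIX.sub("", encrypted_name)


def looks_unencrypted(encrypted_name: str, data: bytes) -> bool:
    """True if the file still starts with the magic bytes of its original type.

    Useful when no original exists: a match means the file was only renamed
    (bruticus0's observation about .iso/.zip files), so renaming recovers it.
    """
    ext = original_name(encrypted_name).rsplit(".", 1)[-1].lower()
    sig: Optional[bytes] = MAGIC.get(ext)
    return sig is not None and data.startswith(sig)


def classify_pair(original: bytes, encrypted: bytes) -> str:
    """Describe what the encryptor appears to have done to an original/encrypted pair."""
    if original == encrypted:
        return "renamed-only"
    delta = len(encrypted) - len(original)
    if delta == 0:
        # Stream cipher (RC4) or an in-place transform. Note: a block cipher on an
        # original that is already a multiple of 16 bytes would also land here.
        return "same-size"
    if 0 < delta < BLOCK and len(encrypted) % BLOCK == 0:
        return "block-padded"  # AES-style, rounded up to a 16-byte boundary
    if delta > 0:
        return "appended"      # header or key blob added; delta says how many bytes
    return "truncated"


def triage_paths(original_path: str, encrypted_path: str) -> str:
    """Convenience wrapper for files on disk."""
    with open(original_path, "rb") as f_orig, open(encrypted_path, "rb") as f_enc:
        return classify_pair(f_orig.read(), f_enc.read())
```

Run `classify_pair` on a known pair before sharing files with a decrypter author: "renamed-only" or a magic-byte match means no key is needed for that file at all.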


@bflmpesseveze

I've sent you a PM with your key. :)

Currently working on the other cases, might be able to get some more keys tonight hopefully. Once I have a few more verified to be working to be safe, I'll release an updated decrypter that everyone else can try on their own for those who cannot share files.


I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details.

https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422

If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.

10 hours ago, Demonslay335 said:

I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details.

https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422

If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.

You are a friggin' hero! This last version found the key in seconds and decrypted the files perfectly. Thank you so much.

6 minutes ago, Demonslay335 said:

Great! I was a little worried, for some reason I could not get a key for your case... but if it works for you, that's all that matters. :)

Yeah, I used the same files I posted here. The newest decrypter found the key in seconds. Thanks. Doing this fix as a favor always seems more stressful than normal customers.


Yep. Thanks as well, Demonslay. The infected computer was a 32-bit Windows 7 and the fix did not work on it, but I copied all the infected files off and ran the decrypter on my laptop and it worked like a charm. :>


Odd... my only guess is a possible race condition causing a bug where it skips the correct password somehow. Did the laptop have fewer cores than the infected system, by chance?

Oh well, glad it worked for you. You can always acquire the key on the laptop (it gets logged if you didn't keep it) and just load it into the decrypter on the infected system, saving you from having to copy everything back and forth.
