MobuisNZ

New Variant BTC - Master Ransomware


One of my clients has been hit with what appears to be a variant of BTC (according to Spywarehunters Ransomware ID).

It has encrypted files and postfixed the following extension:

.[[email protected]].master

e.g.

FILENAME.DOC.[[email protected]].master

The instructions are all in a .txt file called:

!#_RESTORE_FILES_#!.inf

I'll attach the note.

They got in through Remote Desktop. One PC on the network has remote access via RDP on a non-standard port, and they used the credentials of an account called "staff", which made their life a little easier. Probably a dictionary attack.

They very conveniently sent the note to the printer, so we got 3 copies printed out.

Strangely, this one didn't attack network drives or attempt to hop to other machines via shares, even though, these being workstations on a domain, it had both available to it. Perhaps it crashed?

I have an encrypted and an unencrypted version of a Word document, but I don't want to submit it here as it has the company involved in the headers. Happy to submit it to the Emsi developers to look at.

I'll attach the "ransom note".

Because it didn't get the network drives (which were backed up anyway), it's more of a massive inconvenience and time waster. Mainly, the staff member had stuff saved to his desktop, and one document in particular he'd done a few hours' work on, and the only backup is an old copy sent via email.

It would still make his day if a decryption tool could be made, and obviously it would benefit others who might be less lucky in what they lose.

I've told them at this point: bye-bye RDP. We usually now at least have them make a PPTP VPN connection with different credentials and then RDP over that (I know PPTP is not "secure", but it's fit for purpose unless someone can inform me why not? My belief is that its encryption standard is dated, so a session could be captured and decrypted). For this client they were doing RDP from an iPad after hours, and iPad won't do PPTP any more, so we'll have to look at other VPN options.

Thanks,

Matt

Attachment: !#_RESTORE_FILES_#!.inf
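The post attributes the intrusion to a password-guessing run against the "staff" account over RDP. One way to confirm that from the Windows Security log is to look for a burst of 4625 (failed logon) events for one account from one source address, followed by a 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP) from the same source. The script below is an added example, not the poster's code or anything from the Emsisoft forum; the events are constructed sample data (the IPs, timestamps and the "jsmith" user are invented), with field names matching the Security log's EventData (EventID, TargetUserName, IpAddress, LogonType). On a real host the same dictionaries would be filled from Get-WinEvent or an EVTX export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: invented data, not from the poster's site).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2017-03-04 02:14:01", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:03", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:05", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:07", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:09", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:11", "id": 4625, "user": "staff", "ip": "203.0.113.45", "type": 10},
    {"time": "2017-03-04 02:14:13", "id": 4624, "user": "staff", "ip": "203.0.113.45", "type": 10},
    # Benign: a legitimate user mistypes once from the LAN, then logs in.
    {"time": "2017-03-04 08:01:00", "id": 4625, "user": "jsmith", "ip": "192.168.1.20", "type": 10},
    {"time": "2017-03-04 08:01:10", "id": 4624, "user": "jsmith", "ip": "192.168.1.20", "type": 10},
    # Console logon (LogonType 2), not RDP; no source IP is recorded.
    {"time": "2017-03-04 08:30:00", "id": 4624, "user": "jsmith", "ip": "-", "type": 2},
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, max_failures=5, window=timedelta(minutes=10)):
    """Flag (source IP, account) pairs with >= max_failures failed logons
    inside a sliding time window, and report whether an RDP logon from the
    same source succeeded at or after the end of that burst."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev["ip"], ev["user"])].append((_parse_time(ev["time"]), ev))

    findings = []
    for (ip, user), evs in by_source.items():
        evs.sort(key=lambda pair: pair[0])
        fail_times = [t for t, ev in evs if ev["id"] == 4625]

        # Sliding window over the sorted failure timestamps.
        burst_end = None
        lo = 0
        for hi, t in enumerate(fail_times):
            while t - fail_times[lo] > window:
                lo += 1
            if hi - lo + 1 >= max_failures:
                burst_end = t  # keep extending to the last failure of the burst
        if burst_end is None:
            continue

        successes = [t for t, ev in evs
                     if ev["id"] == 4624 and ev["type"] == 10 and t >= burst_end]
        findings.append({
            "ip": ip,
            "user": user,
            "failures": len(fail_times),
            "compromised": bool(successes),
            "success_at": successes[0].isoformat() if successes else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        status = "SUCCESSFUL LOGON FOLLOWED" if f["compromised"] else "no success seen"
        print(f'{f["ip"]} -> {f["user"]}: {f["failures"]} failures, {status}')
```

The threshold of five failures in ten minutes is a starting point, not a standard; a dictionary attack like the one described typically produces hundreds of 4625 events, so the more useful output is the "compromised" flag, which tells you the guessing actually worked and from where. The single "jsmith" typo is deliberately not flagged.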
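The post gives two artefacts a responder can pivot on: the renaming scheme `<original name>.[<contact email>].master` and the note filename `!#_RESTORE_FILES_#!.inf`. The script below is an added example (not the poster's code and not a tool from the forum) that walks a directory tree, recovers the original filename from each renamed file, checks that the content really is high-entropy (a cheap sanity check that it was encrypted rather than just renamed), collects the dropped notes, and lists any plaintext/ciphertext pairs where an unencrypted copy of the same name sits beside the encrypted one, which is exactly what a researcher would ask for. The contact address in the extension is redacted on the page, so the regex accepts any address and the sample tree uses a placeholder; the directory contents are constructed in a temporary folder purely for the demonstration.

```python
import math
import re
import tempfile
from pathlib import Path

# Naming scheme quoted in the post; the real e-mail is redacted there, so any
# bracketed address is accepted.
RANSOM_EXT = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\[\]]+)\]\.master$")
RANSOM_NOTE = "!#_RESTORE_FILES_#!.inf"


def parse_ransom_name(name):
    """Return (original_name, contact_email) or None if not a renamed file."""
    m = RANSOM_EXT.match(name)
    return (m.group("orig"), m.group("email")) if m else None


def shannon_entropy(data):
    """Bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(root, entropy_threshold=7.5, sample_bytes=65536):
    """Inventory encrypted files, ransom notes and plaintext/ciphertext pairs."""
    root = Path(root)
    encrypted, notes, pairs = [], [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == RANSOM_NOTE:
            notes.append(rel)
            continue
        parsed = parse_ransom_name(p.name)
        if not parsed:
            continue
        orig, email = parsed
        ent = shannon_entropy(p.read_bytes()[:sample_bytes])
        encrypted.append({
            "path": rel, "original": orig, "email": email,
            "entropy": round(ent, 2), "looks_encrypted": ent >= entropy_threshold,
        })
        sibling = p.with_name(orig)
        if sibling.is_file():
            pairs.append((sibling.relative_to(root).as_posix(), rel))
    return {"encrypted": encrypted, "notes": notes, "pairs": pairs}


def build_sample_tree(root):
    """Constructed test data (assumption: placeholder address and contents)."""
    root = Path(root)
    email = "attacker@example.com"
    # Stand-in for ciphertext: every byte value equally often -> entropy 8.0.
    ciphertext = bytes(range(256)) * 16
    plaintext = b"Quarterly report, draft 3. Figures still to be checked.\n" * 40
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    (root / "Desktop" / f"report.docx.[{email}].master").write_bytes(ciphertext)
    (root / "Desktop" / "report.docx").write_bytes(plaintext)   # old copy from e-mail
    (root / "Desktop" / "notes.txt").write_bytes(plaintext)     # untouched file
    (root / "Desktop" / RANSOM_NOTE).write_text("ransom note placeholder\n")
    (root / "Documents" / f"budget.xlsx.[{email}].master").write_bytes(ciphertext)
    (root / "Documents" / RANSOM_NOTE).write_text("ransom note placeholder\n")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = run_demo()
    for rec in result["encrypted"]:
        print(f'{rec["path"]}: was {rec["original"]}, entropy {rec["entropy"]}')
    print("notes:", result["notes"])
    print("plaintext/ciphertext pairs:", result["pairs"])
```

Run it against a copy of the affected profile rather than the live machine, and keep the pairs list: an encrypted file together with its exact original is the most useful thing you can hand to whoever looks at the sample, and it is worth a lot more than the note alone.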
