Paully

Ransomware identification


Hello Gracious Emsisoft Folks,

Virus hit a workstation Friday (Jan 07 '17) via email .zip attachment. It encrypted the workstation and several mapped-drive server files.

At this point:

  • Workstation has been formatted and received fresh installs of OS, etc., unfortunately before we knew to grab any file the virus may have left on the desktop.
  • The virus did not rename the corrupted/encrypted files.
  • Several encrypted files on server have been archived in their current, unfortunate state and are ready for decryption attempts.
  • Attached is a pic of the ransomware note that popped up on the workstation.
  • I still have the original offending email, with the .zip attachment, in my email software's (Thunderbird) "trash" folder.
  • I tried to upload a pair of files (one encrypted and one not encrypted) to this post although the encrypted file's upload failed
  • A local outfit identified it as Nemucod, somehow based on the attached screen shot. They pointed me towards your Nemucod decryptor, but I did not have success (the "no key found" message blossoms). It seems the local folks could be wrong on the identification though, as your decrypt page states that Nemucod renames with a *.crypted suffix, and this was not the case with my files.
  • I haven't yet tried the identification tools your "first steps" page recommends because:

I very much appreciate any help you can offer. I look forward to supporting you in any way I can.

Best Regards,

Paul

IMG_20170707_111335.jpg


I see on the https://decrypter.emsisoft.com/ page that NemucodAES showed up today. This seems quite similar to what hit us. The visual formatting of the ransom note is identical, but there are a couple of differences in the note content (e.g. the bitcoin amounts, the browser links, etc.). I've gone through the other ransomware descriptions on that page and nothing matches exactly. The couple that don't rename affected files seem to have very different looking ransom notes than ours. (Are major ransom note differences that conclusive?)

Yeesh, I hope it's not NemucodAES as we already formatted the workstation (AAAHHHHHH...!!!!).  But assuming it is for moment:

At this point it is files in a mapped server folder that we wish to decrypt. Would the decryption key and data from these files still be on the infected workstation? And so lost to me?

EDIT:

I believe I've answered the 2nd question.  Numerous "Thumbs.db" are the only *.db files on the server. I doubt it's any of those. Just grasping at this point really.  

The first question regarding ransom note differences remains.

Edited by Paully


I'm afraid if you did not backup the .db file from the infected system (it has the filename of the Bitcoin address usually, and I think it's in %TEMP%), then there will be no way to decrypt the data; even the criminals cannot decrypt without it. The ransomware stores the actual encrypted bytes in that file, and overwrites the first 2048 bytes of the original file with utter garbage.

When dealing with ransomware, reloading should be the last thing you do until you have had the ransomware properly identified. If in doubt and you absolutely need to wipe the system, it's usually a good idea to make an image of the system before-hand.
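The damage pattern described in the reply above (first 2048 bytes of each file overwritten, the rest left untouched, the real ciphertext parked in a .db file named after the Bitcoin address) is something a practitioner can verify against the pair of files Paul still has before giving up on them. The following is an added example, not code from the thread or from Emsisoft: it compares a suspect file with a known-good copy, reports whether the header looks random and whether everything past the 2048-byte mark is byte-identical, and screens .db filenames for the address-shaped name the reply mentions (so Thumbs.db is ruled out on sight). The 2048-byte figure and the naming convention are taken from the reply; the assumption that the name is a legacy base58 Bitcoin address (starting with 1 or 3) is mine, and the sample bytes are constructed, not real victim data.

```python
"""
Added example (not code from the thread or from Emsisoft): checks a suspect
file against the overwrite pattern described in the reply above and screens
filenames for the Bitcoin-address-named .db key store it mentions.
"""
import math
import random
import re
from collections import Counter
from pathlib import PurePath
from typing import Optional

HEADER_LEN = 2048        # region the reply says is overwritten with garbage
RANDOM_THRESHOLD = 7.5   # bits/byte; plaintext headers sit well below this

# Assumption (mine, not from the thread): key store is named after a legacy
# base58 Bitcoin address, i.e. 1... or 3..., 26-35 characters.
_BTC_ADDR = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, 7.9+ for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(suspect: bytes, clean: Optional[bytes] = None) -> dict:
    """Compare a suspect file with the header-overwrite pattern.

    With a known-good copy the check is conclusive for this pattern: the
    first HEADER_LEN bytes must differ and everything after them must be
    byte-identical. Without a clean copy only the entropy hint is available.
    """
    head_entropy = shannon_entropy(suspect[:HEADER_LEN])
    header_random = head_entropy > RANDOM_THRESHOLD
    result = {
        "header_entropy": round(head_entropy, 2),
        "header_random": header_random,
        "header_differs": None,
        "tail_intact": None,
    }
    if clean is None:
        result["pattern_match"] = header_random
        return result
    result["header_differs"] = suspect[:HEADER_LEN] != clean[:HEADER_LEN]
    result["tail_intact"] = (len(suspect) == len(clean)
                             and suspect[HEADER_LEN:] == clean[HEADER_LEN:])
    result["pattern_match"] = (header_random
                               and result["header_differs"]
                               and result["tail_intact"])
    return result


def is_key_store_candidate(filename: str) -> bool:
    """True for a .db file whose stem looks like a Bitcoin address."""
    p = PurePath(filename)
    return p.suffix.lower() == ".db" and _BTC_ADDR.fullmatch(p.stem) is not None


# Constructed sample data (not real victim files): a text-like "document"
# and a copy whose first 2048 bytes were replaced with pseudo-random bytes.
SAMPLE_CLEAN = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 100
SAMPLE_HIT = random.Random(2017).randbytes(HEADER_LEN) + SAMPLE_CLEAN[HEADER_LEN:]


def demo() -> dict:
    return {
        "hit_vs_clean": classify(SAMPLE_HIT, SAMPLE_CLEAN),
        "clean_vs_clean": classify(SAMPLE_CLEAN, SAMPLE_CLEAN),
        "hit_alone": classify(SAMPLE_HIT),
        "thumbs_db": is_key_store_candidate("Thumbs.db"),
        # constructed dummy name in the assumed address shape, not a real address
        "addr_db": is_key_store_candidate("1" + "A" * 33 + ".db"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run it against a real pair by reading both files in binary mode and passing the bytes to `classify`; a `tail_intact` of True together with a random-looking header is the signature the reply describes, and it also tells you that nothing past the first 2048 bytes of the server copies was touched.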


So you believe that it is the new variant NemucodAES then? It all hinges on the diagnosis doesn't it.


Yes, it is. If you had typed the Bitcoin address or any one of those URLs into ID Ransomware, it would have already identified them even though you don't have the note. The Bitcoin address is unique per campaign, and there's tons of URLs of compromised websites they use, so you can't just go off of matching against the one screenshot in the Emsisoft blog.


Thank you for your input. Now I can confidently release my last sliver of hope and move on.  :)

I've learned much from this. I appreciate everyone's contribution here to the battle.

Best of luck,

Paul


An additional question, and please pardon me if my nomenclature is off.

Is NemucodAES known to worm (if I'm using that correctly)?

The workstation that was hit did damage a few dozen (60 or so) files on a shared network folder. The workstation has been formatted and reinstalled. We are still picking through and replacing affected network files.

Should I be concerned that it could become active from the network machine? Or was active software removed when I formatted the workstation?

Two weeks now since the attack, and there has been no sign of additional activity, but I thought I would ask in case some dormant period is typical.
