rstockham23

Need Help with Potentially Cry36


I have an entire server infected with Ransomware.  None of the tools on your site seem to work with it.  Checked the file online and it appears it may be Cry36.  Attached is an encrypted file, non-encrypted version and the ransom file.  Please help!

Agenda November 27, 2017.docx

Agenda November 27, 2017.docx.id_2556159886_[[email protected]].4se9s

### DECRYPT MY FILES ###.html


This looks like it's Cry36 (the "sample bytes" are a reasonably reliable way to identify this particular ransomware):
https://id-ransomware.malwarehunterteam.com/identify.php?case=2d1a9a69e0b7eccdfaac760fa5d1552eb92cd27e

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

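The two checks the reply above leaves to the reader, as an added example that is not part of the thread: a PowerShell script (assumed to run elevated on the infected server) that inventories the encrypted files using the naming scheme visible in the attachment names above, and then asks whether any Volume Shadow Copies still exist before anyone reaches for ShadowExplorer. The scan root `D:\Shares`, the report path, and the assumption that every encrypted file follows the `<name>.id_<digits>_[<email>].<ext>` shape are mine, not the thread's.

```powershell
# Added example (not from the thread): post-infection triage on the affected server.
# Assumptions: the encrypted-name pattern seen in the attachment names above,
#   <original name>.id_<digits>_[<email>].<ext>
# and a scan root passed as -Root. Run in an elevated PowerShell session.
param(
    [string]$Root   = 'D:\Shares',                                      # assumed share root
    [string]$Report = "$env:USERPROFILE\Desktop\cry36-inventory.csv"    # assumed output path
)

# Regex for the naming scheme (assumption: every file hit by this run keeps this shape).
# The ransom note "### DECRYPT MY FILES ###.html" deliberately does not match.
$pattern = '^(?<orig>.+)\.id_(?<id>\d+)_\[(?<mail>[^\]]+)\]\.(?<ext>[A-Za-z0-9]+)$'

# 1. Inventory the encrypted files so "which of these do we have backups for" can be
#    answered from a list (original name, size, last write) instead of by hand.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $null = $_.Name -match $pattern      # populate $Matches for this file
        [pscustomobject]@{
            EncryptedPath = $_.FullName
            OriginalName  = $Matches.orig
            VictimId      = $Matches.id
            Contact       = $Matches.mail
            NewExtension  = $Matches.ext
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc
        }
    }

if ($encrypted) { $encrypted | Export-Csv -Path $Report -NoTypeInformation }
"{0} encrypted files found under {1}; inventory written to {2}" -f @($encrypted).Count, $Root, $Report

# More than one victim ID or extension on the same host means the ransomware ran more than once
# (each run gets its own key pair, so each group would need its own private key).
$encrypted | Group-Object VictimId, NewExtension | Select-Object Count, Name

# 2. Do any Volume Shadow Copies survive? If nothing is listed, ShadowExplorer has nothing
#    to show and undeleting old copies from "System Volume Information" is the only option left.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    'No Volume Shadow Copies present on this host.'
} else {
    $shadows | Select-Object ID, VolumeName, InstallDate
}
```

Save it as `cry36-triage.ps1` and run `.\cry36-triage.ps1 -Root 'E:\Data'` for each volume; the `LastWriteUtc` column also gives a usable time window for the event-log search mentioned later in the thread.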

Thank you for the response.  Unfortunately I only have backups for some of the infected files which we will be restoring, but other files, I do not.  Do you feel there is any chance of a tool being developed to decrypt this soon?  I would be more than willing to help out in any way as far as submitting more files, etc.

On 11/27/2017 at 3:46 PM, rstockham23 said:

Do you feel there is any chance of a tool being developed to decrypt this soon?

Cry36 has been around for at least 6 months, and no one has managed to find any vulnerabilities in the encryption method thus far that would allow for decryption without knowing the private key. I don't expect that a free decryption tool will be available any time soon, especially since the criminal behind this ransomware has thus far not released master decryption keys for old variants (meaning he almost certainly won't release them for this variant either).

 

On 11/27/2017 at 3:46 PM, rstockham23 said:

I would be more than willing to help out in any way as far as submitting more files, etc.

I would believe we already have samples of all known versions of Cry36 at this point, so our malware analysts have had a chance to thoroughly analyze the encryption format that it uses.


I've been scouring event logs, files, etc. on the servers that got hacked with Cry36.  I was able to find some of their executables left behind that they used in the hacking.  On one of the servers the antimalware software detected them, and it got shut down before the hacker could remove the files.  The MS Antimalware software detected it as: Win32/CryptoLemPiz.A.  Not sure if any of this helps, but wanted to share.  Attached are the files I found.  Please let me know if there are other places I need to submit these files.  Thank you.

processhacker.zip


ProcessHacker is a legitimate tool that can be obtained from the following link (some of our developers use it for debugging):
http://processhacker.sourceforge.net/

It's a good indication that someone compromised the system through some form of remote access software (RDP for instance), and manually terminated any security software and manually executed the ransomware on the system. I'd recommend making sure that such attacks can't happen again (at least not easily).

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open.

After that, change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

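The lockdown steps above, carried out on a single Windows server's host firewall, as an added example that is not part of the thread (the perimeter firewall the reply is talking about has to be handled in its own interface, but the same close-everything, then reopen-narrowly order applies). Assumptions that are mine: a VPN client subnet of 10.8.0.0/24, that you run this from the console or while already on the VPN, because it disables every inbound allow rule reachable from any address, including whatever RDP rule you might be connected through, and that the password alphabet below is acceptable to the systems involved.

```powershell
# Added example (not from the thread): host-firewall lockdown and password generation
# for one Windows server. Assumptions: VPN client subnet 10.8.0.0/24 (hypothetical);
# you are at the console or on the VPN already. Run in an elevated PowerShell session.
$VpnSubnet = '10.8.0.0/24'
$Backup    = "$env:USERPROFILE\Desktop\firewall-rules-before.csv"

# 0. Record the current inbound allow rules first, so the audit later has a baseline.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = $addr
        }
    } | Export-Csv -Path $Backup -NoTypeInformation

# 1. "Temporarily close all open ports": disable every inbound allow rule that is reachable
#    from any remote address. Rules already scoped to specific hosts or subnets are left alone.
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$open | Disable-NetFirewallRule
"{0} globally reachable inbound rules disabled (baseline saved to {1})" -f @($open).Count, $Backup

# Default-deny inbound on every profile, so a rule that an installer re-enables later
# does not silently reopen the host to the Internet.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Reopen RDP only for addresses coming in over the VPN, instead of for the world.
New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnSubnet -Profile Any

# 3. Passwords of the kind recommended above: 25 characters drawn from a CSPRNG
#    (System.Security.Cryptography.RandomNumberGenerator), not from Get-Random.
function New-StrongPassword {
    param([int]$Length = 25)
    # 26 + 26 + 10 + 23 = 85 symbols.
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyz' +
                         'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                         '0123456789' +
                         '!@#$%^&*()-_=+[]{};:,.?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] (4 * $Length)
    $rng.GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # 32 random bits per character; 2^32 mod 85 = 1, so the modulo bias is one part in 2^32.
        $n = [BitConverter]::ToUInt32($bytes, 4 * $i)
        $alphabet[$n % $alphabet.Length]
    }
    -join $chars
}

# One password per account, generated here and pasted straight into the password manager.
New-StrongPassword
```

Run it once per server, then do the password rotation the reply describes for every account that can reach this network, and only afterwards re-enable (narrowed) rules from the saved CSV one at a time as the audit justifies them.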

Thank you.  Those are all very good suggestions.  I sent you a private message follow up from my last post.  I realized later that what I posted online here at first was just Process Hacker and some encrypted exe files of theirs.  I was actually able to break into their encrypted exe files and access the actual file that spreads the encryption on the file system.  Would that be of use to you?  I've encrypted 2 offline laptops already just exploring its functionality :-)
