ComputerDirect

Ransomware .ntfs extension appended


One of our clients has been infected with ransomware from an unknown source.

All of their HDD data files have been encrypted and .ntfs has been appended to the end of the file names.

I have attached the sample emails.txt.ntfs encrypted file as well as their decrypted emails.txt file.
Every directory on the drive has a file named info.txt added into it, including the startup folder.
This ransomware MO looks similar to the reported Stroman or FAT32 one.
Any help would be much appreciated because I am doing this for a friend from a medical practice.
 

[Below is the info.txt file]

Your data set are encrypted.
We can help decrypted files.
Price for full decrypt all files 700$
You will get decrypt soft + personal key + manual.

For recover your files - contact us email:
[email protected]

Please use public email for contact: gmail etc.

For you to be sure, that we can decrypt your files
You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.
For download files use only dropmefiles.com not more then 10 Mb

Send us an email:
1.Personal ID
2.link dropmefiles.com
after wait decrypted files and further instructions.

Personal ID:
j2V5H5FAQ9OYZ7CAKAJIZ1AOHaUUu6

Do not rename encrypted files
Not use false encryption key, it cause pernament data loss

You must pay within 72 hours, or the price will be more.
 

[Below is the response to my email with a sample encrypted file provided]

your files
http://dropmefiles.com/rG1Ua

if you want get soft and personal key for decrypt all files, you need pay 0.067 btc ~ $700

wallet for payment:
1FJZU2o7EgMekErp3enPnpLpMU1cBHhAcv

after payment, I send you soft,personal key,instruction for decrypt all files.

The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins
or by any other means.

if you not pay within 72 hours, price will be more.
 

Attachments: emails.txt, emails.txt.ntfs, info.txt
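A triage script like the one below (added here as an example; it is not from the original poster or from Emsisoft) helps scope an infection with the pattern described above: it inventories files carrying the appended .ntfs extension, finds every info.txt note, pulls the Personal ID and contact address out of the notes, and brackets the time window in which encryption ran. It assumes the affected drive is attached or imaged at the path given in -Root; the extension and note name are parameters so the same script works for a variant.

```powershell
# Added triage example (not from the original post). Assumes the affected volume
# is reachable at -Root, ideally a read-only mount or an image of the disk.
param(
    [string]$Root = 'D:\',
    [string]$Extension = '.ntfs',    # extension appended to encrypted files
    [string]$NoteName  = 'info.txt'  # ransom note dropped in every directory
)

# 1. Encrypted files: anything whose name ends with the appended extension
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase) })

# 2. Ransom notes: collect the Personal ID and any contact address each one carries
$notes = @(Get-ChildItem -Path $Root -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue)
$ids = @(); $contacts = @()
foreach ($note in $notes) {
    $text = Get-Content -Path $note.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }
    if ($text -match 'Personal ID:\s*([A-Za-z0-9]+)') { $ids += $Matches[1] }
    foreach ($m in [regex]::Matches($text, '[\w.+-]+@[\w-]+\.[\w.-]+')) { $contacts += $m.Value }
}
# Hash of one note, so the sample can later be matched against ID Ransomware
$noteHash = ''
if ($notes.Count -gt 0) { $noteHash = (Get-FileHash -Path $notes[0].FullName -Algorithm SHA256).Hash }

# 3. Time window: earliest and latest write to an encrypted file brackets the run
$byTime = @($encrypted | Sort-Object LastWriteTime)
$first = $null; $last = $null
if ($byTime.Count -gt 0) { $first = $byTime[0].LastWriteTime; $last = $byTime[-1].LastWriteTime }
[pscustomobject]@{
    EncryptedFiles = $encrypted.Count
    DirectoriesHit = @($encrypted | Group-Object DirectoryName).Count
    RansomNotes    = $notes.Count
    FirstWrite     = $first
    LastWrite      = $last
    PersonalIDs    = (@($ids | Sort-Object -Unique) -join ', ')
    ContactEmails  = (@($contacts | Sort-Object -Unique) -join ', ')
    NoteSHA256     = $noteHash
} | Format-List

# 4. Hardest-hit directories first, and a full inventory for the case file
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $env:TEMP 'ntfs-ransomware-inventory.csv') -NoTypeInformation
```

The exported CSV and the first/last write times are what an analyst will ask for next, since they show which hosts and shares were reached and roughly when the encryptor was running.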


This appears to be a new ransomware. Let's start by getting FRST logs from the affected computer, and see if there's anything we can learn from it. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst


Have attached the requested files.
PostDecrypt was run in Safe Mode with Networking after applying the decryption key on the affected PC.
PreDecrypt was run in Safe Mode with Networking prior to applying the decryption key on the infected PC.

Decrypt Soft.exe is the decryption program that we were provided.
key.txt is a text file I copied the key to, from the email we received.

Hope this helps.

Attachments: Addition_PostDecrypt.txt, Addition_PreDecrypt.txt, FRST_PostDecrypt.txt, FRST_PreDecrypt.txt, decrypt soft.exe, key.txt


You seem to have something called "ScreenConnect Client" installed, which appears to be some form of remote access software. Was that something that you had installed?


OK.

I don't see anything that looks like the ransomware itself in the logs, however from what I am seeing it's a pretty stupid ransomware and it probably just encrypts everything that isn't in the Windows folder. I'll put everything you attached here into a ZIP archive and send it to our malware analysts and to Michael Gillespie (a third-party ransomware expert who works with us and Bleeping Computer to pick apart ransomware and make decryption tools, as well as maintain the ID Ransomware website/database). I don't know if we'll be able to make anything out of their decryption tool, as we usually need a copy of the ransomware itself to analyze how it encrypts files so that we can look for flaws, but we'll see what we can do with what we have.

If you want me to take a closer look at any affected systems, then please let me know. I can use remote access software to poke around and see if anything was left behind that shouldn't be.

Also, since we don't know if this ransomware was spread via some sort of remote access breach, I'll leave my standard instructions for dealing with that below just in case (it's good advice for any business):

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open.

After that, change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
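The firewall audit described in the reply above can be started with a script like this one (an added example, not Emsisoft's own tooling): it lists the enabled inbound allow rules on a Windows host that expose RDP, SMB, NetBIOS, WinRM or VNC to any remote address, and with -Disable turns those rules off so each can be reviewed before being reopened, ideally behind the VPN the reply recommends. Run it in an elevated PowerShell on each workstation and server; the port-to-service table is an assumption chosen for this walk-through.

```powershell
# Added example (not Emsisoft's tooling). Run elevated on each Windows host.
# The port-to-service table below is an assumption for this walk-through.
param([switch]$Disable)

$watched = @{
    '3389' = 'RDP'; '445' = 'SMB'; '139' = 'NetBIOS'
    '5985' = 'WinRM'; '5986' = 'WinRM-HTTPS'; '5900' = 'VNC'
}

# Enabled inbound allow rules whose local port is a watched service (or 'Any')
# and whose remote address scope is 'Any', i.e. reachable from the whole network.
$findings = @(foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $ports = @($portFilter.LocalPort)            # one value, a list, or 'Any'
    $hits  = @($ports | Where-Object { $_ -eq 'Any' -or $watched.ContainsKey([string]$_) })
    if ($hits.Count -gt 0 -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
        [pscustomobject]@{
            RuleName  = $rule.Name
            Display   = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $portFilter.Protocol
            LocalPort = ($ports -join ',')
            Service   = (@($hits | ForEach-Object { if ($_ -eq 'Any') { 'ALL' } else { $watched[[string]$_] } }) -join ',')
        }
    }
})

# Port ranges (for example '49152-65535') are not expanded; review those by hand.
$findings | Format-Table Display, Profile, Protocol, LocalPort, Service -AutoSize

if ($Disable -and $findings.Count -gt 0) {
    # Disable rather than delete, so the rule survives for the later review
    $findings | ForEach-Object { Disable-NetFirewallRule -Name $_.RuleName }
    Write-Output ("Disabled {0} rule(s)" -f $findings.Count)
}
```

Rules scoped to specific remote addresses are left alone on purpose, since those are the ones the reply says should survive the audit; re-run without -Disable afterwards to confirm nothing watched is still open to 'Any'.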

