ComputerDirect, posted December 5, 2017

One of our clients has been infected with ransomware from an unknown source. All of their HDD data files have been encrypted and .ntfs has been appended to the end of the file names. I have attached the sample emails.txt.ntfs encrypted file as well as their decrypted emails.txt file. Every directory on the drive has a file named info.txt added into it, including the startup folder. This ransomware MO looks similar to the reported Stroman or FAT32 one. Any help would be much appreciated because I am doing this for a friend from a medical practice.

[Below is the info.txt file]

Your data set are encrypted.
We can help decrypted files.
Price for full decrypt all files 700$
You will get decrypt soft + personal key + manual.
For recover your files - contact us email: [email protected]
Please use public email for contact: gmail etc.
For you to be sure, that we can decrypt your files
You can send us 1-2 encrypted files and we will send back it in a decrypt format FREE.
For download files use only dropmefiles.com not more then 10 Mb
Send us an email:
1.Personal ID
2.link dropmefiles.com
after wait decrypted files and further instructions.
Personal ID: j2V5H5FAQ9OYZ7CAKAJIZ1AOHaUUu6
Do not rename encrypted files
Not use false encryption key, it cause pernament data loss
You must pay within 72 hours, or the price will be more.

[Below is the response to my email with a sample encrypted file provided]

your files http://dropmefiles.com/rG1Ua
if you want get soft and personal key for decrypt all files, you need pay 0.067 btc ~ $700
wallet for payment: 1FJZU2o7EgMekErp3enPnpLpMU1cBHhAcv
after payment, I send you soft,personal key,instruction for decrypt all files.
The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins or by any other means.
if you not pay within 72 hours, price will be more.

Attachments: emails.txt, emails.txt.ntfs, info.txt
GT500, posted December 5, 2017

This appears to be a new ransomware. Let's start by getting FRST logs from the affected computer, and see if there's anything we can learn from it. You can find instructions for downloading and running FRST at the following link: https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst
ComputerDirect (author), posted December 7, 2017

Have attached the requested files. PostDecrypt was run in Safe Mode with Networking after applying the decryption key on the affected PC. PreDecrypt was run in Safe Mode with Networking prior to applying the decryption key on the infected PC. Decrypt Soft.exe is the decryption program that we were provided. key.txt is a text file I copied the key to, from the email we received. Hope this helps.

Attachments: Addition_PostDecrypt.txt, Addition_PreDecrypt.txt, FRST_PostDecrypt.txt, FRST_PreDecrypt.txt, decrypt soft.exe, key.txt
GT500, posted December 7, 2017

You seem to have something called "ScreenConnect Client" installed, which appears to be some form of remote access software. Was that something that you had installed?
ComputerDirect (author), posted December 7, 2017

They have a remote support client system running for support from an offsite technical contact, so yes, that is legitimate.
GT500, posted December 7, 2017

OK. I don't see anything that looks like the ransomware itself in the logs; however, from what I am seeing it's a pretty stupid ransomware and it probably just encrypts everything that isn't in the Windows folder. I'll put everything you attached here into a ZIP archive and send it to our malware analysts and to Michael Gillespie (a third-party ransomware expert who works with us and Bleeping Computer to pick apart ransomware and make decryption tools, as well as maintain the ID Ransomware website/database). I don't know if we'll be able to make anything out of their decryption tool, as we usually need a copy of the ransomware itself to analyze how it encrypts files so that we can look for flaws, but we'll see what we can do with what we have.

If you want me to take a closer look at any affected systems, then please let me know. I can use remote access software to poke around and see if anything was left behind that shouldn't be.

Also, since we don't know if this ransomware was spread via some sort of remote access breach, I'll leave my standard instructions for dealing with that below just in case (it's good advice for any business):

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. After that, change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols.

Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
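The password policy above (every account gets its own password, at least 25 characters, drawn from all four character classes) is easy to state and easy to get subtly wrong when someone scripts the credential rotation in a hurry. The code below is an added example, not GT500's or Emsisoft's, showing how to generate passwords that satisfy that policy from the operating system's CSPRNG (Python's `secrets`, not `random`), how to verify a candidate against the policy, and how to catch reuse across the rotated accounts. The account names are constructed for the demonstration.

```python
"""Generate and check passwords against the policy stated in the thread:
>= 25 characters, all of uppercase, lowercase, digits and symbols, and a
different password for every account. Added example, not from the original post.
"""
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 25
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def meets_policy(password, min_length=MIN_LENGTH):
    """True if the password is long enough and contains every character class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=MIN_LENGTH):
    """Return a uniformly random password of `length` chars meeting the policy.

    Rejection sampling keeps the distribution uniform over policy-compliant
    strings; forcing one character from each class and shuffling would not.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def rotate(accounts, length=MIN_LENGTH):
    """Map each account name to a fresh, policy-compliant password."""
    return {account: generate_password(length) for account in accounts}


def find_reuse(credentials):
    """Return groups of accounts sharing one password (empty when every one is unique)."""
    by_password = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed account names for the demonstration.
    creds = rotate(["workstation-01\\admin", "router-admin", "practice-mail"])
    for account, password in creds.items():
        print(f"{account}: {password}")
    print("reuse:", find_reuse(creds))
```

Feed the output straight into the password manager the post recommends rather than printing it; the print loop is there only so the example runs visibly on its own.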