Ramsy

Apocalypse (new variant)


I was affected by ransomware that creates files with the following extensions:

- .missing

- .Contact_Data_Recovery.txt
The mail reported in the txt file is [email protected]

I can send all these files including the unencrypted version in PM.

I also have the "Windows Reparation Smart Decrypter.exe", which requires an unknown Activation Key to start the decryption.

Can anyone help me?

Thank you

11 hours ago, GT500 said:

I recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware to see if it can identify which ransomware has encrypted your files:
https://id-ransomware.malwarehunterteam.com/

You can post a link to the analysis here if you'd like for us to review it.

https://id-ransomware.malwarehunterteam.com/identify.php?case=bd13428dbf93d86e1de85eebf2a2e4b7ff329bdc

Here are all the additional things I have. I don't know if the exe file is a fake decryptor, but it was provided by them.
https://drive.google.com/open?id=1-mqgfviV3CGj9zavLH0OuR-4H6BE3t2j
Can you inform me when you have downloaded all the files you need, so I can set them back to private?

Thank you


I've asked our malware analysts if they need any additional information about this ransomware. For now, let's try getting a log from FRST, and see if it shows us anything we don't already know. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst

On 14/12/2017 at 1:10 AM, GT500 said:

I've asked our malware analysts if they need any additional information about this ransomware. For now, let's try getting a log from FRST, and see if it shows us anything we don't already know. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst

Can I eventually send you the generated log privately (as it contains data I don't want to reveal publicly)?

Sure. Just hover your mouse over my screen name on the forums, and click on Message in the box that pops up. That should allow you to send me a private message.


Hey guys, have we had any further options to decrypt this file? I am in the same situation: the Smart Decrypter requires a key that has to be purchased from the hacker.

I haven't heard anything new about it. What we really need is a copy of the ransomware itself so that we can analyze the way it encrypts files and look for weaknesses. If you want to help, then I recommend starting with logs from FRST so that we can see if there's any sign of the ransomware having been left behind after encrypting your files. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst

Note that if you happen to know where the ransomware came from, then that would be helpful as well. For instance, if you have a link to something you downloaded that you feel may have been malicious, then feel free to scan it on VirusTotal and then post a link here to the scan results. If you have a copy of a file that you believe is malicious, then you can upload it to VirusTotal and post a link to the scan results here.

Note: Anyone with access can download files from VirusTotal, so don't upload anything to VirusTotal that needs to remain private.


Hey Arthur,  have attached the FRST files.

Did a little checking on the tool the ransomware guy supplies, "Windows Reparation Smart Decrypter.exe". With IDR it looks for the following files: .encrypted, .crypted_file and .missing. As far as I can see, the first file is Apocalypse, the second is Kangaroo ransomware and the last one is the new one.

On the terminal server the main attacker, IP 5.8.33.107, kept on logging in and disconnecting every hour or so during the time of the encryption. There were a few others (88.204.157.55, 185.130.227.35 and 185.129.148.165), but they only logged in once or twice.

Will keep looking around.

Addition.txt

FRST.txt


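The repeated RDP logons described in the post above are exactly what the Windows Security event log records, so they can be reconstructed from the terminal server itself rather than from memory. The following PowerShell script is an added example, not code from this thread or from Emsisoft: it summarises successful RDP logons (event ID 4624 with logon type 10, RemoteInteractive) and failed logons (event ID 4625) per source IP address, then prints the full timeline for the busiest address so an hourly connect/disconnect rhythm stands out. It assumes an elevated session on the affected server, that logon auditing was enabled, that the events are still within the Security log's retention window, and the 30-day default for `$Since` is an assumed value to be replaced with the incident dates.

```powershell
# Added example (not from the thread): per-source-IP summary of RDP logons from the Security log.
# 4624 = successful logon (LogonType 10 = RemoteInteractive, i.e. RDP); 4625 = failed logon.
# Assumes an elevated session on the terminal server and that logon auditing is enabled.
param(
    [datetime]$Since = (Get-Date).AddDays(-30)   # assumed default window; set it to the incident dates
)

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The EventData fields (logon type, source address, account) are only reachable via the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    # Keep RDP successes only; keep every failure, because NLA failures are logged as type 3, not 10
    if ($e.Id -eq 4624 -and $data.LogonType -ne '10') { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        SourceIp = $data.IpAddress
    }
}

# One line per source address: how often it got in, how often it failed, and when
$summary = $rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceIp  = $_.Name
            Successes = @($_.Group | Where-Object EventId -eq 4624).Count
            Failures  = @($_.Group | Where-Object EventId -eq 4625).Count
            FirstSeen = ($ordered | Select-Object -First 1).Time
            LastSeen  = ($ordered | Select-Object -Last 1).Time
            Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Successes -Descending

$summary | Format-Table -AutoSize

# Full timeline for the busiest address, to see the connect/disconnect rhythm during the encryption
$top = $summary | Select-Object -First 1
if ($top) {
    $rows | Where-Object SourceIp -eq $top.SourceIp | Sort-Object Time |
        Format-Table Time, EventId, User -AutoSize
}
```

Save it as a .ps1 file and run it with `-Since` set to the day before the encryption started. Addresses that appear in the summary but belong to nobody in the organisation are the ones to block at the firewall and to cross-check against the accounts they logged in with, since an RDP success means the attacker held a valid password for that account.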
I'm not seeing any evidence of the ransomware being left behind on the system. Can you check the %AppData% and %LocalAppData% folders for each user profile, in addition to the %ProgramData% folder to see if there are any files in those folders? Any executable files (.exe, .cmd, .bat, .com, .scr, .pif, etc) or script files (.vb, .vbs, .js, etc) would be suspicious.


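The folder check GT500 asks for above can be done in one pass rather than by hand. The following PowerShell script is an added example, not code from this thread or from Emsisoft: it walks `AppData\Roaming` (%AppData%) and `AppData\Local` (%LocalAppData%) for every profile under `C:\Users`, plus %ProgramData%, and lists every file with one of the executable or script extensions named in the post, together with its size, timestamps, Authenticode status and SHA256 hash. It assumes an elevated session, the standard `C:\Users` profile layout, and the report path and `$Since` filter are assumed defaults.

```powershell
# Added example (not from the thread): list executable and script files under each user's
# %AppData% and %LocalAppData%, plus %ProgramData%, with size, timestamps, signature status and SHA256.
# Assumes an elevated session and the standard C:\Users profile layout.
param(
    [datetime]$Since  = [datetime]::MinValue,   # set to the day before the encryption to narrow the list
    [string]  $Report = (Join-Path $env:USERPROFILE 'Desktop\appdata_executables.csv')   # assumed path
)

# Extensions named in the post; extend if needed (.ps1, .hta and .wsf are common additions)
$suspicious = @('.exe', '.cmd', '.bat', '.com', '.scr', '.pif', '.vb', '.vbs', '.js')

$targets = New-Object System.Collections.Generic.List[string]
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $targets.Add((Join-Path $profile.FullName 'AppData\Roaming'))   # %AppData% for that user
    $targets.Add((Join-Path $profile.FullName 'AppData\Local'))     # %LocalAppData% for that user
}
$targets.Add($env:ProgramData)

$findings = foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $suspicious -contains $_.Extension.ToLower() -and $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Bytes    = $_.Length
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                # Valid = signed by a trusted publisher; NotSigned / HashMismatch deserve a closer look
                Signed   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

# Newest files first: a binary created around the encryption time is the interesting one
$findings | Sort-Object Created -Descending | Format-Table Created, Signed, Bytes, Path -AutoSize
$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "$(@($findings).Count) file(s) written to $Report"
```

`AppData\Local` holds browser caches and installer leftovers, so the unfiltered list is long; pass `-Since` with the incident date to cut it down to files created around the encryption. The SHA256 column is there so a suspicious file can be looked up on VirusTotal by hash first, which avoids uploading anything that must stay confidential (the caveat GT500 makes about VirusTotal uploads).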
The odds are fairly good that the ransomware deleted itself after it finished encrypting files. That's fairly standard, as it makes it more difficult for analysts and researchers to get copies of the ransomware for analysis.

If you manage to figure out where the infection came from, then let me know. You can easily share malicious links or files with us using VirusTotal. Just scan them on VirusTotal, and post the link to the analysis here. Just keep in mind that we aren't the only ones who can download files from VirusTotal, so don't upload anything that needs to remain confidential.


Thank you. I have forwarded that to our malware analysts in case they want to take a look at it.

From the file name, it appears to be the decryption tool they send after you pay the ransom?


Yes, it was called Windows Reparation Smart Decrypter.exe; it was easier to type in virus.

When we paid, they wanted money for the key.

OK, thanks. If our malware analysts tell me anything new, then I'll let you know.


Hey GT500,  My boss has decided to pay the second ransom.

Unfortunately they are claiming we now have to pay a late fee of 0.2 BTC; not sure we will get the key to decrypt.

You can try negotiating with them, and see if they would be willing to lower the price. After all, if you can't pay, then they get nothing.

That being said, keep in mind that the decryption tools that the criminals who make ransomware send don't always work. With most of these criminals, once you've paid them they have no incentive to actually help you. If you absolutely have to go that route, then see if they can decrypt one file for you for free so that you know you'll get your files back. There are a number of ransomwares that actually offer to recover one file for free as proof that they would decrypt your files if you paid the ransom, so it's not unreasonable to ask for such an example even if it wasn't offered.


There's not much information out there about that e-mail address. I did find your topic on BleepingComputer, but with limited information available about this particular ransomware there's really no good recommendations we can make.

The only possibility (and it's a remote possibility) is to try a tool such as ShadowExplorer; however, ransomware usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above, the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery


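Before reaching for an undelete utility it is worth confirming whether any Volume Shadow Copies survived at all, and if so, which volume and date each one covers. The following PowerShell script is an added example, not code from this thread, from Emsisoft or from ShadowExplorer: it lists the surviving shadow copies mapped back to drive letters and then exposes the newest copy of C: as a directory link, which gives the same read-only view of the pre-encryption files that ShadowExplorer provides, using only built-in tools. It assumes an elevated session, and the link location, the user name and the destination drive in the commented copy command are assumed values.

```powershell
# Added example (not from the thread): check whether Volume Shadow Copies survived the attack,
# then expose the newest copy of C: as a folder so files can be browsed and copied out.
# Assumes an elevated session. Run it before any undelete tool: undeleting the VSS store only
# matters if this reports that no shadow copies are left.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    Write-Host 'No Volume Shadow Copies present on this system.'
    Write-Host 'Check the VSS service state and its Application log entries (provider name VSS) for deletion times.'
    return
}

# Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path; Win32_Volume.DeviceID uses the same form
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter
$shadows | ForEach-Object {
    $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
    [pscustomobject]@{
        Created = $_.InstallDate
        Volume  = $vol.DriveLetter
        Id      = $_.ID
        Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
} | Sort-Object Created | Format-Table -AutoSize

# Expose the newest shadow copy of C: as a directory link. mklink needs the trailing backslash.
$systemVol = $volumes | Where-Object DriveLetter -eq 'C:'
$newest = $shadows |
    Where-Object VolumeName -eq $systemVol.DeviceID |
    Sort-Object InstallDate |
    Select-Object -Last 1
if ($newest) {
    $link = 'C:\ShadowCopyView'   # assumed link location
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d $link "$($newest.DeviceObject)\" | Out-Null
    }
    Write-Host "Shadow copy from $($newest.InstallDate) is browsable read-only at $link"
    # Copy a pre-encryption folder to a clean drive (user name and destination are assumed values):
    # Copy-Item -LiteralPath "$link\Users\alice\Documents" -Destination 'E:\Recovered\alice' -Recurse
    # Remove the link when done; this does not delete the shadow copy:  cmd /c rmdir $link
}
```

A shadow copy dated before the encryption is the only one of interest; anything created afterwards contains the .missing files. As GT500 notes, even a surviving copy may hold no useful data unless Windows Backup or System Restore had captured those files, so check the listed creation dates first and copy recovered data to a separate drive rather than back onto the affected volume.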
Thanks GT500, the post at BleepingComputer was mine; they closed it within an hour of posting.

Have tried a few of the file recovery programs but no luck.

Thanks anyway.

There's still no known way to decrypt files encrypted by this ransomware for free.


Our Behavior Blocker is capable of automatically quarantining any ransomware we've encountered, even if the anti-virus engines we use are not capable of detecting them.
