prestige2326

Nozelesn

It is recommended that you upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can then paste a link to the results into a reply if you would like one of our experts to review them.

Could you post a link to the results from ID Ransomware so that we can see why it matched for Nozelesn? It's possible that the ransomware just looks like Nozelesn, and isn't actually the same ransomware.

Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/fixlist/prestige2326/2018-Oct-27/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

Also Note: This fixlist file will not direct FRST to make any changes to your computer. It will save some information about abnormal files and folders I saw in your logs to the Fixlog file so that I can get a better idea of what they are.

There definitely appears to be an infection still present on the system, however I suspect that what I am seeing happened after the ransomware infection. Let's get that cleaned up before we do anything else.

Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/fixlist/prestige2326/2018-Oct-29/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

I'm trying to help a friend (really!) whose files have been encrypted with the .nozelesn ransomware. Additionally, shadow copies and restore points have been deleted. We can't seem to find much information on possibly decrypting the files, even though this ransomware seems to have been around since July. The reputable sites that claim to have several different decryptors have none for this one. And when they ask for a sample to upload for analysis, it doesn't seem to work, or we get no reply, or it's an invalid address to upload. Is there any hope? Thanks.

22 hours ago, prestige2326 said:

Here is the new one

Fixlog.txt

OK, go ahead and run another scan with FRST, and attach the new logs to a reply.

 

46 minutes ago, kmsilver said:

Is there any hope?

We'd need a copy of the ransomware itself in order to analyze it. To my knowledge no one has ever been able to send us a copy, and the ransomware has been fairly rare, so no researchers/analysts have been able to get a hold of a copy on their own. Without a full analysis of the encryption method it uses, it's very unlikely that anyone will be able to figure out whether or not the files can be decrypted for free.

It looks like you ran the fix again. FRST didn't find anything that was in the fixlist this time, so that's a good indication that it removed everything I put in the fixlist. I recommend running a scan with Emsisoft Emergency Kit (free for personal/home use), and removing anything dangerous it finds:
https://www.emsisoft.com/en/software/eek/

The download of Emsisoft Emergency Kit is a self-extracting RAR archive, and by default it will put Emsisoft Emergency Kit in a folder named EEK in the root of your C:\ drive. If you want to remove it after running your scan, all you have to do is delete that folder. To run Emsisoft Emergency Kit, just open that folder, and double-click on the file named Start Emergency Kit Scanner (see screenshot below).

[Screenshot: the Start Emergency Kit Scanner file inside the EEK folder]

On 11/3/2018 at 11:18 AM, prestige2326 said:

What should I do after that to decrypt all my files?

Decryption won't be possible. We don't have a copy of the ransomware to analyze, so we don't yet know how its encryption process works, and thus we don't know if there are any vulnerabilities we can exploit to make a decrypter.

 

On 11/3/2018 at 11:27 AM, prestige2326 said:

Here is the scan. I quarantined the one detected item.

scan_181103-111757.txt

I'm rather curious about this file detected in the scan:

C:\Users\EUDM Victor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DPFPYG48\OzmuGJbeh[1].exe

If you already deleted it, then can you look in Emsisoft Emergency Kit's Quarantine (usually C:\EEK\Quarantine) and let me know if there are any files there? If so, you can send them to me, and I can take a look and see what it is.

That's the ransom note. We already have copies of that. What we need is the malicious file that infected the computer and encrypted your data.
