pk24

help with ransomware


Hi,

My PC has been encrypted via ransomware. ID Ransomware detects it as Xorist, but the decrypter tool fails to find a key and keeps asking me to drag the files.

The files all have the extension .colorit.

Thanks in advance for any help / support.

pk24


Hello. It is a pity that such a thing happened.

I can look at these files, but I cannot download attachments from your message.
Upload these two ransom notes to www.sendspace.com and give us the download link.
And please replace the two non-informative encrypted ini files with txt, doc, jpg, or png files.


I ran it through ID Ransomware, and I suspect it misidentified it. I've asked our malware analysts for more information.


I just heard from one of our malware analysts that this is a new ransomware, and that we're actively looking for a copy of it so that we can analyze it. If you happen to know how your computer became infected, then let us know.


Hi GT500,

This has been identified as WDM (DCRTR-WDM) Ransomware on a different forum, BleepingComputer.

Below is the post I posted there about my situation. As stated in the post, I have both suspicious files from one of my infected computers password-zipped if needed for analysis.

This affected 3 of my PCs: my CCTV computer, my main PC and my handheld GPD. It sort of sums up my year: lost my mum / my dog / partner in a car crash which wrote off the car, and now this, and we are only 4 months in :(

I had already scanned, cleaned and removed this from 1 computer and my handheld before reading to leave it in quarantine, so I managed to save the files in quarantine on the last computer.

One of these seems to be the culprit file:

c:\users\user\appdata\local\temp\plugins\setup.exe
c:\users\user\appdata\roaming\host process for windows services\svchost.exe

I have both password-zipped in case needed.

All my encrypted files have had the extension .colorit added.

The following link has several encrypted files, the ransom note and the HTA file; all of these are from the computer I still have the virus file from: www.sendspace.com/file/d11739

Password is: screwthehackers

Thanks in advance for any help / support.


pk24, hello

Both here and there ... 😃

GT500
Yes, it is real. We call it WDM or DCRTR-WDM Ransomware.
This ransomware is not new, because we found and identified it back in November last year. Michael also added it to IDR.
ID Ransomware knows the original DCRTR Ransomware and DCRTR-WDM as Dcrtr Ransomware.

After that, DCRTR-WDM changed several times. There are samples in my article, also at pk24's link and at another link in the topic on BleepingComputer.

New link to archive with exe files of WDM Ransomware:

https://www.sendspace.com/file/khxctl

The main EXE file in the archive is the file svchost.exe23.

-------------------------------------------------------------

I hope that after a detailed study of these samples by analysts, the detection on VT will be more recognizable.

And maybe Emsisoft will recognize how to return the files to the victims.

13 hours ago, pk24 said:

c:\users\user\appdata\local\temp\plugins\setup.exe
c:\users\user\appdata\roaming\host process for windows services\svchost.exe

I have both password-zipped in case needed.

If you believe those are the source of the infection, then yes, please send them. You can attach them to a reply here, as long as the files aren't too large. Only staff and authorized helpers can download them.

5 hours ago, Amigo-A said:

New link to archive with exe files of WDM Ransomware:

https://www.sendspace.com/file/khxctl

The main EXE file in the archive is the file svchost.exe23.

Awesome, thanks. Michael actually saw the link before I did, and is already looking over it. ;)

4 hours ago, pk24 said:

So below is a link to download them if needed; they are password-zipped inside a passworded zip.

https://www.sendspace.com/file/soevi9

Thanks, I've forwarded it to our malware analysts.

4 hours ago, pk24 said:

Tried to attach the culprit files as requested but get error -200.

The error code doesn't actually mean anything to anyone other than Invision Power Services (the company that makes the forum software). It tells them where the error occurred in the code.
