Thurmus

Files Encrypted with .cheetah Extension

Hi guys and girls,

 

I am wondering if you can assist me with a server that has become encrypted. All of the files have had .cheetah added at the end and [id=XXXXXXXX] appended.

I have tried a couple of online ID sites. One of them detects it as BigBobRoss, but your and Avast's decrypting tools do not work with either a before-and-after file pair or the ransom note. The EEK kit and a site which checks against multiple vendors detect it as Gen:Variant.Ransom.Stop.2 and a couple of other types.

I have saved the following, which are available at the link below, as I couldn't work out how to attach them as per your guide:

1. A zipped before and after file

2. The EEK and FRST logs zipped

3. A copy of the encryption message text file

4. The file that the EEK kit detected as infected zipped

5. A screen shot from the multi-site detection

6. A screen shot of the MAC address information

https://1drv.ms/f/s!AvxCaWVUudYwvTPFX9Huw5ZRP0Z6

 

Thanks in advance for your time.


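A triage script for the renamed files and the before/after pair described in the post above, added here as an example. It is not Emsisoft's or Avast's decrypter and not code from the ransomware. It assumes the `.cheetah` marker and the `[id=XXXXXXXX]` tag can appear in either order with an 8-character alphanumeric ID (the post does not say which order), and the "encrypted" sample it builds is a constructed SHA-256 keystream stand-in, not BigBobRoss output. It groups marked files by victim ID and, for one before/after pair, reports size growth, byte entropy and how much plaintext survives untouched at either end, which are the facts a decrypter author usually asks for first.

```python
"""Triage helper for files renamed with .cheetah and [id=XXXXXXXX].

Added example for this thread, not Emsisoft's or Avast's decrypter and not
code from the ransomware. Marker layout, ID alphabet and the sample
"ciphertext" below are assumptions made for the demo.
"""
import hashlib
import math
import re
from collections import Counter
from pathlib import Path

# ASSUMPTION: the post says ".cheetah" is added and "[id=XXXXXXXX]" is appended,
# but not in which order, so both layouts are accepted; the ID is taken to be
# eight alphanumerics. Names carrying only one of the two markers are ignored.
_ID = r"\[id=(?P<{n}>[A-Za-z0-9]{{8}})\]"
MARKER_RE = re.compile(
    r"^(?P<stem>.+?)\.?(?:\.cheetah\.?" + _ID.format(n="id_a")
    + r"|" + _ID.format(n="id_b") + r"\.?\.cheetah)$"
)


def parse_encrypted_name(name):
    """Return (original_name, victim_id), or None if the marker is absent."""
    m = MARKER_RE.match(name)
    if not m:
        return None
    return m.group("stem"), m.group("id_a") or m.group("id_b")


def scan_tree(root):
    """Group marked files by victim ID. Families that stamp one ID per host
    make several IDs in one share a sign that more than one machine ran it."""
    by_id = {}
    for p in Path(root).rglob("*"):
        parsed = parse_encrypted_name(p.name) if p.is_file() else None
        if parsed:
            by_id.setdefault(parsed[1], []).append(p)
    return by_id


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for real ciphertext, 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix_len(a, b):
    """Number of leading bytes on which a and b agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def compare_pair(original, encrypted, victim_id):
    """Facts a decrypter author asks for first: did the file grow (header or
    trailer?), is the ID stored in the tail, and how much plaintext survives
    untouched at either end (some families encrypt only the first N bytes)."""
    return {
        "size_delta": len(encrypted) - len(original),
        "entropy_before": round(shannon_entropy(original), 2),
        "entropy_after": round(shannon_entropy(encrypted), 2),
        "id_in_tail": victim_id.encode() in encrypted[-256:],
        "untouched_prefix": common_prefix_len(original, encrypted),
        "untouched_suffix": common_prefix_len(original[::-1], encrypted[::-1]),
    }


def _keystream(n, label=b"constructed-demo-key"):
    """Deterministic SHA-256 counter stream used only to fabricate sample
    ciphertext; zero bytes are replaced so every output byte differs from
    its plaintext byte, which keeps the demo's prefix/suffix counts exact."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(b or 0x5A for b in out[:n])


def constructed_sample(partial):
    """CONSTRUCTED plaintext plus a fake encrypted copy, not a real pair.
    partial=True scrambles only the first 256 bytes; otherwise the whole
    file is scrambled and an [id=...] trailer is appended."""
    victim_id = "1A2B3C4D"
    original = (b"Quarterly figures, do not distribute. " * 30)[:1024]
    cut = 256 if partial else len(original)
    scrambled = bytes(a ^ k for a, k in zip(original[:cut], _keystream(cut)))
    encrypted = scrambled + original[cut:]
    if not partial:
        encrypted += f"[id={victim_id}]".encode()
    return original, encrypted, victim_id


if __name__ == "__main__":
    for partial in (False, True):
        orig, enc, vid = constructed_sample(partial)
        print("partial" if partial else "full", compare_pair(orig, enc, vid))
```

Run it against a real pair by reading the two files as bytes and passing the ID from `parse_encrypted_name` into `compare_pair`; a large `untouched_suffix` on a real sample means only the head of each file was encrypted, which matters both for what a decrypter has to recover and for salvaging structured files whose tails still carry usable data.
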
Hello. Ransomware with .cheetah and [id=<XXXXXXXX>] is BigBobRoss Ransomware - it's not STOP Ransomware!

Detections on VT are incorrect. The extortionists tried very hard to make the VT AV engines' detections wrong for this instance, but we will not go into the technical details here.

I described the early version of this ransomware as BigBobRoss Ransomware back in January 2019; at that time it did not have a name and I gave it this name (from the login email [email protected]). Later this name stuck to this extortionist, and since then he has already changed several times.

The variant with the .cheetah extension also exists in several versions.

Emsisoft released a decrypter for three variants of BigBobRoss Ransomware, among them only the first variant with the .cheetah extension.

In your case, you probably got a newer version, with other keys, so the decoder did not work.

Wait for a response from the support service.

10 hours ago, Amigo-A said:

In your case, you probably got a newer version, with other keys, so the decoder did not work.

That's more than likely the case, however I've asked for confirmation to be certain.


We're still looking over new ransomware samples to determine exactly what has changed. With luck, we'll be able to update the decrypter to account for any differences.

10 hours ago, GT500 said:

We're still looking over new ransomware samples to determine exactly what has changed. With luck, we'll be able to update the decrypter to account for any differences.

It is BigBobRoss-Cheetah, which was decrypted (link)

This is probably his newer variant (link)

I do not know for sure, but this is most likely if you look at the detections of the anti-virus engines. This speaks in favor of the fact that they can be deceived if someone wants to do so.

13 hours ago, Amigo-A said:

I do not know for sure, but this is most likely if you look at the detections of the anti-virus engines. This speaks in favor of the fact that they can be deceived if someone wants to do so.

Detection names are mostly meaningless. ;)


Yes. Well, many people, looking at such "names", draw conclusions about the element being analyzed and the impossibility of decryption. There were many cases when, seeing such "names" of samples on the forums, the helpers did not even look further. But the stubborn user-victim went for help elsewhere, and he found real help, the result of which was the decryption of his files.
Today, with the efforts of enthusiasts and independent researchers, files can be decrypted after an attack even by very well-known encryptors.


Thanks gents for casting an eye over this for me. I will keep an eye out for any updates, but I believe, with how BigBobRoss works and the fact that the victim machine had internet access, that the likelihood of decrypting is remote. Would this be fair to say?

On 5/19/2019 at 7:28 PM, Thurmus said:

... I believe, with how BigBobRoss works and the fact that the victim machine had internet access, that the likelihood of decrypting is remote. Would this be fair to say?

Not necessarily. It just depends on what kind of flaws the new variants of the ransomware have. We may find a way to update the decrypter at some point in the future.
