Grishka

NEW Ransomware with no ID

I've never seen this one before. The files have a unique ending with my ID (36 characters and numbers). It looks like this, for example: filename.jpgXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. I've checked everywhere but nobody seems to have an encryptor for that. The .txt that comes with it is titled !!! YOUR FILES ARE ENCRYPTED !!!

Please help anyone!

---

Either this identification is incorrect, or there is a relationship between the encoders.

---

BURAN has appeared recently. It is promoted on underground forums. It takes time to explore its work and then try to make a decoder (decrypter).

---

Only extortioners currently have a paid decrypter.

We need samples of the encrypted files and the original ransom note for research and detailed identification.

---

OK. Thanks

This will be sufficient to summarize the available information and compile a description. Later I will add a link to the article.
But to try to decrypt, we need to find and investigate a sample of the malicious file.

Let there be two different places where you placed the information, since not all researchers visit both forums.

---

I don't have the file (it was deleted from Pirate Bay).
All I know is that it was a zip file with setup.exe in it, falsely named "AutoCAD_Architecture_2018.1.1___Keygen_-_[CrackzSoft]". The link to that torrent is gone now, but all I remember is that its size was no more than 24MB.

---
2 hours ago, Grishka said:

I don't have the file (it was deleted from Pirate Bay).
All I know is that it was a zip file with setup.exe in it, falsely named "AutoCAD_Architecture_2018.1.1___Keygen_-_[CrackzSoft]". The link to that torrent is gone now, but all I remember is that its size was no more than 24MB.

Thanks for the info. I may have found the torrent (or at least a lot of similar torrents). I've forwarded the info to our malware analysts, although I've been told they already have this ransomware under analysis and have yet to determine if it uses secure encryption.

---

Grishka

How can you so carelessly visit these sites?
Even just opening a page, the computer suffers JS attacks, fake Flash Player installers and more.

Today, torrent files can certainly be malicious 90% of the time. Ten years ago it was still possible to safely download a torrent file and launch it with the hope that it would download exactly what you wanted. And even then there were already attacks involving the opening and substitution of content.

 

GT500

xxxxs://crackzsoft.com/tag/autodesk-autocad-architecture-full-version-with-crack/

---

@Grishka

Our malware analysts would like some information about the ransomware from you. Would it be possible to do the following?

  1. Hold down the Windows logo key on your keyboard and tap R to open the Run dialog.
  2. Copy and paste the contents of the following box into the Run dialog:
    REG EXPORT HKEY_CURRENT_USER\Software\Vega\Service %UserProfile%\Desktop\Ransomware_Info.txt
  3. Click OK to run the command.
  4. Attach the Ransomware_Info file that is now on your Desktop to a reply for us to review.

---

@Amigo-A

I know, it was a stupid thing to do. I should have known just by how small the file size is. I'm usually very careful with what I download. And now I have some of my important work files encrypted... 😭

 

@GT500

I did this but nothing happened; there is no file on the Desktop.

---

@Grishka they sent me the wrong registry key. Paste the following into the run dialog instead of the above (the rest of the instructions are the same):

REG EXPORT HKEY_CURRENT_USER\Software\Buran\Service %UserProfile%\Desktop\Ransomware_Info.txt

---
Just now, Grishka said:

I did this but nothing happened; there is no file on the Desktop.

I think that's because the registry key was incorrect. Try it again with the new command I just posted, and it should work this time.

---

Well, we could export everything from HKEY_CURRENT_USER/Software, however that will include everything in that registry key. It's generally used by software to store profile-specific settings, however not all software uses it, so it's impossible to say exactly what it will contain. Only staff, forum moderators, and trusted experts will be able to download any attachments in this section of the forums.

I'll leave the decision as to whether or not to do it up to you. If you're OK with it, then here's the command to run:

REG EXPORT HKEY_CURRENT_USER\Software %UserProfile%\Desktop\Ransomware_Info.txt /Y

---
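As an added example (not code from the forum posts, and not the commands GT500 gave), the PowerShell below wraps the REG EXPORT steps from this and the earlier replies: it checks whether each key exists before exporting and prints the outcome, so a missing key is reported instead of the "nothing happened" result described above, where the console window closes before any error can be read. The key names are the ones given in the thread; the function name, the output folder and the fallback switch are assumptions.

```powershell
# Added example, not from the thread. Exports candidate ransomware registry keys
# for analysts, reporting clearly when a key is not present on this machine.
function Export-SuspectKeys {
    param(
        # Keys named in the thread (Buran is the expected one, Vega was the first, incorrect key)
        [string[]]$RelativeKeys = @('Software\Buran\Service', 'Software\Vega\Service'),
        # Output folder is an assumption; the thread used the Desktop
        [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop'),
        # Fallback from the thread: export all of HKCU\Software. This contains
        # settings for every application in the profile, so review before sharing.
        [switch]$ExportAllSoftware
    )

    if ($ExportAllSoftware) { $RelativeKeys = @('Software') }

    foreach ($rel in $RelativeKeys) {
        $psPath  = "HKCU:\$rel"    # provider path for Test-Path
        $regPath = "HKCU\$rel"     # form that reg.exe expects

        # reg.exe exits non-zero and prints nothing useful to a window that closes
        # instantly when the key is missing; test for it first and say so.
        if (-not (Test-Path -LiteralPath $psPath)) {
            Write-Host "Not present: $regPath"
            continue
        }

        $outFile = Join-Path $OutDir (($rel -replace '\\', '_') + '.reg')
        & reg.exe export $regPath $outFile /y | Out-Null

        if ($LASTEXITCODE -eq 0) {
            Write-Host "Exported $regPath -> $outFile"
        } else {
            Write-Warning "reg.exe export of $regPath failed (exit code $LASTEXITCODE)"
        }
    }
}

# Run from an interactive PowerShell window (not the Run dialog) so the output stays visible.
Export-SuspectKeys
```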
1 minute ago, Grishka said:

@GT500

Unfortunately nothing happened, same result. Only the black command prompt screen blinked for a split second. No file on the desktop.

Do you know how to export things in the Windows Registry Editor?

---
7 minutes ago, GT500 said:

REG EXPORT HKEY_CURRENT_USER\Software %UserProfile%\Desktop\Ransomware_Info.txt /Y

My file was created the first time. 😏

---
2 minutes ago, Amigo-A said:

My file was created the first time. 😏

As was mine. Maybe @Grishka just needs to click on their Desktop and press F5 to refresh? Sometimes Windows can be a bit flaky.

---

@GT500

I did everything you mentioned: I press Windows key + R, I get the Run box, I paste the text and press Enter. The black command prompt blinks for a split second and that's it, no file on the desktop.

Is there a manual way to export it?

---
1 minute ago, Grishka said:

Is there a manual way to export it?

Yes, you can manually export registry information using the Windows Registry Editor. Just type regedit into the Run dialog and click OK, and the Registry Editor will open. Here are a few links to articles about the Registry Editor with explanations of how to export registry keys:

https://www.bleepingcomputer.com/tutorials/how-to-export-registry-key-in-windows/
https://www.tenforums.com/tutorials/125696-export-import-registry-keys-windows.html
https://www.thewindowsclub.com/tips-work-windows-registry-bit-easily-safely (ignore the stuff about changing/adding/renaming keys and taking ownership, as you do not want to do that)

---
1 minute ago, Grishka said:

@GT500

Thanks, now I get it. There's a lot of stuff under HKEY_CURRENT_USER/SOFTWARE/. Do you want me to export it all?

If you can't find the ransomware's key, then you may have to. We expect it's probably called Buran, but we can't know for certain without actually being able to check.

---

@GT500

Yes, I was expecting to find it there too but the only time you can see the word Buran is when you drag the encrypted file into notepad.

Anyway, here is the .reg file. 

Edited by GT500
Removed link.

---
2 minutes ago, Grishka said:

Anyway, here is the .reg file. 

Thanks. I've forwarded the link to our malware analysts, and removed it from your post so that no one else downloads it.
