Chris70

Unidentified ransomware of the Sodinokibi type


Hello. On 22 June I was attacked by ransomware. It encrypted all the files on all my partitions/disks (except Windows and programs).
I think it got in through the Windows 10 "Remote Desktop access", which was open on my PC.

Here is some information
--------------------------------------
Extension added and encryption:

(file_name.extension).r8b756g899

All files, on all disks/partitions: images, videos, txt, log, mp3, etc.

A file r8b756g899-readme.txt was added to every folder

Files detected by Kaspersky Rescue Tool 18:

%Users%/Documents/ST/x64/mimikatz.gen : HEUR:Trojan-PSW.win64.Mimikatz.gen

%Users%/Documents/ST/svhost.exe              : HEUR:Trojan.Win32.Generic

%Users%/Documents/ST/sNS.exe                   : not-a-virus:NetTool.win32.Scan.qj

Windows 10 wallpaper changed.

File r8b756g899-readme.txt:

---=== Welcome. Again. ===---

 

[+] Whats Happen? [+]

 

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion r8b756g899.

By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

 

[+] What guarantees? [+]

 

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.

To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.

If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

 

[+] How to get access on website? [+]

 

You have two ways:

 

1) [Recommended] Using a TOR browser!

  a) Download and install TOR browser from this site: https://torproject.org/

  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/096928D49A205BB0

 

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:

  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)

  b) Open our secondary website: http://decryptor.top/096928D49A205BB0

 

Warning: secondary website can be blocked, thats why first variant much better and more available.

 

When you open our website, put the following data in the input form:

Key:

 


 

 

 

Extension name:

 

r8b756g899

 

-----------------------------------------------------------------------------------------

 

!!! DANGER !!!

DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.

!!! !!! !!!

ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.

!!! !!! !!!

End of file r8b756g899-readme.txt

Do you have a decryption solution?

To help you fight these attacks, I am at your disposal if you need files, screenshots or other information.

Thanks
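A small triage script, added here as an example (it is not from this thread, from Kaspersky, or from ID Ransomware), that applies the two signs Chris70 reports: a `<token>-readme.txt` note in each folder, and that same token appended to every encrypted file. It learns the token from the notes rather than hard-coding it, so it works for other Sodinokibi victims whose token differs; the directory tree it builds is constructed to mirror this thread.

```python
import os
import re
import tempfile
from collections import Counter

# Note name "<token>-readme.txt"; <token> is the extension appended to every
# encrypted file (r8b756g899 in this thread). Constructed pattern, not a vendor IoC.
NOTE_RE = re.compile(r"^([0-9a-z]{5,10})-readme\.txt$", re.IGNORECASE)

def triage_tree(root):
    """Returns (tokens, counts by original extension, encrypted paths, note dirs)."""
    tokens, note_dirs, candidates = set(), [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            m = NOTE_RE.match(name)
            if m:                       # learn the token from the note itself
                tokens.add(m.group(1).lower())
                note_dirs.append(dirpath)
            else:
                candidates.append((dirpath, name))
    counts, encrypted = Counter(), []
    for dirpath, name in candidates:
        stem, dot, tail = name.rpartition(".")
        if dot and tail.lower() in tokens:   # e.g. holiday.jpg.r8b756g899
            encrypted.append(os.path.join(dirpath, name))
            counts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return tokens, counts, sorted(encrypted), sorted(set(note_dirs))

def build_sample_tree(root):
    """Constructed sample mirroring the thread: note per folder, encrypted files, one untouched."""
    sample = {
        "r8b756g899-readme.txt": "---=== Welcome. Again. ===---",
        "Images/r8b756g899-readme.txt": "note",
        "Images/holiday.jpg.r8b756g899": "ciphertext",
        "Documents/ST/X64/r8b756g899-readme.txt": "note",
        "Documents/ST/X64/Config.txt.r8b756g899": "ciphertext",
        "Documents/ST/X64/mimikatz.exe": "untouched attacker-dropped tool",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        tokens, counts, encrypted, note_dirs = triage_tree(root)
        return tokens, dict(counts), len(encrypted), len(note_dirs)
```

Run `triage_tree()` against a mounted copy of the affected volume to get the token, the count of encrypted files per original type, and every folder that received a note; the note and one encrypted file are exactly what the identification services asked for below.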


Hello @Chris

The Sodinokibi Ransomware is still under research and not a single file decryption tool has been released. 

For proper identification, you need to upload a note and one encrypted file. Sodinokibi is identified by a number of known signs. 

1 hour ago, Chris70 said:

How can I tell which ransomware it is?

For proper identification, you need to upload a note r8b756g899-readme.txt and one encrypted file. Sodinokibi is identified by a number of known signs. 

Attach files here or upload to service ID Ransomware.


I confirm. It is indeed Sodinokibi!
But a variant: I do not have a Sodinokibi.exe file.
Here is what I found, a folder was created: \Utilisateurs\Chris\Documents\ST\
Contents:

\ST\X64\6b9e05c6.lock
\ST\X64\Advanced_port_scanner_2.5.3680.exe
\ST\X64\Config.txt.r8b756g899
\ST\X64\mimidrv.sys.r8b756g899
\ST\X64\mimikatz.exe
\ST\X64\mimilib.dll.r8b756g899
\ST\X64\Pass.bat.r8b756g899
\ST\X64\pass.txt.r8b756g899
\ST\X64\r8b756g899-readme.txt
\ST\6b9e05c6.lock
\ST\LogDelete.bat.r8b756g899
\ST\r8b756g899-readme.txt
\ST\Shadow.bat.r8b756g899
\ST\sNS.exe
\ST\svhost.exe

If it can help you, I still have all the files; I appended a ".VIRUS" extension to all the folders and files.
I can send you an archive containing the ST folder. Do you want it?


DONE, RESULT:

1 result

Sodinokibi

This ransomware is still under analysis.

For more information, please refer to the appropriate guide. Samples of encrypted files or malicious files are needed to continue the identification.

config.txt.r8b756g899 r8b756g899-readme.txt


Yes, now you can see that your files are encrypted with Sodinokibi Ransomware. My identification is verified. 
