sanchomdv

Basilisque Locker Ransomware


Hello,


A WD my cloud NAS from one of my clients was attacked last month with a ransomware called Basilisque Locker.

The ransomware note is called "HOW_TO_DECRYPT.txt":
https://www.dropbox.com/s/d58mrnql1wgc523/HOW_TO_DECRYPT.txt?dl=0

And the attacked files have had their filenames renamed to an encrypted string with the extension: .basilisque@protonmail_com

A sample encrypted file (174Kb):
https://www.dropbox.com/s/987qw6xpeqzmhvp/bnVldm9zIGNvbG9yZXMgYWR1bHRvcy5wZGY%3D.basilisque%40protonmail_com?dl=0

A pair of encrypted/unencrypted files (edit: they really don't pair 😞 )
https://www.dropbox.com/s/w8bx2o7x9qpqaft/190626-ransomwaregiral.7z?dl=0

In my investigations it seems to be a MegaLocker variant, but I can't decrypt the files with decrypt_MegaLocker.exe by Emsisoft. Retouching the ransomware note (maybe not a good practice) I obtain the message: "Unfortunately, we were unable to find a key to decrypt your files"

Do you know anything about this threat? Any help?

Thanks in advance

Francisco Sancho

From Barcelona (Spain)

Edited by sanchomdv
update of information


Hola @sanchomdv

I looked at it; there are elements that seem familiar to me. Judging by a number of signs, this is either one of their well-known modified ransomware or a new one.
If you could remember the place where it came onto your PC, then we could imitate the situation and accept the attack in order to obtain samples of the malware.


I suspect that it was an external attack against a WD MyCloud connected directly to the internet,

exploiting a default password or a Samba exploit.

The PCs on the local network are clean of any infection.

We will really need the executable or the commands used to encrypt the files in order to analyze it any further.

By the way, the file pair you provided is not the same file before/after the encryption. The encrypted file's filename decodes to "rollup.png". It's just simple base64 encoding of the name.

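As an added example (not code from any participant in this thread), a small Python helper that applies the base64 observation above: it strips the ransom extension quoted in the thread, decodes the remaining name, and matches encrypted files against a clean copy (e.g. a backup) so a genuine before/after pair can be located. The sample names are constructed from the thread's own links; the extension string is an assumption taken from those links.

```python
import base64
import binascii
from pathlib import Path
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

# Extension this sample appends, as seen in the thread's Dropbox link (assumed constant).
RANSOM_EXT = ".basilisque@protonmail_com"


def decode_name(encrypted_name: str) -> Optional[str]:
    """Recover the original file name from an encrypted file's name.

    Observed behaviour: the original name is base64-encoded and the ransom
    extension appended. Names copied from URLs may be percent-encoded
    (%3D for '=', %40 for '@'), so we unquote first. Returns None when the
    name does not fit the pattern.
    """
    name = unquote(encrypted_name)
    if not name.endswith(RANSOM_EXT):
        return None
    stem = name[: -len(RANSOM_EXT)]
    # Tolerate stripped '=' padding: base64 length must be a multiple of 4.
    stem += "=" * (-len(stem) % 4)
    try:
        original = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return original or None


def find_pairs(encrypted_paths: Iterable[str], clean_paths: Iterable[str]) -> Dict[str, str]:
    """Map each encrypted path to the clean original file name it decodes to."""
    clean_names = {Path(p).name for p in clean_paths}
    pairs = {}
    for enc in encrypted_paths:
        original = decode_name(Path(enc).name)
        if original is not None and original in clean_names:
            pairs[enc] = original
    return pairs


if __name__ == "__main__":
    # Constructed sample listing: one encrypted file, the ransom note, and a backup copy.
    encrypted = ["/nas/share/cm9sbHVwLnBuZw==.basilisque@protonmail_com",
                 "/nas/share/HOW_TO_DECRYPT.txt"]
    backup = ["/backup/share/rollup.png", "/backup/share/notes.txt"]
    for enc, orig in find_pairs(encrypted, backup).items():
        print(f"{enc} -> {orig}")
```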

Thanks a lot!!

I don't have access to any executable. I suspect that it was a remote access, and there is no trace of commands in the NAS filesystem or on the attached local network computers 😞

Really, I wasn't certain about the correctness of the file pair I submitted. But your discovery of the base64 encoding of the filenames (really great!!) gives a clue in order to attempt looking for a good file pair. If I obtain a good file pair I will submit it here.

Thanks, you do a great job!!
Francisco Sancho


Hola @sanchomdv

I sent your files for a free test decryption via an available channel. Previously I did not check it myself. Just wondering. I will inform you of the results.

Added later: 

Write the exact name of the NAS model.

Try to collect a 'listing' of the system partition of this disk with the command
# ls -laR / > dwlist.txt

And attach the file to the message.
