none Posted July 9, 2019

So, it seems a new ransomware is hitting. Extension: .ares666. Mail to contact: [email protected]. "HOW TO BACK YOUR FILES.txt" NOTE:

Quote
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1. In the letter include your personal ID! Send me this ID in your first email to me! 2. We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3. After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4. We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: [base64 personal ID omitted]

All files were encrypted; a file .DF7ADA61E0284DDD4F1E was created as well in each directory. I think it's an encrypted executable. NOTE:

Quote
[binary file contents omitted; the readable strings in it are "Ares666" and "HOW TO BACK YOUR FILES.txt"]

Multiple PCs on the same network got hit. I'm not sure how the contamination went; the files began to be modified (encrypted) at night around 2am. I'm checking how the contamination started. Since it was around 2 am, no one could have clicked a file to infect themselves. Files in the Active Directory got encrypted as well, and the owner seems to be Administrator (built-in), the same for all stations on the network. I have yet to find the file which infected everything. Some PCs in the network seem to have the sys version above "6.1.7601.23689", meaning they couldn't be infected via EternalBlue, right?
stapp Posted July 9, 2019

Please give the info shown from here when you upload the asked-for files: https://id-ransomware.malwarehunterteam.com/
none Posted July 9, 2019 (Author)

So after a bit of research, here's my conclusion. Above 4 PCs (the DC server as well) were infected; some of them are Windows 7 and some are Windows 10. The server itself is a Windows Server 2012 R2. All PCs had their sys version above the EternalBlue version, meaning it did not transfer this way. I thought about BlueKeep (since the Windows 7 machines didn't have the patch), however that does not answer why the Win 10s and the server itself got infected. You could say it infected the Active Directory files and someone clicked it, however no one was at work at 02:20 AM to click on a file.

When searching on the infected PCs, I saw the first files that showed up with ares666 were at 02:01 AM (8 Jul 19) (reception PC). On the PC I did the investigation on, the first file showed up at 02:20, BUT right before the first file, aka ".DF7ADA61E0284DDD4F1E", showed up, awhost32 was open. The most important information is that right after this file ".DF7ADA61E0284DDD4F1E" showed up, processhacker.exe was run. Apparently the ransomware downloaded it and ran it, since I don't have it.

Now I've noticed something really interesting: none of the files were encrypted right away. FIRST it went into all directories and began to infect every directory with .DF7ADA61E0284DDD4F1E and the HOW TO text file; after 1 min +- it began to encrypt the files. Now you are asking yourself how? Another process was run named ares666.exe, which my guess is the file that encrypted the files. Note that this .DF7ADA61E0284DDD4F1E is an executable file but encrypted; I can tell that because it runs on startup. My thought was, if it runs on startup and the file is encrypted, then it must have something in the registry, however I could not find anything (perhaps I'm lacking experience), but I did manage to find something interesting when searching for ares666.

In PendingFileRenameOperations (just to mention, it is just an imported hive, "system inf" = system reg file), HKEY_LOCAL_MACHINE\system inf\ControlSet001\Control\Session Manager, this is what was found there: C:\Users\administrator\Downloads\build\PH 2.39\Ares666.exe

That's it about the ares666, but when searching PROCESSHACKER in the registry, you find multiple registry entries: LEGACY_KPROCESSHACKER3, HKEY_LOCAL_MACHINE\system inf\ControlSet001\Enum\Root\LEGACY_KPROCESSHACKER3. Next was HKEY_LOCAL_MACHINE\system inf\ControlSet001\services\KProcessHacker3; in this reg directory, ImagePath C:\Users\administrator\Downloads\build\PH 2.39\x86\kprocesshacker.sys. This was found inside the build folder; those files were not there (unfortunately). I tried to use EaseUS recovery to maybe recover the file but I could not; instead I found out that a file named ids.txt was there. Inside that file, you can find all encrypted files (the path of them) and your "id", probably the pub key. I'd like to mention that the user administrator was not in use by anyone. Inside %appdata% I could find a "Process Hacker 2" folder; funny thing is its files were encrypted as well (extension ares666). Inside %temp% in appdata (of the administrator user), a file named ArmUI.ini was there. It can be found here > https://pastebin.com/6aW64w2v

That's about it, I think. Hope I helped the community with all of this. I gathered some of the files: encrypted ones, the ones that I showed here (register directories and pf files) and the HOW TO (from a different PC). If you'd like the files to investigate or whatever, drop your email here. I have yet to find how it got transferred and infected other PCs on the network, and how it's possible it reached so many PCs on the network, which were pretty updated (against EternalBlue and BlueKeep). If you could help me find how and where to look for that, that would be great. Thanks.
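A small triage script in the spirit of the investigation above, added here as an example and not part of the thread: it walks a file tree and reports ransom notes, the per-directory marker file and .ares666 files, and takes the earliest modification time of an encrypted file as the start of the encryption run (the way the 02:01 start time above was established). The directory tree it scans is constructed inside the script; the timestamps and paths are made up.

```python
import os
import tempfile
from datetime import datetime, timezone

RANSOM_NOTE = "HOW TO BACK YOUR FILES.txt"
MARKER_FILE = ".DF7ADA61E0284DDD4F1E"  # dropped into every directory, per the thread
ENC_EXT = ".ares666"

def triage(root):
    """Walk a tree and summarise the indicators described in the thread."""
    report = {"notes": [], "markers": [], "encrypted": [], "first_encrypted": None}
    first_mtime = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name == MARKER_FILE:
                report["markers"].append(path)
            elif name.endswith(ENC_EXT):
                report["encrypted"].append(path)
                # earliest mtime among encrypted files approximates when the run began
                mtime = os.path.getmtime(path)
                if first_mtime is None or mtime < first_mtime:
                    first_mtime = mtime
    if first_mtime is not None:
        report["first_encrypted"] = datetime.fromtimestamp(first_mtime, timezone.utc).isoformat()
    return report

def build_sample_tree():
    """Constructed sample tree (not real evidence): two hit dirs, one clean dir."""
    root = tempfile.mkdtemp()
    hits = {"reception/Documents": "2019-07-08T02:01:00", "admin/Desktop": "2019-07-08T02:20:00"}
    for sub, when in hits.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for fname in (RANSOM_NOTE, MARKER_FILE, "report.xlsx" + ENC_EXT):
            open(os.path.join(d, fname), "w").close()
        # backdate the encrypted file so the timeline logic has something to find
        ts = datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp()
        os.utime(os.path.join(d, "report.xlsx" + ENC_EXT), (ts, ts))
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    open(os.path.join(clean, "readme.txt"), "w").close()
    return root

if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(len(r["notes"]), "notes,", len(r["markers"]), "markers,",
          len(r["encrypted"]), "encrypted files; first at", r["first_encrypted"])
```

On a real system, point triage() at the drive root (or a mounted image) rather than the sample tree; file modification times can be altered, so confirm the timeline against prefetch and event logs as the post above does.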
none Posted July 9, 2019 (Author)

Funny story: NOD ESET Endpoint was installed, and yeah, it did not catch it.

Virus signature database: 19658 (20190709)
Rapid Response module: 14516 (20190709)
Update module: 1072.1 (20190626)
Antivirus and antispyware scanner module: 1553 (20190617)
Advanced heuristics module: 1193 (20190626)
Archive support module: 1288 (20190606)
Cleaner module: 1195 (20190610)
Anti-Stealth support module: 1151 (20190326)
ESET SysInspector module: 1275 (20181220)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1014 (20160223)
Translation support module: 1746 (20190530)
HIPS support module: 1362.3 (20190628)
Internet protection module: 1355.1 (20181204)
Database module: 1107 (20190613)
Rootkit detection and cleaning module: 1019 (20170825)
Cryptographic protocol support module: 1028.1 (20190327)
David B. Posted July 9, 2019

Please follow Stapp's request to upload a ransom note and an encrypted file to ID Ransomware, and show us the web address of the results. Otherwise, let's wait for one of our ransomware experts to weigh in, but I think this is probably Maoloa. Does the machine you were analyzing have PC Anywhere installed? That's what awhost32.exe could be from. I also see TeamViewer and PC Hunter etc. loaded at around the same time. Which, if any, of those programs are intentionally on the computer, and especially, configured to load on startup or user login? Process Hacker is a handy and optionally portable task manager replacement. Had you or any other users of the system used Process Hacker in the past? If you happen to still have ares666.exe, please keep it handy, but don't upload it unless requested by an Emsisoft employee or forum moderator.
Amigo-A Posted July 9, 2019

This is Maoloa Ransomware, or in the narrower description, a little family: Alco Ransomware. They imitate the notes of GlobeImposter Ransomware and encrypt files. A similar case was analyzed yesterday on the BleepingComputer forum. Or is it the same case, which has already been added to IDR under Maoloa Ransomware... 😊
none Posted July 9, 2019 (Author)

1 hour ago, David Biggar said: Please follow Stapp's request to upload a ransom note and an encrypted file to ID Ransomware, and show us the web address of the results. Otherwise, let's wait for one of our ransomware experts to weigh in, but I think this is probably Maoloa. Does the machine you were analyzing have PC Anywhere installed? That's what awhost32.exe could be from. I also see TeamViewer and PC Hunter etc. loaded at around the same time. Which, if any, of those programs are intentionally on the computer, and especially, configured to load on startup or user login? Process Hacker is a handy and optionally portable task manager replacement. Had you or any other users of the system used Process Hacker in the past? If you happen to still have ares666.exe, please keep it handy, but don't upload it unless requested by an Emsisoft employee or forum moderator.

I did upload a file or two, however no link was given. There is AnyDesk; not sure if it runs the same thing. I don't remember having installed PC Anywhere. Process Hacker was never installed by me; it was purely the ransomware. Unfortunately I don't have ares666.exe, I just have the pf file.

1 hour ago, Amigo-A said: This is Maoloa Ransomware, or in the narrower description, a little family: Alco Ransomware. They imitate the notes of GlobeImposter Ransomware and encrypt files. A similar case was analyzed yesterday on the BleepingComputer forum. Or is it the same case, which has already been added to IDR under Maoloa Ransomware... 😊

No, that wasn't me.
David B. Posted July 9, 2019

The link isn't given. What we mean is the website address after you upload the files, and the site shows you what the ransomware appears to be. For instance: https://id-ransomware.malwarehunterteam.com/identify.php?case=0efc985e110efcb8d22bc0d8fbaf066cfd968ede

That's what I get when I recreate the ransom note from your post and upload it. You may get something different, but I suspect that Maoloa is correct, and I see Amigo-A agrees.
none Posted July 9, 2019 (Author)

1 hour ago, David Biggar said: The link isn't given. What we mean is the website address after you upload the files, and the site shows you what the ransomware appears to be. For instance: https://id-ransomware.malwarehunterteam.com/identify.php?case=0efc985e110efcb8d22bc0d8fbaf066cfd968ede That's what I get when I recreate the ransom note from your post and upload it. You may get something different, but I suspect that Maoloa is correct, and I see Amigo-A agrees.

Gotcha, here it is: https://id-ransomware.malwarehunterteam.com/identify.php?case=903544e15a3e26b6351e6b62bde07e2a3098f386
David B. Posted July 10, 2019

Thanks for confirming. If there's anything more our ransomware experts can provide or need in your situation, they'll post here. Good luck!
Amigo-A Posted July 10, 2019

Maoloa Ransomware is the main identification for this family (the Alco subgroup is included in it, also as Maoloa). Only recently, Michael found differences. Until now, all antivirus engines recognize Maoloa as GlobeImposter. We are making an effort, sending new samples so that the detection changes. So far, only in ESET and Ikarus have detections changed to the name Maoloa. Examples: https://www.virustotal.com/gui/file/d11567b0e2fd350e14259cb662486a0f4bf6af2a006180285f2ad889d0c3bf65/community https://www.virustotal.com/gui/file/6157d40a5c31ecb72b0a65fe2326ed404e1b269382257ee1fb33f07786a9f272/detection
Amigo-A Posted July 10, 2019

Interestingly, the .DF7ADA61E0284DDD4F1E file is found on the computers of different affected users.
none Posted July 11, 2019 (Author)

19 hours ago, Amigo-A said: Interestingly, the .DF7ADA61E0284DDD4F1E file is found on the computers of different affected users.

Each folder has it. Also it runs on startup; as mentioned above it's an encrypted file, I guess it will execute on boot from the registry. If you want it, just ask.
andry79fi Posted July 18, 2019

Hello, I've got the .EXE. Do you need it for analysis?
Amigo-A Posted July 18, 2019

Hello @andry79fi, you can upload a file to the services: https://www.virustotal.com/ https://www.hybrid-analysis.com/ and give us a link to the results.
andry79fi Posted July 22, 2019

https://www.virustotal.com/gui/file/4b007073586ededba08b535b724703e0ac59806fae66bbfdb5a098e4d8cc5d29/detection https://www.hybrid-analysis.com/sample/4b007073586ededba08b535b724703e0ac59806fae66bbfdb5a098e4d8cc5d29