
Hello, my mother's computer was infected with .vir ransomware.
Looks like it uses AES-256 encoding.
The text message name is "READ_TO_DECRYPT.html".
I looked through all the available databases, but it looks new (though the READ_TO_DECRYPT message was used on a few occasions).
Sadly, right now I cannot provide file examples (only a few screenshots), but I will do so tomorrow if needed.
I hope you can help.


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

11 hours ago, pteradon said:

Sadly, right now i cannot provide file examples (only a few screenshots), but will do tomorrow if it is needed.

Yes. This can help. Give us a screenshot of the encrypted files in their folders and a screenshot of the ransom note.

We know only CryptGh0st Ransomware with the same note name, READ_TO_DECRYPT.html.

To be more specific: after encryption, did the files get the extension .vir?

11 hours ago, pteradon said:

Text message name is "READ_TO_DECRYPT.html"

Place this file in an archive and attach it to your message. This is necessary; otherwise the file will be automatically changed and become useless.

Encrypted files can be attached in any way.


Much of what we see here points to CryptGh0st Ransomware, but for almost a year we have not seen its intermediate variants.
I had too little information to compare in detail. We need a sample of the malicious file so that something more precise can be said.

Download the Emsisoft Emergency Kit and check the system for malicious files. Perhaps the encrypter will be among them.

Just do not delete the files from Quarantine until our specialists have had a look at them.

You can take a screenshot of the maximized window or save a report to a text file from the Quarantine window.

Used EMK and checked the system.
It found a Baidu installer, 2 trojan toolbars, and some CrossRider adware, but nothing that looks like an encryptor.
I will try to see whether this thing has left any traces in Autorun, but I doubt I'll find anything.


Let's try getting a log from FRST, and see if it shows any signs of the ransomware. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.


Here are the FRST result files.
Another interesting thing about this ransomware is that it apparently cannot encrypt non-Unicode-named files.
We had some files named in both Latvian and Russian, and none of them were encrypted.

Addition.txt FRST.txt
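Two of the poster's observations lend themselves to a quick local check before samples are uploaded: that the .vir files really are encrypted (the first post's AES-256 guess) and that files with non-Latin names were skipped. The script below is an added example, not code from the poster or from Emsisoft staff, and it assumes the .vir extension is appended to the original file name; the entropy threshold and the minimum size are heuristics chosen here, not properties of any identified ransomware. It reads the head of every file under a directory, labels each one, and lists encrypted/original pairs, which are the most useful thing to hand to ID Ransomware or to whoever writes a decrypter.

```python
import math
import os
from collections import Counter

# Assumptions (not from the thread): encrypted files end in ".vir" as the
# poster reports, with the extension appended to the original name, and a
# file "looks encrypted" when its byte entropy is close to the 8 bits/byte
# that AES ciphertext produces. Threshold and minimum size are heuristics
# chosen for this example.
ENCRYPTED_EXT = ".vir"
HIGH_ENTROPY = 7.9      # bits per byte
MIN_SIZE = 4096         # below this, even random data falls short of 8 bits
HEAD_BYTES = 65536      # only the start of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_ascii_name(name: str) -> bool:
    """True when the file's own name (not its directory) is pure ASCII."""
    return all(ord(ch) < 128 for ch in os.path.basename(name))


def classify(name: str, data: bytes) -> str:
    """Label one file for the triage report."""
    if name.lower().endswith(ENCRYPTED_EXT):
        if len(data) < MIN_SIZE:
            return "too-small"          # entropy cannot be judged reliably
        if shannon_entropy(data) >= HIGH_ENTROPY:
            return "ciphertext-like"    # consistent with encryption (or compression)
        return "plaintext-like"         # renamed, but the content is still readable
    if not is_ascii_name(name):
        return "non-ascii-untouched"    # the poster's Latvian/Russian names
    return "untouched"


def triage(entries):
    """entries: iterable of (relative path, leading bytes).
    Returns (label counts, list of (encrypted, original) pairs where the
    unencrypted original still sits beside its .vir copy)."""
    labels = {name: classify(name, data) for name, data in entries}
    counts = Counter(labels.values())
    pairs = []
    for name, label in labels.items():
        if label != "ciphertext-like":
            continue
        original = name[: -len(ENCRYPTED_EXT)]
        if original in labels and labels[original] != "ciphertext-like":
            pairs.append((name, original))
    return dict(counts), pairs


def scan_directory(root, head=HEAD_BYTES):
    """Yield (path relative to root, first `head` bytes) for each file."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as f:
                    yield os.path.relpath(full, root), f.read(head)
            except OSError:
                continue    # locked or unreadable file; skip it


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    counts, pairs = triage(scan_directory(root))
    for label, n in sorted(counts.items()):
        print(f"{label:22} {n}")
    for enc, orig in pairs[:10]:
        print(f"sample pair: {enc}  <->  {orig}")
```

One caveat when reading the report: already-compressed formats (JPEG, ZIP, modern Office documents) have high entropy on their own, so "ciphertext-like" only means the content is not obviously readable. The interesting result is "plaintext-like" on a .vir file, because that file may be intact behind the rename and should not be deleted.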


I highly recommend that you review all extensions/add-ons installed for Internet Explorer, Firefox, and Google Chrome. Remove anything that isn't absolutely necessary.

I didn't see much in the logs that was bad, but I did see some Scheduled Tasks and such to run adware that I think had already been removed. Those Scheduled Tasks can be removed, along with any other associated entries, by using FRST. Please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-07July-25/pteradon/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
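The leftover Scheduled Tasks mentioned above (tasks whose adware target has already been removed) are the kind of thing that is easy to check for oneself after the FRST fix. The script below is an added example, not code from Emsisoft staff and not FRST's own logic: it assumes the CSV that `schtasks /query /fo csv /v` prints on the affected machine, and it flags a task when its target program no longer exists or lives in a user-writable folder such as AppData or Temp. The column names are the ones schtasks emits; the rule set and the sample export are constructed for this example.

```python
import csv
import io
import os
import re

# Assumptions (not from the thread): input is the output of
#   schtasks /query /fo csv /v
# and a task deserves a second look when its target executable is missing
# (typical leftover of removed adware) or runs from a user-writable folder.
# Column names are schtasks' own; the rule set is a heuristic chosen here.
EXE_EXTS = (".exe", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr", ".dll", ".msi")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def target_executable(task_to_run: str) -> str:
    """Pull the program path out of a 'Task To Run' value.
    Handles quoted paths with arguments and unquoted paths containing spaces."""
    s = task_to_run.strip()
    if not s:
        return ""
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    tokens = s.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate
    return tokens[0]


def triage_tasks(csv_text: str, path_exists=os.path.exists):
    """Return [(task name, executable, reason)] for tasks worth reviewing.
    `path_exists` is injectable so the logic can be exercised off the box."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":
            continue    # schtasks repeats the header row per task folder
        exe = os.path.expandvars(target_executable(row.get("Task To Run", "")))
        if not exe or "\\" not in exe:
            continue    # empty, "COM handler" or a bare name found via PATH: review by hand
        if not path_exists(exe):
            findings.append((name, exe, "target missing"))
        elif USER_WRITABLE.search(exe):
            findings.append((name, exe, "runs from user-writable folder"))
    return findings


# Constructed sample export (not real data from the poster's machine).
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","C:\Windows\system32\defrag.exe -c -h -o -$","SYSTEM"
"PC","\CrossriderUpdate","Ready","PC\mom","""C:\Users\mom\AppData\Local\Crossrider\updater.exe"" /silent","PC\mom"
"PC","\BaiduStart","Ready","PC\mom","C:\Program Files (x86)\Baidu\start.exe","PC\mom"
"PC","\Microsoft\Windows\Shell\CreateObjectTask","Ready","Microsoft Corporation","COM handler","INTERACTIVE"
'''
# Which sample paths "exist" when demo() runs, so its output is the same on any machine.
SAMPLE_EXISTING = {
    r"C:\Windows\system32\defrag.exe",
    r"C:\Users\mom\AppData\Local\Crossrider\updater.exe",
}


def demo():
    """Run the triage on the constructed sample with a stub existence check."""
    return triage_tasks(SAMPLE_CSV, path_exists=lambda p: p in SAMPLE_EXISTING)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # python tasks_triage.py tasks.csv
        with open(sys.argv[1], errors="replace") as f:
            findings = triage_tasks(f.read())
    else:
        findings = demo()
    for name, exe, reason in findings:
        print(f"{reason:32} {name} -> {exe}")
```

On the affected machine, export with `schtasks /query /fo csv /v > tasks.csv` and run the script against that file. Anything it lists should be cross-checked against the Scheduled Tasks section of the FRST log rather than deleted on sight; a missing target is a strong hint of adware residue, while "runs from user-writable folder" also catches legitimate per-user updaters.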


@pteradon

You have many files in the "Downloads" folder. I think you can just delete all of them without trying to restore anything.

I see that you know Russian, so if you need my help with security settings and anti-virus protection, you can contact me personally, in Russian.

