AbleTech

New variant of ransomware


Hello, I work for an MSP and several of our clients have been struck by ransomware, and it appears to be a new variant that uses .encryptedS and .encryptedL for file extensions, and the ransomware writer (or hacker) is using AllZData.cockli as his contact address; has anyone seen this variant yet, and also does anyone know of a decryptor? It seems to be of the Dharma ilk if that is helpful, and thank you! We really could use some help out here today, we operate a lot of non-profits and this is a hard day for them. Thank you all!!


Hello @AbleTech,

Welcome to the Emsisoft Support Forums.

If it is Dharma, then decryption is not possible.

Let's make sure of what we're dealing with.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:

https://www.emsisoft.com/ransomware-decryption-tools/

Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

If the identification process shows ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


Thank you very much for the quick response; I uploaded the files, but it was unable to determine the type of ransomware, unfortunately. I was hopeful that it was perhaps a close variant of other recent ransomware infections that originated from that domain (cock.li), but that was hopeful more than technically sound on my part. I did also check nomoreransoms.com but don't see a possible decryptor, and this is so recently released I am not sure if one has yet been written...

Thank you!!

Chris


It may be something new, I've not seen a ransom note use that type of victim ID pattern before. We would need the malware executable in order to analyze any further.

11 hours ago, AbleTech said:

.encryptedS and .encryptedL

I have already seen such extensions, but this ransomware variant has not been described in my digest in a separate article.
And it will not be described until I receive a ransom note and the executable file or its equivalent.

The first step is to attach a note or any other evidence of penetration with the demands of the extortionists. Without this, there is no extortion in essence.


@AbleTech

No need to run around to dubious sites looking for something that does not help you. You are just wasting time. Answer in this thread.
Indicate the exact date of penetration, and attach encrypted files of different formats and a ransom note.

11 hours ago, AbleTech said:

Thank you very much for the quick response; I uploaded the files, but it was unable to determine the type of ransomware, unfortunately. I was hopeful that it was perhaps a close variant of other recent ransomware infections that originated from that domain (cock.li), but that was hopeful more than technically sound on my part. I did also check nomoreransoms.com but don't see a possible decryptor, and this is so recently released I am not sure if one has yet been written...

Do you know the source of the malicious file that encrypted data? If we can get a copy of it, then our malware analysts can take a look and see what kind of encryption it uses.


Thank you all very much for the response; I uploaded the ransom note and encrypted file, as well as the contact email for the bad actor, to https://www.emsisoft.com/ransomware-decryption-tools/. I can also try and get a copy of the executable file (it was named ssvchost.exe if that is helpful) and send it to you if that would help. Thanks again!


Perfect. Confirmed that is the ransomware. Good news is we should be able to break it. :) It may take awhile though.

Can you provide me with an encrypted file and its original? Specifically an ".encryptedS" file, please.

Also, fun fact: the ransomware uses extension ".encryptedL" for files larger than 50,000,000 bytes, and extension ".encryptedS" for files smaller. Must stand for "Large" and "Small" respectively.


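The two facts in the reply above (the 50,000,000-byte size rule behind the ".encryptedL"/".encryptedS" extensions, and the earlier guidance that a sample between 256KB and 2MB is best for the identification service) are enough to write a small triage script for the affected servers. The script below is an added example, not code from this thread, from Emsisoft or from AbleTech: it walks a directory tree, flags every file carrying one of the two extensions, checks whether each one's size agrees with the rule (a cheap consistency check that supports or undermines the identification), and lists the consistent files sized for upload. The directory layout and file sizes in build_demo_tree() are constructed for the demo, and treating a file of exactly 50,000,000 bytes as "small" is an assumption, since the reply only says "larger than".

```python
"""Triage helper for the ".encryptedS" / ".encryptedL" ransomware variant.

Added example, not code from the thread or from Emsisoft. It relies on two
facts stated in the thread: the variant appends ".encryptedL" to files larger
than 50,000,000 bytes and ".encryptedS" to smaller ones, and the ID service
works best with a sample between 256 KB and 2 MB. The directory layout and
file sizes in build_demo_tree() are constructed for the demo.
"""
import os
import tempfile

LARGE_THRESHOLD = 50_000_000          # bytes; stated in the thread
EXTENSIONS = (".encryptedS", ".encryptedL")
SAMPLE_MIN = 256 * 1024               # upload guidance from the thread
SAMPLE_MAX = 2 * 1024 * 1024


def expected_extension(size):
    """Extension the variant should have used for a file of this size.
    Assumption: exactly 50,000,000 bytes counts as 'small'; the thread only
    says 'larger than'."""
    return ".encryptedL" if size > LARGE_THRESHOLD else ".encryptedS"


def triage(root):
    """Walk root and classify every file carrying one of the two extensions.

    Returns a dict of sorted file names:
      consistent   - extension matches the size rule (supports the ID)
      inconsistent - extension contradicts the rule (worth a second look:
                     a different variant, or a file changed after encryption)
      candidates   - consistent files sized for upload to the ID service
    """
    out = {"consistent": [], "inconsistent": [], "candidates": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = next((e for e in EXTENSIONS if name.endswith(e)), None)
            if ext is None:
                continue                      # untouched file, ignore it
            size = os.path.getsize(os.path.join(dirpath, name))
            if ext != expected_extension(size):
                out["inconsistent"].append(name)
                continue
            out["consistent"].append(name)
            if SAMPLE_MIN <= size <= SAMPLE_MAX:
                out["candidates"].append(name)
    for key in out:
        out[key].sort()
    return out


def build_demo_tree():
    """Create a constructed directory tree of sparse placeholder files
    (truncate only sets the logical size, so no 60 MB is actually written)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    layout = {
        "docs/report.docx.encryptedS": 300_000,       # small, in upload range
        "backup/archive.zip.encryptedL": 60_000_000,  # large, rule holds
        "misc/notes.txt.encryptedL": 1_000,           # contradicts the rule
        "misc/readme.txt": 500,                       # untouched, ignored
    }
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, names in triage(demo_root).items():
        print(f"{key:12s} {names}")
```

Run it against a share or a mounted volume image instead of the demo tree to get the upload candidates in one pass; an "inconsistent" file is the one to look at first, because it means either the size rule is wrong for this build or something other than this variant touched the file.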

Thanks so much! I am though having a hard time uploading the files here, is there a better place for me to upload the encrypted and non encrypted file? We appreciate your efforts more than you could know today.


You can zip the files together and use any third-party sharing site such as WeTransfer, SendSpace, Dropbox, Google Drive, etc. Just paste the link here.


Thank you again, to all of you, for the help you have provided so far; I will endeavor also to help fight this everywhere I see it, and I can be considered a resource to you if there is anything that I can do in my normal day to provide information about the threats I see out here. I have used Emsisoft, and in particular the EEK, for years, and I am as impressed with the people who are involved with Emsisoft as I am with the product line. A very sincere thanks, win, lose or draw.


Hello and thanks again for the help with the decryption of the server last night; it went well and we are extremely grateful for the hard work; we were able to restore all but two additional servers and I am hoping you don't mind helping with those as well  if you are inclined; this came from the same executable as earlier (ssvchost.exe), and here is a link to the encrypted and non encrypted file pair as well as the ransom note if you don't mind helping us further, and all of our thanks here for certain!

https://drive.google.com/file/d/1W9KbbwoNqE9gPcvUeMBNKsh_53vNY06r/view?usp=sharing


@AbleTech

Now you need to protect the server and computers; otherwise you risk an attack by other malware that will not allow you to recover your files.


Thanks Amigo-A, we are doing everything we can to lock down our servers and tighten up our security, and we do have more files to submit, but we are making good progress and are as grateful as could be to you and the team you work with, and will adhere to the best practices possible moving forward, that's for sure! Thanks again!!
