Ransomware attack

I'm not sure if this is the best place to start, but I'm new here--so please be kind....

Several of our computers were attacked last week--Monday night/Tuesday morning.  A lot of data was encrypted by (if you can believe the ransom note) "«Nemesis decryptor»".  After noticing the first encrypted files, I ran MB3.  While running MB3, it reported that it had blocked an RDP access.  Since I'm the only one who generally uses that service when I'm away, I realized that it had been compromised, so I started shutting down RDP.  Based on update-times of some of the encrypted files, I believe the hackers were still working when I shut down RDP.

I ran MB3 on another affected computer, and it detected the "Ransom.Cerber" program, along with its registry entry.  They're currently quarantined.  When I looked in the directory containing the program (which was hidden among a dozen or so new user profiles that the hackers had created), I also found an unencrypted file with a name that looks strangely like a possible key sequence--it's a string of 17 random capital letters.  The file contains only the text of the ransom note.

So we have the encrypting program here, along with what might be the key used to encrypt. How do we go about finding someone who can help us try to decrypt our affected files?


Sorry for the delay; I was expecting an e-mail that a reply had posted to this thread.  I didn't realize that I had to set the e-mail-me option after each of my own replies.

I uploaded the requested files to ID-Ransomware.  The response I got was:

=============================================================================

1 Result

Cry36

This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: ### DECRYPT MY FILES ###.txt
  • sample_extension: .id-<id>_[<email>].<random5>
  • sample_bytes: [0x4796E - 0x47991] 0x000000000000000000000000000000000000000000000000000000000000002C713499

Not enough information is public about Cry36. Please check back later.

=============================================================================

Should I upload the encryption program to anywhere?

-Joe G.
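Added example, not part of the thread or of ID-Ransomware: a small Python triage script that applies the indicators quoted above to a file listing, grouping encrypted files by the id and contact e-mail embedded in the `.id-<id>_[<email>].<random5>` extension and flagging ransom notes (including a copy under a 17-capital-letter name, as the original poster described). The character classes for `<id>` and `<random5>` and the sample paths are assumptions, since the report does not define them.

```python
import re
from collections import Counter

# Cry36 extension pattern as reported by ID-Ransomware in the post above:
#   .id-<id>_[<email>].<random5>
# The page does not state the alphabet of <id> or <random5>; the classes
# below are assumptions, kept permissive on purpose.
CRY36_EXT = re.compile(
    r"\.id-(?P<id>[A-Za-z0-9-]+)_\[(?P<email>[^\]\\/]+)\]\.(?P<suffix>[A-Za-z0-9]{5})$"
)
RANSOM_NOTE = "### DECRYPT MY FILES ###.txt"
# The original poster also found the note saved under a 17-capital-letter name.
ODD_NOTE_NAME = re.compile(r"^[A-Z]{17}$")


def classify_paths(paths):
    """Split a listing into encrypted files (counted per victim id and
    contact e-mail taken from the extension), ransom notes, and the rest."""
    encrypted = Counter()
    notes, other = [], []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        m = CRY36_EXT.search(name)
        if m:
            encrypted[(m["id"], m["email"])] += 1
        elif name == RANSOM_NOTE or ODD_NOTE_NAME.match(name):
            notes.append(p)
        else:
            other.append(p)
    return {"encrypted": encrypted, "notes": notes, "other": other}


# Constructed sample listing; these are not paths from the affected machines.
SAMPLE = [
    r"D:\shares\finance\q2.xlsx.id-A1B2C3D4_[restore@example.invalid].x9q3z",
    r"D:\shares\finance\budget.docx.id-A1B2C3D4_[restore@example.invalid].k2m7p",
    r"D:\shares\finance\### DECRYPT MY FILES ###.txt",
    r"C:\Users\temp01\QWERTYUIOPASDFGHJ",
    r"D:\shares\finance\notes.txt",
]

if __name__ == "__main__":
    result = classify_paths(SAMPLE)
    for (vid, mail), n in result["encrypted"].items():
        print(f"id={vid} email={mail}: {n} encrypted file(s)")
    print("ransom notes:", result["notes"])
    print("unmatched:", result["other"])
```

Point it at a real listing (for example the output of a recursive directory walk) to get a per-victim-id count, which is the information the Cry36 note itself asks the victim to quote when contacting the attacker's e-mail address.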

Quote

Sorry for the delay; I was expecting an e-mail that a reply had posted to this thread.  I didn't realize that I had to set the e-mail-me option after each of my own replies.

I think that by default, you automatically follow every thread you create or post in. If not, enable the "Automatically follow content" option in the Notification Settings page.

https://forums.malwarebytes.com/notifications/options/

Yes, upload that program to the link below so I can check it out and pass it around to my colleagues who specialize in Ransomware.

http://www.bleepingcomputer.com/submit-malware.php?channel=194


Looks like the lock.exe was the payload. Sadly since you are infected with Cry36, there's no way to decrypt your files for free for now. The best thing you can do is back them up somewhere safe, and hope that a free decryption solution will be released in the future.

Apparently, Kaspersky got their hands on some keys used by Cry36, so you could contact them and see if by any chance they have yours.

https://support.emsisoft.com/topic/27569-help-my-pc-is-infected/?do=findComment&comment=172316

Though this was posted on June 14th, and I guess you got infected around the 20th, so the chances are slim.


No problem Joe, you're welcome :)

Also, BleepingComputer and Emsisoft Forums are two good forums to monitor for any kind of news regarding Ransomware: new strains, decryption keys being released, decrypters being released, etc. if that helps.

https://support.emsisoft.com/forum/83-ransomware-first-aid/
https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/


Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.