Advice Request !!! YOUR FILES ARE ENCRYPTED !!! - Which ransomware family is this?

Please provide comments and solutions that are helpful to the author of this topic.

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Hello everybody,
My friend is infected with ransomware and this is the message that appeared for him??
Does anyone have an idea about the family of this ransomware ??

1566028676903.png
 
Last edited by a moderator:

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hello @DDE_Server
Did you find any ransom notes and if so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents?
Did you upload samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware?
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
Tell him not to shut down the computer and watch videos can find an effective solution often succeeds in recovering files.




 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
There are some YouTube videos and sites that suggest that you can decrypt this ransomware by using the registry editor, as you may imagine that's not possible.
You will need to wait for a decryption tool from Emsisoft, Bitdefender, Kaspersky or another known company. Changing values in the registry won't help you, and it actually may do more harm than good.
Also, there are some sites which recommend SpyHunter or other anti-malware solutions, and while these may work to remove the infection, they are paid anti-malware programs, so I would recommend that you install Malwarebytes, Emsisoft, or HitmanPro to remove the infection for free (you should back-up the encrypted files first).
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
As Jack said the best thing you can do for now is try yo remove the infection and then wait for a decryption tool to be released for that particular ransomware.

I'd run some on demand scanners and, is possible a boot rescue disk such as Kaspersky or Bitdenders rescue disks. I'd make sure connections to you system are as secure as you can make them first. Silly things like using MVPS Hosts file, changing your DNS provider. Then go to work on removing the actual infection. You could also use something like Bitdefender and enter to recovery console, or install Avast and select boot time scan to run at next boot that's if there's no risk of your MBR getting encrypted. I'd also install a firewall that allows you to block unsafe applications from connecting out such as CF or Windows firewall control. The 10 minutes you'll spend making sure you're hosts file, DNS and Firewall are all keeping your systems connections safe will help a lot when you start using on demand scanners.

I'd run:

Eset online scanner.

Kaspersky virus removal tool.

Malwarebytes.

Hitman pro.

And Norton power eraser.

And yes, I'd run them all because that way you can make sure that anything one product misses another will likely catch.

A rescue disk would be a good move. Either Kaspersky's rescue disk or Bitdefenders rescue disk that's if theres no risk of this encrypting your MBR.

Also run Comodo kill switch and check the VT results, and run auto runs.

The very first thing I'd do in your case is use Bleach bit or CCleaner to remove any and all temporary files and obsolete Reg keys. Then, change your Hosts file, change your DNS provider, make sure you've got a firewall installed that can block unknown and/or Malicious files connecting out. Then start with the on demand scanners. Personally I'd start with Eset online scanner or MBAM.

If this Ransomware doesn't encrypt the MBR start with a rescue disk.

I don't know if this is going to be possible in this case or not, but you could also set up another user account as admin, log into that account and change your normal login account to a standard user. The damage is done now, but you can clean your system, get things running properly again and make sure you system is secure and make sure you're using a firewall that will auto block unknown and malicious files such as CF just until you can get your files encrypted then back them up, then wipe your machine.

All the above along with the advice other people have given should get you to the point where you just need to wait for a dycrption tool for this perticluar ransomware. Just make sure that as soon as youve recovered your files and made sure everything you need to back up is clean to wipe your machine. Person8if it was me and this may be a little paranoid but I'd perform a 0 overwrite then a reformat once you've got your files back.

Are there any other systems on your network that could be at risk?

If I can help in anyway just let me know and I'll be more than happy to help you out even if that means me coming in remotely if that's still possible at this point. If it is just let me know.

Where did this ransomware come from? And what security software did you have installed at the time?

I'm typing on my phone at the moment but I'll be home in 30 minutes so I can jump straight onto my main system and see what the latest developments are in this thread.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
As Jack said the best thing you can do for now is try yo remove the infection and then wait for a decryption tool to be released for that particular ransomware.

I'd run some on demand scanners and, is possible a boot rescue disk such as Kaspersky or Bitdenders rescue disks. I'd make sure connections to you system are as secure as you can make them first. Silly things like using MVPS Hosts file, changing your DNS provider. Then go to work on removing the actual infection. You could also use something like Bitdefender and enter to recovery console, or install Avast and select boot time scan to run at next boot that's if there's no risk of your MBR getting encrypted. I'd also install a firewall that allows you to block unsafe applications from connecting out such as CF or Windows firewall control. The 10 minutes you'll spend making sure you're hosts file, DNS and Firewall are all keeping your systems connections safe will help a lot when you start using on demand scanners.

I'd run:

Eset online scanner.

Kaspersky virus removal tool.

Malwarebytes.

Hitman pro.

And Norton power eraser.

And yes, I'd run them all because that way you can make sure that anything one product misses another will likely catch.

A rescue disk would be a good move. Either Kaspersky's rescue disk or Bitdefenders rescue disk that's if theres no risk of this encrypting your MBR.

Also run Comodo kill switch and check the VT results, and run auto runs.

The very first thing I'd do in your case is use Bleach bit or CCleaner to remove any and all temporary files and obsolete Reg keys. Then, change your Hosts file, change your DNS provider, make sure you've got a firewall installed that can block unknown and/or Malicious files connecting out. Then start with the on demand scanners. Personally I'd start with Eset online scanner or MBAM.

If this Ransomware doesn't encrypt the MBR start with a rescue disk.

I don't know if this is going to be possible in this case or not, but you could also set up another user account as admin, log into that account and change your normal login account to a standard user. The damage is done now, but you can clean your system, get things running properly again and make sure you system is secure and make sure you're using a firewall that will auto block unknown and malicious files such as CF just until you can get your files encrypted then back them up, then wipe your machine.

All the above along with the advice other people have given should get you to the point where you just need to wait for a dycrption tool for this perticluar ransomware. Just make sure that as soon as youve recovered your files and made sure everything you need to back up is clean to wipe your machine. Person8if it was me and this may be a little paranoid but I'd perform a 0 overwrite then a reformat once you've got your files back.

Are there any other systems on your network that could be at risk?

If I can help in anyway just let me know and I'll be more than happy to help you out even if that means me coming in remotely if that's still possible at this point. If it is just let me know.

Where did this ransomware come from? And what security software did you have installed at the time?

I'm typing on my phone at the moment but I'll be home in 30 minutes so I can jump straight onto my main system and see what the latest developments are in this thread.
First of all thanks a lot for your fast response with such detailed procedure
secondly it is not my machine it is my friend and it seems it is non advanced user so making the rules in the firewall and secure boot may not able to perform
for the tools i know most of it so i will tell him
the problem is that the infected machine the interneyt is blocked i donot know hy ??
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Go to control panel and click on internet options, once that opens click the connections tab in the box that pops up, then click LAN settings and then make sure the box 'Use a proxy server' is not checked. The only box that should be checked under that tab is 'Automatically detect settings'
 

cybercrucible

From Cyber Crucible
Verified
Developer
Apr 1, 2020
9
Hello, I'm sorry to hear about the ransomware attack. While our tool works against AES+RSA ransomware variants, we have to be in place before the attack. Any of your experts following or contributing, if you have a hash you wish us to download from virustotal, we can put together a demo video to demonstrate the ransomware running, and also how to decrypt. @DDE_Server - wish we could decrypt AES+RSA after the fact....might be a couple decades for quantum computing to catch up. lol.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top