Jared
Forum Admin
Posts: 3492
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI

Need Help Identifying Ransomware!!! URGENTLY!

Tue Jun 07, 2016 11:48 am

I have a client hit with a ransomware virus that encrypted all his data and converted it all to the following format:

(filename)[email protected]

I know this is a Russian virus, and I know that the BAA14811 part is the unique infection ID. However, I've been unable to find the HTML files it generates upon completion. Perhaps the virus never completed its work. Anyway, the client's entire law firm is stored on this drive, all backups failed, so they are willing to pay.

Anyone know where the website to pay this ransom is? Or have a sample HTML file from one like this?

Many thanks!

jol
Data Recovery Pro
Posts: 641
Joined: Thu Jan 29, 2015 11:31 pm

Tue Jun 07, 2016 12:25 pm

Jared wrote:Perhaps the virus never completed its work

Make a clone of the drive or save what's left to save, and let it complete

Jared
Forum Admin

Tue Jun 07, 2016 12:28 pm

OK, looks like you have to actually email these guys. That explains why I can't find any reference to a website.

Jared
Forum Admin

Tue Jun 07, 2016 12:30 pm

jol wrote:
Jared wrote:Perhaps the virus never completed its work

Make a clone of the drive or save what's left to save, and let it complete


Unfortunately this was a VM, and a foolish tech accidentally cloned some data the wrong way, wiping out the VMFS file table and the beginning of the VMDK file. Only by analyzing the NTFS was I able to build a partial file/folder structure. Besides, the drive I have wasn't even the infected machine, just all the network shares that it took out.

pclab
Forum Moderator
Posts: 1588
Joined: Tue Jan 13, 2015 4:55 pm

Tue Jun 07, 2016 12:39 pm

www.pclab.com.pt
facebook.com/PCLAB.Assistencia.Tecnica

Jared
Forum Admin

Tue Jun 07, 2016 1:45 pm

I tried that and it can't help with encryption. However, it does ID it as Troldesh. Oddly, it took a few files before it recognized which one it was.
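Two things the thread keeps circling back to are "which files actually got encrypted" and "did the infection finish on this share". The following is an added example, not code posted by anyone in this thread: it walks a recovered share, pulls the infection ID out of any filename that matches the ransom-style rename, and checks the file head's byte entropy so that a renamed file whose contents are not ciphertext (e.g. zeros left behind by the botched clone) is reported as damaged rather than encrypted. The rename layout `<original>.id-<ID>.enc` and the `.enc` extension are assumptions for illustration, since the real format is obfuscated on the page; the sample share is constructed in a temp directory and reuses the ID BAA14811 from the first post.

```python
import math
import os
import re
import tempfile
from collections import Counter

# ASSUMED renaming layout "<original>.id-<ID>.<ext>". The real file format in
# the thread is obfuscated on the page, so this pattern and the ".enc"
# extension are stand-ins, not the family's actual naming scheme.
RENAMED = re.compile(r"^(?P<orig>.+)\.id-(?P<iid>[0-9A-F]{8})\.(?P<ext>[a-z]+)$")

SAMPLE_BYTES = 64 * 1024      # only the head of each file is read
ENTROPY_THRESHOLD = 7.5       # bits/byte; real ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Combine the filename check with a content check on the file head."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    m = RENAMED.match(os.path.basename(path))
    ent = shannon_entropy(head)
    return {
        "renamed": m is not None,
        "infection_id": m.group("iid") if m else None,
        "entropy": round(ent, 3),
        # Ransom-style name plus high entropy: encrypted, as the name claims.
        # Ransom-style name but low entropy: the content is NOT ciphertext, so
        # the file was more likely wiped/zero-filled by the failed recovery
        # than encrypted; paying would not bring it back.
        "likely_encrypted": m is not None and ent >= ENTROPY_THRESHOLD,
        "suspect_damaged": m is not None and ent < ENTROPY_THRESHOLD,
    }


def triage(root: str):
    """Walk `root`; return {relative path: verdict} and a Counter of infection IDs seen."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify_file(full)
    ids = Counter(v["infection_id"] for v in verdicts.values() if v["infection_id"])
    return verdicts, ids


def build_sample_share() -> str:
    """Constructed sample share (not real client data) in a temp directory."""
    root = tempfile.mkdtemp(prefix="share-")
    # stand-in for ciphertext: every byte value equally often -> exactly 8.0 bits/byte
    ciphertext = bytes(range(256)) * (SAMPLE_BYTES // 256)
    files = {
        "contracts/retainer.docx": b"Retainer agreement, client and counsel, fees and scope. " * 200,
        "contracts/brief.pdf.id-BAA14811.enc": ciphertext,
        "notes/notes.txt.id-BAA14811.enc": ciphertext,
        # renamed, but the recovered bytes are zeros: wiped, not encrypted
        "notes/ledger.xlsx.id-BAA14811.enc": b"\x00" * 4096,
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    verdicts, ids = triage(build_sample_share())
    for rel, v in sorted(verdicts.items()):
        print(f"{rel:45} {v}")
    print("infection IDs seen:", dict(ids))
```

Run it against the recovered share root instead of the sample tree to get a per-file list; more than one infection ID in the Counter means more than one infected host wrote to the share, and a large "suspect_damaged" set is the signal that the image, not the malware, is the problem for those files.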

jol
Data Recovery Pro

Tue Jun 07, 2016 3:32 pm

Jared wrote:and a foolish tech accidentally cloned some data the wrong way wiping out the VMFS file table and beginning of the VMDK file.

:( every mistake that could be made was made?! Very unfortunate
