Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 11:48 am
by Jared
I have a client hit with a ransomware virus that encrypted all his data and converted it all to the following format:

(filename)[email protected]

I know this is a Russian virus, and I know that the BAA14811 part is the unique infection ID. However I've been unable to find the HTML files it generates upon completion. Perhaps the virus never completed its work. Anyway, the client's entire law firm is stored on this drive, all backups failed, so they are willing to pay.

Anyone know where the website to pay this ransom is? Or have a sample HTML file from one like this?

Many thanks!
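As a starting point for scoping an infection like the one described above, here is an added triage script (example code, not from any of the posts). It assumes the renamed files follow the layout <original name>.id-<8 hex characters>.<contact e-mail>.<extension>, which the post confirms only partially ("(filename)", an ID such as BAA14811, and an embedded e-mail address); adjust RENAME_RE if the recovered names differ. It counts renamed versus untouched files per top-level folder, which shows where the run stopped if the ransomware never finished, and collects the distinct infection IDs and contact addresses so the case can be matched against identification services.

```python
"""Triage a recovered share for ransomware-renamed files.

Added example for the thread above, not code from the original posts.
The filename layout is an assumption:
    <original>.id-<8 hex chars>.<email>.<ext>
"""
import os
import re
from collections import Counter

# Assumed layout; the post confirms only "(filename)", an ID like BAA14811
# and an embedded e-mail address. The trailing extension is treated as opaque.
RENAME_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<infection_id>[0-9A-Fa-f]{8})\."
    r"(?P<email>[^\s@/\\]+@[^\s@/\\]+)\.(?P<ext>[^.]+)$"
)


def parse_renamed(name):
    """Return (original_name, infection_id, email, ext) for a renamed file,
    or None if the basename does not follow the assumed layout."""
    m = RENAME_RE.match(name)
    if not m:
        return None
    return (m.group("orig"), m.group("infection_id"),
            m.group("email").lower(), m.group("ext").lower())


def triage(relative_paths):
    """Summarise an iterable of paths relative to the share root.

    Returns counts of renamed (encrypted) vs. untouched files, a Counter of
    infection IDs and of contact addresses, and per-top-level-folder counts.
    """
    summary = {
        "encrypted": 0,
        "untouched": 0,
        "ids": Counter(),
        "emails": Counter(),
        "by_folder": {},
    }
    for rel in relative_paths:
        rel = rel.replace("\\", "/")
        top = rel.split("/", 1)[0] if "/" in rel else "."
        folder = summary["by_folder"].setdefault(
            top, {"encrypted": 0, "untouched": 0})
        parsed = parse_renamed(os.path.basename(rel))
        if parsed:
            _, infection_id, email, _ = parsed
            summary["encrypted"] += 1
            folder["encrypted"] += 1
            summary["ids"][infection_id] += 1
            summary["emails"][email] += 1
        else:
            summary["untouched"] += 1
            folder["untouched"] += 1
    return summary


def walk_share(root):
    """Yield paths relative to root for every regular file under it."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.relpath(os.path.join(dirpath, f), root)


# Constructed sample listing, standing in for the recovered share.
SAMPLE_LISTING = [
    "Clients/Smith/retainer.docx.id-BAA14811.contact@example.com.xtbl",
    "Clients/Smith/notes.txt.id-BAA14811.contact@example.com.xtbl",
    "Clients/Jones/brief.pdf.id-BAA14811.contact@example.com.xtbl",
    "Clients/Jones/brief.pdf",   # a file the run did not reach
    "Billing/2016-05.xlsx",
    "Billing/2016-04.xlsx",
]

if __name__ == "__main__":
    s = triage(SAMPLE_LISTING)
    print(f"encrypted={s['encrypted']} untouched={s['untouched']}")
    print("infection IDs:", dict(s["ids"]))
    print("contact addresses:", dict(s["emails"]))
    for folder, counts in sorted(s["by_folder"].items()):
        print(f"  {folder}: {counts}")
    # For a real share: triage(walk_share(r"D:\recovered")), run against a
    # read-only copy, never against the original evidence.
```

Run it against a read-only copy of the recovered share, not the original; a folder with both renamed and untouched files marks where the encryption run stopped, and more than one infection ID or contact address means more than one run or family touched the data.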

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 12:25 pm
by jol
Jared wrote:Perhaps the virus never completed its work

Make a clone of the drive or save what's left to save, and let it complete

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 12:28 pm
by Jared
OK, looks like you have to actually email these guys. That explains why I can't find any reference to a website.

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 12:30 pm
by Jared
jol wrote:
Jared wrote:Perhaps the virus never completed its work

Make a clone of the drive or save what's left to save, and let it complete


Unfortunately this was a VM, and a foolish tech accidentally cloned some data the wrong way, wiping out the VMFS file table and the beginning of the VMDK file. Only by analyzing the NTFS was I able to build a partial file/folder structure. Besides, the drive I have wasn't even the infected machine, just all the network shares that it took out.

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 12:39 pm
by pclab

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 1:45 pm
by Jared
I tried that and it can't help with encryption. However it does ID it as Troldesh. Oddly it took a few files before it recognized which one it was.

Need Help Identifying Ransomware!!! URGENTLY!

Posted: Tue Jun 07, 2016 3:32 pm
by jol
Jared wrote:and a foolish tech accidentally cloned some data the wrong way wiping out the VMFS file table and beginning of the VMDK file.

:( Every mistake that could be made was made?! Very unfortunate.