A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13853  by thisisu
 Sun Jun 10, 2012 6:57 am
Just FYI, you can run FRST through OTLPE, but it is not needed, as you have the information required from the OTL log to boot successfully. You can also see some of the encrypted files here. Good luck.
 #13870  by Quads
 Sun Jun 10, 2012 11:24 pm
Does neither of these 2 tools work??

2 tools available. You have to make sure you have broken and deleted the actual ransomware files first before running the decrypt tools for your personal files.

matsnu1decrypt.exe

When you run it, it asks for an unencrypted file and the corresponding encrypted version. All you need is one unencrypted copy and its corresponding encrypted version, whether you get the unencrypted version from another PC or from a backup set. Point it to the relevant files via the usual file selection; once it works out the encryption used for your copy of the wider Fake Police ransom family, it will scan the rest of the hard drive(s) for the rest of the encrypted files and decrypt all of those, whether just one more file or over 1,000 files.

But make sure you have enough hard drive space available, otherwise the output files will be 0 KB in size.

Looks like it uses the same random-ish encryption key for all the files that it affects on a particular machine, hence by providing just one original and its corresponding encrypted version the tool is able to decrypt all files on that system.

After you make sure you have all the files back (and YAY!!!!!!!!), you have to delete the encrypted versions yourself.


Tool number 2 is http://support.kaspersky.com/faq/?qid=208286527
Instructions on that page, for this wider family.

Quads
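Why one clean file plus its encrypted twin is enough, as an added illustration (not code from the post or from matsnu1decrypt.exe): it assumes the simplest case of the behaviour Quads describes, a per-machine keystream reused unchanged for every file, so the known pair gives back the keystream prefix and any other file can be recovered up to that length. The seed, file contents and the XOR "cipher" are constructed for the example.

```python
import hashlib

def machine_keystream(seed: bytes, length: int) -> bytes:
    """Stand-in (constructed) for the per-machine key the post describes:
    one seed expanded into a keystream that is reused for every file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])

def toy_encrypt(data: bytes, keystream: bytes) -> bytes:
    """XOR with the reused keystream; the reuse is the weakness shown here."""
    return bytes(d ^ k for d, k in zip(data, keystream))

def recover_keystream(plain: bytes, enc: bytes) -> bytes:
    """A clean copy (backup, other PC) and its encrypted twin give the keystream prefix."""
    if len(plain) != len(enc):
        raise ValueError("clean and encrypted copies must be the same length")
    return bytes(p ^ c for p, c in zip(plain, enc))

def decrypt_other_file(enc: bytes, keystream: bytes) -> tuple[bytes, bool]:
    """Decrypt another file with the recovered keystream.
    Returns (recovered bytes, complete): a file longer than the known pair is
    only recovered up to the keystream length, so the caller must check the flag."""
    n = min(len(enc), len(keystream))
    return bytes(c ^ k for c, k in zip(enc[:n], keystream)), n == len(enc)

# Constructed victim: one machine key, several files.
KS = machine_keystream(b"constructed-machine-seed", 4096)
BACKUP_COPY = b"Quarterly report, draft 3. Totals attached.\n"   # clean copy from backup
ENCRYPTED_COPY = toy_encrypt(BACKUP_COPY, KS)                     # encrypted twin on disk
OTHER_FILE = b"Dear customer, your invoice is attached..."       # no clean copy exists

def demo() -> tuple[bytes, bool]:
    """Recover OTHER_FILE using only the BACKUP_COPY / ENCRYPTED_COPY pair."""
    ks = recover_keystream(BACKUP_COPY, ENCRYPTED_COPY)
    return decrypt_other_file(toy_encrypt(OTHER_FILE, KS), ks)
```

A known pair shorter than the file you want back only yields a partial file, which is why the tool wants a reasonably large original.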
 #13913  by Crush
 Mon Jun 11, 2012 11:32 pm
Quads wrote: Does neither of these 2 tools work??

2 tools available. You have to make sure you have broken and deleted the actual ransomware files first before running the decrypt tools for your personal files.

matsnu1decrypt.exe

When you run it, it asks for an unencrypted file and the corresponding encrypted version. All you need is one unencrypted copy and its corresponding encrypted version, whether you get the unencrypted version from another PC or from a backup set. Point it to the relevant files via the usual file selection; once it works out the encryption used for your copy of the wider Fake Police ransom family, it will scan the rest of the hard drive(s) for the rest of the encrypted files and decrypt all of those, whether just one more file or over 1,000 files.

But make sure you have enough hard drive space available, otherwise the output files will be 0 KB in size.

Looks like it uses the same random-ish encryption key for all the files that it affects on a particular machine, hence by providing just one original and its corresponding encrypted version the tool is able to decrypt all files on that system.

After you make sure you have all the files back (and YAY!!!!!!!!), you have to delete the encrypted versions yourself.


Tool number 2 is http://support.kaspersky.com/faq/?qid=208286527
Instructions on that page, for this wider family.

Quads
Thanks Quads. I've tried the Kaspersky tool.
 #14774  by DWS94
 Fri Jul 20, 2012 1:02 pm
police virus
National Police
Illegal Activity Detected!
Your operating system is blocked for violation of the laws of the Kingdom of the Netherlands!
Your IP address is: [XXXXXX]. IP address is detected and registered in the National Police of the Kingdom of the Netherlands. The user of this IP address......

Ransom virus: Korps Landelijke Politiediensten ransomware
After infection you will lose control of the system. A window appears requiring you to pay the ransom money...

https://www.virustotal.com/file/b323846 ... 342786676/
http://blog.teesupport.com/how-to-remov ... val-guide/

MD5: C27BA649EFFC31E73D15D1474EBB7960
 #14786  by Cody Johnston
 Sat Jul 21, 2012 4:57 am
This one is new to me. It looks kinda like Reveton but does not load the same way. No webcam module on this one either. Only MoneyPak accepted as payment. These are in the U.S.


Creates 2 exe files:
%appdata%\<Random.exe>
%userprofile%\<Random.exe>
Loads up via the registry instead of the ctfmon shortcut:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Update Server = %userprofile%\<Random.exe>

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = %appdata%\<Random.exe>
SHA256: cacdbffd53c111737c6fe8d10bbe5973ab1c0bf5379748156684d3f0a1c251c1
VT: 24/42
https://www.virustotal.com/file/cacdbff ... 342842317/

EDIT: Updated image link
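A check for the persistence pattern Cody lists, as an added example (not from the post or from any tool): it walks registry values exported as (key, value name, data) tuples and flags Run entries that launch an .exe dropped directly in %appdata% or %userprofile%, plus a Winlogon Shell that is no longer explorer.exe. The sample export and the random names are constructed; on a live system you would feed it the real Run and Winlogon values.

```python
import re

RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# An .exe sitting directly in the profile root (not in a vendor subfolder),
# matching the two drop locations in the post. Matches the unexpanded
# %appdata% / %userprofile% form the Run values use.
_PROFILE_ROOT_EXE = re.compile(r'^"?%(appdata|userprofile)%\\[^\\"]+\.exe"?$',
                               re.IGNORECASE)

def check_autoruns(entries):
    """entries: iterable of (key, value_name, data) from a registry export.
    Returns [(key, value_name, reason), ...] for values matching the pattern."""
    findings = []
    for key, name, data in entries:
        if key in RUN_KEYS and _PROFILE_ROOT_EXE.match(data.strip()):
            findings.append((key, name, "Run value launches an .exe dropped in the profile root"))
        elif (key == WINLOGON and name.lower() == "shell"
              and data.strip().lower() != "explorer.exe"):
            findings.append((key, name, "Winlogon Shell replaced; desktop will not load"))
    return findings

# Constructed sample export: two benign values plus the four from the post,
# with <Random> replaced by made-up names.
SAMPLE_EXPORT = [
    (RUN_KEYS[0], "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "xkq7sd", r"%appdata%\xkq7sd.exe"),
    (RUN_KEYS[0], "Windows Update Server", r"%userprofile%\wmq2jd.exe"),
    (RUN_KEYS[1], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[1], "xkq7sd", r"%appdata%\xkq7sd.exe"),
    (WINLOGON, "Shell", r"%appdata%\xkq7sd.exe"),
]

if __name__ == "__main__":
    for key, name, reason in check_autoruns(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {reason}")
```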