0XXX (NAS) Ransomware (.0xxx) Support Topic


252 replies to this topic

#1 Paleskiwi

Paleskiwi

  • Members
  • 3 posts

Posted 19 June 2021 - 09:47 AM

Hello, I need help with my WD NAS. I have almost all files encrypted with the extension .0xxx. Could you help me with a solution?

I attach the readme file: !0XXX_DECRYPTION_README.TXT (559 bytes, 42 downloads)


Edited by quietman7, 01 August 2021 - 02:52 PM.



#2 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 62,740 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 19 June 2021 - 06:47 PM

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by file markers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 (Michael Gillespie) to manually inspect the files and check for possible file markers.

Please upload the original ransom note and samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison to the following third-party file hosting service and provide a link or send a PM with a link to Amigo-A (Andrew Ivanov) so he can inspect them and possibly confirm the infection (and/or add to his database).


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#3 Paleskiwi

Paleskiwi
  • Topic Starter

  • Members
  • 3 posts

Posted 20 June 2021 - 08:23 AM

Hello. I have looked at it and have PNG and WEBM Video File (.webm) files that have not been encrypted.

Here I leave the encrypted files and the ransom note: https://dropmefiles.com/r8NoK

This is the ransom email: iosif.lancmann@mail.ru

This is the result of ID Ransomware:


Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: affd3bb9e56c8059e090c4a213fbb5ed294f5638


Edited by Paleskiwi, 20 June 2021 - 10:32 AM.


#4 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 62,740 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 June 2021 - 09:21 AM

Ok. Please be patient until Demonslay335 has a chance to review the case SHA1 / case reference number you provided. He may be able to gather some information by manually inspecting the files. He is inundated with support requests and it may take some time to get a reply. Amigo-A may also ask for sample files, the ransom note or other information.



#5 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Members
  • 3,119 posts
  • Gender: Male
  • Location: Bering Strait

Posted 20 June 2021 - 01:58 PM

This seems like a new ransomware.

Self-name: 0XXX Virus

A new article in my Digest: 0XXX Ransomware

Archived files change the modification date.

Let us know when the encryption happened and what happened before this incident.


Edited by Amigo-A, 20 June 2021 - 02:44 PM.

My site: The Digest "Crypto-Ransomware" (+ Google Translate)


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 4,770 posts
  • Gender: Male
  • Location: USA

Posted 21 June 2021 - 02:03 PM

We'd need the malware to properly analyze it.

 

Can you provide an encrypted file and its original for me to compare?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 62,740 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 21 June 2021 - 05:54 PM

Topic title changed to reflect naming convention and direct other victims to this support topic.




#8 barbatrukko

barbatrukko

  • Members
  • 1 post

Posted 10 July 2021 - 11:59 AM

News about this ransomware?

 
My friend's NAS was scrambled!

Can I do something to help you?

Edited by barbatrukko, 10 July 2021 - 12:05 PM.


#9 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 4,770 posts
  • Gender: Male
  • Location: USA

Posted 10 July 2021 - 12:04 PM

We still need the malware in order to identify / analyze it.




#10 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 62,740 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 10 July 2021 - 04:19 PM

In regards to finding the malicious executable that you suspect was involved in causing the infection, see my comments in here.
 



#11 CKlabs

CKlabs

  • Members
  • 9 posts

Posted 14 July 2021 - 05:26 AM

Same here. I can provide both encrypted and plain files if needed. Thanks; if I can help, let me know.

In my case I run Ubuntu Linux on all my PCs. I just have one iMac, but no Windows device. Probably the attack arrived from outside, since my NAS SMB ports were open to work remotely.


Edited by CKlabs, 14 July 2021 - 05:27 AM.


#12 Paleskiwi

Paleskiwi
  • Topic Starter

  • Members
  • 3 posts

Posted 14 July 2021 - 06:49 AM

Hello, in the end I made the decision to pay the ransom. If you want, I can upload the decryptor and the encrypted and original files. I think that the key they gave me only decrypts my files.



#13 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Members
  • 3,119 posts
  • Gender: Male
  • Location: Bering Strait

Posted 14 July 2021 - 07:04 AM

Anyone can give the decryptor (decoder) to Demonslay335 if they wish.

Just don't tell everyone about it. Extortionists can read this too.




#14 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 62,740 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 14 July 2021 - 08:38 AM

If you have a working decryptor, you can zip and submit it here with a link to this topic along with a few encrypted files, the private key and anything else the malware writers provided or send it in a PM to Demonslay335 (Michael Gillespie).




#15 CKlabs

CKlabs

  • Members
  • 9 posts

Posted 15 July 2021 - 02:50 AM

I would like to help, so if you have the decoder and any other info, please share it with me if possible. The encryption seems to work in blocks of 16 bytes, since the spare last bytes, if fewer than 16, are not encrypted, so AES with a 128-bit key probably.

edit:

Found that on bigger files more than the last 16 bytes are still plain. I do not know if I interrupted the encryption process by putting the NAS offline.


Edited by CKlabs, 15 July 2021 - 07:47 AM.
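The comparison described in the post above can be made systematically. The script below is an added example, not a tool from this thread or from any of the projects mentioned in it: given an original file and its encrypted counterpart it reports where the changed region starts and ends, how many trailing bytes are still plaintext, whether the changed region ends on a 16-byte boundary, and the Shannon entropy of the changed bytes (real ciphertext is close to 8 bits per byte). It also labels the two situations CKlabs observed: fewer than 16 plaintext bytes at the end (a block cipher leaving the final partial block alone) versus more than a block of plaintext (encryption that stopped early, or ransomware that only encrypts the first part of large files). One caveat the check makes explicit: AES uses 16-byte blocks at every key size, so block alignment alone does not reveal the key length. The file contents are constructed in the block, and `fake_encrypt` is a stand-in for ciphertext, not the actual 0XXX routine.

```python
"""Compare an original file with its encrypted counterpart and measure which
byte ranges were changed. Added triage example; sample data is constructed
below, no real victim files are read."""
import math
from dataclasses import dataclass

BLOCK = 16  # AES block size in bytes, the same for 128-, 192- and 256-bit keys


@dataclass
class DiffReport:
    original_len: int
    encrypted_len: int
    first_diff: int           # offset of the first differing byte, -1 if none
    last_diff: int            # offset of the last differing byte, -1 if none
    plain_tail: int           # trailing bytes that still match the original
    tail_block_aligned: bool  # does the changed region end on a 16-byte boundary?
    entropy_changed: float    # Shannon entropy (bits/byte) of the changed region


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, far lower for text or media headers."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compare(original: bytes, encrypted: bytes) -> DiffReport:
    """Locate the changed region over the common length of the two files."""
    n = min(len(original), len(encrypted))
    first = next((i for i in range(n) if original[i] != encrypted[i]), -1)
    last = next((i for i in range(n - 1, -1, -1) if original[i] != encrypted[i]), -1)
    if first == -1:
        changed, plain_tail, aligned = b"", n, False
    else:
        changed = encrypted[first:last + 1]
        plain_tail = n - (last + 1)
        aligned = (last + 1) % BLOCK == 0
    return DiffReport(len(original), len(encrypted), first, last,
                      plain_tail, aligned, shannon_entropy(changed))


def classify(r: DiffReport) -> str:
    """Turn the measurements into the kind of observation made in this thread."""
    if r.first_diff == -1:
        return "identical"
    if not r.tail_block_aligned:
        return "changed region does not end on a 16-byte boundary"
    if r.plain_tail < BLOCK:
        return "block-aligned; only the final partial block is left in plaintext"
    return ("block-aligned; more than one block left in plaintext "
            "(encryption stopped early or was size-limited)")


# --- constructed sample data (hypothetical, not real victim files) -----------
ORIGINAL = (b"The quick brown fox jumps over the lazy dog. " * 30)[:1000]


def fake_encrypt(data: bytes, limit: int) -> bytes:
    """Stand-in for ciphertext: XOR the first `limit` bytes with a never-zero
    keystream so every byte in that range differs from the original."""
    out = bytearray(data)
    for i in range(limit):
        out[i] ^= (i % 255) + 1
    return bytes(out)


ENC_FULL = fake_encrypt(ORIGINAL, len(ORIGINAL) // BLOCK * BLOCK)  # 992 bytes changed
ENC_PARTIAL = fake_encrypt(ORIGINAL, 512)  # stopped after 32 blocks

if __name__ == "__main__":
    for name, enc in (("full", ENC_FULL), ("partial", ENC_PARTIAL)):
        rep = compare(ORIGINAL, enc)
        print(name, rep, classify(rep), sep="\n  ")
```

To use it on a real pair, read both files with `open(path, "rb").read()` and pass them to `compare`; a `plain_tail` of several kilobytes on large files with `tail_block_aligned` still true is the signature of partial-file encryption rather than of an interrupted run, and the entropy figure distinguishes genuinely encrypted bytes from a file that was merely truncated or renamed.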




