Posted 26 July 2021 - 05:40 PM
Posted 26 July 2021 - 08:00 PM
Are there any obvious file extensions appended to your encrypted data files? If so, what is the extension? Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension?
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 27 July 2021 - 04:49 AM
Thanks for your reply,
Yes, I have the extension .0xxx on each encrypted file, but without any email or ID number. Example: filename.pdf.0xxx or filename.psd.0xxx. The strange thing is that all my files with pdf, psd, ai, txt etc. have been encrypted, but none of my .png images (and I'm really happy about it).
In each folder I have a ransom note named "!0XXX_DECRYPTION_README.txt"
Here is its content:
"All your files have been encrypted with 0XXX Virus.
Posted 27 July 2021 - 07:46 AM
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 27 July 2021 - 07:59 AM
Hello.
Posted 27 July 2021 - 08:22 AM
Posted 27 July 2021 - 03:34 PM
Hi, I've been hit by this running Ubuntu. I suspect they got in through Samba (there was an error message) and have encrypted my home media server. All of which is backed up, so I can scrub the drives and copy everything over. However, that doesn't necessarily kill the virus, so if there's a way to do that and rebuild my encrypted files, that would be great.
The decryption ransom text document is as follows:
All your files have been encrypted with 0XXX Virus.
Your unique id: 0857FC6EC3AD45D1B8EF407748C07BF8
You can buy decryption for 300$USD in Bitcoins.
To do this:
1) Send your unique id 0857FC6EC3AD45D1B8EF407748C07BF8 and max 3 files for test decryption to iosif.lancmann@mail.ru
2) After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
3) After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.
I'm not certain what file in linux would be doing the encrypting. Any thoughts on how to hunt down the file type would be helpful, and I'll go on a hunt now myself.
Edit: I'm uploading a ransom note and file for you to look at once that's gone up. I've looked through the logs on Linux and it seems that they either edited the logs on the way out, or didn't actually execute anything within Linux. They seem to have logged on through an IP address using the fact I left Samba open to anyone, did something pretty quick to the files given it's a few terabytes on a not-too-fast computer, and then ended the connection. If you want to look at these logs, I can send you copies from around the time this was happening.
Thanks.
Edited by fluffypeach, 27 July 2021 - 04:10 PM.
Posted 29 July 2021 - 05:23 PM
Hello,
another victim here. UK-based. It's my WD NAS drive that's infected. All my movies (mp4s etc), music (mp3s) and photos (jpegs) have all been appended with the suffix .0xxx. I had port forwarding set up for remote access and also SMB1.
I have the same ransom text document as the others (except for a different ID).
There's a 16KB file in my Public directory which I don't recognise called '2igdNvmy.so'. Opening it in text edit (I'm a Mac user) reveals gibberish except for an ASCII graphic saying 'YOU ARE HACKED'.
I've had a poke around in the Terminal and I can't find any processes running that jump out to me or exes (however I'm way out of my depth).
What are my options? Do I need to pay up? I have no back ups... I know :-(
Many thanks
J.
Edited by Sitting_Duck, 29 July 2021 - 05:42 PM.
Posted 29 July 2021 - 05:53 PM
@Sitting_Duck
Can you upload that "2igdNvmy.so" file to VirusTotal and provide the link? A .so file is basically Linux's version of a DLL, so it contains compiled code that could hopefully be related to the malware.
Edited by Demonslay335, 29 July 2021 - 05:53 PM.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
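A small triage script, added by the editor and not posted by anyone in this thread, for the two questions raised above: fluffypeach's "how do I hunt down what was hit" and Demonslay335's point that the unrecognised .so file is compiled code worth hashing and submitting. It inventories files carrying the ".0xxx" suffix and the "!0XXX_DECRYPTION_README.txt" notes (both names taken from the posts), lists which original extensions were encrypted (the thread notes .png files were skipped), and checks whether a file begins with the ELF magic before it is sent off for analysis. The directory tree it scans is constructed inline; the file named 2igdNvmy.so in it is a four-byte placeholder, not the real sample.

```shell
#!/bin/sh
# Editor-added triage helpers for a Linux/NAS share hit by the ".0xxx" ransomware
# described in this thread. The names ".0xxx" and "!0XXX_DECRYPTION_README.txt"
# come from the posts above; everything under make_sample_tree is constructed.

# Number of files carrying the appended ".0xxx" suffix under a directory.
count_encrypted() {
    find "$1" -type f -name '*.0xxx' | wc -l | tr -d ' '
}

# Number of ransom notes dropped under a directory (one per folder in the reports).
count_notes() {
    find "$1" -type f -name '!0XXX_DECRYPTION_README.txt' | wc -l | tr -d ' '
}

# Original extensions that were encrypted, lower-cased, one per line, sorted and
# unique: strip the ".0xxx" suffix, drop the directory part, keep the last ".ext".
affected_extensions() {
    find "$1" -type f -name '*.0xxx' \
        | sed 's/\.0xxx$//; s#.*/##' \
        | awk -F. 'NF > 1 { print tolower($NF) }' \
        | sort -u
}

# Exit 0 when the file starts with the ELF magic 7f 45 4c 46, i.e. it is a
# compiled Linux binary/shared object rather than a text note.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Build a throwaway directory tree that mimics the reports in the thread.
# Prints the root path so the caller can inspect and then remove it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/docs" "$d/photos" "$d/Public"
    printf 'encrypted' > "$d/docs/report.pdf.0xxx"
    printf 'encrypted' > "$d/docs/design.PSD.0xxx"
    printf 'encrypted' > "$d/photos/holiday.jpg.0xxx"
    printf 'png' > "$d/photos/logo.png"     # untouched, as with the .png files reported above
    printf 'note' > "$d/docs/!0XXX_DECRYPTION_README.txt"
    printf 'note' > "$d/photos/!0XXX_DECRYPTION_README.txt"
    # Placeholder stand-in for the unrecognised .so file: just the ELF magic plus
    # a few header bytes, no real code.
    printf '\177ELF\001\001\001' > "$d/Public/2igdNvmy.so"
    printf '%s' "$d"
}

# Stand-alone run: summarise the constructed tree, then clean it up.
root=$(make_sample_tree)
echo "encrypted files: $(count_encrypted "$root")"
echo "ransom notes:    $(count_notes "$root")"
echo "extensions hit:  $(affected_extensions "$root" | tr '\n' ' ')"
if is_elf "$root/Public/2igdNvmy.so"; then
    echo "2igdNvmy.so: ELF binary, record its hash and submit it for analysis"
fi
rm -rf "$root"
```

Point the functions at the real share root (for example the NAS mount) instead of the constructed tree; the extension list is a quick way to see which file types the encryptor targeted, and the ELF check separates a dropped binary from the text notes before anything is uploaded.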
Posted 30 July 2021 - 03:46 AM
Thanks for the reply @Demonslay335
Here is the link
Posted 30 July 2021 - 08:25 AM
Good afternoon,
I have been attacked by the same Ransomware on my Buffalo Linkstation NAS. Most of my files have been appended with the 0XXX extension. Below is a link containing the Ransom Note and some of the files that have been encrypted as well as a copy of one file that I had emailed before it got encrypted.
SHA1: f2f668c9f4d06e9155ac69110c00f81899dd084d
Please could you assist and let me know if you need anything else?
Many thanks.
Posted 30 July 2021 - 02:10 PM
A question to fellow attackees - were you all using Samba? I've rebuilt my system from scratch and I suspect my settings on Samba were the door into my server so I'm avoiding using that. Failing that, are you all plexers? My affected machine was running Ubuntu 20.04.2, Samba and Plex and not much else as it's all that machine is for. Thanks for any feedback.
Posted 31 July 2021 - 08:30 AM
Hello
Case SHA1: d5c66941c00ac29bca37b24afa99afe0ea1fd018.
Added Ransom note and ransom address is iosif.lancmann@mail.ru. Thread is not permitting me to upload a sample of encrypted file.
On next link, you will find ransom letter, one example of encrypted file and the original copy of file (no encrypted)
https://1drv.ms/u/s!Arglk24q-lmogeE8H_C_eXE_G5p2GA?e=1zZbTr
Encryption happened on 26/07/2021 around 08:00 am CMT
Thanks in advance for your assistance and support
Edited by rdelval, 31 July 2021 - 10:06 AM.
Posted 31 July 2021 - 12:43 PM
Hi all,
I've not been on my PC in weeks and upon turning it on today, I see one of my NAS drives (an external WD drive, plugged via USB into a ZyXel NAS) has been infected by this ransomware. I have no idea how; the only thing different I did in the past month was try to enable access to it outside of my network to view photos and things while at work. I've disabled that functionality now, but I have so many files I really don't want to lose.
All my files are encrypted, and each folder has the .txt file everyone is mentioning telling me to pay for decryption. Can you guys please advise what I should do? I see Demonslay335 is posting advice but I'm a bit of a novice so would appreciate some direction as to what to do.
Many thanks all,
Posted 31 July 2021 - 01:22 PM