Proxima/BlackShadow Ransomware (.proxima, .BlackShadow, .X) Support Topic


38 replies to this topic

#16 nichbeau (Members, 4 posts)

Posted 22 October 2023 - 01:16 AM

Just adding some more files, as I managed to find a PDF example and some JS examples.
Thank you...

 

 

Attached Files





#17 rivitna (Security Colleague, 411 posts)

Posted 22 October 2023 - 01:58 AM

It's Proxima / BlackShadow ransomware

https://github.com/rivitna/Malware/blob/main/Proxima/Proxima.png



#18 nichbeau (Members, 4 posts)

Posted 22 October 2023 - 02:40 AM

Thank you. Any suggestions?



#19 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 22 October 2023 - 03:23 AM

@nichbeau
I have merged your topic into the primary support topic for victims of this ransomware.
 
Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Proxima Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption. 

If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time. 
 
 

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click [donation link]


#20 Amigo-A, Security specialist and Ransomware expert (Members, 3,119 posts, Bering Strait)

Posted 22 October 2023 - 06:02 AM

It's Proxima / BlackShadow ransomware

@quietman7

Proxima is no longer the closest, but rather distant...
If we set aside the sub-code fragments and look at other elements... The variant with the Off-extension is rather closer to "Black Shadow", with scattered variants spreading since the second half of summer.

I'm talking about the name in the topic title.

Edited by Amigo-A, 22 October 2023 - 06:21 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#21 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 22 October 2023 - 06:24 AM

Ok. Topic title updated accordingly.




#22 Amigo-A, Security specialist and Ransomware expert (Members, 3,119 posts, Bering Strait)

Posted 22 October 2023 - 06:50 AM

OK. Thank you! 



 


#23 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 30 December 2023 - 08:26 AM

.Tisak, Tisak_Help.txt...possible new variant of Proxima/BlackShadow




#24 rivitna (Security Colleague, 411 posts)

Posted 30 December 2023 - 08:27 AM

https://github.com/rivitna/Malware/blob/main/Proxima/Proxima.png



#25 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 30 December 2023 - 08:39 AM

Thanks. Looks like a couple more new ones since last I checked.




#26 Micrid (Members, 1 post)

Posted 10 January 2024 - 02:46 PM

Hello everybody. My mom got a ransomware virus on her PC. Can you help me?

SHA1: cf6eaa5b026eaf4f0e02d3b00b0ecc1ce2b51348
I have an encrypted and an original file.
This virus creates Jack_Help.txt files with the text:
YOU SEE THIS PAGE, IT MEANS THAT YOUR SERVER AND COMPUTERS ARE ENCRYPTED.

# In subject line please write your personal ID
05100E08CBCF15F2

# What is the guarantee that we will not cheat you?
Send us a small encrypted file to the listed emails.
(The files must be in a common format, such as: doc-excel-pdf-jpg)
We will decrypt these files and send them back to you as evidence.

Contact us:
Email 1 : Jack2009@skiff.com
Email 2 : Jack2009@onionmail.org

Attached Files



#27 rivitna (Security Colleague, 411 posts)

Posted 10 January 2024 - 02:56 PM

This is Proxima / BlackShadow Ransomware.

Unfortunately, no solution yet



#28 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 10 January 2024 - 03:16 PM

@Micrid

I have merged your topic into the primary support topic for victims of this ransomware.
 




#29 optarion (Members, 4 posts)

Posted 23 October 2024 - 06:16 AM

Good afternoon. We are from an association of people with autism, and yesterday afternoon one of the servers where we have the accounting program was encrypted; all the files now have a ".arthur" extension. We ask for help in case someone can give us a solution.

I have uploaded the ransom note and a file to ID Ransomware, and it tells me that it could not be identified. It gave me SHA1:
44da18985c9507e99d1c92d4fffae818cb3c402c


#30 quietman7, Bleepin' Gumshoe (Global Moderator, 62,740 posts, Virginia, USA)

Posted 23 October 2024 - 06:33 AM

Is .arthur the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8wLv8GMph) preceding the extension?
 
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?


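The two triage questions raised in this thread (what personal ID and contact addresses a ransom note carries, as in the Jack_Help.txt note posted in #26, and how the appended extension of an encrypted filename is structured, as quietman7 asks in #30) can be answered mechanically before a sample is uploaded anywhere. The Python below is an added example, not code from BleepingComputer or from any poster. The note text is the one posted in #26; the filenames are constructed after the patterns quietman7 lists and are not real samples; the set of "known" document extensions and the rule for recognising a random token (mixed case plus a digit, 6 to 16 characters) are assumptions of this example.

```python
"""Triage helpers for a ransomware support thread: pull the victim ID and
contact e-mails out of a ransom note, and split an encrypted filename into
original name, victim ID, e-mail, random token and appended extension.
Added example; note text is from post #26, filenames are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, List

# Ransom note as posted in the thread (Jack_Help.txt).
SAMPLE_NOTE = """YOU SEE THIS PAGE, IT MEANS THAT YOUR SERVER AND COMPUTERS ARE ENCRYPTED.

# In subject line please write your personal ID
05100E08CBCF15F2

# What is the guarantee that we will not cheat you?
Send us a small encrypted file to the listed emails.
(The files must be in a common format, such as: doc-excel-pdf-jpg)
We will decrypt these files and send them back to you as evidence.

Contact us:
Email 1 : Jack2009@skiff.com
Email 2 : Jack2009@onionmail.org
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A bare hex token on the line directly after a line that mentions "ID".
ID_LINE_RE = re.compile(r"(?im)^.*\bID\b.*\n\s*([0-9A-F]{8,32})\s*$")

# Extension-structure markers named in post #30.
ID_DASH_RE = re.compile(r"\.id-([0-9A-Fa-f]{6,})")
ID_BRACKET_RE = re.compile(r"\.id\[([0-9A-Fa-f]{6,}(?:-[0-9A-Fa-f]{2,})?)\]")
EMAIL_BRACKET_RE = re.compile(r"\.\[(" + EMAIL_RE.pattern + r")\]")
# Assumption: a random token has mixed case and at least one digit.
RANDOM_TOKEN_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,16}$")
# Assumption: a small list of ordinary document extensions, so "report.xlsx"
# is not mistaken for "<name>.<random token>".
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "jpeg", "png",
              "txt", "zip", "sql", "bak", "mdb"}


@dataclass
class NoteIndicators:
    victim_id: Optional[str]
    emails: List[str]


@dataclass
class NameParts:
    original: str            # best guess at the pre-encryption filename
    victim_id: Optional[str]
    email: Optional[str]
    random_token: Optional[str]
    extension: str           # the final appended extension, e.g. ".arthur"


def parse_note(text: str) -> NoteIndicators:
    """Extract the personal ID and all contact e-mails from a ransom note."""
    m = ID_LINE_RE.search(text)
    emails = sorted(set(EMAIL_RE.findall(text)), key=str.lower)
    return NoteIndicators(m.group(1) if m else None, emails)


def classify_name(name: str) -> NameParts:
    """Split an encrypted filename into the components post #30 asks about."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        raise ValueError("no appended extension found in %r" % name)
    ext = "." + ext
    victim_id = email = token = None

    # ".id[XXXX-YYYY]" or ".id-XXXX" (bracket form checked first).
    m = ID_BRACKET_RE.search(base) or ID_DASH_RE.search(base)
    if m:
        victim_id = m.group(1)
        base = base[:m.start()] + base[m.end():]

    # ".[<email>]" following the ID (or on its own).
    m = EMAIL_BRACKET_RE.search(base)
    if m:
        email = m.group(1)
        base = base[:m.start()] + base[m.end():]

    # A trailing ".8wLv8GMph"-style token that is not a known document extension.
    head, dot, last = base.rpartition(".")
    if dot and last.lower() not in KNOWN_EXTS and RANDOM_TOKEN_RE.match(last):
        token = last
        base = head
    return NameParts(base, victim_id, email, token, ext)


if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
    # Constructed filenames following the patterns listed in post #30.
    for fn in ("report.xlsx.id-A04EBFC2.[Jack2009@skiff.com].arthur",
               "db.bak.id[7A9B748C-1104].[Jack2009@onionmail.org].BlackShadow",
               "invoice.pdf.8wLv8GMph.X",
               "photo.jpg.arthur"):
        print(fn, "->", classify_name(fn))
```

Running it on the note from #26 yields the ID 05100E08CBCF15F2 and the two skiff.com / onionmail.org addresses, which is exactly the information a responder records before searching for a matching family; the filename splitter reports, for each constructed name, which of quietman7's structures it follows and what the final extension is.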




