
Archived

This topic is now archived and is closed to further replies.

Babamonkey

blklock@airmail.cc - Need VBA programmer for removal


Customer was infected with the blklock@airmail.cc ransomware. Too bad ESET Internet Security was not able to find it (now it is), so it encrypted all Word, Excel, PDF and files like this on the hard drive.

I found out it used "rar" to pack it with an unknown password. The files were encrypted and then renamed to "<originalName>.blklock@airmail.cc". The original files were deleted and the shadow copies were also deleted.
I was able to follow the way from the email (ISO file with download script) to the batch file and also the VBA script which was used to encrypt everything.
I also own the PGP file used to encrypt and the key file from the infected PC. BUT... I'm a total VBA noob. I understand the basics... more or less... but I'm not totally sure what the VBA script did in every way and how to change it to decrypt it again.

I would link the files here with some samples from the encrypted PC, but I have no idea if I'm allowed to, because basically it's the ransomware itself and someone could change it to use it again.

Would be nice if someone could help me, or maybe ESET is even interested in programming a removal tool.

Greetings from Germany
Nico Müller
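The post above describes the artefacts left behind: files renamed with the ".blklock@airmail.cc" suffix, the payload packed as a password-protected RAR archive, and the originals deleted. The following triage script is an added example, not code from the thread or from ESET: it inventories files carrying that suffix, checks from the leading bytes whether each one really is a RAR archive, and records whether the original still sits beside it. The sample directory tree it builds is constructed here for demonstration; nothing in it comes from a real victim.

```python
import tempfile
from pathlib import Path

# Naming pattern and container format as described in the thread.
RANSOM_SUFFIX = ".blklock@airmail.cc"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature


def container_type(path: Path) -> str:
    """Identify the container from its leading bytes: 'rar4', 'rar5' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    return "unknown"


def triage(root) -> list:
    """Inventory every file under root that carries the ransom suffix.

    For each hit, record the original name, whether that original still
    exists next to the renamed file, and whether the payload is a RAR archive.
    """
    hits = []
    for p in sorted(Path(root).rglob("*" + RANSOM_SUFFIX)):
        if not p.is_file():
            continue
        original = p.with_name(p.name[: -len(RANSOM_SUFFIX)])
        hits.append({
            "encrypted": str(p.relative_to(root)),
            "original_name": original.name,
            "original_present": original.exists(),
            "container": container_type(p),
        })
    return hits


def demo() -> list:
    """Constructed sample tree (hypothetical, not victim data) exercising the triage."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    # Typical case: RAR5 payload, original deleted.
    (root / "docs" / ("budget.xlsx" + RANSOM_SUFFIX)).write_bytes(RAR5_MAGIC + b"\x00" * 32)
    # Original still present next to the renamed copy (run may have been interrupted).
    (root / "docs" / "notes.docx").write_bytes(b"PK\x03\x04")
    (root / "docs" / ("notes.docx" + RANSOM_SUFFIX)).write_bytes(RAR4_MAGIC + b"\x00" * 32)
    # Suffix present but not a RAR container: needs separate investigation.
    (root / ("scan.pdf" + RANSOM_SUFFIX)).write_bytes(b"%PDF-1.4")
    return triage(root)
```

A file whose container comes back as "unknown" despite the suffix is worth a closer look, since it contradicts the packing behaviour described in the post.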


Before making any conclusions, please contact samples[at]eset.com and provide the following stuff from the affected machine:
- logs collected with ESET Log Collector (ESET must be installed and activated beforehand if it's not)
- a handful of encrypted files (ideally Office documents)
- the ransomware note (payment instructions).

If the files were encrypted by a 100% legitimate tool, such as PGP, it's not obviously possible to detect such. An attacker might have hacked in via RDP and used it to encrypt files. If that's the case, what failed was not the AV but the security of the system, which should have prevented remote attacks via RDP. However, without logs we can now only speculate about what happened, but the requested logs may shed more light.


Hello,

OK, thanks, I was in contact with the support.

Sadly it's not possible to decode the files because of the missing private PGP key.

You can close this thread.
