Pandemic, posted June 4, 2024:
Hello everyone, my friend's computer was infected by a ransomware that is unknown to:
https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/
https://app.malcore.io/ransom-note
I have ESET Internet Security; it detects even the text file that comes with it, but it only says "filecoder.mimic". What is even more odd is that if the text inside the .txt file is sent through something else, let's say e-mail, and you copy the text to Notepad and then try to save it, ESET will detect that file too. Here are the infected file and the .txt file, compressed: Desktop.rar
Marcos (Administrator), posted June 4, 2024:
It's probably Filecoder.Mimic; decryption is not possible. We'd need ELC logs from the machine that was infected if ESET was installed there.
Pandemic (Author), posted June 4, 2024 (edited):
Quoting Marcos: "It's probably Filecoder.Mimic, decryption is not possible. We'd need ESET Log Collector logs from the machine that was infected if ESET was installed there."
How can I provide that? Sadly they did not have ESET installed. Is there any other way?
Marcos (Administrator), posted June 4, 2024:
If ESET was installed on the machine with encrypted files, run ESET Log Collector there and upload the generated zip archive here. Only ESET staff have access to file attachments in this forum.
Pandemic (Author), posted June 4, 2024 (edited):
Quoting Marcos: "If ESET was installed on the machine with encrypted files, run ESET Log Collector there and upload the generated zip archive here. Only ESET staff has access to file attachments in this forum."
So is it too late for that, since there was no ESET at the beginning?
Marcos (Administrator), posted June 4, 2024:
The logs would be useful in case ESET was installed at the time of encryption. Since it wasn't, we could not prevent the ransomware from running and encrypting files on the user's disks.
Pandemic (Author), posted June 4, 2024:
Quoting Marcos: "The logs would be useful in case ESET was installed at the time of encryption. Since it wasn't, we could not prevent the ransomware from running and encrypting files on user's disks."
I want the internet to know about this ransomware; there is really no website that can detect and identify this but you guys. What can I do to submit samples?
Marcos (Administrator), posted June 4, 2024:
ESET detects Filecoder.Mimic. We can't help with decryption, however.
itman, posted June 4, 2024 (edited):
If this is Mimic ransomware, the encrypted files should show .QUIETPLACE appended, as noted below:
Quote: "After we executed a sample of Mimic on our testing system, it encrypted files and appended their filenames with a ".QUIETPLACE" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.QUIETPLACE", "2.png" as "2.png.QUIETPLACE", and so on."
https://www.pcrisk.com/removal-guides/25932-mimic-ransomware
Pandemic (Author), posted June 4, 2024:
Quoting itman: "if this is mimic ransomware, the encrypted files should show .QUIETPLACE appended as noted below; https://www.pcrisk.com/removal-guides/25932-mimic-ransomware"
I uploaded the files, but only admins and moderators have access to them. The suffix is not ".quietplace"; sadly it is "[email protected]".
itman, posted June 4, 2024:
Quoting Pandemic: "I uploaded the files but only admins and moderators have access to them. suffix is not ".quietplace" sadly it is "[email protected]""
I still believe it's a Mimic ransomware variant. The attacker just changed the encrypted file suffix to mail.ru to make one believe it's mail.ru ransomware.
Pandemic (Author), posted June 5, 2024:
Quoting itman: "Still believe its a mimic ransomware variant. Attacker just changed the encrypted file suffix to mail.ru to make one believe its mail.ru ransomware."
There are hundreds of ransomware variants; how can I find its variant?
Marcos (Administrator), posted June 5, 2024:
Use the https://id-ransomware.malwarehunterteam.com/ service to determine the variant. However, sometimes the same instructions may be used by different variants of ransomware, so further logs would be needed to determine the one that encrypted the files. That's not the case with Filecoder.Mimic, as far as I remember.
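A small triage helper, added here as an example and not ESET's or any poster's code, that inventories a victim folder by the appended suffixes discussed above (Mimic's .QUIETPLACE and a mail.ru-style bracketed address, where ".[user@mail.ru]" is a constructed sample, not the suffix from the thread) and picks out ransom-note candidates plus one encrypted file to submit together to ID Ransomware; the note-name pattern is an assumption and should be widened for a real case.

```python
import os
import re
import tempfile
from collections import Counter

# Suffix shapes discussed in the thread: Mimic's ".QUIETPLACE" and a variant
# that appends a bracketed contact address (".[name@mail.ru]" is constructed).
SUFFIX_RE = re.compile(r"(\.QUIETPLACE|\.\[[^\]\s]+@[^\]\s]+\])$", re.IGNORECASE)
# Common ransom-note file-name words; a hypothetical pattern, widen as needed.
NOTE_RE = re.compile(r"(decrypt|readme|restore|recover|how[_ -]?to).*\.txt$",
                     re.IGNORECASE)

def classify(name):
    """('encrypted', suffix) for an encrypted file, ('note', name) for a
    ransom-note candidate, None for anything else."""
    m = SUFFIX_RE.search(name)
    if m:
        return ("encrypted", m.group(1))
    if NOTE_RE.search(name):
        return ("note", name)
    return None

def triage(root):
    """Walk root and return (Counter of appended suffixes, list of note paths,
    one encrypted sample path to upload together with the note)."""
    suffixes, notes, sample = Counter(), [], None
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            kind = classify(f)
            if kind is None:
                continue
            if kind[0] == "encrypted":
                suffixes[kind[1]] += 1
                sample = sample or os.path.join(dirpath, f)
            else:
                notes.append(os.path.join(dirpath, f))
    return suffixes, notes, sample

def demo():
    """Build a constructed victim folder in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    for name in ("1.jpg.QUIETPLACE", "2.png.QUIETPLACE",
                 "report.docx.[user@mail.ru]", "notes.txt", "Decrypt_me.txt"):
        open(os.path.join(root, name), "w").close()
    return triage(root)
```

Calling demo() runs the walk over the constructed folder; point triage() at a copy of the real encrypted share to see which suffixes dominate and which note to upload.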
Pandemic (Author), posted June 5, 2024:
Quoting Marcos: "Use the https://id-ransomware.malwarehunterteam.com/ service to determine the variant. However, sometimes same instructions may be used by different variants of ransomware so further logs would be needed to determine the one that encrypted files. That's not the case of Filecoder.Mimic as far as I remember."
I already stated this in my first post, Marcos, c'mon now. Ransomware ID websites cannot find anything about this.
Marcos (Administrator), posted June 5, 2024:
Quoting Pandemic: "I already stated this on my first post Marcos, c'mon now. ransomware id websites cannot find anything about this"
I meant it in general for any encryption by ransomware. ESET has identified it as Filecoder.Mimic, so it is very likely that variant.
itman, posted June 5, 2024:
Identifying the ransomware in all likelihood will not help you. Odds are that it's not decryptable.