Pandemic, posted June 4:
Hello everyone. My friend's computer was infected by a ransomware that is unknown to:
https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/
https://app.malcore.io/ransom-note
I have ESET Internet Security; it detects even the text file that comes with it, but it only says "filecoder.mimic". What is even more odd is that if the text inside the .txt file is sent through something else, let's say e-mail, and you copy the text to Notepad and then try to save it, ESET will detect that file too. Here are the infected file and the .txt file, compressed: Desktop.rar
Marcos (Administrator), posted June 4:
It's probably Filecoder.Mimic; decryption is not possible. We'd need ELC logs from the machine that was infected if ESET was installed there.
Pandemic, posted June 4 (edited June 4 by Pandemic):
1 minute ago, Marcos said: "It's probably Filecoder.Mimic, decryption is not possible. We'd need ESET Log Collector logs from the machine that was infected if ESET was installed there."
How can I provide that? Sadly they did not have ESET installed. Is there any other way?
Marcos (Administrator), posted June 4:
If ESET was installed on the machine with encrypted files, run ESET Log Collector there and upload the generated zip archive here. Only ESET staff has access to file attachments in this forum.
Pandemic, posted June 4 (edited June 4 by Pandemic):
4 minutes ago, Marcos said: "If ESET was installed on the machine with encrypted files, run ESET Log Collector there and upload the generated zip archive here. Only ESET staff has access to file attachments in this forum."
So is it too late for that, since there was no ESET at the beginning?
Marcos (Administrator), posted June 4:
The logs would be useful in case ESET was installed at the time of encryption. Since it wasn't, we could not prevent the ransomware from running and encrypting files on the user's disks.
Pandemic, posted June 4:
38 minutes ago, Marcos said: "The logs would be useful in case ESET was installed at the time of encryption. Since it wasn't, we could not prevent the ransomware from running and encrypting files on user's disks."
I want the internet to know about this ransomware; there is really no website that can detect and identify this but you guys. What can I do to submit samples?
Marcos (Administrator), posted June 4:
ESET detects Filecoder.Mimic. We can't help with decryption, however.
itman, posted June 4 (edited June 4 by itman):
If this is Mimic ransomware, the encrypted files should show .QUIETPLACE appended, as noted below:
Quote: "After we executed a sample of Mimic on our testing system, it encrypted files and appended their filenames with a ".QUIETPLACE" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.QUIETPLACE", "2.png" as "2.png.QUIETPLACE", and so on."
https://www.pcrisk.com/removal-guides/25932-mimic-ransomware
Pandemic, posted June 4:
2 hours ago, itman said: "If this is Mimic ransomware, the encrypted files should show .QUIETPLACE appended as noted below: https://www.pcrisk.com/removal-guides/25932-mimic-ransomware"
I uploaded the files, but only admins and moderators have access to them. The suffix is not ".quietplace"; sadly it is ".companydata@mail.ru.500USD".
itman, posted June 4:
2 hours ago, Pandemic said: "I uploaded the files but only admins and moderators have access to them. The suffix is not ".quietplace"; sadly it is ".companydata@mail.ru.500USD"."
Still believe it's a Mimic ransomware variant. The attacker just changed the encrypted file suffix to mail.ru to make one believe it's mail.ru ransomware.
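As an added defender-side example (not code from the thread, from ESET or from pcrisk): a small triage script that takes a directory listing, separates the original extension from the appended ransomware suffix (".QUIETPLACE" or ".companydata@mail.ru.500USD" as discussed above), tallies the suffixes and pulls out any contact address embedded in them, so an incident responder can summarise what was hit before submitting samples. The suffix-to-family table holds only the Mimic entry quoted from pcrisk above; the known-extension list and the file listing are constructed assumptions.

```python
import re
from collections import Counter

# Illustrative set of ordinary file extensions (assumption, not exhaustive).
KNOWN_EXTS = {".jpg", ".png", ".pdf", ".docx", ".xlsx", ".txt", ".zip", ".mp4"}

# Suffix -> family hints. Only the Mimic entry is supported by the thread (pcrisk quote).
SUFFIX_HINTS = {".quietplace": "Mimic (Filecoder.Mimic)"}

# Matches a contact address such as companydata@mail.ru inside a suffix; the
# trailing "(?:\.[A-Za-z]{2,})+" stops before numeric parts like ".500USD".
EMAIL_RE = re.compile(r"[A-Za-z0-9_+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z]{2,})+")


def split_appended_suffix(filename):
    """Return (original_ext, appended_suffix), or (None, None) when nothing is appended.

    A suffix is 'appended' when a known extension is followed by a further '.xxx'
    part that is itself not a known extension (so 'archive.zip.txt' is left alone).
    """
    lower = filename.lower()
    best = None  # (ext, index just past the ext) for the rightmost candidate
    for ext in KNOWN_EXTS:
        idx = lower.rfind(ext)
        while idx != -1:
            end = idx + len(ext)
            if end < len(lower) and lower[end] == "." and (best is None or end > best[1]):
                best = (ext, end)
            idx = lower.rfind(ext, 0, idx)
    if best is None or lower[best[1]:] in KNOWN_EXTS:
        return None, None
    ext, end = best
    return filename[end - len(ext):end], filename[end:]


def triage(filenames):
    """Tally appended suffixes across a listing, extract contacts and attach family hints."""
    suffixes, contacts = Counter(), set()
    for name in filenames:
        _, suffix = split_appended_suffix(name)
        if suffix is None:
            continue
        suffixes[suffix] += 1
        contacts.update(EMAIL_RE.findall(suffix))
    hints = {s: SUFFIX_HINTS.get(s.lower(), "unknown; submit a sample for identification")
             for s in suffixes}
    return {"suffixes": dict(suffixes), "contacts": sorted(contacts), "hints": hints}


SAMPLE_LISTING = [  # constructed directory listing for demonstration
    "1.jpg.QUIETPLACE", "2.png.QUIETPLACE", "budget.xlsx.companydata@mail.ru.500USD",
    "report.docx.companydata@mail.ru.500USD", "readme.txt", "archive.zip.txt",
]
```

Run `triage(SAMPLE_LISTING)` to get the suffix counts, the extracted contact address and a hint per suffix; a suffix with no hint is exactly the case where a sample needs to be submitted, as the thread advises.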
Pandemic, posted June 5:
12 hours ago, itman said: "Still believe it's a Mimic ransomware variant. The attacker just changed the encrypted file suffix to mail.ru to make one believe it's mail.ru ransomware."
There are hundreds of ransomware variants; how can I find its variant?
Marcos (Administrator), posted June 5:
Use the https://id-ransomware.malwarehunterteam.com/ service to determine the variant. However, sometimes the same instructions may be used by different variants of ransomware, so further logs would be needed to determine the one that encrypted the files. That's not the case with Filecoder.Mimic as far as I remember.
Pandemic, posted June 5:
1 hour ago, Marcos said: "Use the https://id-ransomware.malwarehunterteam.com/ service to determine the variant. However, sometimes the same instructions may be used by different variants of ransomware, so further logs would be needed to determine the one that encrypted the files. That's not the case with Filecoder.Mimic as far as I remember."
I already stated this in my first post, Marcos, c'mon now. Ransomware ID websites cannot find anything about this.
Marcos (Administrator), posted June 5:
2 minutes ago, Pandemic said: "I already stated this in my first post, Marcos, c'mon now. Ransomware ID websites cannot find anything about this."
I meant it in general for any encryption by ransomware. ESET has identified it as Filecoder.Mimic, so it is very likely that variant.
itman, posted June 5:
Identifying the ransomware in all likelihood will not help you. Odds are that it's not decryptable.