
Help to Identify Ransomware Website

June 7th, 2016, 11:53

I have a client hit with a ransomware virus that encrypted all his data and converted it all to the following format:

(filename)-BAA14811.bitcoinrush@aol.com.xtbl

I know this is a Russian virus, and I know that the BAA14811 part is the unique infection ID. However, I've been unable to find the HTML files it generates upon completion. Perhaps the virus never completed its work. Anyway, the client's entire law firm is stored on this drive, all backups failed, so they are willing to pay.

Anyone know where the website to pay this ransom is? Or have a sample HTML file from one like this?

Many thanks!

Re: Help to Identify Ransomware Website

June 8th, 2016, 1:11

Google searches seem to suggest that there are READMEnn.TXT files.

Depending on your version of Windows, you could select Start -> Find -> Files or Folders and specify a date range.
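The file-name layout from the first post and the date-range search suggested in the reply above, combined into one small triage script. This is an added example, not code from either poster: it assumes the `<original name>-<infection ID>.<contact email>.xtbl` layout and `READMEnn.TXT` note names exactly as the thread states them, and it runs against a constructed temporary directory rather than real client data.

```python
"""Triage helper for the .xtbl naming pattern discussed in the thread.

Added example, not from the original posts. Assumes encrypted files look like
    <original name>-<INFECTION_ID>.<contact email>.xtbl
and that ransom notes are named READMEnn.TXT (both as stated in the thread).
"""
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Greedy <original> followed by "-<id>.<email>.xtbl"; the ID in the thread
# (BAA14811) is 8 hex characters, so hex is assumed here but not fixed to 8.
XTBL_RE = re.compile(
    r"^(?P<original>.+)-(?P<infection_id>[0-9A-Fa-f]+)"
    r"\.(?P<contact>[^@\s]+@[^@\s]+)\.xtbl$"
)
# READMEnn.TXT as mentioned in the reply; case-insensitive to be safe.
README_RE = re.compile(r"^README\d*\.TXT$", re.IGNORECASE)


def parse_xtbl_name(name: str):
    """Return (original_name, infection_id, contact_email) or None if not matching."""
    m = XTBL_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("infection_id"), m.group("contact")


def scan_tree(root, since=None, until=None):
    """Walk `root` and collect encrypted files, ransom notes, IDs and contacts.

    `since` / `until` are optional datetimes bounding the modification time,
    the same idea as the Start -> Find date range mentioned in the reply.
    Files are only read via stat(); nothing is modified or decrypted.
    """
    encrypted, notes = [], []
    ids, contacts = set(), set()
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            if since is not None and mtime < since:
                continue
            if until is not None and mtime > until:
                continue
            parsed = parse_xtbl_name(fname)
            if parsed:
                encrypted.append(str(path))
                ids.add(parsed[1])
                contacts.add(parsed[2])
            elif README_RE.match(fname):
                notes.append(str(path))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "infection_ids": sorted(ids),
        "contacts": sorted(contacts),
    }


def scan_recent(root, hours=24):
    """Convenience wrapper: only files modified in the last `hours` hours."""
    return scan_tree(root, since=datetime.now() - timedelta(hours=hours))


def build_sample_tree():
    """Constructed sample directory (placeholder content, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="xtbl_triage_"))
    (root / "cases").mkdir()
    for name in ("contract.docx", "brief.pdf"):
        enc = f"{name}-BAA14811.bitcoinrush@aol.com.xtbl"  # ID/email from the thread
        (root / "cases" / enc).write_bytes(b"\x00" * 16)
    (root / "README1.TXT").write_text("constructed ransom note placeholder\n")
    (root / "notes.txt").write_text("unrelated, untouched file\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = scan_recent(sample, hours=24)
    print(f"encrypted files : {len(report['encrypted'])}")
    print(f"ransom notes    : {report['notes']}")
    print(f"infection IDs   : {report['infection_ids']}")
    print(f"contact emails  : {report['contacts']}")
```

Point it at a copy of the affected drive (not the original), and narrow the window with `since`/`until` to the day of the incident to cut the noise down; the distinct ID and contact sets are what you would carry into a sample-submission or identification request.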

Re: Help to Identify Ransomware Website

June 8th, 2016, 4:38

It's Troldesh :(
There are numerous reports that even people who have paid the ransom were unable to decrypt their files.

We have found some way to brute force *some* of these variants, so there *might* be a way to decrypt.
If you're interested, I can take a look. Send me one or two infected files (it is important that they're untouched) and I will analyze them for you.