Press Ransomware (.press, .spfre; RECOVERY NFO.txt) Support Topic


35 replies to this topic

#1 Sr_Scorpio (Members, 5 posts)

Posted 29 December 2023 - 09:52 AM

Any files that are encrypted with Press Ransomware will have a .press, .dwarf or .spfre extension appended to the end of the encrypted data filename and typically leave files (ransom notes) named RECOVERY NFO.txt as explained here by Amigo-A (Andrew Ivanov).

 

rivitna (Andrey Zhdanov) may be able to help victims but you need to contact him privately.

If you have become a victim of this ransomware, write to me PM :-)

 
 
Hi, I have been attacked by an unknown ransomware. I can't find a decryption tool for it. Can you help me identify it and find out which tool to use?
I am attaching the ransom note and the affected files.
All the files in the computer were given an extension: .press
 
ID Ransomware
SHA1: f20cf0856a94f8678f0a9876cd3c660062c20a4c
 
Thx!

Attached Files





#2 quietman7 (Bleepin' Gumshoe, Global Moderator, 61,818 posts, Virginia, USA)

Posted 29 December 2023 - 12:44 PM

Is .press the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?

RECOVERY NFO.txt contents:

Hello! 
 
We're sorry, but your data are stolen and encrypted.
In case of nonpayment - all sensitive information will be sold or made publicly accessible.
Compared to other ransomware we charge a lot less, so don't be stingy!
If you pay - we will provide you with decryption software and remove your data from our servers. We work honesty!   
Warning! Do not delete or modify any files, it can lead to recovery problems!
 
You can contact us using TOX messenger without registration and SMS https://tox.chat/download.html
Tox ID:  ABF256935FB3F8E5DE4E0127A98300EA41B9F3F651598B1BF37823EA46E8017CC740F9FFED83
 
Or download Tor Browser
        and email us at Tyhelpss@onionmail.org
 
Send us your KeyID and 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 2 mb) for free decryption.
        Use https://ufile.io
 
Good luck!
 
Key Identifier: 

 

 


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click [donation link].

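As an added illustration of the triage question quietman7 asks above (this is example code written for this page, not code from the thread or from any tool mentioned in it), the following Python peels the suffix shapes he lists (.id-XXXX, .id[XXXX-YYYY], .[email], a run of random characters) off an encrypted file name and reports whether a directory listing is consistent with the bare .press/.dwarf/.spfre pattern plus RECOVERY NFO.txt that this topic describes. The regexes, the randomness heuristic and all sample file names are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
# Extensions and note name this thread attributes to Press ransomware.
PRESS_EXTENSIONS = {"press", "dwarf", "spfre"}
PRESS_NOTE = "RECOVERY NFO.txt"
# Marker shapes modelled on quietman7's triage question; these regexes are constructed for this example.
_EMAIL = re.compile(r"\.\[([^\[\]\s]+@[^\[\]\s]+)\]$")                           # .[mail@host]
_ID = re.compile(r"\.id(?:-([0-9A-F]+)|\[([0-9A-F]+(?:-[0-9A-F]+)?)\])$", re.I)  # .id-XXXX / .id[XXXX-YYYY]
_RANDOM = re.compile(r"\.([A-Za-z0-9-]{8,})$")                                    # .8SLV8GMp-hjqo9v3s

@dataclass
class EncryptedName:
    original: str                        # best-effort name before the appended markers
    extension: str                       # the final appended extension
    victim_id: Optional[str] = None
    email: Optional[str] = None
    random_marker: Optional[str] = None

def _looks_random(seg: str) -> bool:
    # Heuristic: generated markers mix digits, lower- and uppercase; "spreadsheet2024" does not. Review hits manually.
    return bool(re.search(r"\d", seg) and re.search(r"[a-z]", seg) and re.search(r"[A-Z]", seg))

def parse_encrypted_name(name: str) -> EncryptedName:
    """Peel e-mail, ID and random markers off the right end of an encrypted file name."""
    stem, _, ext = name.rpartition(".")
    info = EncryptedName(original=stem, extension=ext)
    while True:
        if m := _EMAIL.search(stem):
            info.email = m.group(1)
        elif m := _ID.search(stem):
            info.victim_id = (m.group(1) or m.group(2)).upper()
        elif (m := _RANDOM.search(stem)) and _looks_random(m.group(1)):
            info.random_marker = m.group(1)
        else:
            info.original = stem
            return info
        stem = stem[: m.start()]  # drop the marker just recognised and look again

def looks_like_press(name: str) -> bool:
    """Press, per this thread: a bare .press/.dwarf/.spfre with no ID, e-mail or random marker."""
    i = parse_encrypted_name(name)
    return i.extension.lower() in PRESS_EXTENSIONS and not (i.victim_id or i.email or i.random_marker)

def triage(listing: List[str]) -> dict:
    """Summarise a constructed directory listing: extensions seen, note present, Press-consistent."""
    files = [n for n in listing if n != PRESS_NOTE]
    return {"extensions": dict(Counter(parse_encrypted_name(n).extension.lower() for n in files)),
            "note_present": PRESS_NOTE in listing,
            "press_consistent": bool(files) and all(looks_like_press(n) for n in files)}
```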

#3 Sr_Scorpio (Topic Starter)

Posted 29 December 2023 - 01:02 PM

Hi, it's always the .press extension without any other data. Thx



#4 quietman7 (Global Moderator)

Posted 29 December 2023 - 07:40 PM

If you can find the malicious executable that you suspect was involved in causing the infection, you can submit (upload) a sample to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with any of the following: analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data. Refer to my comments in this topic (Post #18) for the most common locations malicious executables are known to hide.




#5 rivitna (Security Colleague, 185 posts)

Posted 30 December 2023 - 07:47 AM

I think the files can be decrypted. :-)



#6 Sr_Scorpio (Topic Starter)

Posted 30 December 2023 - 10:40 AM

Hi,

 

Ok, I'm going to try to find the culprit. Thx

If you can find the malicious executable that you suspect was involved in causing the infection, you can submit (upload) a sample to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with any of the following: analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data. Refer to my comments in this topic (Post #18) for the most common locations malicious executables are known to hide.

 

:wacko:

I think the files can be decrypted. :-)

 

Thx



#7 Sr_Scorpio (Topic Starter)

Posted 30 December 2023 - 02:39 PM

Hi,

 

I have run the Malwarebytes scan and attached the result; as far as I can see, it indicates that it is Virus.Neshta.

 

"Virus.Neshta, C:\PROGRAM FILES (X86)\MOZILLA MAINTENANCE SERVICE\MAINTENANCESERVICE.EXE, Sin acciones por parte del usuario, 1944, 1196847, 1.0.79047, , ame, , 99AC881582035C636C2359FCC7C72B71, 8AA538991767D32B538AD399C1E2AF1E536AB9FC04CA70F13C0728347F404753
Virus.Neshta, C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE, Sin acciones por parte del usuario, 1944, 1196847, 1.0.79047, , ame, , CC9086282AEB0488C6F400AFBF477D65, C2D2D8A74C726957A9DD578DCC0ED1C8B86B400822477B50FB2518923065E229
Virus.Neshta, C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\120.0.2210.91\ELEVATION_SERVICE.EXE, Sin acciones por parte del usuario, 1944, 1196847, 1.0.79047, , ame, , 4543E1B77FDF638D778F46AECF3D8B23, 40B803B09482083EF6E6CE6E0A964697354E51B1DF5911225DEAAD51E43D46FA"

 

VirusTotal ID: 40b803b09482083ef6e6ce6e0a964697354e51b1df5911225deaad51e43d46fa
Popular threat label: virus.neshta/hllp
 
Thx :)

Edited by Sr_Scorpio, 30 December 2023 - 02:39 PM.


#8 rivitna (Security Colleague)

Posted 30 December 2023 - 02:52 PM

This is the legitimate Microsoft Edge module infected with the Neshta virus.

 

Most likely, the ransomware was infected with the Neshta virus.

Ransomware families such as Proxima and LokiLocker are often used in conjunction with the Neshta virus.


Edited by rivitna, 30 December 2023 - 02:58 PM.


#9 Sr_Scorpio (Topic Starter)

Posted 01 January 2024 - 11:32 AM

Hi,

 

Sorry, I didn't attach the full log correctly. Can this give more information?

 

 

This is the legitimate Microsoft Edge module infected with the Neshta virus.

 

Most likely, the ransomware was infected with the Neshta virus.

Ransomware families such as Proxima and LokiLocker are often used in conjunction with the Neshta virus.

 

I haven't found the file that may have caused the infection. :(

 

Any tool to decrypt the files of the ransomware you mention? I don't see anything related in "nomoreransom .org"

 

Thx

Attached Files



#10 rivitna (Security Colleague)

Posted 01 January 2024 - 02:37 PM

 

Any tool to decrypt the files of the ransomware you mention? I don't see anything related in "nomoreransom .org"

Yesterday I sent you a PM with what I need to decrypt.



#11 zavidos (Members, 1 post)

Posted 17 January 2024 - 06:01 AM

Any news on that? I have the exact same problem eheh



#12 rivitna (Security Colleague)

Posted 17 January 2024 - 06:09 AM

I have an idea. I have sent you a PM :-)



#13 rivitna (Security Colleague)

Posted 17 January 2024 - 01:31 PM

If you have become a victim of this ransomware, write to me PM :-)



#14 jgla2024 (Members, 1 post)

Posted 13 February 2024 - 07:52 AM

A friend has been hit with exactly the same but the files end in .spfre



#15 rivitna (Security Colleague)

Posted 13 February 2024 - 08:09 AM

 

A friend has been hit with exactly the same but the files end in .spfre

 

Yeah, Press ransomware uses this extension :-)





