Posted 08 June 2022 - 05:30 AM
Hi!
I need some help wit new (I believe) ransomware, which encrypt files on QNAP storage of my clients. Ransom puts .checkmate file extension.
Please, reffer to this id-ransomware case SHA1: f0512f8e17ad4fdc9e880775d012a9b1be275871
Thanks in advance!
Bleepin' Gumshoe
Posted 08 June 2022 - 05:32 AM
Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension?
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click 
Posted 08 June 2022 - 05:38 AM
Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension?
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
Sorry, no email, but there is a file called "!CHECKMATE_DECRYPTION_README"
Here is the content:
"
.........
You was hacked by CHECKMATE team.
Security specialist and Ransomware expert
Posted 08 June 2022 - 12:19 PM
Attach file "!CHECKMATE_DECRYPTION_README" to your message.
Do not change anything, the file must be original.
Attach an zip-archive with 2-3 files for comparison.
Edited by Amigo-A, 08 June 2022 - 12:20 PM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 09 June 2022 - 12:00 AM
@sikich by any chance can I get one ID to try and speak with him on tele and get their btc address? thanks
Posted 09 June 2022 - 04:11 AM
@Amigo-A, sorry ;-)
!CHECKMATE_DECRYPTION_README.zip 724bytes
14 downloads
encrypted_files.zip 2.84MB
11 downloads
Edited by sikich, 09 June 2022 - 04:13 AM.
Posted 09 June 2022 - 04:15 AM
@duttex, I'm not completely shure that is a good idea ...
Security specialist and Ransomware expert
Posted 09 June 2022 - 05:00 AM
Edited by Amigo-A, 09 June 2022 - 07:43 AM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Security specialist and Ransomware expert
Posted 09 June 2022 - 11:17 AM
If you can collect a collection of encrypted image files (jpg, png), then send me and I will try several recovery tools.
The result is not known in advance, I'll just try what I can.
Edited by Amigo-A, 09 June 2022 - 11:19 AM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 10 June 2022 - 01:40 AM
Security specialist and Ransomware expert
Posted 10 June 2022 - 01:54 AM
I forgot to say, me need at least one original unencrypted file from these files.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 10 June 2022 - 02:00 AM
Can any please provide the sample for deep analysis purpose, would be great
Edited by rohitsecres, 10 June 2022 - 02:00 AM.
Security specialist and Ransomware expert
Posted 10 June 2022 - 02:04 AM
rohitsecres
There are no samples. There are only encrypted files.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 10 June 2022 - 03:17 AM
try those
It looks like that the only first 8192 bytes are encrypted. And jpeg files can be partially repaired with JpegMedic ARWE.
0 members, 1 guests, 0 anonymous users
Back to top
