HsHarada/Rapture Ransomware ([random 6 chars]; -README.txt) Support Topic


37 replies to this topic

#1 Adha


Posted 06 April 2023 - 05:26 PM

Any files that are encrypted with HsHarada Ransomware (Rapture Ransomware) will have a random 6 or 14 character alpha-numerical extension appended to the end of the encrypted data filename and typically will leave ransom notes which include apparently the same [random 6 or 14 character]-README.txt but actually a "hard-coded character string" as part of its name, as explained here by Amigo-A (Andrew Ivanov). These are some examples:


.m9SRob
.ua2Id7
.JCuYqr
.353a66e3004269
m9SRob-README.txt
ua2Id7-README.txt
JCuYqr-README.txt
353a66e3004269-README.txt

HsHarada ransom notes are known to include a long string of alpha-numerical characters comprising a SPECIAL KEY (unique ID, custom ID) similar to N3ww4v3/Mimic but without an asterisk (*) and extension after the ID numbers.

YOUR SPECIAL KEY is F2nQOVOzOPeK853xvR3zo0PnSZd8cInPF9rWP9ydQTJzfMtJaZ
Your unique ID is  9eCTFzqgMRJ3AIlUbdOkNSEEk0YTHw9ek2ybsjskiSxiVjrsDl
YOUR ID is uudzWKLfmLzF9SRsHj5tiSKmYVbjFkmzMy8NdTjPyE4CppYmRZ
your exclusive ID: H4wSDVOzOPeK853xvR3zo0PnSZd8cInPF9rWP9ydQTJzaFxKB2
Your Crp ID is  1nFDQEUWZCOJeAEGNtsLyW8jaaTI2oHioJqDVY78Jy1qvGNBsK
Your custom ID : pgAeE4KO8PlaQ6XwLjjkRxyer2nl6_vAmc4aTg

Attackers' emails provided by rivitna (Andrey Zhdanov):

crypto scheme: AES-256 CFB / RSA-2048

 
 
This morning I got the m9SRob extension on my important files. They are encrypted and cannot be used. I searched online and found no result. Please help me with this type and a decryptor.

Regards
Adha




#2 Adha


Posted 06 April 2023 - 05:27 PM

Here's the readme text.

Attached Files



#3 Adha


Posted 06 April 2023 - 05:53 PM

3b7dd97e903b62c4fa28a148cb422139c1312bef

 


All your important files are processed!
 
YOUR SPECIAL KEY is F2nQOVOzOPeK853xvR3zo0PnSZd8cInPF9rWP9ydQTJzfMtJaZ
 
Any attempt to restore files using third-party software will be fatal to your files!
The ONLY POSIBLE WAY TO GET BACK YOUR DATA is buy private key from us.
 
Follow the instructions below to get your files back:
 
| 1. Send an email with YOUR SPECIAL KEY to our mailbox:
    >     hsharada@skiff.com
    >     r.heisler@keemail.me
| 2. Complete the payment in the method specified by us (usually Monero)
| 3. Send payment records to us and then download tool that can recover files in a short time
 
 ###  Attention! ###
 # Do not rename encrypted files.
 # Do not try to recover using third party software, it may cause permanent data loss.
 # Obtaining your files with the help of a third party may result in a higher price (they charge us a fee)

 

 

Attached Files



#4 quietman7


Posted 06 April 2023 - 06:20 PM

The .m9SRob extension may be a new variant of N3ww4v3/Mimic Ransomware which will have a random 5-15 character extension (.n3ww4v3, .3kfAp, .r0Qp@3M, .1cy931cn9v, .h777XRgNVM777xM) appended to the end of the encrypted data filename OR append a .crypt, .HONESTBITCOIN, .Fora, .Hairysquid, .PORTHUB, .QUIETPLACE, .bigspermhorseballs, .KASPERSKY, .shiverer, .darth, .Indianguy, .damarans, .dataland. 

 

N3ww4v3/Mimic Ransomware typically will leave files (ransom notes) named How-to-decrypt.txt, What_happened_read_me.txt, Instructions.txt, HOW_TO_DECRYPT.txt, Decrypt_me.txt, README.txt, ---IMPORTANT---NOTICE---.txt, Comunicacin.txt === Readme.txt, hashlist.txt, MIMIC_LOG.txt OR ransom notes which include the same extension as part of the name (Bigspermhorseballs_Decryption.txt, Kaspersky_Decryption.txt, INDIANGUY_DECRYPTION.txt).

 

N3ww4v3/Mimic is known to include a long string decryption ID (number, identifier, decrypt ID, unique ID, tox ID) in the ransom note as shown in these examples.

Your identifier (ID) ZeNL5bqnUMCrcKKK_jaHtrsyxuqzJUPU4-Rq6uMjpHM*w9lq64h4
Your decrypt ID is: lpQdH_qHD4LmEC7Hrrt208Pc5ce_aNHNF98mJEeDkwI*9niOpX
Your unique ID is: O28KRMGjKkx_zW7J2TdbdzDe7VluLemi5bv_C9vu7Ww*giapk33vw
Send your unique id crQ_J-dUfG54f2pRx1-mZmXZIJ9jWyGDr4SXALv3owA*KASPERSKY
In subject line please write your decryption ID: kV7sbyJMAseAKZH8JBYMLNQI4D36YWOYL0m2ZcCLMjg*Fora
Encryption Number  : 4L3hC49ng92fRIFuIipkrUXTTVy4v4J8rLPwCELRDlI*dataland

In your case...

YOUR SPECIAL KEY is F2nQOVOzOPeK853xvR3zo0PnSZd8cInPF9rWP9ydQTJzfMtJaZ

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.
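A triage helper for the naming patterns summarised in post #1 (random 6 or 14 character extension plus an `<ext>-README.txt` note) and for the difference quietman7 points out above between a Rapture "SPECIAL KEY" and a N3ww4v3/Mimic ID ending in an asterisk and extension. This is an added example, not code from the thread or from any of the researchers named; the regexes and the file listing are constructed from the samples quoted in the thread and are heuristics, not an identification.

```python
import re
from collections import Counter

# Indicator shapes as described in this thread; heuristic triage only.
# A 6- or 14-char alphanumeric appended extension (HsHarada/Rapture).
RAPTURE_EXT = re.compile(r"^(?:[A-Za-z0-9]{6}|[A-Za-z0-9]{14})$")
# Ransom note named <ext>-README.txt.
RAPTURE_NOTE = re.compile(r"^([A-Za-z0-9]{6}|[A-Za-z0-9]{14})-README\.txt$")
# N3ww4v3/Mimic IDs end in an asterisk plus the extension; Rapture IDs do not.
MIMIC_ID = re.compile(r"\b([A-Za-z0-9_\-]{40,60})\*([A-Za-z0-9@]+)")
RAPTURE_ID = re.compile(r"\b(?:KEY|ID)\s*(?:is|:)?\s*([A-Za-z0-9_]{30,60})\b")


def note_family(note_text):
    """Return (family, victim_id, ext_after_asterisk) from a ransom note's text."""
    m = MIMIC_ID.search(note_text)
    if m:
        return "n3ww4v3/mimic", m.group(1), m.group(2)
    m = RAPTURE_ID.search(note_text)
    if m:
        return "hsharada/rapture", m.group(1), None
    return "unknown", None, None


def triage_filenames(names):
    """Count candidate appended extensions and pair them with <ext>-README.txt notes.

    A 6-char extension alone is weak evidence (Mimic uses 5-15 chars too); an
    extension that also appears as a note stem is the pattern the thread describes.
    """
    exts = Counter()
    notes = set()
    for name in names:
        m = RAPTURE_NOTE.match(name)
        if m:
            notes.add(m.group(1))
            continue
        stem, _, ext = name.rpartition(".")
        if stem and RAPTURE_EXT.match(ext):
            exts[ext] += 1
    return {
        "extensions": dict(exts),
        "notes": sorted(notes),
        "matched": sorted(e for e in exts if e in notes),
    }
```

Run it over a directory listing and over each note's text; an extension that is also a note stem, together with a note whose ID line has no asterisk, is what this thread describes for HsHarada/Rapture.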


#5 Adha


Posted 06 April 2023 - 07:00 PM

Thanks for the reply, I am not familiar with these kinds of things. Which decryptor can I use, and how do I remove the virus? Regards

#6 quietman7


Posted 06 April 2023 - 07:05 PM

If this is N3ww4v3/Mimic Ransomware....it is not decryptable without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities.
 
Please attach several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database). 
 
To attach files....Click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.
 
If you need individual assistance from our experts ONLY with removing the malware infection, (not decryption of your data), there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs Forum, NOT here, for assistance by the Malware Response Team.




#7 Adha


Posted 06 April 2023 - 07:17 PM

Here are the Excel files that were encrypted.

Attached Files



#8 Amigo-A


Posted 06 April 2023 - 11:05 PM

If Adha didn't change anything in the ransom note, then it's not N3ww4v3/Mimic Ransomware.

 

There are similar ones, but none of them match what we see here.
It is necessary to find the malicious file in order to identify more precisely and reveal kinship.
 
N3ww4v3 has never asked for a ransom in the Monero cryptocurrency.

Edited by Amigo-A, 06 April 2023 - 11:12 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#9 Amigo-A


Posted 06 April 2023 - 11:28 PM

Adha

Is the word "hsharada" associated with you or a company you know?



 


#10 Adha


Posted 06 April 2023 - 11:37 PM

Hsharada is not associated with anything in my company or anything else.

Just sad my data cannot be used. Thanks for the response.

#11 Adha


Posted 06 April 2023 - 11:40 PM

https://drive.google.com/drive/folders/1fIL57bpbL41lcS44fo8D7iWeDoColHZp

Here's the link to the readme file and the encrypted files.

#12 Amigo-A


Posted 06 April 2023 - 11:54 PM

5 files are needed for research: png, jpg, doc, pdf, txt



 


#13 Adha


Posted 07 April 2023 - 12:05 AM

Ok, already uploaded to the same link above.

#14 Adha


Posted 07 April 2023 - 04:59 AM

So this is a new variant of ransomware?

#15 Amigo-A


Posted 07 April 2023 - 08:46 AM

A new ransomware or a new variant of a known ransomware that has changed elements to make it harder to identify.
 
It is necessary to find the malicious file in order to identify more precisely and reveal kinship.
 
Description: HsHarada Ransomware

Edited by Amigo-A, 07 April 2023 - 01:22 PM.


 




