
RansomNoteCleaner - Remove Ransom Notes Left Behind


93 replies to this topic

#31 vilhavekktesla

Posted 30 July 2016 - 03:15 AM

Deep learning is one of your best experiences. Remember backups, and you can continue exploring. It is this knowledge that led to the cleaner. When so many ransomwares are reported to ID Ransomware, the details about all of them are revealed. These two programs/services work together, identifying and cleaning up the mess.

A simple backup before the attack would be better, but since no one learns before a case has happened, this is a good tool to clean up.

And as said above, most of the info on BC is trustworthy; if something is posted that is not trustworthy, I'm sure one of the users or moderators will fix it pretty soon.

It is good to be cautious, and one way to keep up the cautious attitude is to read all posts in the topic; very often an answer to your issue can be found.

Good luck with your issues and feel free to ask for help if you need any.

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.




#32 vilhavekktesla

Posted 05 August 2016 - 01:57 AM

Hi Demonslay, I have asked before, and now I have a case with this uncertainty about who did what.

Different ransom notes, different content. Some copycats, others the original encryptor.

Maybe this belongs in the ID Ransomware topic or in a PM.

 

- Nov 2015: .ccc, _how_recover_ivu.HTML (confirmed by me). Unknown to ID Ransomware.

- Late Feb 2016 - late March, and also some in April: _RECOVERY_+dlllx.html (those 5 random characters)

- _RECOVERY_+nhpmw.html (content about AES, not RSA 4096). I thought Tesla claimed RSA and not AES.

- Early April 2016: {RecOveR}-xrarh__.Txt (content RSA 4096). Could be Tesla or something else. Also 5 random characters, but a .Txt and a .Png share the same random characters. Also not the cases of the extension.

- Early April: de_crypt_readme.txt (confirmed it was encrypted with Tesla v4), but the text content is again mentioning RSA 4096, so it looks like one Tesla v3-4.1 targeted the file and used this help file (ransom note).

- Early April: how_recover+ock.txt.crypt, a ransom note from the .ccc attack in Nov, encrypted with .crypt (confirmed CryptXXX).

- Early April: howto_recover_file_pgrrx.txt.crypt (probably the same as above)

 

Anyway I have all the files where I refer to the cases above.

I think the service ID Ransomware has too many false positives (hard to do it differently, I know), but maybe the above-mentioned files can be opened and the content examined.

I can therefore send you the samples if you like.

 

My question my case.

 

Are you able to mention all note names, recovery names for

 

.ccc encryptions

Tesla v3 - Tesla v4.1 including the v4a

and the original Cryptxxx

 

Based on time stamps I think I identified in the case I'm working on the following.

 

Nov .ccc

Feb Tesla v3late or v4 early

March Tesla v3late or v4 early

Late March v4 later

April .crypt (Cryptxxx)

 

For the user it is hard to find the key to the .crypt files, since apparently no before-and-after files exist, unless I can find one file that only .crypt targeted and that the user had a copy of from before the April attack.

All others are decryptable once the "currently" decryptable .crypt is decrypted. For any other case this would be easy, but not when multi-encryption has happened and no valid samples have been found (as of yet).

 

Any advice? You can use PM if you like, and maybe the ID service can be improved even more.

I have 13 MB of samples, 75 files: ransom notes, howtos etc. with different names and content...

I cannot confirm all of them, since it is a mixture in this case; however, I was able to conclude to some extent.

See my "claims" above.

 

Link is here to my analysis: https://www.sendspace.com/filegroup/X373y8ZdZZ4gnxhsuwLMOAR

 

Regards, and keep up the great work you do.




#33 Geoffc

Posted 17 August 2016 - 04:16 PM

Good idea.

Have an issue at start, though.

Ticking CryptoLocker, I see an error window as follows:

Unhandled exception has occurred in your application. etc. etc.

Method not found: 'Int32 System.Environment.get_CurrentManagedThreadId'.

Then Continue button loops between Select window and error window. 

 

I'm wondering if a clean reboot may be more appropriate.



#34 Demonslay335 (Ransomware Hunter, Topic Starter)

Posted 17 August 2016 - 04:20 PM

> Good idea.
>
> Have an issue at start, though.
>
> Ticking CryptoLocker, I see an error window as follows:
>
> Unhandled exception has occurred in your application. etc. etc.
>
> Method not found: 'Int32 System.Environment.get_CurrentManagedThreadId'.
>
> Then Continue button loops between Select window and error window.
>
> I'm wondering if a clean reboot may be more appropriate.

 

That would definitely be a bug I haven't seem before. Can you share the RansomNoteCleaner-log.txt file with me? You can share it via SendSpace.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#35 al1963

Posted 30 August 2016 - 03:28 AM

@Demonslay335,

 

I'm sorry, it was not in the intended topic that I wrote about my proposal for this utility:

 

http://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/page-7#entry4074475



#36 Aura (Malware Response Team)

Posted 04 September 2016 - 01:59 PM

Looks like Malwarebytes detects and deletes RansomNoteCleaner. Reporting it as a FP on their forum right now.


#37 quietman7 (Global Moderator)

Posted 04 September 2016 - 04:32 PM

Thanks for doing that and letting us know.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#38 Aura (Malware Response Team)

Posted 04 September 2016 - 04:51 PM

It's been fixed in database v2016.09.04.08 2 hours ago by thisisu! :)

https://forums.malwarebytes.org/topic/187908-ransomnotecleaner-detected-as-trojanagentmsil/#comment-1060193



#39 quietman7 (Global Moderator)

Posted 04 September 2016 - 04:55 PM

:thumbup2:



#40 djbillyd

Posted 06 September 2016 - 01:30 PM

 

This link got the notes all cleaned out. I hope it cleaned some more stuff too. Working around the "Defender" was nauseous, but well worth it. Shout out to you bra....!!!!



#41 cybercynic

Posted 08 September 2016 - 02:04 PM

It just cleans out the ransom notes. For other debris run Malwarebytes / Hitman Pro / Emsisoft.


 


#42 sammielea

Posted 13 September 2016 - 09:01 AM

Just used this awesome tool to clean out the crap left behind after an infection. Just an FYI, ControlNow (Vipre engine) is picking RansomNoteCleaner as nasty and deletes it; needed to first uninstall Vipre to run it :)

Thank you @Demonslay335 for this tool



#43 quietman7 (Global Moderator)

Posted 13 September 2016 - 03:20 PM

It's not the first such report.

Certain embedded files that are part of legitimate programs and specialized fix tools (like RansomNoteCleaner) may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc.) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves; these do not allow access for scanning and often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools are falsely detected by various anti-virus programs from time to time for the reasons noted above. This in turn sometimes results in an inaccurate site rating/warning of potentially dangerous software when that is not the case.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

Either have your anti-virus ignore the detection or temporarily disable it until you download and run the tool.



#44 mancat123

Posted 03 November 2016 - 03:55 AM

I have cleaned all Unblockupc ransom notes with this tool.

If I search all ransom notes with this tool, it finds like 12 AutoLocky notes, 109 CrypMic notes, and notes from 7 other malware families, but when I check the files they are normal Readme.txt, info.txt, ... files.

Yesterday I created RegBackup and now this tool tells me that created backup_info.txt is AutoLocky ransom note.



#45 Demonslay335 (Ransomware Hunter, Topic Starter)

Posted 03 November 2016 - 08:31 AM

Thanks for the feedback. RansomNoteCleaner is fed regular expressions from the ID Ransomware engine, and those particular ransomwares do have very generic ransom note names, so they do tend to trigger false-positives. This is the main reason I made the screen for confirming the files to delete.

 

I'll see if I can limit the regex scope more to not pick up on the backup_info.txt; that definitely should not happen (the rule for AutoLocky is to match simply "info.txt").




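The false-positive mechanism described in the post above, as an added example in Python that is not code from RansomNoteCleaner or ID Ransomware: name-based rules applied as a substring search (which is what lets a rule for "info.txt" hit backup_info.txt) next to the same rules required to match the whole file name, followed by the confirmation step before anything is deleted. The rule set is constructed for the example; the page only says that the real AutoLocky rule matched simply "info.txt", and the other patterns are assumptions modelled on note names quoted in post #32. The directory tree, file names and confirmation callback are all made up for the run.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed rule set (assumption). The page states the real AutoLocky rule
# matched simply "info.txt"; the other patterns are modelled on note names
# quoted in post #32 and are NOT ID Ransomware's actual rules.
NOTE_RULES = {
    "AutoLocky": r"info\.txt",
    "CrypMic": r"readme\.txt",
    "TeslaCrypt": r"_recovery_\+[a-z]{5}\.html",
    "TeslaCrypt (.ccc)": r"_how_recover_[a-z]{3}\.html",
}


def compile_rules(rules):
    # Ransom note names vary in case on disk (_how_recover_ivu.HTML, Readme.txt)
    return {family: re.compile(pat, re.IGNORECASE) for family, pat in rules.items()}


def match_families(filename, compiled, anchored):
    """Return the families whose rule matches this file name.

    anchored=False reproduces the substring behaviour (re.search) that lets
    "info.txt" hit backup_info.txt; anchored=True requires the whole name to
    match (re.fullmatch), which is the narrower scope the post proposes.
    """
    if anchored:
        return sorted(f for f, rx in compiled.items() if rx.fullmatch(filename))
    return sorted(f for f, rx in compiled.items() if rx.search(filename))


def scan_tree(root, compiled, anchored):
    """Walk root and return {family: [paths]} of candidate ransom notes."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for family in match_families(name, compiled, anchored):
                hits[family].append(os.path.join(dirpath, name))
    return {family: sorted(paths) for family, paths in hits.items()}


def remove_notes(hits, confirm):
    """Delete only candidates the confirm(family, path) callback approves.

    This is the role of the confirmation screen: a name-based match is a
    candidate, not a verdict. Returns (deleted, kept).
    """
    deleted, kept = [], []
    for family, paths in hits.items():
        for path in paths:
            if confirm(family, path):
                os.remove(path)
                deleted.append(path)
            else:
                kept.append(path)
    return sorted(deleted), sorted(kept)


# Constructed sample tree: three real-looking notes, one generic info.txt,
# a RegBackup file that only contains "info.txt" as a suffix, and a document.
SAMPLE_FILES = (
    "Documents/_RECOVERY_+dlllx.html",
    "Documents/_how_recover_ivu.HTML",
    "Documents/info.txt",
    "RegBackup/backup_info.txt",
    "Tools/Readme.txt",
    "Work/report.docx",
)


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="rnc-")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")
    return root


def demo():
    compiled = compile_rules(NOTE_RULES)
    root = build_sample_tree()
    loose = scan_tree(root, compiled, anchored=False)
    strict = scan_tree(root, compiled, anchored=True)
    # Hypothetical user decision at the confirmation screen: keep anything
    # under RegBackup, approve the rest of the loose candidates.
    deleted, kept = remove_notes(loose, lambda fam, p: "RegBackup" not in p)

    def rel(paths):
        return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)

    return {
        "loose": {f: rel(p) for f, p in loose.items()},
        "strict": {f: rel(p) for f, p in strict.items()},
        "deleted": rel(deleted),
        "kept": rel(kept),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the loose scan listing backup_info.txt under AutoLocky while the anchored scan does not, and the confirmation callback keeping the RegBackup file even when the loose rules are used. Whole-name matching narrows the rule, but a note genuinely named info.txt or Readme.txt is still indistinguishable from a benign one by name alone, which is why the confirmation step stays.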


