RCRU64 Ransomware ([ID=id random 6-Mail=email].random 4) Support Topic


52 replies to this topic

#31 rivitna


Posted 29 October 2023 - 08:45 AM

 

Are you saying that these random 3 char extensions - .Hhe, .Lro, .M4x, .Vypt, .Dfi, .HPL, .MRB, .L7I, .MMV - actually belong to RCRU64 Ransomware?
 
Do you have a complete list of extensions used by RCRU64 Ransomware?
 
 

Some ransom extensions are hardcoded (.Vypt).

 

But mostly the ransom extensions are random...

Here is the ID and extension generation algorithm (v4):

https://github.com/rivitna/Malware/blob/main/RCRU64/rcru64_gen_id.py

 

v3

ID - 6 random chars

Ext - 4 random chars

 

v4

ID - 5 random chars

Ext - 3 random chars

 

 

Here is the GoodMorning ID generation algorithm:

https://github.com/rivitna/Malware/blob/main/GoodMorning/gm_id.py


Edited by quietman7, 31 October 2023 - 07:12 AM.



#32 bitrunner


Posted 29 October 2023 - 02:00 PM

Can the code in Github be used to recover an impacted system?
 

Some ransom extensions are hardcoded. (.Vypt)
 
But mostly the ransom extensions are random...
Here is the ID and extension generation algorithm (v4):
https://github.com/rivitna/Malware/blob/main/RCRU64/rcru64_gen_id.py
 
v3
ID - 6 random chars
Ext - 4 random chars
 
v4
ID - 5 random chars
Ext - 3 random chars
 
 
Here is the GoodMorning ID generation algorithm:
https://github.com/rivitna/Malware/blob/main/GoodMorning/gm_id.py



#33 rivitna


Posted 29 October 2023 - 02:08 PM

 

Can the code in Github be used to recover an impacted system?

If you have an RSA private key.


Edited by rivitna, 29 October 2023 - 02:08 PM.


#34 quietman7


Posted 29 October 2023 - 08:04 PM

@bitrunner (& rivitna)
 
I have merged your topic and related postings into the primary support topic for victims of this ransomware.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#35 rivitna


Posted 29 October 2023 - 08:05 PM

 

@bitrunner (& rivitna)
 
I have merged your topic and related postings into the primary support topic for victims of this ransomware.

 

Ok, thanks!



#36 quietman7


Posted 29 October 2023 - 08:13 PM

You're welcome. I appreciate the clarification and feedback.




#37 andrewtran


Posted 22 December 2023 - 01:14 PM

Hello everyone,

My PC had port 3389 (RDP) open to the internet. After that my PC got ransomware.

Could you help check what kind of ransomware this is?

 

https://drive.google.com/drive/folders/1HSQuW9JNLWGASJsp6fV72A5knmlO2s49?usp=sharing

 

Thanks so much

AndrewTran



#38 quietman7


Posted 22 December 2023 - 01:24 PM

....My PC had port 3389 (RDP) open to the internet. After that my PC got ransomware.
Could you help check what kind of ransomware this is?
 
https://drive.google.com/drive/folders/1HSQuW9JNLWGASJsp6fV72A5knmlO2s49?usp=sharing


The encrypted file pattern looks to be a new variant of RCRU64 Ransomware V4, which will have an _[ID-id random 5_Mail-email].random 3 character extension (.HHE, .LRO, .M4X, .Vypt, .DFI, .HPL, .HMC, .MRB, .L7I, .MMV) appended to the end of the encrypted data filename and leave files (ransom notes) named Restore_Your_Files.txt, ReadMe.hta. Here are some examples:

_[ID-GRHYT_Mail-jounypaulo@mail.ee].HHE
_[ID-LQIWB_Mail-pm24@tuta.io].LRO
_[ID-RRF0H_Mail-dr.file2022@gmail.com].M4X
_[ID-DXNVI_Mail-Sc.computer1992@Gmail.com].L7I
_[ID-BVPKO_Mail-insomnia1441@gmail.com].MMV

In your case...

_[ID-OUTHH_Mail-vansu@mailfence.com].4YC

The contents of your ransom note and naming format of the extension with the random 3 characters appended at the end are similar to what we have seen with this ransomware.
 
RCRU64 V4 typically will include a random 5 uppercase character "ID" in the ransom note.

Your ID: RRFOH
Your ID : YUNFY
Your ID : WEKNZ
Your ID : L1LXB
Your ID : BVPKO

In your case...

Your ID : OUTHH

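Added example (not from the thread and not one of rivitna's scripts): a small Python triage helper that parses the `_[ID-<id>_Mail-<email>].<ext>` filenames described in post #38, classifies v3 versus v4 using the ID/extension lengths rivitna gave in post #31, and checks that the ID in a ransom note agrees with the renamed files. The acceptance of "=" separators for v3 names and the third sample filename are assumptions/constructed, not taken from the thread.

```python
import re

# Filename layout quoted in the thread: <original name>_[ID-<id>_Mail-<email>].<ext>
# Post #31 gives the sizes: v3 = 6-char ID + 4-char extension, v4 = 5-char ID + 3-char
# extension. "=" separators are also accepted so the v3 layout written in the topic
# title ([ID=...-Mail=...]) parses too; that v3 form is an assumption, not from the thread.
_NAME_RE = re.compile(
    r"^(?P<orig>.*?)_?\[ID[-=](?P<id>[^_\-\]]+)[_-]Mail[-=](?P<email>[^\]]+)\]\.(?P<ext>[^.]+)$"
)
_NOTE_ID_RE = re.compile(r"Your ID\s*:\s*(\S+)")

# Two names quoted in the thread plus one constructed in the assumed v3 layout.
SAMPLE_NAMES = ["_[ID-OUTHH_Mail-vansu@mailfence.com].4YC",
                "SiteMGMT_log.ldf_[ID-DC3AF_Mail-silolopi736@gmail.com].NQY",
                "Q3_report.xlsx_[ID=K7PZ2Q-Mail=contact@example.com].TR4W"]

def parse_encrypted_name(filename):
    """Split an RCRU64-style filename into its parts; None if it does not match."""
    m = _NAME_RE.match(filename)
    if not m:
        return None
    return {"original": m.group("orig"), "id": m.group("id"),
            "email": m.group("email"), "ext": m.group("ext")}

def guess_version(parsed):
    """Map (ID length, extension length) onto the v3/v4 sizes given in the thread."""
    if parsed is None:
        return "unknown"
    return {(6, 4): "v3", (5, 3): "v4"}.get((len(parsed["id"]), len(parsed["ext"])), "unknown")

def note_id(note_text):
    """Pull the victim ID out of a ransom note ("Your ID : XXXXX")."""
    m = _NOTE_ID_RE.search(note_text)
    return m.group(1) if m else None

def triage(filenames, note_text=""):
    """Summarise one infection: IDs, contact emails, extensions, version guesses, note/ID agreement."""
    report = {"ids": set(), "emails": set(), "exts": set(), "versions": set()}
    for name in filenames:
        p = parse_encrypted_name(name)
        if p is None:          # not renamed by this family; leave it out of the summary
            continue
        report["ids"].add(p["id"])
        report["emails"].add(p["email"])
        report["exts"].add(p["ext"])
        report["versions"].add(guess_version(p))
    report["note_id"] = note_id(note_text)
    # Every renamed file on one host should carry the same ID as the ransom note
    report["note_matches_files"] = report["ids"] == {report["note_id"]}
    return report
```

The agreement check is useful when transcribing IDs by hand: a note ID typed with the letter O where the filename has the digit 0 shows up as `note_matches_files` being False.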


#39 rivitna


Posted 22 December 2023 - 01:43 PM

 

https://drive.google.com/drive/folders/1HSQuW9JNLWGASJsp6fV72A5knmlO2s49?usp=sharing

It's RCRU64 Ransomware.

 

ID (0UTHH) and ransom extension (4YC) are random.

 

Sample

https://www.virustotal.com/gui/file/9368d4db4f743d3a97f8893c28e1157ed8ba82eb8d798b945de0f70c741d94f3

 


Edited by rivitna, 22 December 2023 - 01:48 PM.


#40 quietman7


Posted 22 December 2023 - 01:48 PM

@andrewtran
 
I have merged your topic into the primary support topic for victims of this ransomware.




#41 andrewtran


Posted 22 December 2023 - 06:41 PM

 

 

Can the code in Github be used to recover an impacted system?

If you have an RSA private key

 

Hello,

Normally, does the RSA private key stay on the PC if the PC encryption is not yet complete?

Or does the RSA private key never stay on the victim PC?
Thanks



#42 rivitna


Posted 22 December 2023 - 07:22 PM

In general, if a session private key is generated on a compromised computer, it is immediately encrypted using the master public key and erased. A session public key is used for encryption.

 

RCRU64 ransomware contains 3 RSA public keys (2 RSA-2048 and 1 RSA-3072), and the attackers have private keys.

One RSA-2048 key is used to encrypt files, the other two are used to encrypt various information.



#43 quietman7


Posted 22 January 2024 - 05:49 PM

New variant of RCRU64 Ransomware reported with .HM8 extension


Paris
Your Files Has Been Stolen And Encrypted!
All Your Files Are Locked And Important Data Downloaded !
Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You .
If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data, You Don't Have Much Time!
Your ID : OGA1Q
If You Want To Restore Them Email Us : silolopi736@gmail.com
If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Telegram , ID : @silolopi736
To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .
Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email.
We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail.
What Is The Guarantee !
Before Payment You Can Send Some Files For Decryption Test.
If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits.
--------------------------------------------------------------------------------
Attention !
Do Not Rename,Modify Encrypted Files .
Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because
It May Make Decryption Harder Or Destroy Your Files Forever !
--------------------------------------------------------------------------------
Buy Bitcoin !
hxxps://www.kraken.com/learn/buy-bitcoin-btc
hxxps://www.coinbase.com/how-to-buy/bitcoin

 

 




#44 rivitna


Posted 22 January 2024 - 06:20 PM

https://www.virustotal.com/gui/file/dcf573e0bbf6a16fa3e9d29bc5539fc83ba50bb5a48340a04a52d6362dd70d66

 

Ransom extension and ID are random.



#45 pabibhatiya


Posted 15 February 2024 - 03:44 AM

Hello, is there any luck? The private key is failing when I decrypt this file :)

 

python .\rcru64_decrypt_file.py SiteMGMT_log.ldf_[ID-DC3AF_Mail-silolopi736@gmail.com].NQY   
metadata marker pos: 00100001
chunk size: 204800
chunk space: 819200
encryption size: 1048576
RSA private key: Failed
Error: Failed to decrypt file


Is it possible to find the private key or RSA key or something on the attacked computer?





