HsHarada/Rapture Ransomware ([random 6 chars]; -README.txt) Support Topic


37 replies to this topic

#16 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2023 - 03:22 PM

Topic title changed to reflect naming convention and direct other victims to this support topic.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief



#17 Adha
  • Topic Starter
  • Members
  • 13 posts

Posted 07 April 2023 - 05:59 PM

How can I help you, sir?

#18 Amigo-A
    Security specialist and Ransomware expert
  • Members
  • 3,049 posts
  • Gender:Male
  • Location:Bering Strait

Posted 08 April 2023 - 04:51 AM

Adha

 

On the affected computer press the keys Win + R

and enter the command
cmd /c dir C:\ /a/s > "%userprofile%\dirc.log"
press OK
wait until the command window closes, then find the file
C:\Users\User\dirc.log

Zip the dirc.log file and send me the zip file via PM.

Edited by Amigo-A, 08 April 2023 - 04:51 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#19 Amigo-A
    Security specialist and Ransomware expert
  • Members
  • 3,049 posts
  • Gender:Male
  • Location:Bering Strait

Posted 08 April 2023 - 04:55 AM

You need to find the malicious file that did the encryption of your files.
There are many ways in which they can reside or drop files. But sometimes it is enough to browse only the following directories to find them.
 
C:\Users\User\AppData\Local\
C:\Users\User\AppData\LocalLow\
C:\Users\User\AppData\Roaming\
C:\Temp\
C:\Windows\Temp\
 
Compare with the date when the encryption took place; this can be seen in the properties of files and folders (when they were created and/or modified).
Compare with the ransom notes; they definitely appeared at the time when the encryption happened.

Edited by Amigo-A, 08 April 2023 - 04:57 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 
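The triage Amigo-A describes above (take the ransom notes' timestamps as the moment of encryption, then look in the usual drop directories for files created or modified around that time) can be scripted so it runs the same way on every affected machine or on a mounted image of its disk. This is an added example, not a tool from the thread or from Amigo-A: the directory list is his, the `<6 random chars>-README.txt` note name comes from the topic title, the `User` account name and the one-hour `slack` are assumptions, and the demo tree (file names and times) is constructed for the demonstration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# The drop locations listed in the post, relative to the drive root being examined.
# "User" is the profile name from the post; substitute the real account name.
STAGING_DIRS = [
    "Users/User/AppData/Local",
    "Users/User/AppData/LocalLow",
    "Users/User/AppData/Roaming",
    "Temp",
    "Windows/Temp",
]

# Ransom note naming from the topic title: six random alphanumerics + "-README.txt".
NOTE_RE = re.compile(r"^[A-Za-z0-9]{6}-README\.txt$")


def find_ransom_notes(root):
    """Walk the whole tree and return [(path, mtime)] for every matching note."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                path = Path(dirpath) / name
                notes.append((path, path.stat().st_mtime))
    return notes


def encryption_window(notes):
    """Earliest and latest note timestamp; the notes are written while encryption runs."""
    times = [mtime for _path, mtime in notes]
    if not times:
        return None
    return min(times), max(times)


def candidate_files(root, window, slack=3600):
    """Non-note files in the staging directories whose mtime lies in window +/- slack.

    Only st_mtime is used: Python's st_ctime is creation time on Windows but inode
    change time on Linux/macOS, so it is not portable when triaging a mounted image."""
    start, end = window[0] - slack, window[1] + slack
    hits = []
    for rel in STAGING_DIRS:
        base = Path(root) / rel
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if NOTE_RE.match(name):
                    continue
                path = Path(dirpath) / name
                if start <= path.stat().st_mtime <= end:
                    hits.append(path)
    return sorted(hits)


def triage(root, slack=3600):
    """Full pipeline: notes -> time window -> suspicious files in drop directories."""
    window = encryption_window(find_ransom_notes(root))
    return [] if window is None else candidate_files(root, window, slack)


def build_demo_tree():
    """Constructed sample tree (not real evidence): one note, one file dropped ten
    minutes before the note, one month-old file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="hsharada_triage_"))
    enc_time = time.time() - 2 * 86400          # pretend encryption ran two days ago
    note = root / "Users/User/Documents/m9SRob-README.txt"
    recent = root / "Users/User/AppData/Roaming/svc_update.exe"   # constructed name
    old = root / "Users/User/AppData/Local/installer.log"
    for path in (note, recent, old):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample, not real evidence\n")
    os.utime(note, (enc_time, enc_time))
    os.utime(recent, (enc_time - 600, enc_time - 600))
    os.utime(old, (enc_time - 30 * 86400, enc_time - 30 * 86400))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in triage(demo_root):
        print(hit.relative_to(demo_root))
```

Run it against a copy or a read-only mount rather than the live system so the timestamps are not disturbed, and widen `slack` if the notes were written long after the first file was touched. Anything it lists still needs the manual check the post asks for (properties, hash, VirusTotal) before being treated as the encryptor.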

 


#20 ADS82
  • Members
  • 5 posts

Posted 19 September 2023 - 09:43 PM

Maybe someone can help with the decryption.
 
Ransom Note Contents:

Your important files have been modified

Your unique ID is  9eCTFzqgMRJ3AIlUbdOkNSEEk0YTHw9ek2ybsjskiSxiVjrsDl

Any attempts to restore your files with the thrid-party software will be fatal for your files!
There is only one way to get the files back


| 1. Send an email with YOUR ID to our mailbox:
    >       Rsacrpthelp@skiff.com
    >       rainbowforever@tutanota.com
| 2. Complete the payment in the method specified by us (usually Monero)


 ###  Attention! ###
 # Do not rename encrypted files.
 # Do not try to decrypt using third party software, it may cause permanent data loss.
 # Decryption of your files with the help of third parties may cause increased price(they add their fee to our)

 

 


#21 al1963
  • Members
  • 1,178 posts

Posted 20 September 2023 - 12:09 AM

To determine the type of ransomware, add a few encrypted files to the archive, upload the archive to http://sendspace.com, and give us a link to download the archive. If you still have the ransomware file, upload it to virustotal.com and give us a link to the scan result.


Edited by al1963, 20 September 2023 - 12:14 AM.


#22 rivitna
  • Security Colleague
  • 185 posts
  • Gender:Male

Posted 20 September 2023 - 05:11 AM

https://www.bleepingcomputer.com/forums/t/784012/hsharada-ransomware-m9srob-support-topic/
https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/?p=5454873



#23 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 September 2023 - 05:32 AM

@ADS82

 

Any files that are encrypted with HsHarada Ransomware will have a random 6 character extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same random extension as part of the name, as explained here by Amigo-A (Andrew Ivanov). These are some examples:

.m9SRob
m9SRob-README.txt
.ua2Id7
ua2Id7-README.txt

In your case, .JCuYqr appears to be a new variant and the naming + contents of your ransom note are similar to what we have seen with variants of this ransomware.

.JCuYqr
JCuYqr-README.txt

HsHarada Ransomware is known to include a long string of alpha-numerical characters comprising a SPECIAL KEY or unique ID in the ransom note.

YOUR SPECIAL KEY is F2nQOVOzOPeK853xvR3zo0PnSZd8cInPF9rWP9ydQTJzfMtJaZ
YOUR SPECIAL KEY is txVJM8ZZC8kq4btqqN1hjA9wq04MwWEblfVsRhBNAG85MDPiB8

Your note includes:

Your unique ID is  9eCTFzqgMRJ3AIlUbdOkNSEEk0YTHw9ek2ybsjskiSxiVjrsDl

Since this appears to be a new variant I have merged your topic and related postings into the primary support topic for victims of this ransomware.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
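The naming rule quietman7 sets out above (a six-character random token appended as the extension, a note named `<same token>-README.txt`, and a long alphanumeric ID in the note body) is enough to classify a directory listing and pull out the ID a victim would submit to ID Ransomware. This is an added example, not code from the forum or from any researcher named in the thread. The `.m9SRob`, `.JCuYqr`, `.ua2Id7` tokens and the two ID strings are the ones quoted in the thread; the file names, the `.sqlite` decoy and the note fragment are constructed. Requiring at least 40 ID characters is an assumption based on the three 50-character IDs quoted here.

```python
import re
from collections import defaultdict

# "<stem>.<six alphanumerics>": the appended extension described in the post.
EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<token>[A-Za-z0-9]{6})$")
# "<six alphanumerics>-README.txt": the ransom note carrying the same token.
NOTE_RE = re.compile(r"^(?P<token>[A-Za-z0-9]{6})-README\.txt$")
# Labels seen in the notes quoted in this thread, followed by the ID (assumed >= 40 chars).
ID_RE = re.compile(
    r"(?:YOUR SPECIAL KEY is|Your unique ID is|Your Crp ID is)\s+([A-Za-z0-9]{40,})"
)


def note_tokens(filenames):
    """Tokens for which a '<token>-README.txt' is present in the listing."""
    return {m.group("token") for m in map(NOTE_RE.match, filenames) if m}


def group_encrypted_files(filenames):
    """Map each note token to the original names of the files carrying it.

    A bare six-character extension is not evidence on its own (".sqlite", ".config",
    ".pickle" are legitimate), so a file counts only when a note with the same
    token exists. That is the check that keeps this from flagging ordinary files."""
    tokens = note_tokens(filenames)
    groups = defaultdict(list)
    for name in filenames:
        m = EXT_RE.match(name)
        if m and m.group("token") in tokens:
            groups[m.group("token")].append(m.group("stem"))
    return {token: sorted(stems) for token, stems in groups.items()}


def unanchored_tokens(filenames, min_files=3):
    """Heuristic for the case where the note is missing (deleted, or the listing is
    partial): tokens shared by at least min_files files but with no matching note."""
    tokens = note_tokens(filenames)
    counts = defaultdict(int)
    for name in filenames:
        m = EXT_RE.match(name)
        if m and m.group("token") not in tokens:
            counts[m.group("token")] += 1
    return {token for token, n in counts.items() if n >= min_files}


def extract_victim_id(note_text):
    """Return the long ID from a note body, or None if no known label is present."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


# Constructed directory listing; the six-character tokens are the ones from the thread.
SAMPLE_LISTING = [
    "budget.xlsx.m9SRob",
    "photo.jpg.m9SRob",
    "m9SRob-README.txt",
    "contract.docx.JCuYqr",
    "JCuYqr-README.txt",
    "notes.sqlite",            # legitimate six-letter extension, no note: ignored
    "readme.txt",
    "db1.bak.ua2Id7",          # token from the thread but no note in this listing
    "db2.bak.ua2Id7",
    "db3.bak.ua2Id7",
]

# Constructed note fragment using the ID quoted in post #20.
SAMPLE_NOTE = """Your important files have been modified

Your unique ID is  9eCTFzqgMRJ3AIlUbdOkNSEEk0YTHw9ek2ybsjskiSxiVjrsDl
"""

if __name__ == "__main__":
    print(group_encrypted_files(SAMPLE_LISTING))
    print(unanchored_tokens(SAMPLE_LISTING))
    print(extract_victim_id(SAMPLE_NOTE))
```

Anchoring on the note token is what makes the classification reliable; `unanchored_tokens` is only a prompt for a manual look. The ID, one note and a pair of encrypted files are what the identification services linked in this topic ask for, so keeping them together per token saves a round trip with the victim.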


#24 rivitna
  • Security Colleague
  • 185 posts
  • Gender:Male

Posted 23 November 2023 - 06:03 PM

HsHarada (aka Rapture) ransomware

https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html

 

Attacker's email

hsharada@skiff.com
r.heisler@keemail.me
r.heisler@skiff.com
rainbowforever@skiff.com
rainbowforever@tutanota.com
ghostsbackup@skiff.com
summerkiller@tutanota.com
shadowghost@skiff.com
lastghost@skiff.com
Rsacrpthelp@skiff.com


#25 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 November 2023 - 06:45 PM

Good info. First page updated.




#26 rivitna
  • Security Colleague
  • 185 posts
  • Gender:Male

Posted 24 November 2023 - 12:42 AM

> Good info. First page updated.

Thanks a lot!



#27 quietman7
    Bleepin' Gumshoe
  • Global Moderator
  • 61,818 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 November 2023 - 05:41 AM

You're welcome.




#28 rivitna
  • Security Colleague
  • 185 posts
  • Gender:Male

Posted 24 November 2023 - 05:57 PM

crypto scheme: AES-256 CFB / RSA-2048



#29 rivitna
  • Security Colleague
  • 185 posts
  • Gender:Male

Posted 11 December 2023 - 08:52 AM

https://github.com/rivitna/Malware/tree/main/HsHarada



#30 alvi1903
  • Members
  • 3 posts

Posted 10 January 2024 - 02:39 PM

https://id-ransomware.malwarehunterteam.com/identify.php

SHA1: 62e6bb8b68b9add902b4949554b1c1f289125e0d

Greetings, our server has unfortunately been compromised by a ransomware attack. I am earnestly requesting assistance from the designated authorities within this forum. The files affected are of immense importance to me. I kindly implore your support in this matter. My sincerest thanks to everyone for dedicating your time and effort to help.

Your important files have been modified
 
Your Crp ID is  hJVUwdZ9OVDF7dfXthRMAtE9PoRYg0DREciALHK2YiP9Dpw8As
 
Send an email with YOUR ID to our mailbox: (Get the ransom price)
    >      Genesis1337@skiff.com
    >      genesis1337@tutanota.com
 
We steal the files to the server and if you don't contact us within three days, we will sell them to the dark web
 
!!!!!!!!!!!!!!!!   we are just for money
We guarantee decryption, as long as you pay the ransom (we will not cheat, in order to let more customers trust us, we will not be stupid enough to cheat paying customers)
 
  Remember, contact us promptly to get a better price!
Once more than three days contact us (maybe the ransom will be increased)

Edited by alvi1903, 10 January 2024 - 02:53 PM.




