I take a quick look at a new version of another file-encrypting ransomware trojan. Unlike previous versions, this one leaves (nearly) no way to decrypt your files without the correct password.
A ransomware
that actually
delivers
If I knew myself, but this comment is old.
Just forget it, this comment is old.
I read it as a haiku, thank god I renewed my bamboozle insurance yesterday.
@@marimeme indeed, it is
@@youtube.commentator yes it is very old indeed
I'll send them BankInfo.txt.exe.
yea
Wow wasnt expecting to see a toontown fan like me here XD
"CRAZY RUSSIAN PORN" 😆 fucking brilliant!!
i get that reference 😂😂😂
Change all files to .mp3
I mean before.
+minerinnorway norsk gaming For this occasion before he runs the virus.
+ThePuffin77
What a smart idea!
because then this may happen:
Russian.exe INFECTED
fakeimagedisquised.mp3 SAFE!
Send them/him a txt with the Rick roll url
you did it, amp. you did the thing. i'm so proud of you.
What if you have the internet disconnected so the server does not receive the password?
+don brathuhn It doesn't work. This person has the decency to not fuck you if they make no money from you.
This is obsolete, so it doesn't matter either way. (operating server 37.221.162.51 is now shut down)
what if you get it, but have internet off, then restart and turn it on?
@@smasher4291 please try that and let us know
So basically WireShark (or any packet analyzer) toasts this ransomware through and through.
Your user icon is a work of art
In case you haven't found it yet, it was Desktop Defender 2010.
someone needs to make a virus that pops up Rickroll every 2 seconds
Which ransomware was that fake AV that made your computer lock up, flashed the screen red, and played this annoying electrical sound through the speakers? I remember seeing it on Rogueamps channel.
both of these are system processes that are essential for your computer to run. do NOT end their processes or system trees.
Where would you generally get infected by a ransomware? Would the person who made it have disguised it as something too good to be true and sent it to you?
This is why I ghost copy my drive to a redundant RAID server every night. You can build one for just backups, ghost copies etc. for less than $200; then if your computer gets ransomed, you just re-install, and since it is a ghost copy, restore it to right before your machine was ransomed.
Wow, that's one hell of a trojan 0.0
It wouldn't make any difference. Create a text file, put words in it. Then, change its extension to something like .data, or like in the video, .txt.crypt. If you try to open it with Notepad, it'll show the file's contents just fine.
So rogue's been listening to some Jim Jones
I miss Chad Warden. BALLIN.
Those are so mainstream now that that isn't really a safe assumption.
We fly high
No lie
You know dis
BALLIN
What you could do is disassemble the file and find out how it works. Then find where the data is in memory and then execute the file, preferably through a debugger, and you shall find the key. Although regular execution would not work, because it will only be in memory a fraction of a second, dependent on speeds and opcodes.
Those text files made me laugh pretty hard.
wouldn't there be a key to use, it needs a key to encrypt it right? decompiling it might help us
I went to the destination IP that the .php file lies on in an attempt to see how it does it, but it asks for a log on, with the description being "bit-coin mining proxy". huh
needless to say I couldn't log-in, and it booted me to a page saying "Sorry, I don't know you."
Wouldn't you think that the packet that sends the password would use SSL to prevent people from using sniffers to get the password?
i think you should put that code in the description so that people can remove it easily.
and also, gr8 files
That is very cool that you can use wireshark for anything
So? Aren't you a fan of something too?
***** Why are you criticising her for liking Roblox? Is it because you hate Roblox? I could also say that your grammar is bad, as that "sentence" - if I could even call it that - doesn't make sense AT ALL. Roblox also has nothing to DO with WireShark. Come on, at least step up your game a little bit. Or are you just gonna write another complaint comment, with your one subscriber (probably you) and your 10 views?
HashtagBenches Thank you. You didn't have to stand up for me.
Roblox TheTechyButterfly Eh, no problem.
+HashtagBenches This is the internet. Don't take what people say to heart
hmm, maybe it also affects programs because it thinks it might have to do with a problem you are trying to resolve; point still stands, system restore should not affect pictures, documents, music, etc.
1:14 Ballin. Jarl Ballin.
Ballin'.
We Fly High You know this. You watch Chad Warden before this video xD?
What would happen if this was run on a machine without an internet connection? I doubt files are being uploaded to a server and changed there, or you could just send huge files at the server constantly, the encryption has to be in that exe, surely? which would mean someone like xylitol could make a fix with a bit of ollydbging.
WOMAN IM LOOOOORD OF THE RINGS
that ransom ware kills safe mode as well though!!!!
ballin
Who ever said I was a white hat D: I am curious to see if I can reverse engineer it, I mean I have several books on cryptology and I am currently developing a system of encryption, but I need something which seems like a challenge :3
what is the OS used in this video?
is this Windows 7 with the Windows 2000 interface?
Here we go, more ransomware. :P
I heard on Britc09's site there is a decryption tool
Hi, keep up to date on this Birele Ransomware? Thanks!
I wonder if it's using RC4 or some other weaksauce crypto with an identical keystream for every file. In that case if you have a backup of any of the files, you can recover the keystream, up to the size of that file, with some xor action. Then xor the keystream with the ciphertext to get back you precious crazy Russian porn.
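The attack this comment describes, written out as an added example (not code from the video, the comments, or the Birele sample): if every file is XORed with the same keystream, one intact backup gives you the keystream for free, and with it every other file up to that length. RC4 is implemented inline so the script runs offline; the key and the three "files" are constructed sample data. The same recovery works for any stream cipher or counter-mode block cipher whose keystream is reused, which is why a properly implemented scheme uses a fresh key or IV per file and is immune to it.

```python
# Added example: known-plaintext keystream recovery against a stream cipher that
# reuses one keystream for every file. Nothing here is taken from the real sample;
# KEY and the plaintexts below are constructed for the demonstration.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Models the flawed ransomware: the same key (hence keystream) for every file."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: keystream = C xor P, valid for len(known_plaintext) bytes."""
    return xor(ciphertext, known_plaintext)


def recover_lost_file(lost_ciphertext: bytes, keystream: bytes):
    """Decrypt as much of another file as the recovered keystream covers.
    Returns (recovered_bytes, bytes_still_unknown)."""
    n = min(len(lost_ciphertext), len(keystream))
    return xor(lost_ciphertext[:n], keystream[:n]), len(lost_ciphertext) - n


# Constructed sample data: a file we still have a backup of, a shorter lost file,
# and a longer lost file that the backup cannot fully cover.
KEY = b"hypothetical-static-key"
BACKUP_PLAINTEXT = b"We fly high, no lie, you know this. BALLIN. " * 3      # 132 bytes
LOST_PLAINTEXT = b"Precious crazy Russian porn goes here."                  # shorter
LONG_PLAINTEXT = b"Gruel virus sample, repeated: " * 6                       # 180 bytes


def demo():
    """Run the attack end to end; returns (short_file_ok, long_file_prefix_ok, long_bytes_missing)."""
    keystream = recover_keystream(encrypt_file(KEY, BACKUP_PLAINTEXT), BACKUP_PLAINTEXT)
    short, missing_short = recover_lost_file(encrypt_file(KEY, LOST_PLAINTEXT), keystream)
    long_prefix, missing_long = recover_lost_file(encrypt_file(KEY, LONG_PLAINTEXT), keystream)
    return (short == LOST_PLAINTEXT and missing_short == 0,
            long_prefix == LONG_PLAINTEXT[:len(BACKUP_PLAINTEXT)],
            missing_long)


if __name__ == "__main__":
    print(demo())
```

The limitation is visible in the third return value: a backup only buys you keystream up to its own length, so the largest intact file you still have determines how much of everything else comes back.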
what happens when you run it again? You could spam add.php to see what happens :)
I could install Linux, but I prefer to be productive. I am a certified Microsoft, apple, and GNU/Linux tech, and for productivity Windows is the best
Would it be possible to decrypt a file by comparing the encrypted version to the unencrypted version the criminal sends you?
no matter what antimalware/antivirus program you use... there will always be ways around it. Its impossible to block every virus.
Do you know which type of encryption method it uses? This seems very interesting and I feel like I would like to take the challenge to decrypt it :) I mean pm me a link to where I can download this so I can take a crack at it :O
Wait, couldn't you just get wire shark and run it again?
Does it send out the password every time the informer starts?
IT ISSSSSS FUCKED that was so funny
all the test files are a reference to Chad Warden lol
Yeah, I'm sure.
Dammit, i just recorded a whole video of this!
Looks like they're getting their money through bitcoins... They are gonna be impossible to track down... Damn :(
but what happens if you get it and you send them a DDOS or SQL in that one file ur allowed to send them ?
***** but their antivirus or protection will block it, and since they are able to design something like this they are bound to be grey hat hackers, so it'll be easy for them to counter the rogue, but SQL injects can bypass their defense systems, and denial of service will stop them from destroying your data for sending them an SQL
That Stupid Guy That Will Slap Your Face Send them the Fagot virus.
It'll infect them AND call them a fagot at the same time.
t-t-t-torture breaker
if I get infected with this I will send them the Gruel virus or the Internet Security rogue
a good one would be the Trojan.zeroaccess, if you've got experience with it. Because zeroaccess basically sneakily gets into their system, deactivates internet security, then it opens a backdoor and installs a tonne of other viruses which crash their computer. With the backdoor you basically get control over the system and you can get the passkey to unlock your system by yourself from their computer :D
I'd be sending something which can blow their machine up, with some kind of overflow
What is this?
now that's just mean.
$300 a lot of money to pay
You're already stupid enough to download ransomware, right?
he said it generates a random password
so there is no actual password
Sup bitches. It's Chad Warden here.
good thing I run linux.
in front of the tmp to download
Nice :D
It's pronounced Baigh-real-ayyyyyyyyyyyy lmao
Lol porn.jpg on the desktop
Test.
lol
or just use Linux.
*Jones_Tec* is reliable when it comes to recovery of files. He's a genius without any delay.
Lol
OMG jp file
Me 2
Calm down dude, its not that funny...
NOOOOOOO! The scry computr ting rooned me shmexy pr0nz!
"And of course, we have a JPG."
"CRAZY RUSSIAN PORN"
Rogueamp, you classy, classy, man.
Birele uses AES. And I'd imagine it is implemented properly without any vulnerabilities.
YESSS GIMME DAT CRAZEEEE RUSSUAANNN PPOOORRRNNNNNNNNÑ
I really enjoy watching these types of videos in the morning, generally while drinking a Monster, or Redbull. Except, it's 1PM. I overslept, I'm too fucking sick to go to the store to get anything, and it would taste like shit, most likely. Sorry for telling you all my whole life story.
Check Google. I'm pretty sure it is a rogue so go on google or something and look it up. Generally when you type in the name of a rogue everything that comes up is warnings and bad reviews from websites like BleepingComputer.
I wonder how it can display "Password accepted". Does it check with the server? A file that it decrypts with known contents to test the password? Or is the password still saved on the system?
This ransomware is now obsolete.
The IP the webserver this runs on (37.221.162.51) is now no longer available.
If you really want to, I suppose you can route 37.221.162.51 to localhost in your hosts file. I got a sample of this, and this is a quick fix, as it will not encrypt anything if it can't properly send the code.
I can respect that.
Won't encrypt if it can't make sure it can unencrypt.
Try "Emsisoft Harasom Decrypter". Maybe it will decrypt this ransomware? Let me know. Write Emsisoft Anti-Malware support for the decrypter!
Good thing I run comodo
No virus will ever come on my PC as long as I have comodo on it :) it has the best behavior blocker ever
I just got a Dell Dimension 3000 series with 600gb just for programming viruses, and Trojans. I spent $30 on the computer.
idk 'bout rthdco.exe and smss.exe but if it is under the owner user etc. you MAAAAY wunna end the process
system restore has to do with the windows installation and registry; it doesn't touch your files
Oh, I see it's a stupid program that throws up some random message boxes. How nice.
So, we can still watch our porn videos. This Ransomware is somewhat nice, I guess.
system restore?
The code is different every time so it's no use.
So the amp found out about chad warden now lol.
That'sSomeCrazyPorn.jpg.jpg.. Wut.txt
Where do you get these ransomwares and rogues? I would like to try some of them on my VM.
Ctrl+F5 fixed it for me.
You wasn't first...I WAS!
Put in h ttps://
crack the program with a decompiler and get the key and the parameters
... It reads it off of a server, and said server has authentication. That wouldn't work.
Mustang is right.
The way this works is by generating a private seed to encrypt with, which is what that identification number is, so say each install's password seed is: identification number + "xOdpdDFPG40fxZ"; if you decompiled it you could get the seed, and thus, the password.
+.Float what's preventing this thing from having a preset pattern, if the password does not match the pattern, why interact with the server at all?
or you can enter an incorrect password with the correct pattern, it would contact the server then realize it's the incorrect password.
nothing is preventing the owner from keeping the key and the parameters on a private disposable server and sending it when the password is correct.
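The two designs argued over in this exchange, and the earlier question of how the program can say "Password accepted" at all, side by side as an added example (not code from the video or the Birele sample, whose actual scheme the thread does not establish): (a) the commenter's hypothetical scheme where the key is derived from the visible identification number plus a constant baked into the binary, which anyone who decompiles it can recompute, and (b) a random key that only ever exists on the attacker's server. In both cases the machine can verify a candidate password locally with a small check value, without the key itself ever being stored. The constant "xOdpdDFPG40fxZ" is the commenter's made-up example value and the install id is constructed; neither is a real artefact.

```python
import hashlib
import hmac
import os

# Added example contrasting two key-management designs for a ransomware
# "Password accepted" check. The salt and install id are hypothetical values.

HARDCODED_SALT = b"xOdpdDFPG40fxZ"   # hypothetical constant recoverable by decompiling
INSTALL_ID = "483920175"             # constructed; stands in for the number in the ransom note


def derive_key_from_id(install_id: str) -> bytes:
    """Scheme (a): key = SHA-256(id || constant). Recomputable by anyone with the binary."""
    return hashlib.sha256(install_id.encode() + HARDCODED_SALT).digest()


def generate_server_key() -> bytes:
    """Scheme (b): a fresh random key that is sent to the server and never written to disk."""
    return os.urandom(32)


def make_verifier(key: bytes) -> bytes:
    """The only thing that needs to stay on the victim's machine: a MAC over a fixed
    marker. Checking a password then needs no server round trip and leaks no key.
    (A small known-plaintext file encrypted under the key would serve the same purpose.)"""
    return hmac.new(key, b"password-check-marker", hashlib.sha256).digest()


def password_accepted(candidate_key: bytes, verifier: bytes) -> bool:
    """Local 'Password accepted' decision, constant-time compare."""
    return hmac.compare_digest(make_verifier(candidate_key), verifier)


def attacker_can_recover_offline(install_id: str, verifier: bytes) -> bool:
    """Models 'decompile it, get the seed, and thus the password': rebuild the key from
    the visible id and the leaked constant, and see whether the verifier accepts it."""
    return password_accepted(derive_key_from_id(install_id), verifier)


def demo():
    """Returns (recoverable_under_scheme_a, recoverable_under_scheme_b)."""
    weak_verifier = make_verifier(derive_key_from_id(INSTALL_ID))      # scheme (a)
    strong_verifier = make_verifier(generate_server_key())             # scheme (b)
    return (attacker_can_recover_offline(INSTALL_ID, weak_verifier),
            attacker_can_recover_offline(INSTALL_ID, strong_verifier))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The second result is the point of the reply above: with a random key held only server-side, the verifier on disk tells you whether a guess is right but gives you nothing to derive the key from, so disassembling the executable does not help.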
Ticha360 What?
avast covered that voice with "AVAST HAS SUCCESSFULLY UPDATED!"
porn.jpg
Yeah, I love when I see your new videos in my sub box