
MERRY_I_LOVE_YOU_BRUCE.hta ransomware

A customer with Sophos Endpoint 10.6 has just dropped off his laptop. He picked up a ransomware virus on some furniture website that has seemingly encrypted program files on his machine and renamed or created files with a .MERRY extension. It also leaves an HTML application file named MERRY_I_LOVE_U_BRUCE in all folders with application files. I have not seen any documents that have been touched yet. The virus came in when he tried to view a file and it showed the classic "you need to download this font to view the document" message.

In searching the web tonight I can only see a few postings, and all seem to be vague and then point to SPYHUNTER. I don't like playing around further, so I will not touch that.

Has anyone seen anything on this campaign, or know what can be done about it? Of course this is the one system that I don't have access to where I would normally have backups, and the system restore files have been deleted.

I don't have my equipment here to image the drive so I won't play around with it quite yet.

  • Hello! Did you manage to recover your files? Because we have the same problem with MERRY_I_LOVE_U_BRUCE ransomware on one of our workstations. Fortunately the scum didn't spread via LAN. So now we are seeking a way to recover the encrypted files. But almost all sites from a Google search are similar to this one and promote the SpyHunter tool. It is like a joke... Mbam, ShadowExplorer, CureIt can't cope with the ransom but SpyHunter can (only if you pay $$).

    So we are stuck here with this merry...

    Will be thankful for any help!

  • Sorry for the delayed response.

    As I mentioned in my original posting, it would seem that in our case the files that were encrypted were in the /Boot area and in the C:\Program Files and Program Files (x86) areas only. Not a single document, picture, PDF or video was affected. But I was not going to go forward with the system as it was, so I imaged the original to another device using Image for Linux, copied the documents we needed to another device and then blew away the world. Note - I did try the Hitman Pro product, but what it found was seemingly insignificant. I think this is one of those cases where the virus came and went once the deed was done, but I cannot explain why no documents were touched unless Sophos would claim to have helped.

    I wonder whether Intercept-X would have helped. I have now set the machine up on a trial of Central and Intercept-X after loading the OS again, the programs, and all the saved files. Scan after scan has not found anything.

    Now the interesting item is that the customer (against my asking him not to), on another office system (not his independent laptop that was isolated when infected), went to the same website where he got tackled the first time and again saw the message that the font could not be rendered and he needed to download the font. Luckily that is as far as he went, but time will tell if we have another situation brewing. Hopefully not, as I am going off for a few weeks shortly for surgery and recovery time and I won't be near a computer or their offices. Oh, and the website was www.decorium.com - a furniture store in our area. Kids, don't try this at home!

    I would love to give more detailed information but there is nothing I can find other than the .hta file that displays the ransomware screen and the encrypted .MERRY files within the programs section.

    David
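
    An offline triage script for the indicators this thread describes (the .MERRY extension on files under Program Files, and the MERRY_I_LOVE_U_BRUCE.hta note dropped per folder). This is an added example, not code from the thread, from the posters or from Sophos. It assumes it is run against a mounted, read-only copy of the victim's disk (such as the image David took), never the live machine, and that the indicator names are the ones reported above; the note-name spellings U/YOU both appear in the thread, so both are matched. The directory layout it builds for the demo is constructed to mirror the posts (application names are hypothetical). It inventories and hashes the artefacts without opening the .hta as a document or executing anything, and counts hits per top-level directory so "only Program Files, no documents" can be verified from the disk rather than inferred from what a scanner happens to report.

```python
"""Offline triage for the .MERRY / MERRY_I_LOVE_U_BRUCE.hta indicators described in the thread.

Added example, not code from the thread or from Sophos. Run it against a mounted,
read-only copy of the victim's disk (e.g. the forensic image), not the live host.
It inventories files carrying the .MERRY extension and the dropped .hta ransom
notes, hashes the notes, and counts encrypted files per top-level directory so the
"only Program Files, no documents" observation can be verified rather than assumed.
Nothing is opened as a document or executed.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".merry"   # extension reported in the thread (compared case-insensitively)
NOTE_NAMES = {             # ransom-note file names; both spellings appear in the thread
    "merry_i_love_u_bruce.hta",
    "merry_i_love_you_bruce.hta",
}


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large artefacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root) -> dict:
    """Walk `root` and return an inventory of encrypted files and ransom notes."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(Path(dirpath) / name)
            elif lower in NOTE_NAMES:
                notes.append(Path(dirpath) / name)

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    # Encrypted files per first path component under the root ("Program Files",
    # "Users", ...) show where the malware actually wrote, independent of any scanner.
    per_top_dir = Counter(p.relative_to(root).parts[0] for p in encrypted)
    note_hashes = {rel(p): sha256_file(p) for p in notes}
    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": note_hashes,
        "per_top_dir": dict(per_top_dir),
        # One distinct hash means every dropped note is byte-identical, i.e. there is
        # a single sample to submit to the vendor rather than one per folder.
        "distinct_note_hashes": len(set(note_hashes.values())),
    }


def build_sample_tree(base) -> Path:
    """Constructed sample layout mirroring what the thread reports (hypothetical app names)."""
    base = Path(base)
    note = b"<html><body>constructed placeholder, not the real ransom note</body></html>"
    layout = {
        "Program Files/SomeApp/someapp.exe.MERRY": b"\x00" * 64,
        "Program Files/SomeApp/MERRY_I_LOVE_U_BRUCE.hta": note,
        "Program Files (x86)/SomeTool/sometool.dll.MERRY": b"\x01" * 64,
        "Program Files (x86)/SomeTool/MERRY_I_LOVE_U_BRUCE.hta": note,
        "Users/bruce/Documents/report.docx": b"untouched document",  # must NOT be flagged
    }
    for relpath, content in layout.items():
        p = base / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it; returns the inventory."""
    return triage(build_sample_tree(tempfile.mkdtemp(prefix="merry_triage_")))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    To use it on a real image, mount the image read-only and call `triage("/mnt/victim")` in place of `demo()`; the per-directory counts answer the "why no documents" question directly, and the note hash gives you one sample to submit instead of a copy from every folder.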

  • Hello David,

    why no documents [...] Intercept-X [...] scan after scan has not found anything
    Intercept-X is not a static scanner, and furthermore my last encounter with ransomware suggested that the writers do a damn good job of mopping up. Perhaps they do it even before starting to encrypt, so that (almost) no traces are left even if you cut power. Thus you won't find anything even remotely significant afterwards.
    On at least two occasions Sophos (HIPS) terminated a process (but this should have been logged). I can't say if it was indeed ransomware, as nothing was left behind and nothing had been encrypted or dropped yet. The process was rundll32.exe, though, and thus the activity was somewhat suspicious.

    No idea why non-documents were encrypted. A bug?

    Christian