Hello,
I have a client which is infected with ransom virus (sos@anointernet.com).
What it does:
1. Append XXXXXXXXX-sos@anointernet.com to filenames
2. Modify exactly the first 30 000 bits of the file (looks like encryption at first glance)
3. Append 4 bits at the end of the file.
4. Ask for money for decryption
I've attached a screenshot of the precise end of the encryption and start of the real document.
Luckily the document has a predictable output of auto-increment numbers.
There are occurrences of 03 00 00 <3 digit number> 03 00 00
Is there some technique I could apply to narrow down what type of encryption that is?
Obviously it encrypts the same bits differently.
I was thinking of frequency analysis but I'm wondering how to apply it to a binary file.
It is some form of CryptoLocker probably, but is there a way to confirm RSA-2048-bit encryption?
Any thoughts are welcome.
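As an added example (not code from the original post), here is one way to apply frequency analysis to a binary file: per-window Shannon entropy of byte values, which locates where a high-entropy (encrypted-looking) prefix ends and structured plaintext such as a run of counters begins. The sample file is constructed inline; the window size, the 7.0 bits/byte threshold and the `build_sample` layout are assumptions, not measurements from the affected files.

```python
import math
import random
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 512) -> list:
    """Entropy of each consecutive, non-overlapping window of the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def find_encrypted_prefix(data: bytes, window: int = 512, threshold: float = 7.0) -> int:
    """Offset where per-window entropy first drops below the threshold.

    Encrypted or compressed bytes sit close to 8 bits/byte; structured plaintext
    (headers, counters, text) is far lower. The result is only as fine as the window.
    """
    for idx, h in enumerate(window_entropies(data, window)):
        if h < threshold:
            return idx * window
    return len(data)  # whole file looks encrypted


def build_sample(prefix_len: int = 3072, records: int = 800) -> bytes:
    """Constructed sample: pseudo-random prefix followed by records shaped like the
    '03 00 00 <counter> 03 00 00' pattern described in the post (3 ASCII digits)."""
    rng = random.Random(42)  # deterministic so the result is reproducible
    prefix = bytes(rng.getrandbits(8) for _ in range(prefix_len))
    body = b"".join(b"\x03\x00\x00" + f"{i % 1000:03d}".encode() + b"\x03\x00\x00"
                    for i in range(records))
    return prefix + body


if __name__ == "__main__":
    # Pass a file path to analyse a real sample; with no argument the constructed one is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    boundary = find_encrypted_prefix(blob)
    print(f"high-entropy prefix ends at offset {boundary} (0x{boundary:x})")
    for i, h in enumerate(window_entropies(blob)):
        print(f"window {i:4d} @ {i * 512:7d}: {h:5.2f} bits/byte")
```

Entropy only separates encrypted or compressed regions from structured plaintext; it cannot identify the cipher or confirm a key size such as RSA-2048, so on real samples pair it with the file-name marker and the trailer bytes when comparing against published analyses of the family.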