DecryptorMax/CryptInfinite (.CRINF) Ransomware Support and Help Topic


255 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,524 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:06:14 PM

Posted 17 November 2015 - 07:06 PM

This is the support topic for the ransomware that is currently being called DecryptorMax or CryptInfinite.
 
Fabian Wosar of Emsisoft was able to create a decrypter for this ransomware. Information on how to use this decrypter can be found below. There is also technical information about this infection listed under the decrypter instructions.
 
 
 
If you are infected with this malware, simply download decrypt_cryptinfinite.exe from the following link and save it on your desktop:
 

http://emsi.at/DecryptCryptInfinite



In order for this program to find your decryption key you must drag both an encrypted file and a copy of the same file in its original state onto the decrypt_cryptinfinite.exe icon at the same time. If you do not have a copy of the unencrypted file, you can use an encrypted PNG together with any other PNG file from the Internet instead. To explain what I mean about dragging them both onto the icon at the same time, please see the image below.

[image: decryptcryptinfinite.gif]

When you drag both files onto the icon you will be shown a UAC prompt. Please click on the Yes button to continue.

You will now be shown a screen asking what e-mail address is given in the ransomware ransom note on your computer as shown below.

[image: select-email-address.jpg]

Press the number associated with the email address given in your ransom note and the program will begin the process of trying to brute force the decryption key. This process can take quite a long time, so please be patient.

[image: brute-forcing-key.jpg]


If the process was successful, a window will be displayed showing the key. Please click on the OK button to continue.

[image: decryption-key-found.jpg]

You will now see the main window for the decrypter. This window will display a list of encrypted files that was retrieved from the Registry.

[image: decrypt_cryptinfinite.jpg]

If the list of files is incomplete, you can click on the Add Folder button to add further folders that contain encrypted files. Once you are ready, click on the Decrypt button to decrypt your files. When it has finished decrypting your files, the results will be shown in the Results tab as seen below.

[image: decryption-results.jpg]

All of your files should now be decrypted.
 
For those who wish to know more technical information about this ransomware, you can read the section below.
 
Technical Information:
 
When the infection is installed it will first generate a unique victim ID and then create a new executable that is named with this ID. The executable will be stored in the %UserProfile% folder. For example, the file would be named test-ADBFFA-G131.exe.

The malware will then execute the following commands:
 
cmd.exe /k vssadmin.exe Delete Shadows /All /Quiet
cmd.exe /k bcdedit.exe /set {default} recoveryenabled No
cmd.exe /k bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The above commands delete all Shadow Volume Copies and disable Windows Startup Repair. These commands require Administrative privileges, so you will be shown a UAC, or User Account Control, prompt asking if you wish to allow vssadmin.exe to execute.

While running, this malware will also kill common apps used during malware analysis:
 
TASKKILL /F /IM msconfig.exe
TASKKILL /F /IM rstrui.exe
TASKKILL /F /IM tcpview.exe
TASKKILL /F /IM procexp.exe
TASKKILL /F /IM procmon.exe
TASKKILL /F /IM regmon.exe
TASKKILL /F /IM wireshark.exe
TASKKILL /F /IM LordPE.exe
TASKKILL /F /IM regedit.exe
TASKKILL /F /IM cmd.exe
TASKKILL /F /IM filemon.exe
TASKKILL /F /IM procexp64.exe

When it begins the encryption process it will search through all drive letters and encrypt any data files that match the following extensions:
 
*.ACCDB, *.BAY, *.DBF, *.DER, *.DNG, *.DOCX, *.DXF, *.ERF, *.INDD, *.MEF, *.MRW, *.ODB, *.ODP, *.PDD, *.PEF, *.PPTM, *.PSD, *.PTX, *.RAW, *.SRF, *.XLK, *.XLS, *.ach, *.aiff, *.arw, *.asf, *.asx, *.avi, *.back, *.backup, *.bak, *.bin, *.blend, *.cdr, *.cer, *.cpp, *.crt, *.crw, *.dat, *.dcr, *.dds, *.des, *.dit, *.doc, *.docm, *.dtd, *.dwg, *.dxg, *.edb, *.eml, *.eps, *.fla, *.flac, *.flvv, *.gif, *.groups, *.hdd, *.hpp, *.iif, *.java, *.kdc, *.key, *.kwm, *.log, *.lua, *.m2ts, *.max, *.mdb, *.mdf, *.mkv, *.mov, *.mpeg, *.mpg, *.msg, *.ndf, *.nef, *.nrw, *.nvram, *.oab, *.obj, *.odc, *.odm, *.ods, *.odt, *.ogg, *.orf, *.ost, *.pab, *.pas, *.pct, *.pdb, *.pdf, *.pem, *.pfx, *.pif, *.png, *.pps, *.ppt, *.pptx, *.prf, *.pst, *.pwm, *.qba, *.qbb, *.qbm, *.qbr, *.qbw, *.qbx, *.qby, *.qcow, *.qcow2, *.qed, *.raf, *.rtf, *.rvt, *.rwl, *.safe, *.sav, *.sql, *.srt, *.srw, *.stm, *.svg, *.swf, *.tex, *.tga, *.thm, *.tlg, *.vbox, *.vdi, *.vhd, *.vhdx, *.vmdk, *.vmsd, *.vmx, *.vmxf, *.vob, *.wav, *.wma, *.wmv, *.wpd, *.wps, *.xlr, *.xlsb, *.xlsm, *.xlsx, *.yuv,*.JPEG,*.jpe, *.jpg

When it encrypts a file it will append the .crinf extension to the end of it. It excludes any files whose paths contain the following strings from the encryption process:
 
Windows, Program Files, KEY, .crinf

While encrypting files it will add a Registry value for each file under this key: HKCU\Software\CryptInfinite. For example:
 
HKCU\Software\CryptInfinite\Files\11	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
HKCU\Software\CryptInfinite\Files\12	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
HKCU\Software\CryptInfinite\Files\13	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
HKCU\Software\CryptInfinite\Files\14	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
HKCU\Software\CryptInfinite\Files\15	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
HKCU\Software\CryptInfinite\Files\16	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
HKCU\Software\CryptInfinite\Files\17	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg

It will also add other information about the installation, and whether it is complete, under this Registry key. Finally, it will change the desktop wallpaper to display a ransom note and autostart the executable by adding a Run entry to the Registry.

The full list of Registry keys and values created is:
 
HKCU\Software\CryptInfinite
HKCU\Software\CryptInfinite\Files
HKCU\Software\CryptInfinite\Info
HKCU\Software\CryptInfinite\Info\KEY	000000
HKCU\Software\CryptInfinite\Info\1	000000
HKCU\Software\CryptInfinite\Info\c	23
HKCU\Software\CryptInfinite\Info\m	57
HKCU\Software\CryptInfinite\Info\s	21
HKCU\Software\CryptInfinite\Info\Finish	True
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation	C:\Users\<login_name>\<victim's id>.exe
HKCU\Control Panel\Desktop\WallpaperStyle	"0"
HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\<login_name>\z2.bmp"

In each folder in which it encrypts a file, it will create a text ransom note called ReadDecryptFilesHere.txt that contains the following information:
 

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $500 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred`s Super Dollar,
Family Dollar and many other stores.
--------------------------------------------------------------------------------------------------------------------------
After obtaining your PayPal MyCash voucher code you need to send an email to
silasw9pa@yahoo.co.uk with the following information.
1. Your $500 PayPal MyCash PIN
2. Your encryption ID = <victim's id>
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
--------------------------------------------------------------------------------------------------------------------------


When the infection has finished it will display the user interface for the ransomware, which consists of two screens. The first screen contains some basic information about what happened to your files and is seen below.

[image: decryptormax.jpg]

The second page allows you to check for and see the status of your payment:

[image: decryptormax-screen-2.jpg]

If you make a payment and it is confirmed, it will display a new screen that states you should download a decrypter. The URL to this decrypter is hard-coded into the executable, but the link no longer works. The hard-coded URL is: https://github.com/m0nk8/tor/blob/master/DecryptorMAX.exe?raw=true


Finally, the wallpaper is changed to this image:

[image: wallpaper.jpg]

As more information about this ransomware is discovered we will update this first post to reflect the latest information.
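A defender-side triage script for the artifacts this post lists (the vssadmin/bcdedit/TASKKILL command lines, the victim-ID executable in %UserProfile% and the encrypted-file list under HKCU\Software\CryptInfinite). This is an added example, not the decrypter's or the forum's code: the 'timestamp|image|commandline' log format and both samples are constructed, and the victim-ID filename pattern is modelled on the single example above, so its alphabet and segment lengths are assumptions.

```python
import re

# Command lines quoted in the post: shadow-copy deletion, startup-repair
# tampering, and the TASKKILL list aimed at analysis tools.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+Delete\s+Shadows\s+/All", re.I)
BCDEDIT_TAMPER = re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                            r"(?:recoveryenabled\s+No|bootstatuspolicy\s+ignoreallfailures)", re.I)
TASKKILL = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.I)
ANALYSIS_TOOLS = {"msconfig.exe", "rstrui.exe", "tcpview.exe", "procexp.exe", "procmon.exe",
                  "regmon.exe", "wireshark.exe", "lordpe.exe", "regedit.exe", "cmd.exe",
                  "filemon.exe", "procexp64.exe"}
# Dropper name modelled on the post's one example (test-ADBFFA-G131.exe in
# %UserProfile%); the ID alphabet and segment lengths are an assumption.
VICTIM_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+-[0-9a-z]{6}-[0-9a-z]{4}\.exe$", re.I)

def triage_process_log(lines):
    """lines: 'timestamp|image|commandline' records (constructed flat format,
    e.g. exported from Sysmon event ID 1). Returns (score, findings)."""
    findings = []  # (weight, description)
    for line in lines:
        ts, image, cmd = line.split("|", 2)
        if SHADOW_DELETE.search(cmd):
            findings.append((3, f"{ts} shadow copies deleted: {cmd}"))
        if BCDEDIT_TAMPER.search(cmd):
            findings.append((2, f"{ts} startup repair disabled: {cmd}"))
        m = TASKKILL.search(cmd)
        if m and m.group(1).lower() in ANALYSIS_TOOLS:
            findings.append((1, f"{ts} analysis tool killed: {m.group(1)}"))
        if VICTIM_EXE.match(image):
            findings.append((2, f"{ts} victim-ID named executable in profile: {image}"))
    return sum(w for w, _ in findings), findings

def encrypted_files_from_reg_export(text):
    """Parse 'reg export HKCU\\Software\\CryptInfinite' output and return the
    paths recorded under ...\\Files, the same list the decrypter reads back."""
    files, in_files = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # new key: only the Files subkey matters here
            in_files = line.lower() == "[hkey_current_user\\software\\cryptinfinite\\files]"
            continue
        m = re.match(r'^"\d+"="(.*)"$', line)
        if in_files and m:
            files.append(m.group(1).replace("\\\\", "\\"))  # undo .reg escaping
    return files

# Constructed samples mirroring the artifacts listed in the post.
SAMPLE_LOG = [
    "2015-11-17T19:06:01|C:\\Users\\alice\\test-ADBFFA-G131.exe|test-ADBFFA-G131.exe",
    "2015-11-17T19:06:02|C:\\Windows\\System32\\cmd.exe|cmd.exe /k vssadmin.exe Delete Shadows /All /Quiet",
    "2015-11-17T19:06:02|C:\\Windows\\System32\\cmd.exe|cmd.exe /k bcdedit.exe /set {default} recoveryenabled No",
    "2015-11-17T19:06:03|C:\\Windows\\System32\\cmd.exe|TASKKILL /F /IM procexp.exe",
    "2015-11-17T19:06:04|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptInfinite\Files]
"11"="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg"
"12"="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg"

[HKEY_CURRENT_USER\Software\CryptInfinite\Info]
"Finish"="True"
"""
```

Take the registry export before cleaning the machine: the Files list under HKCU\Software\CryptInfinite is what the decrypter uses to locate encrypted files, so removing the key first means adding folders by hand.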


#2 kev6987

kev6987

  • Members
  • 76 posts
  • OFFLINE
  • Gender:Male
  • Location:Honolulu, HI
  • Local time:12:14 PM

Posted 18 November 2015 - 03:25 AM

I have a little more information - there is another computer infected in the same manner. This one hasn't been cleaned yet, but is left powered off for now. It seems that .JPG (and possibly other image) files are also affected, and I found the following in a text file in one of the directories:

 

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred`s Super Dollar,
Family Dollar and many other stores.
--------------------------------------------------------------------------------------------------------------------------
After obtaining your PayPal MyCash voucher code you need to send an email to
decryptor171@########.com or decryptor171@########.io with the following information.
1. Your $300 PayPal MyCash PIN
2. Your encryption ID = *********-****
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
--------------------------------------------------------------------------------------------------------------------------
 



#3 housemod

housemod

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 18 November 2015 - 04:48 AM

I have the same infection!!!! ALSO trying to find out how to remove it. Also ran Combofix in safe mode w/ command prompt. I don't see the countdown anymore but that's not to say it isn't there...

 

LOST for a fix!!! IDEAS anyone!?!?!?!



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 44,952 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:14 PM

Posted 18 November 2015 - 08:12 AM

Did anyone find a ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTION.TXT
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files.txt
About_Files.txt, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
RECOVERY_FILES.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
Recovery_File_*****.txt, restore_files_*****.txt (where * are random characters)
recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.

Edit: No need to use IDTool...our experts have identified this infection.
Microsoft MVP - Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 44,952 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:14 PM

Posted 18 November 2015 - 08:17 AM


I have also advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Samples of any encrypted or malware files that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic:

#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,524 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:06:14 PM

Posted 18 November 2015 - 10:42 AM

Is this what you see on your screen?

[image: decryptormax.jpg]

#7 housemod

housemod

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 18 November 2015 - 10:55 AM

YUP THATS IT!



#8 funkindrago

funkindrago

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:14 PM

Posted 18 November 2015 - 11:02 AM

I submitted some files that I believe are related to the same exact infection that I am seeing on a machine.

 

Same .txt/.bmp file found in encrypted folder:

unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred`s Super Dollar,
Family Dollar and many other stores.
--------------------------------------------------------------------------------------------------------------------------
After obtaining your PayPal MyCash voucher code you need to send an email to   
decryptor171@mail2tor.com or decryptor171@scramble.io with the following information.
1. Your $300 PayPal MyCash PIN
2. Your encryption ID = *************************
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
--------------------------------------------------------------------------------------------------------------------------
 



#9 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,524 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:06:14 PM

Posted 18 November 2015 - 11:03 AM

OK... we are looking into this. When I tested it the email associated with it was different. May be an affiliate-based ransomware. Stay tuned.

#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,524 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:06:14 PM

Posted 18 November 2015 - 11:04 AM

Also in your ReadDecryptFilesHere.txt, what is the link it gives for the DecryptorMax.exe program?

Forget that... I forgot that the strings were in the executable.

#11 dzgooden

dzgooden

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:14 PM

Posted 18 November 2015 - 11:16 AM

Same issue here guys.

 

I was infected last night around 7 PM, paid the $300 ransom by 8 PM, and the countdown timer stopped. It stated it could take 1-3 hours for my files to be decrypted and to click Next to download DecryptorMax.exe. Then it took me to a screen that says please paste the private key into DecryptorMax.exe, but the screen was just blank and did not actually display a private key to paste into DecryptorMax.exe.

 

At this point, I have checked with PayPal and the $300 PayPal MyCash voucher has not yet been redeemed. So I still have hope, hoping that once the PayPal MyCash voucher gets redeemed the private key will be displayed.



#12 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,524 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:06:14 PM

Posted 18 November 2015 - 11:18 AM

Were you able to download decryptormax.exe? If so, what was the url to it?

#13 housemod

housemod

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 18 November 2015 - 11:19 AM

Also, the ID Tool that was suggested is going into its first hour with no detection.

 

As I mentioned, through Combofix, adware, Rkill, etc. (normal tools) I was able to remove the virus and change the theme back to normal Windows 7, but it still leaves the .CRINF extension on every infected file. The decryption seems, and I use the word "seems" loosely here, to be the only thing left to fix.



#14 funkindrago

funkindrago

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:14 PM

Posted 18 November 2015 - 11:26 AM

I believe this is a new variant from what I am seeing and able to find on the web.



#15 mattlu

mattlu

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:14 PM

Posted 18 November 2015 - 11:26 AM

I also have a user infected by this variant. I was able to remove the ransomware via F8 > Repair Your Computer > System Restore followed by a complete scan with Malwarebytes. However, the files on the computer remain encrypted with the .crinf extension. I tried using all of the free decryptor tools on Kaspersky's website but none of them were successful in decrypting the files. The title of the text file that the variant leaves behind is ReadDecryptFilesHere.txt and the contents are as follows, pretty much identical to funkindrago's:

 

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher. 
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000. 
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred`s Super Dollar, 
Family Dollar and many other stores.
--------------------------------------------------------------------------------------------------------------------------
After obtaining your PayPal MyCash voucher code you need to send an email to   
decryptor171@mail2tor.com or decryptor171@scramble.io with the following information.
1. Your $300 PayPal MyCash PIN
2. Your encryption ID = ***********-****
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
--------------------------------------------------------------------------------------------------------------------------

Edited by mattlu, 18 November 2015 - 11:43 AM.




