
Gomasom Ransomware (!___*email*@gmail.com__.crypt) Support and Help Topic


44 replies to this topic

#1 billabang

  • Members

Posted 15 December 2015 - 01:00 PM

Hi
 
We have a massive amount of files that have been encrypted with the extension "!___crydhellsek@gmail.com__.crypt"
We do not have a backup of the files to restore.
 
A ridiculous amount of googling and scanning has led me to post here after contacting another forum member.
 
Can anyone here help with this particular strain of ransomware?



#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor

Posted 15 December 2015 - 02:51 PM

Hi,
 
Please can you upload one of your encrypted files here.

 

To anyone else who uploads files. Please leave contact details, either in terms of your forum name (if logged in) or email. We cannot help you otherwise.

 
xXToffeeXx~


Edited by xXToffeeXx, 04 April 2016 - 09:21 AM.


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

~Help BleepingComputer fight Enigma Software's lawsuit!~ | ~Twitter~

 

~Malware Analyst at Emsisoft~


#3 billabang

  • Topic Starter
  • Members

Posted 15 December 2015 - 02:58 PM

I have example files I can post if this helps but I cannot see the option to upload

 

--edit, posted before I refreshed. I will upload now


Edited by billabang, 15 December 2015 - 02:58 PM.


#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor

Posted 15 December 2015 - 04:04 PM

Hi,
 
Thank you for that. Do you happen to know what file caused this infection, and do you still have it? (It may have come from an email; it could be a .doc file with macros, an .exe, .js, or .pdf.)
 
Edit: You can find it in the "%appdata%\Microsoft\Windows\Start Menu\Programs"
 
xXToffeeXx~


Edited by xXToffeeXx, 15 December 2015 - 04:46 PM.

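The post above points at the user's Start Menu Programs folder as the place the dropped file tends to sit. The following is an added triage helper written for this thread (not the forum's, Emsisoft's, or the poster's code): it walks a folder, keeps only files with extensions an analyst would want to look at, and reports each one's modification time, size and SHA-256 so it can be submitted for analysis rather than run. The default path is the folder named in the post and only expands on Windows; the extension list, the `since` filter and the constructed demo folder are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Extensions that deserve a second look when found in a Start Menu folder
# (assumption: a typical analyst short-list, not a complete one).
SUSPECT_EXT = {".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf",
               ".bat", ".cmd", ".ps1", ".lnk"}

# Folder named in the post; %APPDATA% expands on Windows only, so callers on
# other systems pass an explicit path.
DEFAULT_DIR = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_startup_dir(root: str = DEFAULT_DIR, since: datetime = None) -> list:
    """Walk `root` and list files with suspect extensions, newest first, with
    size and SHA-256. `since` (timezone-aware) drops files modified before it."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXT:
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if since is not None and mtime < since:
                continue
            findings.append({
                "name": name,
                "path": full,
                "mtime": mtime,
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    findings.sort(key=lambda e: e["mtime"], reverse=True)
    return findings


def recent_only(root: str = DEFAULT_DIR, days: int = 30) -> list:
    """Convenience wrapper: only files touched in the last `days` days, which is
    usually the window between infection and the first encrypted file."""
    cutoff = datetime.now(tz=timezone.utc) - timedelta(days=days)
    return triage_startup_dir(root, since=cutoff)


def make_demo_dir() -> str:
    """Constructed fixture (not real malware): a fresh script in a Startup
    subfolder, a text file that should be ignored, and an old executable."""
    root = tempfile.mkdtemp(prefix="startup_demo_")
    os.makedirs(os.path.join(root, "Startup"))
    with open(os.path.join(root, "Startup", "updater.js"), "wb") as f:
        f.write(b"// constructed sample script\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"not interesting\n")
    old = os.path.join(root, "old.exe")
    with open(old, "wb") as f:
        f.write(b"MZ constructed stub")
    os.utime(old, (0, 0))  # 1970 mtime: sorts last and falls outside any recent window
    return root


if __name__ == "__main__":
    for entry in triage_startup_dir(make_demo_dir()):
        print(entry["mtime"].isoformat(), entry["size"], entry["sha256"][:16], entry["path"])
```

The listing is deliberately read-only: nothing is opened for execution, moved or deleted, and the hash is what you would hand to an analyst (or upload alongside an encrypted sample, as the thread asks) so the file can be identified without being run.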


#5 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 17 December 2015 - 11:57 AM

I created a decrypter for a related variant of this particular ransomware. In my testing it should work for this variant as well.

Look for any file on your system where you have the original unencrypted file of one of the encrypted files, or any unencrypted PNG (one can be found on the internet, for example, if you do not already have one) and an encrypted PNG file. Select the original and encrypted files, then drag and drop them at the same time onto the decrypter executable. If that sounds confusing, just take a look at this little animation:

[animation: decryptcryptinfinite.gif]

The decrypter will then try to determine the encryption key for your system based on the two files you provided. This process can be rather time consuming. On my system, guessing the encryption key took up to 1.5 hours. Depending on your system, it may take considerably longer than that, so please be patient. Once the decryption key has been determined, you will get a message like this:
 
[screenshot: VDcbwS2.png]
 
Just click OK and the decrypter will start up as normal. If you get an error message instead, please make sure you dragged and dropped the correct files. If you did, you may have been targeted either by a completely different malware family or by a new variant that this decrypter doesn't support yet.

All folders you add to the folder list will be decrypted recursively, which means files located in the sub-folders of the selected folder will be decrypted as well.
 
In any case, I suggest running the decrypter on a limited number of files first and manually checking that those files were decrypted properly before you move on to decrypting a large number of files. This makes sure the decrypter figured out the correct key and may save you a lot of time in the long run in case it turns out the malware author changed the encryption algorithm in a later variant that the decrypter doesn't support.
 
The malware unfortunately does not leave any information about the original file behind. That means the decrypter can't be sure that the result of the decryption is correct. For that reason, the decrypter will not delete the encrypted files on your system, just to be sure. That also means that you need to make sure your disks have enough space before you start the decryption. If you are low on disk space and have no way of making room either, the decrypter also has an option to delete the encrypted version of the file after it has been decrypted:
 
[screenshot: 2agpZle.png]
 
Only use this option if you absolutely have to, and only after you have tested the decrypter on a limited number of files first.
 
The decrypter can be downloaded here:
 
Please make sure you read the above instructions carefully before you download it. Don't just click the link, trying to skip ahead. Seriously. You will most likely save yourself a lot of headache.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful. :wink:
 
As always, please ask if you run into any issues. Keep in mind that I do have a rather busy day job, so I may not reply right away. So please be patient.
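The procedure Fabian describes works because the decrypter is handed a plaintext/ciphertext pair and searches for the key that links them; any PNG will do because a PNG's first bytes are fixed by the file format, so the original does not even need to be the user's own file. The block below is an added illustration of that principle and of the "decrypt a few files and check them first" advice, written for this thread; it is not Fabian's decrypter, and Gomasom's real algorithm is not described on this page and is not reproduced here. The toy stream cipher, the 16-bit key space, the sample files and every function name are assumptions made for the example.

```python
import struct

# File-type signatures used to sanity-check a decrypted result (assumption:
# a short list of common formats, not exhaustive).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip (docx/xlsx)": b"PK\x03\x04",
    "ole2 (doc/xls)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

# Every PNG starts with the 8-byte signature followed by the IHDR chunk header
# (length 13, type "IHDR"): 16 bytes of plaintext known without the original.
PNG_KNOWN_PREFIX = MAGIC["png"] + struct.pack(">I", 13) + b"IHDR"

KEY_BITS = 16  # toy key space, small enough to exhaust in seconds (assumption)


def toy_keystream(key: int, n: int) -> bytes:
    """Keystream of a toy stream cipher (xorshift32 seeded from the key).
    Assumption: an illustrative stand-in, not the ransomware's algorithm."""
    x = ((key | 0x10000) * 0x9E3779B1) & 0xFFFFFFFF  # non-zero, distinct per key
    out = bytearray()
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


def toy_xor(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def recover_key(known_plain: bytes, encrypted: bytes):
    """Known-plaintext search: return the first key under which the start of
    `encrypted` decrypts to `known_plain`, or None if no key in the space fits.
    A very short prefix admits chance matches, so a minimum length is enforced."""
    if len(known_plain) < 8:
        raise ValueError("known prefix too short to rule out chance matches")
    target = encrypted[: len(known_plain)]
    for key in range(1 << KEY_BITS):
        if toy_xor(target, key) == known_plain:
            return key
    return None


def identify(data: bytes):
    """Name the file type whose signature `data` starts with, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def trial_decrypt(encrypted_files: dict, key: int, limit: int = 3) -> dict:
    """Decrypt at most `limit` files and report the detected type of each result.
    The encrypted inputs are left untouched: nothing is deleted until a human
    has checked the output, which is exactly what the post advises."""
    report = {}
    for name, blob in list(encrypted_files.items())[:limit]:
        report[name] = identify(toy_xor(blob, key))
    return report


def demo(secret_key: int = 0x2A5C) -> tuple:
    """Constructed sample 'files': a PNG-shaped blob, a PDF-shaped blob and
    header-less data standing in for a file type with no fixed signature."""
    files = {
        "photo.png": PNG_KNOWN_PREFIX + bytes(13) + b"\x00" * 32,
        "report.pdf": b"%PDF-1.4\n%constructed sample\n" + b"\x00" * 32,
        "notes.bin": bytes(range(64)),
    }
    encrypted = {n: toy_xor(b, secret_key) for n, b in files.items()}
    # Step 1: recover the key from the encrypted PNG alone, using the public header.
    key = recover_key(PNG_KNOWN_PREFIX, encrypted["photo.png"])
    if key is None:
        return None, {}
    # Step 2: decrypt a small batch and inspect it before touching the rest.
    return key, trial_decrypt(encrypted, key, limit=2)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the recovered key and a per-file report such as `{"photo.png": "png", "report.pdf": "pdf"}`. The `identify()` step is where the limitation Fabian mentions shows up: since the malware leaves nothing about the original behind, the only evidence that decryption worked is that the output looks like a real file, so formats with no fixed header (plain text, CSV) can only be checked by opening them, which is why the post insists on a manual check of a small batch before bulk decryption and before any encrypted copy is deleted.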

#6 4ward

  • Members

Posted 17 December 2015 - 01:15 PM

Hi Fabian - have you had much luck with this program with the ####@gmail.com________.crypt encrypted files? The virus came through and took half our drive out, so I have many duplicate files stored over the drives. Missing about 50 000 files, as they are encrypted. I am running the program now to see how it goes...

#7 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 17 December 2015 - 01:38 PM

Hi Fabian - have you had much luck with this program with the ####@gmail.com________.crypt encrypted files? The virus came through and took half our drive out, so I have many duplicate files stored over the drives. Missing about 50 000 files, as they are encrypted. I am running the program now to see how it goes...

Just cross checked with the files you uploaded and they decrypt properly. It will take some time for the decrypter to figure out the proper key, but it should be able to figure it out eventually when using a PNG file. I think the key was found at around the 8 or 9% mark or so.


Edited by Fabian Wosar, 17 December 2015 - 02:00 PM.


#8 4ward

  • Members

Posted 17 December 2015 - 01:45 PM

Ok great - I am running your software now - one is at 9.01% and the other is at 5.93%. See how it goes :clapping:



#9 billabang

  • Topic Starter
  • Members

Posted 18 December 2015 - 07:33 AM

Hi Fabian

 

Your solution is fantastic. Thank you very much for your work.

We will certainly be donating as mentioned.

 

Cannot thank you enough.



#10 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 18 December 2015 - 10:08 AM

We will certainly be donating as mentioned.

 

Thank you very much. I am sure the polar bears will greatly appreciate it. I know I do. :)



#11 ifonly

  • Members

Posted 24 December 2015 - 05:18 AM

Hi, we've also been hit with this. How do you ensure the network/systems are now clean? We have found 3 different local systems that have been infected, apart from the network shares. We can get these back via restore from backups, but we need to identify what is causing it. We have about 70 systems on the network. Any help gratefully received, as I have lost about a week on this now.

 

Regards



#12 codingdream

  • Members

Posted 28 December 2015 - 06:46 AM

Can anyone give me a copy of this malware's sample or encrypted files, just for benchmarking this decryption tool? Never seen this ransomware before..



#13 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 28 December 2015 - 07:50 AM

Hello,

As a general rule I don't hand out samples unless you are working for an AV or IT security company in which case you can send me an email to fw@emsisoft.com from your company email account. I have uploaded a couple of encrypted files here:

http://tmp.emsisoft.com/fw/gomasom_encrypted_files.rar

It includes one original file as well, so you can test the decrypter with it.

#14 WynW

  • Members

Posted 28 December 2015 - 11:36 AM

Hi Fabian,

I have been affected by this malware, sometime on or about 20 or 21 Dec. I used your decryption tool on an encrypted and unaffected pair of png files and it found a key very quickly. However, as the instructions stated might happen, it turned out that on most of my files (most importantly my word and excel files) the decryption didn't work. Is there anything else I can try?

Thanks


Edited by WynW, 28 December 2015 - 11:38 AM.


#15 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 28 December 2015 - 11:38 AM

Do you still have the malware file from your system so I can take a look at it? What email was used in your file names?



