
Need help with .crypt files

6 replies to this topic

#1 sol14

Posted 12 June 2012 - 06:19 AM

G'day

Recently my PC was infected by a ransomware virus displaying a warning.txt file as posted below. I have since performed a system restore, installed Norton 360, updated the virus definitions, performed a partial scan that removed a couple of viruses, and have tried several decrypting tools with no success. My music, Word and MS Office files still remain as .crypt files and I cannot access them. I have seen a previous post about this and I'm wondering if anyone can help me with decrypting my files. Any help is much appreciated.

cheers

"YOUR ID: 342

YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in the amount of $50 at the nearest store.

STEP 2: Fill out the fields on the black screen on your computer. Otherwise
send us an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide the MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How can I make sure that you can really decipher my files?

A: You can send any ONE ciphered file to the email cryptdecrypt@yahoo.com
(Indicate your ID and the /test decrypt/ phrase in the message title); in the
response message you will receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you can find a store near you."


#2 Fabian Wosar (Authorized Emsisoft Representative, Security Developer, Germany)

Posted 12 June 2012 - 06:33 AM

Can you please check the quarantine of the tools you used to clean your system for the actual malware files? If you can't find the files in the program's quarantine, do you have logs that show the infections? Without either of those it is almost impossible to get your files back, because to find out how your files were encrypted it is necessary to take a look at the exact malware variant that infected your system.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#3 sol14 (Topic Starter)

Posted 12 June 2012 - 07:10 AM

Here's the link to the original post by Mr.Quasar

http://www.bleepingcomputer.com/forums/topic456569.html

The warning message he received is exactly the same as mine. Someone sent a tool to Mr.Quasar to unlock his files via email. I wonder if I can have that decrypting tool as well?

cheers

#4 sol14

Posted 12 June 2012 - 07:21 AM

I've checked my scanning history from Norton 360 and this is what I have:

1) xt0a6y1p.exe (WS.Malware1)

2) apaco.exe (Trojan.Gen)

3) vsdsrv32.exe (Trojan.Gen)

4) a0236105.ini (Trojan.ZeroACCESS)

5) a0237114.ini (Trojan.ZeroACCESS)

6) a0237611.ini (Trojan.ZeroACCESS) *this one seems to regenerate itself with a different filename.

#5 Fabian Wosar

Posted 12 June 2012 - 10:08 AM

Based on your information I was able to find the sample that infected your system. Unfortunately I don't have good news. This particular malware will get a randomly generated key from its server. Previous variants of the malware stored the key that was returned by the server on the infected system which is why it was possible to decrypt the encrypted files. This variant though doesn't store the key on the system anymore. While the key is written to various different files on a system (cconf.txt and cconf.txt.enc) those files are securely deleted once they are no longer useful to the malware. So unless you have a backup, you won't get your files back.

#6 pmqdmzzi

Posted 14 June 2012 - 06:51 PM

My parents' computer has been hit with the same attack. Do you know what encryption algorithm was used? How large is the key?

I have some of the files they encrypted in plain text but not all of them. How feasible would it be to do a brute force search for the key they used?

#7 Fabian Wosar

Posted 14 June 2012 - 07:02 PM

Check your %appdata% folder (just press the Windows key + R, type "%appdata%" and press OK) to see if you have a file ccrypt.txt or ccrypt.txt.enc there. If you don't, and you are using Windows Vista, 2008 or 7, please check your shadow volume using a tool like Shadow Explorer (http://www.shadowexplorer.exe) as well. Those files are temporary files created by the malware and contain the password used for encryption. They are securely deleted after the malware has finished encrypting all files, but on some systems the malware crashes, never deleting these temporary files, and on some other systems the files were backed up by the VSS service before they were deleted.

To answer your questions:
The encryption algorithm used by the malware is AES. The password length varies. In my testing I got passwords 8 to 12 characters long. The character set included alphanumeric characters as well as symbols. It is rather unlikely that you are able to guess the password within a reasonable time.
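The recovery check described in post #7 above, written out as a script. This is an added example and is not part of the thread or of any Emsisoft tool: it looks for the malware's temporary key file on the live %APPDATA% folder and then inside every VSS shadow copy of the system volume, which is what Shadow Explorer does interactively. Both file names that appear in the thread (cconf.txt in post #5, ccrypt.txt in post #7) are searched, with and without the .enc suffix. Assumptions: %APPDATA% lives on the system drive, the script runs from an elevated PowerShell prompt (mklink needs it), and recovered copies go to the Desktop; the mount point C:\shadow_tmp is an arbitrary name chosen here.

```powershell
# Added example, not the thread's or Emsisoft's code. Run elevated.
# File names as given in the thread (post #5 says cconf.txt, post #7 says ccrypt.txt).
$keyFiles = 'ccrypt.txt', 'ccrypt.txt.enc', 'cconf.txt', 'cconf.txt.enc'

# Path of %APPDATA% relative to its volume, e.g. \Users\bob\AppData\Roaming
$appdataRel = Split-Path -NoQualifier $env:APPDATA

# 1. Live volume: did the malware crash before wiping its temp files?
foreach ($name in $keyFiles) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        Write-Output "FOUND on live volume: $path"
    }
}

# 2. Shadow copies (Vista / 2008 / 7 and later). Each snapshot exposes a device
#    object like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; a directory
#    symlink made with mklink turns it into a browsable folder.
$mount  = 'C:\shadow_tmp'   # assumption: arbitrary mount point, must not exist yet
$sysVol = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$env:SystemDrive'").DeviceID

Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVol } |   # assumption: APPDATA is on the system drive
    ForEach-Object {
        $dev = $_.DeviceObject + '\'               # trailing backslash is required by mklink
        cmd /c mklink /d $mount $dev | Out-Null
        try {
            foreach ($name in $keyFiles) {
                $path = Join-Path $mount (Join-Path $appdataRel $name)
                if (Test-Path -LiteralPath $path) {
                    Write-Output ("FOUND in shadow copy {0} (created {1}): {2}" -f $_.ID, $_.InstallDate, $path)
                    # Copy out immediately; the snapshot may be rotated away later.
                    $dest = Join-Path "$env:USERPROFILE\Desktop" ("recovered_{0}_{1}" -f $_.ID, $name)
                    Copy-Item -LiteralPath $path -Destination $dest
                }
            }
        } finally {
            cmd /c rmdir $mount | Out-Null   # removes only the symlink, not the snapshot
        }
    }
```

Two practical cautions: do this only after the malware itself has been removed, since a still-running sample could re-encrypt or wipe what you recover, and avoid writing anything else to the infected volume in the meantime, because shadow copies are copy-on-write and get discarded when their storage fills. A recovered ccrypt.txt only holds the password; turning it into decrypted files still needs a decrypter built for the exact variant, as post #2 points out.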
