
.crypt files


7 replies to this topic

#1 camdenlake


  • Members
  • 4 posts

Posted 27 June 2012 - 04:43 PM

Hello all. I have used this site many times and never needed to post; the answers were always already here. I have a client who has gotten themselves infected with some sort of ransom virus. It has encrypted everything. There is an instructions file on how to pay to get the key. I doubt that would work out. Does anyone have a decryptor for the .crypt files? I have read he is toast as there is no alternate method. What say you all?


Thanks
Camdenlake.


#2 Fabian Wosar


    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:Germany

Posted 27 June 2012 - 05:24 PM

There are actually quite a few different malware families using the .crypt extension, so a bit more information would be quite helpful. Depending on which malware family exactly infected your client's system, there may or may not be ways to decrypt his files. Can you please post the ransom note found on his system and add the name of the malware file that encrypted his files? If you used any anti-virus or anti-malware software to remove the infection, the logs of those scans would be quite helpful as well :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#3 camdenlake


  • Members
  • 4 posts

Posted 27 June 2012 - 06:12 PM

There was a txt file called warning in the root of the user's profile folder. It contained this.

Your Id# ####

YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.

STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How I can make sure that you can really decipher my files?

A: You can send ONE any ciphered file on email cryptdecrypt@yahoo.com
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near .

Here is a screenshot after several scans with MSE. I also scanned with Symantec Corp but it didn't name anything. MSE also submitted about a half dozen files.


Thanks
Josh

#4 Fabian Wosar


    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:Germany

Posted 28 June 2012 - 02:07 AM

Here is a screenshot after several scans with MSE. I also scanned with Symantec Corp but it didn't name anything. MSE also submitted about a half dozen files.

I was actually looking for file names, not malware names. Based on the ransom note you were hit by one of the recent Birele variants out there. This malware usually copies itself to your AppData directory (C:\Users\Username\AppData\Roaming). So logs of detections in that directory (including the file name) would be helpful to determine the exact variant.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 camdenlake


  • Members
  • 4 posts

Posted 28 June 2012 - 04:53 PM

Thanks. Nothing found in those folders. Been updating and scanning every day. Here are the file results. It's an interesting bugger. He is stressing out big time as all his pics and files are currently toast. Don't care about the system; it's just decrypting his data. What have been the results of these in the past?

Downloader
file:I:\ProgramData\DPA0XkhB.exe
file:I:\Windows\Temp\pdxbuj\setup.exe

Several Files infected in the Java folders
file:I:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ee978d1-7975d16f


Downloader
file:I:\Users\Rob\Desktop\Music - Rob\10 fox introudction.mov
file:I:\Users\Rob\Desktop\Music - Rob\15 fox introudction.mov

Trojan Win64
file:I:\Windows\System32\dlbx_device.dll

#6 Fabian Wosar


    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:Germany

Posted 29 June 2012 - 11:35 AM

What have been the results of these in the past?

To be honest, not promising. It all comes down to which variant exactly hit your client's system. This ransomware family in general uses randomly generated passwords to encrypt files using AES. The password is thereby generated not on the victim's system but by a server operated by the ransomer instead. Depending on which variant infected the system the malware may save this random password either permanently, temporarily or not at all. If the system got hit by one of the variants that saves the password permanently, you can decrypt the files just fine. If it got the variant that stores it temporarily, you may be able to decrypt the encrypted files, if you can restore the deleted password. If it got the variant that never saves the password at all, there unfortunately is no way to get the data back without paying the ransom.

The main issue now is that it seems you cleaned the malware from your client's system. The logs are kind of useless, or at least you weren't able to find the log entries that usually indicate an infection with one of the known variants of this particular malware family (which are either a VsDsrv32.exe or setsyslog32.exe file located in the %AppData% directory). This could mean that your client either got hit with a completely new variant that uses different names and locations when infecting a system, or for some reason the removed infections weren't logged correctly by the applications you used to clean them.

Either way, without any idea what actually hit your client's system it is very hard to do anything. You may want to check the %AppData% directory of the infected system for the presence of cconf.txt or cconf.txt.enc (those are the temporary locations the variant responsible for the most recent infections uses to store the generated password temporarily). You may also check the shadow volume for those files, if the system happens to run Windows Vista or later, using a tool such as Shadow Explorer (http://www.shadowexplorer.com). If you weren't able to find any of the cconf.* files there, you may at least be able to restore some of the encrypted files that way.

If all that doesn't work, you are unfortunately out of luck.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
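The checks described in the reply above (the VsDsrv32.exe / setsyslog32.exe indicators, the cconf.* password remnants in %AppData%, and the same path inside each shadow copy) collected into one triage script. This is an added example, not code from the thread or from Emsisoft; it assumes it is run elevated on the infected machine itself (Vista or later, PowerShell 2.0+), that the affected profile is the one running the script, and that the profile lives on the C: drive.

```powershell
# Added example (not from the thread): triage for the Birele-family indicators
# named in the reply. Assumes an elevated PowerShell on the infected system.
$indicators = 'VsDsrv32.exe', 'setsyslog32.exe', 'cconf.txt', 'cconf.txt.enc'
$appData    = $env:APPDATA                  # C:\Users\<user>\AppData\Roaming
$relAppData = $appData.Substring(3)         # same path without the "C:\" prefix

# Report any of the indicator files present directly under $root.
function Find-Indicators([string]$root, [string]$label) {
    foreach ($name in $indicators) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p |
                Select-Object @{n='Where'; e={$label}}, FullName, Length, LastWriteTime
        }
    }
}

# 1. Live file system: is the malware or its temporary password file still there?
Find-Indicators $appData 'live'

# 2. Every shadow copy: expose the snapshot through a temporary directory link,
#    look in the same AppData\Roaming path, then remove the link again.
#    mklink needs the trailing backslash after the snapshot device name.
Get-WmiObject Win32_ShadowCopy | ForEach-Object {
    $snapTime = $_.ConvertToDateTime($_.InstallDate)
    $link     = Join-Path $env:TEMP ('vss_' + $_.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($_.DeviceObject)\" | Out-Null
    try {
        $shadowAppData = Join-Path $link $relAppData
        if (Test-Path -LiteralPath $shadowAppData) {
            Find-Indicators $shadowAppData "shadow copy $snapTime"
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null         # rmdir removes only the link
    }
}

# 3. Scope of the damage: how many .crypt files sit under the user profile.
$cryptCount = (Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter *.crypt `
               -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host "$cryptCount .crypt files found under $env:USERPROFILE"
```

A cconf.txt or cconf.txt.enc hit in a snapshot is what would make decryption feasible for the variant that stores the password temporarily; if only the live copy is missing, the same snapshot can still be used to restore unencrypted originals of the files it contains.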

#7 camdenlake


  • Members
  • 4 posts

Posted 29 June 2012 - 01:49 PM

Thanks. That is as I suspected. He did briefly try to fix it before he realized it was beyond his knowledge. No idea what he may have removed. I suspect this is new. I have had an email conversation with the ransom holder. If you pay, do they really provide the utility, or is that just more of the scam?


Camdenlake

#8 Fabian Wosar


    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:Germany

Posted 29 June 2012 - 02:43 PM

If you pay, do they really provide the utility, or is that just more of the scam?

To be honest, I have no idea. Personally, unless my professional life depends on it, I wouldn't push my luck.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com