Ransomcrypt (DirtyDecrypt.exe) uses EFS


213 replies to this topic

#46 JStormrage
  • Members
  • 24 posts

Posted 04 August 2013 - 11:25 AM

Greetings guys,

 

I found a lead about a possible fix on this. Apparently someone claimed to have used the tool te94decrypt to decrypt his files.

 

I'm following it now, but the tool is really annoying as it scans all my disk partitions instead of just the folder with infected files. 

 

It also seems to work with a lot of decryption keys (-k 87, -k 88, -k 104).

 

If I manage to "fix / decrypt" anything I'll let you know.




#47 Grinler (Lawrence Abrams)
  • Admin
  • 45,168 posts
  • Location:USA

Posted 04 August 2013 - 11:31 AM

The te94decrypt is unfortunately for a different infection.

http://news.drweb.com/show/?i=2356&lng=en

#48 JStormrage
  • Members
  • 24 posts

Posted 04 August 2013 - 11:49 AM

The te94decrypt is unfortunately for a different infection.

http://news.drweb.com/show/?i=2356&lng=en

 

Sad to hear that, but all right, I've sent them the case too; maybe they have a breakthrough in this case.


Edited by JStormrage, 04 August 2013 - 11:50 AM.


#49 ScrewDirtyDecrypt
  • Members
  • 2 posts

Posted 04 August 2013 - 12:05 PM

Hello everyone :)

I've unfortunately also been infected with the so-called Dirty Decrypt.exe.

My problem is not the actual virus but the damn decrypt, which is the whole point of the virus itself ..

 

But my internal HD was of course infected first, and I can live with losing the data on that ..

Sadly I had a 3 TB HD hooked up to my computer, it contains my whole life "in data" if you can call it that :)

 

The Dirty Decrypter locked like 99% of all my files with that stupid image that demands to pay out ..

I wouldn't mind giving money at all, I would pretty much do anything to get those images and other files back ..

But I've read several times and it pretty much says it itself that giving them money wouldn't do anything other than motivate them more to keep creating these evil inventions !

 

I just wanted to make sure that if I can do anything at all to work towards a solution to this problem, just say so ..

One thing's for sure, that HD is too important to just give up on, I'll never stop working on it ..

 

Thanks in advance to anyone who took the time to read this reply :)

 

Wishes and good luck to us all ..

P.S. I wondered about a little thing: if the virus really did decrypt all my files, how the heck did it do it so fast? True decrypting would take many hours, especially with 3000 GB, and this happened at a much faster rate, maximum 2 hours I'd say ..


Edited by ScrewDirtyDecrypt, 04 August 2013 - 12:54 PM.


#50 JSntgRvr (Malware Fighter)
  • Malware Response Team
  • 16,788 posts
  • Location:Puerto Rico

Posted 04 August 2013 - 01:32 PM

Hello everyone :)

P.S. I wondered about a little thing: if the virus really did decrypt all my files, how the heck did it do it so fast? True decrypting would take many hours, especially with 3000 GB, and this happened at a much faster rate, maximum 2 hours I'd say ..


Yes, it does raise a lot of questions.

Upload at least two of those files here.


Edited by JSntgRvr, 04 August 2013 - 01:56 PM.

No request for help throughout private messaging will be attended.

Inactive logs for more than four (4) days will be closed

 


#51 MrNobody
  • Members
  • 22 posts

Posted 04 August 2013 - 01:39 PM

It's quite simple. I'm very close to the solution. But: I NEED DirtyDecrypt.exe!!! Anyone, send me a PM with that. (To mod: is PM instead of email OK?)


Edited by MrNobody, 04 August 2013 - 02:23 PM.


#52 JStormrage
  • Members
  • 24 posts

Posted 04 August 2013 - 01:54 PM

P.S. I wondered about a little thing: if the virus really did decrypt all my files, how the heck did it do it so fast? True decrypting would take many hours, especially with 3000 GB, and this happened at a much faster rate, maximum 2 hours I'd say ..

 

I have a theory that the virus just quickly edits the file headers, leaving most of the file content intact but trapped within its code, making it not an encryption, more like a hijack. Doing something like this would be faster than encryption. It probably takes a couple of hours to run through your hard drive.

 

What scares me is the surgical accuracy of the attack, as each extension is different but it targets docs, PDFs and image files.

 

 

It's quite simple. I'm very close to the solution. But: I NEED DirtyDecrypt.exe !!! Send me anyone: removed to protect from spambots. ~ OB

 

Still looking for the virus. Will send you a copy if I find it.


Edited by Orange Blossom, 04 August 2013 - 02:11 PM.


#53 Fabian Wosar (Authorized Emsisoft Representative)
  • Security Developer
  • 744 posts
  • Location:UK

Posted 04 August 2013 - 02:05 PM

Someone already posted a link to the KernelMode discussion about this particular threat:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2861&p=19951

Samples can be found there as well. Though I wouldn't advise anyone to go there and get a copy of the malware unless you know exactly what you are doing.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#54 JStormrage
  • Members
  • 24 posts

Posted 04 August 2013 - 02:54 PM

Here's a response from Microsoft:

At the moment the personal files encrypted on the drive(s) seem to be encrypted with RSA.

There are different types of encryption, so obviously different programs to remove them.
Unfortunately with RSA there is a big problem.
I haven't yet found a decrypter that will rectify this problem.
So at the moment it seems the files may be lost.

I hope they are wrong, and a solution can be found.



#55 MrNobody
  • Members
  • 22 posts

Posted 04 August 2013 - 03:15 PM

The truth is there are a few types of encryption.

 

@JStormrage: Can you send the same e-mail to Kaspersky, Panda, ESET, Norton, etc.?


I've got DirtyDecrypt now. Thx.


Have you found new files on Windows 7/8 in the directory %user%/Applications Data/Microsoft/Crypto/? I didn't have these files (on Windows XP I have them now), or Kaspersky deleted these files.

 

Do you always get the message "Error connecting to server" in DirtyDecrypt.exe?


Edited by MrNobody, 04 August 2013 - 05:35 PM.


#56 huh2
  • Members
  • 5 posts

Posted 05 August 2013 - 02:14 AM

 

P.S. I wondered about a little thing: if the virus really did decrypt all my files, how the heck did it do it so fast? True decrypting would take many hours, especially with 3000 GB, and this happened at a much faster rate, maximum 2 hours I'd say ..

 

I have a theory that the virus just quickly edits the file headers, leaving most of the file content intact but trapped within its code, making it not an encryption, more like a hijack. Doing something like this would be faster than encryption. It probably takes a couple of hours to run through your hard drive.

 

What scares me is the surgical accuracy of the attack, as each extension is different but it targets docs, PDFs and image files.

 

 

Yes, it is possible.
My jpg files have a PNG injected at the beginning; it seems an encrypted segment follows it.
From address 7D000 onward comes more than 80% of the original unencrypted data.
Maybe the files Grinler published are too small, so the virus encrypts all of them.

My jpg files have a size of around 4MB.


#57 Arvind0007
  • Members
  • 17 posts

Posted 05 August 2013 - 03:43 AM

Hello again,

 

Hey JStormrage,

 

Welcome.

 

Did you have a chance to test this on an Office document (.doc or .docx mainly)? Did it work like it did for the Image files?

I got a word document that I desperately need by mid Aug for an application so was wondering if it was possible to make the changes to it and retrieve it back.

 

Regards,
Arvind

 

Yes, I looked over doc files too; the header has been replaced in them also. You can simply open the doc file with Notepad and see that.

 

To fix it, I suspect you only need to put the correct doc or docx file header back and hit Save, that should restore the file. Please make a backup of the file you're experimenting the fix on, I didn't get it working from my first try. 

 

Hi Jad,

 

Will you be able to decrypt a doc file for me using the above method please?

 

Cheers,

 



#58 JStormrage
  • Members
  • 24 posts

Posted 05 August 2013 - 05:42 AM

I can try, please send me the document as PM.



#59 MrNobody
  • Members
  • 22 posts

Posted 05 August 2013 - 07:35 AM



Hello again,

 

To fix it, I suspect you only need to put the correct doc or docx file header back and hit Save, that should restore the file. Please make a backup of the file you're experimenting the fix on, I didn't get it working from my first try. 


 

 

No, that can't work.

The data is the same above 512,000 bytes (the first is 512,001), and that's how this program encrypted so fast. But the other bytes are encrypted! There's no way to use another header or something like that and decrypt the file.

 



#60 Grinler (Lawrence Abrams)
  • Admin
  • 45,168 posts
  • Location:USA

Posted 05 August 2013 - 07:43 AM

No, that can't work.

The data is the same above 512,000 bytes (the first is 512,001), and that's how this program encrypted so fast. But the other bytes are encrypted! There's no way to use another header or something like that and decrypt the file.


Actually the prepended data is different depending on the type of file it is: PNGs for images, XML for DOCX files, the DOC format for DOC files, etc. If we are trying to figure out how fast it encrypted, that has nothing to do with the inserted header. Regardless, my guess is the ransomware runs in the background encrypting for a while before you know it's active. So it could be running for much longer than you think.

Unfortunately the data IS encrypted. I wish it were otherwise.

Has anyone tried to right-click on a file, go into Properties, and select Previous Versions to see if they are recoverable from a shadow copy? Not sure if this infection wipes those or not.

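As an added example, not code from the thread or from any of the posters, here is a Python script that checks the layout described in the last few posts (a decoy signature of another format at the start of the file, original bytes unchanged from offset 0x7D000 = 512,000 onward, everything before that encrypted) on constructed sample files. The 0x7D000 boundary, the PNG/XML decoy signatures and the sample data are assumptions taken from the posts, not verified properties of the malware; the thread also does not say whether the decoy is prepended (growing the file) or overwrites the first bytes, so the sample files keep the original size and the `boundary_confirmed` flag assumes equal sizes. Given a clean copy of the same file (a backup, or a duplicate that was never touched), the script measures exactly how many trailing bytes survived, which is the check that settles the header-swap idea: if the bytes before the boundary have near-8-bit entropy and only the tail matches the clean copy, the head is ciphertext and no header replacement will bring it back.

```python
"""Added example (not code from the thread): check the partial-encryption
layout the posts describe on constructed sample files.

Observations from the thread that this script tests:
  * the damaged file starts with a decoy signature of another format
    (a PNG header on a .jpg, XML on a .docx, ...);
  * bytes from offset 0x7D000 (512,000) onward are the original data,
    everything before that is encrypted.
The boundary value and the decoy signatures are assumptions taken from the
posts.  All sample data is constructed here with a seeded PRNG.
"""
from collections import Counter
from typing import Optional
import math
import random

BOUNDARY = 0x7D000  # 512,000 bytes: the cut-over reported in the thread (assumption)

# Signatures of the decoy headers mentioned in the thread plus common originals.
MAGICS = [
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("JPEG", b"\xff\xd8\xff"),
    ("OLE2 (.doc/.xls)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("ZIP (.docx/.xlsx)", b"PK\x03\x04"),
    ("PDF", b"%PDF-"),
    ("XML", b"<?xml"),
]


def identify_header(data: bytes) -> str:
    """Name of the signature the file starts with, or 'unknown'."""
    for name, magic in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower
    for text.  A JPEG body is compressed, so entropy alone cannot tell an intact
    JPEG tail from ciphertext; that is what the reference comparison is for."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_suffix_len(a: bytes, b: bytes) -> int:
    """Number of trailing bytes identical in both buffers (binary search on the length)."""
    lo, hi = 0, min(len(a), len(b))
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if a[len(a) - mid:] == b[len(b) - mid:]:
            lo = mid
        else:
            hi = mid - 1
    return lo


def triage(damaged: bytes, original: Optional[bytes] = None, boundary: int = BOUNDARY) -> dict:
    """Report what a damaged file looks like before/after the boundary and,
    given a clean copy of the same file, how much of its tail survived."""
    head, tail = damaged[:boundary], damaged[boundary:]
    report = {
        "header": identify_header(damaged),
        "size": len(damaged),
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
    }
    if original is not None:
        matched = common_suffix_len(damaged, original)
        tail_len = len(damaged) - boundary
        report["tail_matches_original"] = matched
        report["recoverable_fraction"] = round(matched / len(original), 3) if original else 0.0
        # Every byte from the boundary onward is the original's (equal sizes assumed).
        report["boundary_confirmed"] = tail_len > 0 and matched >= tail_len
    return report


def build_samples():
    """Constructed data: a pseudo-JPEG and a pseudo-DOC, each with a damaged copy
    laid out as the thread describes (decoy header, random bytes up to BOUNDARY,
    original bytes after it)."""
    rng = random.Random(1)
    jpeg = b"\xff\xd8\xff\xe0" + rng.randbytes(700_000)  # compressed-looking payload
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly report text. " * 30_000

    def damage(orig: bytes, decoy: bytes) -> bytes:
        return decoy + rng.randbytes(BOUNDARY - len(decoy)) + orig[BOUNDARY:]

    return jpeg, damage(jpeg, b"\x89PNG\r\n\x1a\n"), doc, damage(doc, b'<?xml version="1.0"?>')


if __name__ == "__main__":
    jpeg, jpeg_dmg, doc, doc_dmg = build_samples()
    for label, dmg, orig in (("jpeg", jpeg_dmg, jpeg), ("doc", doc_dmg, doc)):
        print(label, triage(dmg, orig))
```

Entropy alone is not enough for compressed formats: a JPEG body already sits near 8 bits per byte, so the intact tail of a .jpg looks as random as the encrypted head, and only the comparison with a clean copy separates them. For a .doc the text tail sits far below 8, so the split is visible even without a reference. Either way, the bytes before the boundary read as ciphertext, which is why restoring the correct header on its own cannot recover the file.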


