
HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic


1728 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,889 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:00 PM

Posted 16 December 2013 - 07:17 PM

There is a new ransomware called HowDecrypt or Cryptorbit that has been released that encrypts your files and requires a $500 USD or .5 Bitcoin ransom in order to get a decrypter. This ransomware will encrypt data on your computer and then place howdecrypt.txt and howdecrypt.jpg files inside of each folder with instructions on how to decrypt the files.

At this point we do not have any samples in order to analyze the infection and provide advice. If you are infected with this ransomware, please submit any samples using the following url: http://www.bleepingcomputer.com/submit-malware.php?channel=163

The contents of the HowDecrypt.txt file are similar to:
 

All files including videos, photos and documents on your computer are encrypted.

File Decryption costs ~ $ 500.

In order to decrypt the files, you need to perform the following steps:
1. You should download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

Guaranteed recovery is provided within 10 days.

IMPORTANT INFORMATION:

Your Personal CODE: 00000001-xxxxxx


When you visit the decryption page on TOR, you will be presented with a site that allows you to pay the ransom using .5 Bitcoins or by submitting a $500 USD MoneyPak, PaySafeCard, or Ukash voucher.
 

tor-decryption-service-2-11-14.jpg


The contents of the TOR payment site are:
 
We are present a special software - CRYPTORBIT DECRYPTOR - which is allow to decrypt and return control to all your encrypted files.

We accept payment in Bitcoin. Please enter in form below your Personal Code (you can find it in HOWDECRYPT.txt file) to get price for decryptor:

Personal Code:		

How to buy CRYPTORBIT decryptor?

1. First, you should register Bitcon wallet (click here for more information with pictures)

2. Purchasing Bitcoins - Although it's not yet easy to buy bitcoins, it's getting simpler every day. Here are our recommendations:

    LocalBitcoins.com - This fantastic service allows you to search for people in your community willing to sell bitcoins to you directly.
    How To Buy Bitcoins - An international directory of bitcoin exchanges.
    Cash Into Coins - Recommended for fast, simple service.
    Coinbase - Bitcoin exchange based in the United States. (Highly rated).
    BitStamp - A multi currency bitcoin exchange based in Slovenia. (Highly rated).
    MtGox - A multi currency bitcoin exchange based in Japan
    CoinJar - CoinJar allows direct bitcoin purchases on their site. They're based in Australia but serve an international clientele.

3. Transfer BTC to our wallet: 12GZoiAdcUubEwtArg1MApKB5uazpVneih

4. Complete the form below and click Submit.

5. Within 24 hours you will receive email containing archive with CRYPTORBIT decryptor. Simply run decryptor and wait until decryption proccess finished. After this operation is finished all your files will be decrypted.
Please, submit this form only after successful payment.
Note: Personal Code - you can find in HOWDECRYPT.txt file.
Note: Transaction ID - you can find in detailed info about transaction you made. Check it twice. We can't verify your payment if you fill it with incorrect transaction id.
Reports state that once you submit the money, you will receive an email with an attached decrypter that you can use to decrypt your files.

Edited by Grinler, 11 February 2014 - 03:52 PM.
Added Cryptorbit info



#2 ahibj8

ahibj8

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:00 AM

Posted 16 December 2013 - 08:28 PM

Hi, I have uploaded a sample from a customer's desktop.

I have been able to decrypt some photos using rakhnidecryptor.exe and rectordecryptor.exe from Kaspersky.

 

ad561ef86f8b700e.jpg to ad561ef86f8b700e.decryptedKLR.jpg



#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,889 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:00 PM

Posted 16 December 2013 - 08:32 PM

Do you have the infection samples by any chance?

#4 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 733 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:00 PM

Posted 16 December 2013 - 08:35 PM

> Hi, I have uploaded a sample from a customer's desktop.
>
> I have been able to decrypt some photos using rakhnidecryptor.exe and rectordecryptor.exe from Kaspersky.
>
> ad561ef86f8b700e.jpg to ad561ef86f8b700e.decryptedKLR.jpg

The files you uploaded are both unencrypted. Can you check that you didn't mix the files up? :)


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 mg23

mg23

  • Members
  • 495 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:00 PM

Posted 16 December 2013 - 09:27 PM

Does your customer know how they were infected?  Email?



#6 jb75

jb75

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:00 PM

Posted 17 December 2013 - 08:29 AM

I just uploaded 3 possible virus files.



#7 JDGR

JDGR

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 22 December 2013 - 06:08 AM

Hello,
A close friend of mine was infected 3 days ago. So far we haven't found any means of recovery, and Kaspersky's as well as Panda's decryptors don't work.
We also uploaded a sample here last night.
BUT I think I have quasi-good news.
It seems to me that the files are not encrypted. I opened a jpeg in a hex editor and the only thing I am sure was jumbled up was the header. So I downloaded a jpeg repair utility like those used by photographers when their photos have a problem. The program was able to recover a thumbnail of the image but stopped before completing. This strengthens my view that it is not an encryption (otherwise please inform me about an unbreakable encryption that can encrypt 1 TB of data in less than an hour) but a nice scary way to take money from people.
I advised my friend not to pay them and be a little patient until a "decryptor" program gets issued. Myself, I will try to see if I can write a MATLAB script that takes a healthy header and pastes it on a "broken" file. (Not my cup of tea, so not much hope that I'll do it, but hey, it's Sunday, I can spare the time and my friend is in need).
My greetings to everybody.

#8 realcruelworld

realcruelworld

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 24 December 2013 - 05:07 AM

They're now asking only 0.1 BTC :(
I paid 0.5

injustice



#9 Quads

Quads

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:07:00 AM

Posted 24 December 2013 - 04:29 PM

> They're now asking only 0.1 BTC :(
> I paid 0.5
>
> injustice

It is to do with the exchange rate of BTC to USD changing over the months: 0.5 BTC = how many USD at that time, 0.1 BTC = how many USD now.



#10 JDGR

JDGR

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 25 December 2013 - 02:26 AM

I've got some news. The virus changes only the first 512 bytes of each file. The algorithm used is a minimum length constant value XOR cipher, so it is not the simplest thing but not in any way unbreakable (frequency analysis can do it, along with some samples of original and encrypted files). IT SURE CAN BE DECRYPTED, so it is only a matter of time until somebody issues a decryptor. Don't worry guys, it is not that bad, and most important, DON'T PAY THEM

Edited by JDGR, 25 December 2013 - 02:28 AM.


#11 Lord_Palethorn

Lord_Palethorn

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 25 December 2013 - 05:54 PM

I have a client infected on 22 December. I made a backup of these files, waiting for some solution. It's definitely not a real encryption, as it's about 80 GB of data "encrypted" in a couple of seconds.
They ask $50 here, not 500 :).



#12 TheAlexPanther

TheAlexPanther

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 26 December 2013 - 05:17 AM

Hi, first time here. I got the virus on the 19th, and confirm what Lord posted: I got the $50 type and I was present at the infection time. I saw the external HD working; about 300 GB was encrypted in a few seconds (both internal C: and external). I didn't turn it off so as not to break the HD. I did use Kaspersky RectorDecryptor and it worked for only a few files, not for all.

So I hope there will very soon be a definitive tool to decrypt it.

 

Merry Christmas to all friends   



#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,889 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:00 PM

Posted 26 December 2013 - 12:59 PM

Still waiting for samples of the virus itself. If anyone still has the infection files, please submit them to:

http://www.bleepingcomputer.com/submit-malware.php?channel=163

Please do not submit any encrypted files. We have enough of those.

#14 Quads

Quads

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:07:00 AM

Posted 26 December 2013 - 01:11 PM

Even if someone only has an MD5 or SHA hash for a sample, that would help in tracking the file(s) down.

 

Quads



#15 stavrino

stavrino

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 28 December 2013 - 09:21 PM

Grinler, what do you mean by "infected files"?

 

I have a backup version of many clean files (before infection) and a version of the same files after infection.

I also can retrieve the mlhl.exe that probably did the whole mess. The Trojan was found in that file.

 

The size of each infected file is 0.5 KB more than the size of its clean file.

I opened an xlsx file with a Hex Editor and found that a number of bytes were added at the start and at the end of the file, whereas a number of bytes were deleted.
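The observations in this thread (JDGR's "only the first 512 bytes change, via a constant-key XOR", stavrino's "each file grew by 0.5 KB, with bytes added at the start and the end", and JDGR's earlier idea of grafting a healthy header onto a broken file) all come down to one check a responder can run on a clean backup and its damaged twin before deciding on a recovery route. The Python below is an added example written for this thread; it is not code from any poster, from Kaspersky, or from the ransomware. `diff_regions` reports where the two versions diverge and by how much the size changed, `recover_xor_key` does the known-plaintext recovery of a repeating XOR key under JDGR's model and returns `None` when a pair does not fit it (the length-changed case stavrino describes, where header repair rather than XOR would be the next step), and `xor_head` applies a recovered key to another file. The function names, the 512-byte span, the key and the sample files are all constructed assumptions.

```python
# Added example for this thread (not code from any poster or from the malware).
# Assumptions taken from the posts above, not verified here:
#   - JDGR (#10): only the first 512 bytes change, via a repeating-key XOR
#   - stavrino (#15): some pairs differ in length (bytes added at start/end)
# All sample data below is constructed; no real samples are used.
from typing import Dict, Optional, Tuple

SPAN = 512  # assumed affected region, per JDGR's post


def diff_regions(clean: bytes, damaged: bytes) -> Dict[str, object]:
    """Report where a clean file and its damaged twin diverge.

    Gives the size delta, the length of the identical prefix and suffix,
    and the byte range of the damaged file that the clean file does not
    explain. A pair that fits JDGR's model shows size_delta 0, prefix_match 0
    and changed_range (0, 512); stavrino's pairs show a positive size_delta.
    """
    limit = min(len(clean), len(damaged))
    prefix = 0
    while prefix < limit and clean[prefix] == damaged[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and clean[-1 - suffix] == damaged[-1 - suffix]:
        suffix += 1
    return {
        "size_delta": len(damaged) - len(clean),
        "prefix_match": prefix,
        "suffix_match": suffix,
        "changed_range": (prefix, len(damaged) - suffix),
    }


def xor_head(data: bytes, key: bytes, span: int = SPAN) -> bytes:
    """XOR the first `span` bytes with a repeating key; the tail is untouched.

    XOR is its own inverse, so the same routine builds the constructed
    sample and repairs a damaged file once the key is known.
    """
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:span]))
    return head + data[span:]


def recover_xor_key(clean: bytes, damaged: bytes, span: int = SPAN) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key over the first `span` bytes.

    clean XOR damaged yields the keystream directly; the key is its shortest
    repeating unit. Returns None when the pair does not fit the model
    (different lengths, or differences beyond `span`), which is the case
    stavrino describes and where header grafting, not XOR, would apply.
    """
    if len(clean) != len(damaged) or clean[span:] != damaged[span:]:
        return None
    n = min(span, len(clean))
    stream = bytes(c ^ d for c, d in zip(clean[:n], damaged[:n]))
    for period in range(1, n + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return None  # not reached: period == n always matches


# --- constructed samples (hypothetical key and file contents) ------------------
DEMO_KEY = b"\x5a\x13\xc7\x88"                                    # made-up key
CLEAN_DOC = b"%PDF-1.4 constructed sample document body " * 40   # 1680 bytes
CLEAN_IMG = b"GIF89a constructed sample image payload " * 30     # 1200 bytes


def demo() -> Tuple[Optional[bytes], bool, Optional[bytes]]:
    """Run the triage on the constructed pairs and return the checkable results."""
    damaged_doc = xor_head(CLEAN_DOC, DEMO_KEY)
    key = recover_xor_key(CLEAN_DOC, damaged_doc)           # recovered from one pair...
    damaged_img = xor_head(CLEAN_IMG, DEMO_KEY)
    img_ok = key is not None and xor_head(damaged_img, key) == CLEAN_IMG  # ...reused on another
    grown = b"\x00" * 256 + CLEAN_DOC + b"\xff" * 256       # stavrino-style pair, +512 bytes
    no_key = recover_xor_key(CLEAN_DOC, grown)              # model does not fit -> None
    return key, img_ok, no_key


if __name__ == "__main__":
    key, img_ok, no_key = demo()
    print("recovered key:", key.hex() if key else None)
    print("second file repaired with the same key:", img_ok)
    print("length-changed pair fits the XOR model:", no_key is not None)
    print("diff of the length-changed pair:",
          diff_regions(CLEAN_DOC, b"\x00" * 256 + CLEAN_DOC + b"\xff" * 256))
```

On a real incident the inputs would be a file from the pre-infection backup and its post-infection copy; run `diff_regions` first, and only try `recover_xor_key` when the sizes match and the changed range stays inside the head of the file. A `None` result is the useful signal here: it says the pair is not a plain in-place XOR, so the header-repair route JDGR mentioned is the one to pursue.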





