Bitcrypt Ransomware Support and Help Topic


244 replies to this topic

#1 Comdark.Bubnix (Members, 56 posts, Location: Indonesia)
Posted 05 March 2014 - 01:09 AM

Hello. I am from Indonesia. Firstly, very sorry if my English isn't good at all.

To the point: my friend's computer has been hit with Bitcrypt, a new type of ransomware. I said new because I have never seen this type before.

Data on his computer have an extra extension, e.g. blabla.jpg.bitcrypt, blabla.xls.bitcrypt, etc.

Info that I have so far:

1. He said he already used the decryptors from Kaspersky, and the result is that none of them can recover his encrypted data.

2. He also mentioned that he found bitcrypt.txt on his computer, but sadly he already erased it. Well, I thought it could be useful for analysis here.

This is the interesting part: he was already googling and found this web page: http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken

On that page, it says:

> This is definitely not a 1024 bits key! The number has 128 digits, which could indicate a (big) mistake from the malware author, who wanted to generate a 128 bytes key.
>
> Finally, we simply deal with RSA-426 encryption, which can easily be broken on a standard PC in a matter of hours.

They also write this:

> With such factors, we could build a Python script implementing all the cryptographic operations to decipher the encrypted files, and save the precious pictures. Such a Python script is available on our bitbucket repository.

This is the download link to a sample of my friend's data: http://www.mediafire.com/download/j4nwtxba5kj45jo/Bitcrypt.rar

I really need help to recover my friend's data, please...

If what that page says is true, then please help: how do I get that decryptor for this Bitcrypt?


Edited by Orange Blossom, 05 March 2014 - 02:12 AM.
Moved to AII. ~ OB



#2 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 03:53 AM

Ok, I'm into it and I'll tell you my findings as soon as I can.

#3 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 04:22 AM

Yes, it's broken. You'll need to install Python on a powerful computer to break the encryption and run the script on an encrypted file. Sadly, I couldn't download the script yet because I have no computer near me at this time, and I don't know exactly how to decode the base-64 key, so I'll need your bitcrypt configuration file to get yours and figure it out. According to this, it should be placed at %appdata%\bitcrypt.ccw. Without it, I'm afraid that I won't be able to do anything.


Edited by Dalicar, 05 March 2014 - 05:17 PM.


#4 ZkyVodka (Members, 3 posts)
Posted 05 March 2014 - 05:45 AM

I have sent bitcrypt.ccw to Comdark.Bubnix.
Thanks for your help, Mr. Dalicar ^_^


Edited by ZkyVodka, 05 March 2014 - 06:16 AM.


#5 Comdark.Bubnix (Topic Starter; Members, 56 posts, Location: Indonesia)
Posted 05 March 2014 - 06:30 AM

> Yes, it's broken. You'll need to install Python on a powerful computer to break the encryption and run the script on an encrypted file. Sadly, they don't explain how to decode the key, so I'll need your bitcrypt configuration file to get yours. According to this, it should be placed at %appdata%\bitcrypt.ccw. Without it, I'm afraid that I can't do anything.

Thanks so much for coming here.

First, the ID ZkyVodka above is my friend who got hit by this Bitcrypt virus. I am here also to help him.

This link contains the file bitcrypt.ccw that you asked for: http://www.mediafire.com/download/iu4flsx19nbtaro/bitcrypt(2).rar

Please help us.

I also want to ask:

From the sample that I posted in post number one, are the files really encrypted like CryptoLocker? Or is it just pretend encryption like CryptorBit?



#6 ZkyVodka (Members, 3 posts)
Posted 05 March 2014 - 06:38 AM

 

Thank you so much Comdark.Bubnix



#7 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 12:22 PM

Hello again.

 

Please be patient. I'm digging into this.



#8 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 05:06 PM

Well, I'll explain this as easily as I can. Just follow the steps and you'll be fine.

I hope you can access a Linux box or virtual machine, because you'll most probably need one. (Maybe a Mac will do too, but I don't know because I'm not a Mac user.)

First of all, install Python 3.2 or greater. If your Linux distribution does not install the sqlite3 module, you must locate it and also install it by hand.

Then, RIGHT CLICK on this link and select download destination as... "decrypt.py":

https://bitbucket.org/cybertools/malware_tools/raw/fa4ec9df293b2504a1fa8691c91f006f32acb8bc/bitcrypt/decrypt.py

Run the script on any of your encrypted files:

python ./decrypt.py "MY ENCRYPTED PICTURE.jpg.bitcrypt"

This will show you an error, because your key is not known yet. It will provide your decoded key so you can break it using another tool.

How? Download this:

https://gforge.inria.fr/frs/download.php/33131/cado-nfs-2.0.tar.gz

Decompress: open a shell prompt, go to wherever the downloaded file is, and then run the following command:

tar zxvf cado-nfs-2.0.tar.gz

This will extract all the files to a new cado-nfs-2.0 folder.

Go to that folder and compile:

cd cado-nfs-2.0
make

Run the key cracker. This will take several HOURS (maybe DAYS) to complete:

./factor.sh YOUR_KEY_WHICH_IS_A_VERY_LONG_SERIES_OF_DIGITS_PROVIDED_BEFORE_BY_THE_DECRYPTING_SCRIPT -s 4 -t 6

If all goes well, the output will read as follows:

Info:Complete Factorization: Total cpu/real time for everything: xxxx/yyyy
LONG_NUMBER_1 LONG_NUMBER_2

Open decrypt.py in a TEXT EDITOR.

Locate the block:

known_keys = { many long numbers
}

Add, before that "}", the following line:

YOUR KEY, as provided by the previous call, a COLON, OPEN PARENTHESIS, FIRST LONG NUMBER, COMMA, SECOND LONG NUMBER, CLOSE PARENTHESIS.

For instance, let's suppose that your key is 123, the first number "456" and the second "789". You'll add this:

123: (456, 789),

Don't worry. You're almost done. This needs to be performed only ONCE.

Now you are ready to decode ANY file in your computer (not others, which will have different keys that will need to be cracked as well):

python ./decrypt.py "MY ENCRYPTED PICTURE.jpg.bitcrypt"

This should work and generate "MY ENCRYPTED PICTURE.jpg.bitcrypt.clear".

RENAME the output:

mv "MY ENCRYPTED PICTURE.jpg.bitcrypt.clear" "MY ENCRYPTED PICTURE.jpg"

Try to open it. It should be fully decrypted and working now. Repeat the process.


#9 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Location: Florida)
Posted 05 March 2014 - 05:09 PM

Bitcrypt is no longer broken. The first variant was, because the author made a huge mistake and this allowed it to be broken through factoring the key. But the second variant, I would assume, has this fixed, and it looks to me that you do not have the first variant.

We won't know for sure until we can get a new sample.


Have you performed a routine backup today?

#10 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Location: Florida)
Posted 05 March 2014 - 05:11 PM

Dalicar,

I already attempted to factor his files on an i7 Debian machine, with no luck. It took 38 hours to attempt to factor the key, but alas, at the end the factoring script failed.

#11 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 05:38 PM

> Dalicar,
>
> I already attempted to factor his files on an i7 Debian machine, with no luck. It took 38 hours to attempt to factor the key, but alas, at the end the factoring script failed.

Is this the key you tried?

85310107995719376929730792485227945512294584839511031837783551443646971297915249149983962091126708921644951193108011775791399531

It's the decoded version of PqNi3fvQtDDHIGHQ1BEx=N23arLWZktS=eHAVPkbG6P3eY6tmRw8MjADVXjUji24X8vLyEV

If that's actually the key (it may not be), it's still 128 digits, so RSA-426 as said in the original post.

I'd like to give it a shot but, regrettably, I don't have enough oomph around to try it myself.



#12 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Location: Florida)
Posted 05 March 2014 - 05:41 PM

Well, it's a different AES key per file. But that is correct, it is one. But it doesn't result in anything when factored. And it's quite easy to try if you want, even on a less than decent computer; it will just take a while. Install Debian on it and Python and have at it. You will also need the crypto libs.

#13 Dalicar (Members, 113 posts, Location: Nth Dimension)
Posted 05 March 2014 - 05:57 PM

But those three files have the same block:

<IDPubKey++>PqNi3fvQtDDHIGHQ1BEx=N23arLWZktS=eHAVPkbG6P3eY6tmRw8MjADVXjUji24X8vLyEV<IDPubKey-->

And that's the pub key also in the config file %appdata%\bitcrypt.ccw, which is unique.

It looks like the same variant, so it should work. But my best Linux box is a several-years-old dual-core Xeon HP server with only 1 GB of DDR2 RAM (you know, I just don't need anything more powerful for my line of work), and I can't run any processor-intensive jobs on it because it handles essential corporate processes which don't need much power, but uptime.
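The key-handling part of the procedure Dalicar lays out in post #8 (decrypt.py stops with an error that hands you the decoded modulus, CADO-NFS prints two factors, and you paste `n: (p, q)` into `known_keys`), together with the 128-digit vs 128-byte size check from the Cassidian post quoted in #1 and the decoded modulus Dalicar posted in #11 and #13, as an added worked example. This is editor-written code, not decrypt.py and not anything posted in this thread, and it does not reproduce the real .bitcrypt file format. It assumes a public exponent of 65537 and textbook RSA wrapping of the per-file key, neither of which the thread states; the 3233 = 61 × 53 toy modulus at the end is constructed here only so the flow can run to completion, since the real 128-digit modulus cannot be factored inside a script.

```python
"""Editor-added example: the known_keys lookup / rebuild-d-from-factors flow
that post #8 describes, plus the modulus-size check behind "128 digits, not
128 bytes" from the Cassidian post. Not decrypt.py, not code from the thread.

Assumptions (not stated on the page): e = 65537, and the per-file key is
wrapped with textbook RSA (c = m^e mod n). The file format itself is not
handled here.
"""
from math import gcd

# The 128-digit number Dalicar posted in #11 (decoded from the IDPubKey block).
N_FROM_THREAD = int(
    "85310107995719376929730792485227945512294584839511031837783551443646"
    "971297915249149983962091126708921644951193108011775791399531"
)

PUBLIC_EXPONENT = 65537  # assumption; decrypt.py knows the real value


class KeyNotFactored(Exception):
    """Raised when n is not in known_keys; the message carries n for CADO-NFS."""


def modulus_bits(n: int) -> int:
    """Bit length of the modulus: a 128-digit number is ~425-426 bits,
    while a genuine 128-byte modulus would be 1024 bits."""
    return n.bit_length()


def looks_factorable(n: int) -> bool:
    """True when the modulus is in the few-hundred-bit range the Cassidian
    post broke, i.e. worth handing to CADO-NFS at all."""
    return modulus_bits(n) < 512


def private_exponent(n: int, p: int, q: int, e: int = PUBLIC_EXPONENT) -> int:
    """Rebuild d from the two factors CADO-NFS prints; rejects bad factors."""
    if p * q != n:
        raise ValueError("factors do not multiply to the modulus")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def unwrap_file_key(wrapped: int, n: int, known_keys: dict,
                    e: int = PUBLIC_EXPONENT) -> int:
    """Recover the per-file key from its RSA wrapping via known_keys[n] = (p, q).
    Mirrors the 'error that provides your decoded key' behaviour in post #8."""
    if n not in known_keys:
        raise KeyNotFactored(
            f"modulus not factored yet ({modulus_bits(n)} bits); run\n"
            f"  ./factor.sh {n} -s 4 -t 6\n"
            f"and add  {n}: (p, q),  to known_keys"
        )
    p, q = known_keys[n]
    d = private_exponent(n, p, q, e)
    return pow(wrapped, d, n)


# Constructed toy instance (NOT the victim's key): p=61, q=53, e=17 gives d=2753.
TOY_N, TOY_P, TOY_Q, TOY_E = 3233, 61, 53, 17


def demo() -> dict:
    """Run the whole flow on the toy modulus and report each stage."""
    known_keys = {}
    wrapped = pow(65, TOY_E, TOY_N)  # 65 stands in for a per-file key
    report = {}
    try:
        unwrap_file_key(wrapped, TOY_N, known_keys, TOY_E)
    except KeyNotFactored as err:
        report["first_run"] = str(err)      # the step that sends you to CADO-NFS
    known_keys[TOY_N] = (TOY_P, TOY_Q)      # what post #8 says to paste in
    report["recovered"] = unwrap_file_key(wrapped, TOY_N, known_keys, TOY_E)
    report["thread_modulus_bits"] = modulus_bits(N_FROM_THREAD)
    return report


if __name__ == "__main__":
    print(demo())
```

Run it with `python3` (3.8 or newer, for the three-argument `pow` inverse; that is a tighter requirement than the 3.2 mentioned in post #8). The size check is the quick way to tell the two cases in this thread apart before burning CPU days: the number from #11 is 425 bits, so it is in the range the Cassidian post factored, whereas a modulus that really is 128 bytes would come out at 1024 bits and no amount of CADO-NFS time will help.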



#14 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Location: Florida)
Posted 05 March 2014 - 06:01 PM

Yes, the public ID is always the same, but the AES key is not. Which in variant one is useless, but in variant 2 may be relevant.

#15 Comdark.Bubnix (Topic Starter; Members, 56 posts, Location: Indonesia)
Posted 05 March 2014 - 06:04 PM

> Well, I'll explain this as easily as I can. Just follow the steps and you'll be fine.

Can you confirm that these steps will actually work? Have you tried them on my sample?

> Dalicar,
>
> I already attempted to factor his files on an i7 Debian machine, with no luck. It took 38 hours to attempt to factor the key, but alas, at the end the factoring script failed.

38 hours with no luck... very sorry if my case is wasting your precious time.

Emm, by factoring, you mean you already took the steps Dalicar wrote above? And the result is no luck?

These are my questions for Dalicar and DecrypterFixer.

1. Your best guess: is this Bitcrypt that hit my friend's computer the first variant, which is crackable, or the second variant, which is impossible to crack? If this case is really the second variant, then what will I do? Just keep my data and wait for a miracle someday, like the CryptoLocker victims?

2. I have had CryptoPrevent installed on my computer since January to prevent CryptoLocker (but my friend ZkyVodka did not install CryptoPrevent), and recently I read DecrypterFixer's post that CryptoPrevent will also work against CryptorBit. So now, will CryptoPrevent maybe also work for this Bitcrypt virus?





