
SuperCrypt Ransomware Support and Help Topic - HOW-TO-DECRYPT-FILES.txt


62 replies to this topic

#1 Valerio Ferri

Valerio Ferri

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 14 October 2014 - 02:18 PM

This post was edited to include information about the SuperCrypt Ransomware in the first post of the topic.

- Lawrence Abrams (Grinler)


 

In the middle of October, reports have been coming into this topic about a new ransomware that encrypts local data and data on mapped drives. Once a file is encrypted, it will change the file's extension to .SUPERCRYPT and leave a ransom note titled HOW-TO-DECRYPT-FILES.txt on the desktop. This ransom note will contain a unique infection ID for the computer and instructions to send this ID as well as an encrypted file to the malware developer at supercrypt@mailer9.com. The malware developer will decrypt your submitted file as proof that they can do so and then send you back payment instructions. The current ransom is 300 Euros and can be paid in the form of Ukash vouchers or by sending 1 bitcoin. Victims who have paid the ransom were sent a decryption program that was able to decrypt their files.

It appears that computers are becoming infected by manual hacking of remote desktop or terminal services on the affected computer. Once the malware dev has access, they will install SuperCrypt on the compromised computer and begin the encryption process. The developer will then remove malware samples when the encryption has been completed. From early reports, it appears that the computers being targeted are currently located in Europe.

The text of the ransom note is:
 

If you're reading this text file, then ALL your FILES are BLOCKED with the most strongest military cipher.

All your data - documents, photos, videos, backups - everything in encrypted.

The only way to recover your files - contact us via supercrypt@mailer9.com

Only WE have program that can completely recover your files.

Attach to e-mail:
1. Text file with your code ("HOW TO DECRYPT FILES.txt")
2. One encrypted file (please dont send files bigger than 1 MB)

We will check your code from text file and send to you OUR CONDITIONS and your decrypted file as proof that we actually have decrypter.

Remember:
1. The FASTER you'll CONTACT US - the FASTER you will RECOVER your files.
2. We will ignore your e-mails without attached code from your "HOW TO DECRYPT FILES.txt"
3. If you haven't received reply from us - try to contact us via public e-mail services such as Yahoo or so.


====================
A4A14D4E4445416ACE4AA0AD4A494AB8AB5B94EC01409BBA15D8A144B19D7CA9
0E968400D66C59CD841A8BBA446D74BA1C6DDE464B4E404554C4499B844006CA
D0ACBEE444AD5A1A4B9E105E4A54B06DC680B5C8987640B8A4CA194AAE496044
4EAC46647B1DDD8CA4479AE691CEBB644BE605B7A8A69A548914DB94456CCAC1
1B4454441544454644841454184B6CD909068484068A840B098C0600040A0A0B0
====================


An image of the decryptor is:
 

decryptor.jpg


Edited by Grinler to include info in the first post
 

Hello everyone,
Someone has unfortunately run into a virus that spreads across the network (servers, PCs, NAS, shared folders) and renames the extension of some files (such as xls, pdf, exe, etc.) to .SUPERCRYPT.

I have searched everywhere on the internet, but nobody is able to decrypt the affected files for me.

Can you help me please???
Please help!

Thanks a lot

Edited by Grinler, 21 October 2014 - 01:21 PM.
Edited by grinler to include info on SuperCrypt
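
A scoping check built on the indicators described in the post above, added here as an example and not part of the original topic: it walks a directory tree, counts files carrying the .SUPERCRYPT extension per folder, and pulls the infection ID out of any ransom note it finds. The function names, the sample tree and the sample ID are constructed, and joining the ID lines into one string is an assumption about how the ID is meant to be read.

```python
import os
import re
import tempfile
from collections import Counter

ENC_EXT = ".supercrypt"   # extension named in the post, compared case-insensitively
NOTE_RE = re.compile(r"^how[- ]to[- ]decrypt[- ]files\.txt$", re.I)  # both spellings on the page
RULE_RE = re.compile(r"^={10,}$")      # '=' rules that bracket the ID in the note
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def extract_infection_id(note_text):
    """Return the hex ID between the two '=' rules (lines joined: an assumption), else None."""
    inside, parts = False, []
    for line in note_text.splitlines():
        line = line.strip()
        if RULE_RE.match(line):
            if inside:
                return "".join(parts) or None
            inside = True
        elif inside and line:
            if not HEX_RE.match(line):
                return None          # block is not the expected hex ID
            parts.append(line)
    return None                      # no closing rule found

def scope(root):
    """Count encrypted files per directory and map each ransom note to its ID."""
    encrypted, notes = Counter(), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENC_EXT):
                encrypted[dirpath] += 1
            elif NOTE_RE.match(name):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    notes[path] = extract_infection_id(fh.read())
    return encrypted, notes

def demo():
    """Scan a constructed sample tree (file names and ID are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for n in ("budget.SUPERCRYPT", "scan.SUPERCRYPT", "untouched.txt"):
            open(os.path.join(root, n), "wb").close()
        with open(os.path.join(root, "HOW-TO-DECRYPT-FILES.txt"), "w") as fh:
            fh.write("contact us\n" + "=" * 20 + "\nA1B2C3\nD4E5F6\n" + "=" * 20 + "\n")
        enc, notes = scope(root)
        return sum(enc.values()), sorted(notes.values())

if __name__ == "__main__":
    print(demo())
```

Pointing `scope()` at each local volume and mapped drive gives a per-folder count of affected files to compare against backups, and the ID shows whether notes on different machines come from the same infection.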



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:13 AM

Posted 14 October 2014 - 04:15 PM

Welcome, Valerio Ferri.

I have reported this to our security colleagues who specialize in crypto malware ransomware, with a link to this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:13 AM

Posted 14 October 2014 - 04:23 PM

Do you have any samples of malware? Any idea how you became infected?

#4 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:05:13 PM

Posted 14 October 2014 - 07:15 PM

Maybe SuperCrypt 1.0 Libre > to MS ransomware?

http://it.downloadv.com/download-Supercrypt-131089.htm
Supercrypt 1.0 https://translate.google.com.au/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fit.downloadv.com%2Fdownload-Supercrypt-131089.htm&sandbox=1


https://www.quag.com/it/thread/16310/estorsione-da-virus-informatico/
https://translate.google.com.au/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=ISO-8859-1&u=https%3A%2F%2Fwww.quag.com%2Fit%2Fthread%2F16310%2Festorsione-da-virus-informatico%2F&edit-text=
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#5 Valerio Ferri

Valerio Ferri
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 15 October 2014 - 09:54 AM

Good evening and thank you all for your interest.

I tried https://www.decryptcryptolocker.com/, but nothing.

How can I post an encrypted file??

Thanks again



#6 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:05:13 PM

Posted 15 October 2014 - 06:53 PM

Hi Valerio,

I tried https://www.decryptcryptolocker.com/, but nothing.

That does not work with https://www.decryptcryptolocker.com/ as you have a different infection.

How can I post an encrypted file??

You can upload the sample. http://www.bleepingcomputer.com/submit-malware.php?channel=3

Read this, https://www.quag.com/it/thread/16310/estorsione-da-virus-informatico/
 



#7 Valerio Ferri

Valerio Ferri
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 16 October 2014 - 04:42 AM

Thanks, just done



#8 jamez2b

jamez2b

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 17 October 2014 - 02:19 AM

Do you have any samples of malware? Any idea how you became infected?

Hi, we have the same attack on our 2003 TSE server; unfortunately we can't find a solution to decrypt our files. I can send you samples of an original and an encrypted file and the instructions left, if you can help us.

 

Best regards.



#9 Valerio Ferri

Valerio Ferri
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 17 October 2014 - 08:49 AM

Unfortunately I have not solved it



#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:13 AM

Posted 17 October 2014 - 09:20 AM

We need more details. Does anyone have any samples of the malware that infected you? Are there ransom notes? If so, please submit everything to http://www.bleepingcomputer.com/submit-malware.php?channel=3.

No need to send encrypted files right now. We need the ransom notes and the malware files first.

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:13 AM

Posted 19 October 2014 - 03:32 PM

Someone sent me a decryptor.exe. How did you get that? Please contact me via PM. Want more info before I run it

Thank you

#12 Valerio Ferri

Valerio Ferri
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 20 October 2014 - 05:04 AM

Hello everyone.

Does nobody have a solution for this??

Thanks a lot



#13 keysteal

keysteal

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 20 October 2014 - 05:53 AM

Hi Valerio, I sent a message to the ADMIN Grinler, let's see if they can make sense of it.



#14 js2017

js2017

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 20 October 2014 - 06:28 AM

Hello all, I also have a customer with the same problem. I think I managed to find the original EXE file which started the encryption, tried to execute it in a VM, and saw that it was password protected. Is it of any use if I send it to someone to investigate?

 

Also, can I try the decryptor?



#15 keysteal

keysteal

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 20 October 2014 - 07:04 AM

No you can't, every decryptor.exe is compiled with a unique key.

 

 

 

Hello all, I also have a customer with the same problem. I think I managed to find the original EXE file which started the encryption, tried to execute it in a VM, and saw that it was password protected. Is it of any use if I send it to someone to investigate?

 

Also, can I try the decryptor?





