decryption util for fbi et al ransomware??


42 replies to this topic

#1 cornz

Posted 12 April 2015 - 03:30 PM

Hi folks, long time lurker here.

OK, last year, a good mate of mine fell foul of ONE of the ransomware scams. **every** precious photo he owned was scrambled. Yes, no backup!!!!

This was just before CryptoLocker and he seems to recall the old FBI / Metro Police / Scotland Yard porn warnings.

He couldn't shift it and formatted the HD but of course, after his files had been encrypted. I suspect the decryption key was stored on his PC.

So, he asked me if I could help as I have a bit experience with things like this. And his missus is pi55ed as the wedding / holiday / kids etc pics are now all unreadable.

 

I have discovered ALL the encrypted files start with : CR_M0x04ì7     8  when viewed with notepad.

We also now have some encrypted files from his PC and the identical NON-encrypted files which are on my computer, as I gave him those files back in 2004!! Obviously the metadata is different but the pics are identical.

I have just tried the Panda decryption util (pandaunransom) and it generated a key but doesn't seem to decrypt them.

Can anyone here offer up a bit of a suggestion I could try? He's a good mate and I do feel for him. I would be gutted to lose all my pics. Hence 3 backups at my site.

Pics are only small, happy to upload if anyone wants to try...

Thanks for any suggestions.

Cornz..


Edited by Queen-Evie, 12 April 2015 - 03:51 PM.
moved from Anti-Virus and Anti-Malware Software




#2 Aura

Posted 12 April 2015 - 03:33 PM

Hi cornz :)

CryptoLocker was the first malware that actually encrypted the files and asked for a ransom. And it was spread way more than a year ago, last June. So I don't think that your friend was actually hit by it, but maybe by another Cryptoware. Are the file extensions the same (.pdf, .png, .jpg), etc. or are they different?

Here's the FAQ on CryptoLocker:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

If you want to make sure that it wasn't CryptoLocker, you could try uploading one of the encrypted files on DecryptCryptolocker.com, by FireEye and FoxIT, and see if a private key matching the encryption is found.

Edited by Aura., 12 April 2015 - 03:35 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 cornz

Posted 12 April 2015 - 04:13 PM

Hi and thanks.

It's deffo NOT CryptoLocker, as DecryptCryptolocker.com asks for a CryptoLocker file. So CryptoLocker is out of the running.

The extensions (all .jpg) are unchanged.

So far I have tried decrypt_mblblock, anticryptorbit v2, pandaunransom. All to no avail.



#4 Aura

Posted 12 April 2015 - 04:14 PM

The thing is that the Ransomware that impersonates the FBI, Scotland Yard, etc. isn't Cryptoware; it does not encrypt the files. And CryptoLocker was the first Ransomware to actually encrypt the files. Did you at least upload a file on DecryptCryptoLocker to see what it gives?



#5 cornz

Posted 12 April 2015 - 04:55 PM

Hi, yes, as I previously stated, DecryptCryptolocker.com reports that "the file does not appear to be infected with cryptolocker".

Is there any way I can upload the scrambled and unscrambled files for analysis?

I genuinely thought that as I have an original file, it would have been relatively straightforward to decrypt them. Seems not!!!

 

Just tried Kaspersky's Scraper decryption tool, also to no avail.

 

** Please remember I am doing this on behalf of someone who isn't that technical, so I am having to go by what he tells me. Either way, his files (jpg) are definitely encrypted.


Edited by cornz, 12 April 2015 - 04:57 PM.


#6 quietman7

Posted 12 April 2015 - 04:57 PM

I have discovered ALL the encrypted files start with : CR_M0x04ì7     8  when viewed with notepad.
We also now have some encrypted files from his PC and the identical NON-encrypted files which are on my computer, as I gave him those files back in 2004!! Obviously the metadata is different but the pics are identical.


Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt
RECOVERY_KEY.txt

Does it look like one of these or something else...?
* PClock (WinCL variant)
* PClock (newer Windsk variant)
* TeslaCrypt
* CryptoWall
* TorrentLocker
* CryptoFortress
* CTB-Locker
* KEYHolder

If the ransomware does not look like any of those in the above links, reading through the following information may assist with identifying the crypto malware infection you are dealing with. Once you have identified which particular ransomware you are dealing with, we can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
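The checks quietman7 describes above (look for the listed ransom-note filenames, sort files by the header seen in Notepad), plus a known-plaintext sanity check that shows why having the original picture, as cornz hoped in #5, rarely helps. This is an added example, not a tool from the thread or from BleepingComputer; it assumes only the printable "CR_M" start of the header is reliable, and the sample directory it builds is constructed, not real victim data.

```python
import os
import tempfile

# Ransom-note filenames quoted in quietman7's post, matched case-insensitively.
RANSOM_NOTE_NAMES = {n.upper() for n in (
    "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.URL",
    "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.URL", "HELP_DECRYPT.PNG",
    "HELP_TO_DECRYPT_YOUR_FILES.bmp", "HELP_TO_DECRYPT_YOUR_FILES.txt", "RECOVERY_KEY.txt")}
# Assumption: only the printable "CR_M" start of the Notepad header is matched.
ENCRYPTED_MARKER = b"CR_M"
JPEG_MAGIC = b"\xff\xd8\xff"


def triage_tree(root):
    """Walk a copied drive: collect ransom notes and sort files by header."""
    notes, marked, plain = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            with open(path, "rb") as f:
                head = f.read(len(ENCRYPTED_MARKER))
            if head.startswith(ENCRYPTED_MARKER):
                marked.append(path)       # carries the ransomware header
            elif head.startswith(JPEG_MAGIC):
                plain.append(path)        # still a readable JPEG
    return sorted(notes), sorted(marked), sorted(plain)


def xor_key_period(enc_body, original, max_period=64):
    """XOR ciphertext with the known original: a real cipher leaves a
    non-repeating keystream (None); a trivial repeating-key XOR gives its period."""
    n = min(len(enc_body), len(original))
    ks = bytes(a ^ b for a, b in zip(enc_body[:n], original[:n]))
    for p in range(1, max_period + 1):
        if n >= 2 * p and all(ks[i] == ks[i % p] for i in range(n)):
            return p
    return None


def build_sample_tree():
    """Constructed stand-in for the friend's copied jpgs (not real samples)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "HELP_DECRYPT.TXT"), "w") as f:
        f.write("constructed ransom note\n")
    with open(os.path.join(root, "wedding.jpg"), "wb") as f:
        f.write(JPEG_MAGIC + b"\xe0\x00\x10JFIF" + bytes(range(64)))
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(ENCRYPTED_MARKER + b"\x04" + bytes(range(32)))
    return root
```

A None from xor_key_period on a real pair means the known original gives no shortcut, which is the normal outcome for properly encrypted files.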

#7 Aura

Posted 12 April 2015 - 04:57 PM

If you were infected with a Cryptoware, it most likely left a note behind. Is it possible for you to do a search in the backup for files that have the word "crypt" in them and see what comes up?



#8 cornz

Posted 12 April 2015 - 05:04 PM

In short, no. He copied all the jpgs from the infected machine and then formatted the HD...

All I have to work with are the jpgs themselves.


Edited by cornz, 12 April 2015 - 05:04 PM.


#9 Aura

Posted 12 April 2015 - 05:05 PM

Then it's going to be hard to find out which Cryptoware he was hit with. Trying to think of actual ones that use law enforcement ransom notes, but all I can think of are normal Ransomwares.



#10 cornz

Posted 12 April 2015 - 05:07 PM

It might be easier if someone could point me to the available decryption utils; I can then try them one by one to see if I hit a result.



#11 quietman7

Posted 12 April 2015 - 05:18 PM

There is no master list of tools and in most cases there are none which can restore the encrypted data.

#12 quietman7

Posted 12 April 2015 - 05:19 PM


As is typical with a lot of these newer ransomware infections, they delete all Shadow Volume Copies so that you cannot restore your files via System Restore or using a program like Shadow Explorer, but it never hurts to try in case the infection did not do what it was supposed to do. In some cases Data Recovery Tools may be helpful, but there is no guarantee.

If that is not a viable option, then as my security colleague Nathan (DecrypterFixer) has stated several times to victims of various ransomware infections..."if there is no fix tool, the only other alternative is to save your data as is and wait for possible updates".

#13 cornz

Posted 12 April 2015 - 05:36 PM

Well, I have asked him if he still has the old HD (he does) but it's been formatted. Planning to run a recovery util on it.



#14 quietman7

Posted 12 April 2015 - 05:39 PM

Ok, in the meantime I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

One of them may have encountered encrypted files with CR_M0x04ì7 or this could be a new variant.

#15 cornz

Posted 12 April 2015 - 06:12 PM

Great, thank you.





