
Uniquekey@dr.com Ransomware Support Topic. Adds .crypt extension to files.


53 replies to this topic

#31 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 21 December 2015 - 10:17 AM

Yes, a sample file would be nice :)


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com



#32 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,688 posts
  • Gender:Male
  • Location:USA

Posted 22 December 2015 - 07:34 PM

I've sent an encrypted PNG file from their Downloads folder.

 

I've also located an encrypted PNG file that was in the backgrounds for a Family Tree Maker program, but couldn't find a clean version of it online. Once the customer re-installs the program (hopefully they have the disc, assuming the image could vary by version too) I can try to grab the clean version for comparison if you have a brute-force that ends up needing it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#33 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 23 December 2015 - 05:40 AM

Thanks. Will be looking into it shortly :)

#34 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 28 December 2015 - 10:56 AM

I created a decrypter for a related variant of this particular ransomware. I performed all my testing with the variant that asks to contact "mykey@dr.com", but chances are it will work for other variants as well. If it doesn't for you, please let me know.

Look for any file on your system where you have the original unencrypted file of one of the encrypted files, or any unencrypted PNG (one can be found on the internet, for example, if you do not already have one) and an encrypted PNG file. Try to stick to the smallest files you can find, as the smaller the file, the faster the brute force process will be. Select both the original and the encrypted file, then drag and drop them at the same time onto the decrypter executable. If that sounds confusing, just take a look at this little animation:

(animation: decryptcryptinfinite.gif)

The decrypter will then try to determine the encryption key for your system based on the two files you provided. This process can be rather time consuming. On my system guessing the encryption key took up to a day. Depending on your system, it may take considerably longer than that, so please be patient.

Once the decryption key has been determined, you will get a message like this:
 
(screenshot: LHRJi5E.png)
 
Just click OK and the decrypter will start up as normal. If you get an error message instead, please make sure you dragged and dropped the correct files. If you did, you may have either been targeted by a completely different malware family or by a new variant that this decrypter doesn't support yet.

All folders you add to the folder list will be decrypted recursively, which means files located in the sub-folders of the selected folder will be decrypted as well.
 
In any case I suggest trying to run the decrypter on a limited number of files first and manually checking that those files were decrypted properly before you move on to decrypting a large number of files. This makes sure the decrypter figured out the correct key and may save you a lot of time in the long run in case it turns out the malware author changed the encryption algorithm in a later variant that the decrypter doesn't support.
 
The malware unfortunately does not leave any information about the original file behind. That means the decrypter can't be sure that the result of the decryption is correct. For that reason, the decrypter will not delete the encrypted files on your system, just to be sure. That also means that you need to make sure your disks have enough space before you start the decryption. If you are low on disk space and you have no way of making room either, the decrypter also has an option to delete the encrypted version of the file after it has been decrypted:
 
(screenshot: 2agpZle.png)
 
Only use this option if you absolutely have to and after you have tested the decrypter on a limited number of files first.
 
The decrypter can be downloaded here:
 
Please make sure you read the above instructions carefully before you download it. Don't just click the link, trying to skip ahead. Seriously. You will most likely save yourself a lot of headache.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing in a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful. :wink:
 
As always, please ask if you run into any issues. Keep in mind that I do have a rather busy day job, so I may not reply right away. So please be patient.

Edited by Fabian Wosar, 28 December 2015 - 11:01 AM.


#35 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,688 posts
  • Gender:Male
  • Location:USA

Posted 29 December 2015 - 12:46 PM

Thanks Fabian. I'll start the brute-force on my i7 at home for the customer's data and let you know if I have any luck.

 

I was having some trouble securing a before and after on a PNG file. Any chance it will still work for a JPG? I'm trying it now anyways to test while I continue digging for a PNG image.




#36 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 29 December 2015 - 01:10 PM

You can either use a file where you have the original, or any PNG together with an encrypted PNG. Good candidates are the Windows sample pictures, for example.

After the key is broken it is saved in a file called decryption.key next to the decrypt_crypboss.exe. You can just copy it to the victim's system and start the decrypter there without any files and it will use the key from decryption.key.

#37 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,688 posts
  • Gender:Male
  • Location:USA

Posted 29 December 2015 - 02:41 PM

Ah, so PNG doesn't have to be the unencrypted/encrypted pair, the unencrypted file can be any PNG? Guessing that means it just checks the header or MIME versus hashing the file itself?

 

I let it run for a good hour on my i7 and it got to 0.25%... a bit more intensive than I anticipated with a decent computer. I'm sure my wife won't like going a few weeks without the gaming computer, so I'm commissioning it to a Xeon server lying around the shop booted to MiniXP. :P

 

I'll let you know the results as soon as I get something. Thanks again for the help. :)




#38 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 29 December 2015 - 02:46 PM

It checks the first 16 bytes, yes. Since PNGs all start with the same 16 bytes in most cases, just picking any encrypted PNG and a normal PNG will work. On my Haswell i7 it takes about a day to recover the key. There is a lot of overhead involved, unfortunately, as I use the same functions the malware uses. I may be able to speed it up considerably if I hand-craft the routines. But since waiting a day isn't completely prohibitive and there has been a lot of different ransomware released, I haven't done that yet.
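An added illustration of the two checks discussed in this thread. It is not Emsisoft's decrypter code, and the cipher the malware uses is not described here, so a toy repeating-key XOR stands in for it; the function names, the two-byte key space and the sample bytes are all constructed for the example. It shows why any clean PNG works as the known plaintext for an encrypted PNG (every standard PNG begins with the same 16 bytes: the 8-byte signature, the IHDR chunk length 13 and the type "IHDR"), how a known-plaintext key search uses only those 16 bytes, and how to sanity-check a small batch of decrypted files by their magic bytes before bulk decryption, as post #34 advises.

```python
import os
import struct
from itertools import product

# Every standard PNG starts with the 8-byte signature followed by the IHDR
# chunk header: a 4-byte big-endian length (always 13) and the type "IHDR".
# These 16 bytes are identical in every PNG, which is why a PNG found
# anywhere can serve as the known plaintext for an encrypted PNG.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"

# Magic bytes used to sanity-check decrypted output by file type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def known_plaintext_prefix(reference: bytes) -> bytes:
    """Return the 16 bytes a clean PNG shares with the victim's original,
    or raise if the reference file is not a standard PNG (e.g. a JPEG)."""
    if reference[:16] != PNG_KNOWN_PREFIX:
        raise ValueError("reference file is not a standard PNG")
    return reference[:16]


def toy_decrypt(key: bytes, data: bytes) -> bytes:
    """HYPOTHETICAL stand-in for the malware's cipher: repeating-key XOR.
    Only the checking logic around it is the point of this example."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_keys():
    """Constructed two-byte key space (65,536 keys) for the toy cipher."""
    for pair in product(range(256), repeat=2):
        yield bytes(pair)


def recover_key(encrypted: bytes, plaintext_prefix: bytes, decrypt, candidates):
    """Known-plaintext search: return the first candidate key under which the
    encrypted file's first 16 bytes decrypt to the expected prefix, or None
    when no key fits (the 'error message' case: wrong files, or a variant
    that uses a different cipher)."""
    target = encrypted[:16]
    for key in candidates:
        if decrypt(key, target) == plaintext_prefix:
            return key
    return None


def identify_by_magic(data: bytes):
    """Return the file type whose magic bytes match the start of data, or None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def verify_decrypted(outputs):
    """outputs: list of (filename, decrypted_bytes). Return the names whose
    content matches their extension's magic bytes; treat the rest as suspect
    and keep their encrypted originals until checked by hand."""
    good = []
    for name, data in outputs:
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        ext = {"jpeg": "jpg"}.get(ext, ext)
        if identify_by_magic(data) == ext:
            good.append(name)
    return good


# Constructed sample data: a minimal PNG-like file and its toy-encrypted form.
SECRET_KEY = b"\x5a\xc3"
CLEAN_PNG = PNG_KNOWN_PREFIX + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"
ENCRYPTED_PNG = toy_decrypt(SECRET_KEY, CLEAN_PNG)  # XOR is symmetric


def demo():
    """Run the whole flow; returns (recovered key, names that passed the magic check)."""
    prefix = known_plaintext_prefix(CLEAN_PNG)
    key = recover_key(ENCRYPTED_PNG, prefix, toy_decrypt, candidate_keys())
    outputs = [
        ("holiday.png", toy_decrypt(key, ENCRYPTED_PNG)),
        # Same file decrypted with a wrong key, simulating an unsupported variant
        ("other.png", toy_decrypt(b"\x00\x01", ENCRYPTED_PNG)),
    ]
    return key, verify_decrypted(outputs)


if __name__ == "__main__":
    print(demo())
```

This also answers the JPG question raised above: JPEG files share only their first three bytes (FF D8 FF), after which the header varies from file to file, so a random JPEG is not a usable known plaintext and a JPEG pair only helps when you hold the original of that exact file. The magic-byte check is a cheap filter, not proof of correctness; a file that passes it can still be truncated or corrupt, so open a few by hand as the post recommends.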

#39 Marylee55

  • Members
  • 1 post

Posted 29 December 2015 - 03:42 PM

Hi Fabian!

 

First, thank you for your help! But your wonderful decrypter didn't help me ((( Also I tried other software (like Tesla, Kaspersky, etc.)

 

And there's no chance for me... I'm crying....

 

But I have sent a payment to those guys and bought their decrypter software... And Hallelujah!

 

Anyway, you're a good guy! And you're making good things! Good luck!



#40 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,688 posts
  • Gender:Male
  • Location:USA

Posted 01 January 2016 - 02:56 PM

Quoting Marylee55 (#39):
> Hi Fabian!
>
> First, thank you for your help! But your wonderful decrypter didn't help me ((( Also I tried other software (like Tesla, Kaspersky, etc.)
>
> And there's no chance for me... I'm crying....
>
> But I have sent a payment to those guys and bought their decrypter software... And Hallelujah!
>
> Anyway, you're a good guy! And you're making good things! Good luck!

 

What was the email address on the ransom note for yours? We're running into the tool not working with some email address variants (including the one I'm working on with "decrypt@dr.com"). Looking for more information or droppers if we can help Fabian with that, or maybe sending the decrypter the bad guys sent you could help for analysis?




#41 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 29 January 2016 - 12:35 PM

There appears to be a new variant using ".R16M01D05" as a file extension and "cwall@dr.com" as an email address. The decrypter has been updated for this new variant already and should handle it properly.

#42 eznetso

  • Members
  • 14 posts
  • Gender:Male
  • Location:Largo, FL

Posted 30 January 2016 - 12:59 PM

The effort in this string is amazing! Fabian, I too tried your decrypter and applaud your efforts. Sadly it did not work for me. I really don't understand how these guys are getting away with this, and the number of people that must pay this for their files. I'd rather lose everything than give in to them, but I understand sometimes that's not an option. Does anyone else have anything that has been successful?



#43 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 732 posts
  • Gender:Male
  • Location:Germany

Posted 30 January 2016 - 02:52 PM

Quoting eznetso (#42):
> The effort in this string is amazing! Fabian, I too tried your decrypter and applaud your efforts. Sadly it did not work for me. I really don't understand how these guys are getting away with this, and the number of people that must pay this for their files. I'd rather lose everything than give in to them, but I understand sometimes that's not an option. Does anyone else have anything that has been successful?

Are you sure you have the same malware? Would you mind sharing your ransom note with us? Thanks.

#44 DaveEP

  • Members
  • 2 posts

Posted 06 March 2016 - 06:05 AM

Hi Fabian,

 

Looks like you're doing a great job on here and really hope you'll be able to help me.

 

On Friday I downloaded something which turned out to be one of these awful ransomware viruses.
 
I realised it was bad news after about half an hour as my desktop was filled with README!! ransom notes and all my important files were ending *.crypt.
 
I followed some online guides and removed the malware/virus(?) using various stuff like RogueKiller/Malwarebytes and tried to restore previous versions with Shadow Explorer/System Restore, which didn't help.
 
Looking into it further, I ran all the Kaspersky variants to no avail, as well as processed several PNG files through your Decrypt_gomasom program.
 
They all ran to 100% and I am thinking I must have a different variant.
 
If I post you the PNGs (before and after encryption) as well as the ransom notes and screenshots, do you think you could take a look into it for me! Would be happy to donate to your causes. Thanks!
 
Regards,
Dave


#45 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,688 posts
  • Gender:Male
  • Location:USA

Posted 06 March 2016 - 10:15 AM

@DaveEP

What is the email address in your ransom note? It should be something like "@dr.com" if it matches this variant. You might check your quarantines for anything that could be the dropper for analysis.





