I got this ransom trojan in 2013 and found a decrypter tool from Sophos that could decrypt the first 4096 bytes of a file. I have no clue if this is a bug, or if it was meant as a generic decrypter and it's not quite working right, or whatever. I played around with this again today and found you could remove the first 4096 bytes of a file and it would decrypt the first 4096 bytes of the new file, and with this method a whole file can be decrypted. This is pretty tedious without a script, though, as the decrypter needs an original file and an encrypted file, and those files also need the same number of bytes removed at the beginning to decrypt an encrypted file properly.
If someone is interested in looking at this, here's a zip file (hxxps://drive.google.com/file/d/0ByfHqmpzNs8fS0YzQ3UwazQ0dEk/view?usp=sharing) with the ransom trojan (e8bcae53cdbb84c4.exe), a second trojan downloader (vistrvfd.exe) which may be related, the decrypter, original files, untouched encrypted files as the trojan created them, and prepared files. The prepared files are named so the decrypter will accept them, and they have the first 8 bytes removed, which were added during encryption. The decrypter wouldn't work otherwise.
Here's a screenshot of the lockscreen
Fresh scans of the ransom trojan and the trojan downloader
If there's already a better decrypter for this, or if someone wants to find a better way to decrypt the files based on this, that would be great.
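Two parts of the procedure above can be scripted. The example below is added here; it is not from the post and is not the Sophos tool. It takes the 8-byte header and the 4096-byte window from the post, and the output file names in `write_prepared_pairs` are an assumption (rename them to whatever the decrypter actually expects). It also adds a check worth running on the original/encrypted pairs in the zip before doing any more manual windowing: if dropping 4096 bytes from both files and decrypting "from the start" works, each 4096-byte window must be decrypted without regard to its position in the file. The simplest cipher with that property is an XOR keystream that repeats every 4096 bytes, which known plaintext would recover outright. That is a hypothesis to test, not a fact about this trojan; `keystream_repeats` returns `False` when the pair does not fit it.

```python
"""Helpers for a decrypter that only handles the first 4096 bytes of a file.

Added example, not from the forum post and not the Sophos decrypter.
HEADER and WINDOW come from the post; the repeating-XOR keystream is a
hypothesis this script tests, not a known property of the trojan.
"""
import os
import sys

HEADER = 8      # bytes the trojan prepends to each encrypted file (per the post)
WINDOW = 4096   # bytes the decrypter handles per run (per the post)


def prepared_pair(original: bytes, encrypted: bytes, k: int):
    """Return (original, encrypted) with the header and k windows removed:
    the pair you hand to the decrypter to recover window number k."""
    if len(encrypted) < HEADER:
        raise ValueError("encrypted file is shorter than the header")
    off = k * WINDOW
    return original[off:], encrypted[HEADER + off:]


def write_prepared_pairs(original_path: str, encrypted_path: str, out_dir: str) -> int:
    """Write every prepared pair to out_dir as orig_k.bin / enc_k.bin.
    The names are an assumption; the real decrypter may want others."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(encrypted_path, "rb") as f:
        encrypted = f.read()
    windows = (len(encrypted) - HEADER + WINDOW - 1) // WINDOW
    os.makedirs(out_dir, exist_ok=True)
    for k in range(windows):
        o, e = prepared_pair(original, encrypted, k)
        with open(os.path.join(out_dir, f"orig_{k}.bin"), "wb") as f:
            f.write(o)
        with open(os.path.join(out_dir, f"enc_{k}.bin"), "wb") as f:
            f.write(e)
    return windows


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known plaintext: keystream of the first window = plaintext XOR ciphertext."""
    return xor(original[:WINDOW], encrypted[HEADER:HEADER + WINDOW])


def keystream_repeats(original: bytes, encrypted: bytes, ks: bytes) -> bool:
    """True if the first-window keystream, applied cyclically to the rest of
    the file, reproduces the original. Needs more than one window of data."""
    body = encrypted[HEADER:]
    if len(body) <= WINDOW or len(ks) < WINDOW:
        return False
    for off in range(WINDOW, len(body), WINDOW):
        chunk = body[off:off + WINDOW]
        if xor(chunk, ks[:len(chunk)]) != original[off:off + len(chunk)]:
            return False
    return True


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> bytes:
    """Strip the header and XOR the body with the keystream, repeating it."""
    body = encrypted[HEADER:]
    out = bytearray()
    for off in range(0, len(body), WINDOW):
        chunk = body[off:off + WINDOW]
        out += xor(chunk, ks[:len(chunk)])
    return bytes(out)


if __name__ == "__main__":
    # usage: script.py original encrypted [out_dir]
    orig = open(sys.argv[1], "rb").read()
    enc = open(sys.argv[2], "rb").read()
    ks = recover_keystream(orig, enc)
    if keystream_repeats(orig, enc, ks):
        print("pair fits a 4096-byte repeating XOR keystream; no decrypter needed")
    else:
        print("pair does NOT fit a repeating XOR keystream; fall back to windowing")
        if len(sys.argv) > 3:
            print(write_prepared_pairs(sys.argv[1], sys.argv[2], sys.argv[3]), "pairs written")
```

Run it against one of the original/encrypted pairs from the zip. A positive result means the keystream from that pair decrypts every other file the trojan touched the same way; a negative result only rules out this one hypothesis, and the prepared pairs can still be fed to the decrypter one window at a time.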