Radamant Ransomware (.RRK, .RDM, .RAD) Support and Help Topic - YOUR_FILES.url


156 replies to this topic

#46 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 694 posts
  • Gender:Male
  • Location:Germany

Posted 26 December 2015 - 06:32 AM

Thanks a lot Fabian. You're really a life saver. It worked like a charm and decrypted my files. Now, I'm going to decrypt all my files. Thanks a lot again. :)

Glad you got all your files back :)
 

Hello, sorry for my English. Yesterday my computer was infected; all files received the extension .RRK

The .RRK version is a newer variant. I am currently looking into it. Please change the names of the files back. I should have more information about it later today :).



#47 czarli

  • Members
  • 5 posts
  • Gender:Male
  • Location:Poland

Posted 26 December 2015 - 01:32 PM

OK, I changed the file name and extension back to the previous ones.



#48 villalobosjpc

  • Members
  • 12 posts

Posted 26 December 2015 - 02:15 PM

Uploaded SQL Server Express file encrypted with Radamant, c u



#49 Fabian Wosar

Posted 26 December 2015 - 02:22 PM

Uploaded SQL Server Express file encrypted with Radamant, c u


I need an unencrypted mdf file as well. Doesn't have to be the original file.

#50 villalobosjpc

Posted 26 December 2015 - 02:50 PM

OK, have uploaded an unencrypted file, cheers



#51 Fabian Wosar

Posted 26 December 2015 - 02:52 PM

Added support for that format already. Will be included in the next update today or tomorrow.

#52 villalobosjpc

Posted 26 December 2015 - 02:57 PM

You're awesome. Just a question: is there a way to know how you process the file? I'm a programmer too, low level, and wish to do my own program: how you guess the key and how you decrypt byte by byte till you have the file complete. No problem if not, I'll "keep walking".



#53 czarli

Posted 27 December 2015 - 12:00 PM

Hello, have you been able to decipher my file? I'm afraid that I have lost an important file :(

#54 Fabian Wosar

Posted 27 December 2015 - 04:14 PM

I looked at the second version and I am pretty certain I can break it as well. An updated decrypter will most likely be available tomorrow. So if you have been targeted by the .RRK variant, please don't pay just yet. The malware also appears to have an error that will cause decryption to fail even if you pay. So one more reason not to pay :)


Edited by Fabian Wosar, 27 December 2015 - 04:15 PM.


#55 czarli

Posted 28 December 2015 - 03:07 AM

I looked at the second version and I am pretty certain I can break it as well. An updated decrypter will most likely be available tomorrow. So if you have been targeted by the .RRK variant, please don't pay just yet. The malware also appears to have an error that will cause decryption to fail even if you pay. So one more reason not to pay :)

OK, I am very pleased that there is a chance. How files were encrypted, no standard message flashed to pay.
Only the files have been encrypted.



#56 mariushaidu

  • Members
  • 4 posts

Posted 28 December 2015 - 04:50 AM

We are also a victim of these criminals. Extension rrk. Please let me know if you need some information from us or if you have some news about decryption software for the RRK version. :(

Greetings from Romania



#57 mariushaidu

Posted 28 December 2015 - 08:06 AM

 

I looked at the second version and I am pretty certain I can break it as well. An updated decrypter will most likely be available tomorrow. So if you have been targeted by the .RRK variant, please don't pay just yet. The malware also appears to have an error that will cause decryption to fail even if you pay. So one more reason not to pay :)

OK, I am very pleased that there is a chance. How files were encrypted, no standard message flashed to pay.
Only the files have been encrypted.

 

Any news?

 

thanks  



#58 Fabian Wosar

Posted 28 December 2015 - 09:07 AM

I just published the new version 1.0.0.162 of the Radamant decrypter. New in that version is support for Radamant v2. A few things to note:

Clearly the author of the malware is reading here and they don't appear to be very pleased with what I am doing, as is evident by just looking at the malware:

.rdata:0040C030 00000021 C ThxForHlpFabianWosarANDbleepYOU!!
.rdata:0040C088 0000001F C emisoft bleepedbastardsihateyou
.rdata:0040C506 0000001A C radamantv2_emisoft_bleeped

I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that. Just next time, please try to get the company name right. But it's a common mistake, so I let that one slide.

The RRK version of Radamant is actually more reliable to decrypt than the RDM version. The only downside is that the process is also a bit slower. It is not uncommon for the decrypter to work on a file for a couple of minutes until it has figured out how to decrypt it properly, but it will work for all file formats. I didn't add multi-threading yet, but you can in theory speed up the decryption process by running multiple instances of the tool, each decrypting different directories. I may add proper multi-threading later, but I decided not to delay the release of the tool further just to add such a feature, especially since parallel decryption is a viable option.

Oh, and unlike the malware itself, which will happily mess up your files even if you paid the ransom (due to several severe bugs in the malware, it is very well possible for the malware to just botch up the encryption and decryption), this tool will handle both messed up and properly encrypted files perfectly fine:

You can download the new version of the decrypter here:

http://emsi.at/DecryptRadamant

If for some reason you get a version that is older than 1.0.0.162, please empty your browser cache and re-download.

Edited by Fabian Wosar, 28 December 2015 - 09:31 AM.


#59 mariushaidu

Posted 28 December 2015 - 12:34 PM

I just published the new version 1.0.0.162 of the Radamant decrypter. New in that version is support for Radamant v2. A few things to note:

Clearly the author of the malware is reading here and they don't appear to be very pleased with what I am doing, as is evident by just looking at the malware:
 


You can download the new version of the decrypter here:

http://emsi.at/DecryptRadamant

If for some reason you get a version that is older than 1.0.0.162, please empty your browser cache and re-download.

 

Hi Fabian,

 

Approx. how much time do we need to wait for the first decryption? More than 10 minutes? I've been waiting for one file for more than 15 minutes... In Task Manager it looks like the program is working...

 

Marius


Edited by mariushaidu, 28 December 2015 - 12:35 PM.


#60 Fabian Wosar

Posted 28 December 2015 - 12:37 PM

Approx. how much time do we need to wait for the first decryption? More than 10 minutes? I've been waiting for one file for more than 15 minutes... In Task Manager it looks like the program is working...

It's pretty much random. Apparently there was also a new version released yesterday, so if you were hit by the malware in the last 48 hours it may not work at all. In that case I would like to take a look at your system.



