unblocked@email.su/@tuta.io Ransomware Support Topic - HOW TO DECRYPT FILES.txt


142 replies to this topic

#1 donsicilly


Posted 02 January 2016 - 06:21 AM

Thankfully, Fabian Wosar of Emsisoft has been able to devise a way to decrypt files encrypted by this family:

 

I just released a generic decrypter for this type of infection. You can download it here:

https://decrypter.emsisoft.com/xorist

You will need an encrypted file as well as its unencrypted version. Just select both the encrypted and original version and drag and drop it onto the decrypter executable. The key finding process may take a while, so please be patient. If you run into any issues, please feel free to post.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:

 
------------------------------------------------------------------
 
I was infected with a virus that encrypted my files with the .txt.73i87A extension (EXAMPLE.txt.73i87A). When I was looking for help online, I followed advice to remove the virus with Malwarebytes, HitmanPro and RogueKiller anti-malware software. I ran the scans on my computer and they found some viruses, which were removed and deleted by the anti-malware software I mentioned.

I GET THE MESSAGE BELOW EVERY TIME I RESTART MY COMPUTER, EVEN AFTER I HAVE SCANNED MY COMPUTER WITH THE MENTIONED ANTI-MALWARE SOFTWARE.
==========================================================================
 
Hello. Your files are encrypted! To decrypt files you need to write an email to: unblocked@email.su or unblocked@tuta.io
In the letter you need to tell us your country of residence.
Services decoding paid. Please do not write if you do not intend to pay.
On checking, you can send us a 2-3 small encrypted file (up to 3 megabytes each) and we decipher them for free.
Your ID y4587529
==============================================================================
 
After the removal of the virus, my files still have the .txt.73i87A extension. Please help me and advise me on how I can decrypt or restore my files and remove the .txt.73i87A extension.

My files are really important and I do not want to lose them. Please help.
 
 
 
Thanks in advance..


Edited by xXToffeeXx, 19 May 2016 - 02:50 PM.



#2 xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor

Posted 02 January 2016 - 08:42 AM

Hi donsicilly,
 
Please can you upload some encrypted files here. Also, if you know what file caused the infection, please upload that too.

 

To anyone else who uploads files. Please leave contact details, either in terms of your forum name (if logged in) or email. We cannot help you otherwise.
 
xXToffeeXx~


Edited by xXToffeeXx, 25 March 2016 - 04:35 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 02 January 2016 - 03:32 PM

donsicilly...you also posted for help at geekstogo in this topic. They replied that you are being helped here so please let them know you will continue at Bleeping Computer.


Update from Post #51...

The malware you got affected with is based upon a ransomware generator. Decryption is possible as long as you still have the malware file on your system. A copy can usually be found in your %temp% folder. I already got the sample that renames files to *.p5tkjw and for those cases I got a fix that worked on all the files that have been submitted so far. Due to the nature of the fix I do not feel comfortable sharing it publicly though, so please contact me via PM or email instead.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 donsicilly


Posted 02 January 2016 - 05:07 PM

Hi xXToffeeXx~

Thanks for your reply. I have sent you the example of the encrypted file. Please check it out and advise me on what to do.



#5 donsicilly


Posted 02 January 2016 - 05:11 PM

Hi quietman7

Regarding your message, I will inform them that I am already receiving help here at BleepingComputer. Thanks.



#6 donsicilly


Posted 03 January 2016 - 02:15 PM

The solution given to me by Fabian Wosar worked. I HAVE NOW RESTORED MY FILES. Thanks very much, you're my savior, it really worked like magic. I am happy. Thanks very much.

Please, I still have one more problem. The virus created a txt file named HOW TO DECRYPT FILES in all the folders and hard drives on my computer, including subfolders. Please advise me on how I can delete this text file from my computer all at once.



#7 Demonslay335

    Ransomware Hunter


  • Security Colleague

Posted 03 January 2016 - 03:53 PM

You can do a search for the text file (top right of the window when looking at your files - try from just the C drive), and select all then delete.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
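
The clean-up asked about in post #6, as an added example that is not from any poster or tool named in this thread: it lists files named HOW TO DECRYPT FILES.txt and deletes one only when its content also contains a contact address from the note quoted above, so an unrelated file with the same name survives. The size limit, the function names and the demo folder tree are assumptions made for the example.

```python
import os
import tempfile

NOTE_NAME = "how to decrypt files.txt"   # note name reported in this thread
MARKERS = (b"unblocked@email.su", b"unblocked@tuta.io")  # from the quoted note
MAX_NOTE_BYTES = 64 * 1024               # assumption: ransom notes are tiny

def is_ransom_note(path):
    """Match on file name AND on a contact address inside the file."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        if os.path.getsize(path) > MAX_NOTE_BYTES:
            return False
        with open(path, "rb") as fh:
            # Dropping NUL bytes lets a UTF-16 note match the ASCII markers.
            data = fh.read().replace(b"\x00", b"").lower()
    except OSError:
        return False                     # unreadable: leave it alone
    return any(marker in data for marker in MARKERS)

def clean_notes(root, delete=False):
    """Return matching notes under root; remove them only if delete=True."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(path):
                found.append(path)
                if delete:
                    os.remove(path)
    return sorted(found)

def demo():
    """Constructed tree: two real notes plus one unrelated same-named file."""
    note = ("Hello. Your files are encrypted! To decrypt files you need to "
            "write an email to: unblocked@email.su or unblocked@tuta.io")
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        sub = os.path.join(docs, "sub")
        os.makedirs(sub)
        for folder, text in ((root, note), (sub, note), (docs, "my own notes")):
            with open(os.path.join(folder, "HOW TO DECRYPT FILES.txt"), "w") as fh:
                fh.write(text)
        dry_run = clean_notes(root)               # lists, deletes nothing
        removed = clean_notes(root, delete=True)
        return len(dry_run), len(removed), sorted(os.listdir(docs)), clean_notes(root)

if __name__ == "__main__":
    print(demo())
```

Call `clean_notes` without `delete=True` first and review the returned list before removing anything.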


#8 Demonslay335


Posted 03 January 2016 - 03:54 PM

Was this a new variant or an existing one that has been only recently discovered? I'm curious since the info given looks different than the others I've seen posted.



#9 quietman7


Posted 03 January 2016 - 04:34 PM

xXToffeeXx works with Fabian Wosar in analyzing and investigating crypto malware as well as providing expert assistance to victims of ransomware infections. Since they looked into this variant, one of them will have to answer your question.

#10 ronmanik


Posted 23 February 2016 - 03:31 AM

I had the same problem. All files on my PC are encrypted, and every folder had a txt file:

"HOW TO DECRYPT FILES.TXT".

====

Hello. Your files are encrypted! To decrypt files you need to write an email to: unblocked@email.su or unblocked@tuta.io
In the letter you need to tell us your country of residence.
Services decoding paid. Please do not write if you do not intend to pay.
On checking, you can send us a 2-3 small encrypted file (up to 3 megabytes each) and we decipher them for free.
Your ID d295364

=====

 

 

What should I do to restore my files? Please help me, I really need those files.



#11 quietman7


Posted 23 February 2016 - 08:08 AM

I am not sure what solution Fabian provided the other victim. xXToffeeXx, who works with Fabian, is subscribed to this topic and most likely will reply with that information.

#12 ronmanik


Posted 23 February 2016 - 08:29 AM

I am not sure what solution Fabian provided the other victim. xXToffeeXx, who works with Fabian, is subscribed to this topic and most likely will reply with that information.

Thanks bro,
I've sent a message to him. Hopefully he can help me :-)



#13 quietman7


Posted 23 February 2016 - 08:36 AM

You're welcome and good luck.

#14 PZzzz


Posted 26 February 2016 - 04:03 AM

I also was struck by the same ransomware. Please help.



#15 Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer

Posted 27 February 2016 - 07:34 AM

Can you please upload one or two of your encrypted files here:

 

http://www.bleepingcomputer.com/submit-malware.php?channel=170

 

To anyone else who uploads files. Please leave contact details, either in terms of your forum name (if logged in) or email. We cannot help you otherwise.

 

Thanks.


Edited by xXToffeeXx, 25 March 2016 - 04:34 PM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com



