Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help_Decrypt_Your_Files - New Variant

  • This topic is locked This topic is locked
2 replies to this topic

#1 PaulSBack


  • Members
  • 1 posts
  • Local time:03:33 AM

Posted 08 January 2016 - 01:25 PM



We were hit with a new variant on our servers called "keyone9code" it seems like. The files saved to all our servers have different public keys and are identified by the server names. All files have the extension .encryptedRSA. Has anyone seen this before and is there a potential solution? Please advise as we are in a bind here. 

Thanks in advance. This is their forum where they want you to submit payment information to: https://keyone9code.wordpress.com




BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA
  • Local time:03:33 AM

Posted 08 January 2016 - 01:28 PM

There is a support topic for this variant: http://www.bleepingcomputer.com/forums/t/600245/encryptedrsa-ransomware-support-topic-drops-help-decrypt-your-fileshtml-note/


It seems rather new, and there is no information on it being decryptable yet, if at all. Best advise is always to restore from backups - if you don't have backups, you really need to start implementing them now. It's better to have your encrypted data backed up in the event a breakthrough is found in the future than having no data at all.


If you have a sample of the dropper or an executable of the infection, you can submit it to the link xXToffeeXx provides.

Edited by Demonslay335, 08 January 2016 - 01:29 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:33 AM

Posted 08 January 2016 - 06:42 PM

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread.

Samples of any encrypted files or suspicious executables (malicious files) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to that topic.

To avoid unnecessary confusion...this topic is closed.

The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users