LOCKED Ransomware Support and Help Topic - Read_it.txt


91 replies to this topic

#31 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 05:06 PM

Alrighty, I have keys for most victims, and a working decrypter. Some victims gave me an error on decrypting the AES key, so I will be working on those manually.

Here is a CSV with all of the decrypted keys I could do automatically so far.

https://www.dropbox.com/s/n4lfdv9ti8sbwtu/decrypted_keys.csv?dl=0

Here is my decrypter for HiddenTear.

Please back up all of your encrypted files before running this! I have not put in any fancy safeguard to back up the file if decryption fails. By nature, it shouldn't write back to the file if the decryption library has an issue, but I can't put a guarantee on this!

Search the CSV above for your computer name and the user account that was infected. This is how you identify what key to use. If you see an error in the field, contact me via PM with your computer name and user account, and I will see if I can manually recover your key.

Run hidden-tear-decrypter and select a folder to decrypt. Enter your password. I recommend testing on a small folder first.

https://www.dropbox.com/s/tym00s23hgkxfrp/hidden-tear-decrypter.exe?dl=0


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#32 Simonk1974 (Members)

Posted 09 March 2016 - 05:37 PM

Can I run this on a test folder, or will it just find and decrypt everything?



#33 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 05:44 PM

@Simonk1974

You can just run the program and it will let you select a folder; no command line like theirs. If you select the root C drive, it will go through everything looking for the .locked files. I recommend testing it on a small folder before going for everything.




#34 xbr21 (Members)

Posted 09 March 2016 - 05:46 PM

It says:

Finished! Decrypted 0 files!

skipped 103 files (wrong password?)

I have entered the password correctly: j07DEKS7AvktasgnSyJasJaXNkwRz4n4

@Demonslay335


Edited by xbr21, 09 March 2016 - 05:51 PM.


#35 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 05:55 PM

> It says:
>
> Finished! Decrypted 0 files!
>
> skipped 103 files (wrong password?)
>
> I have entered the password correctly: j07DEKS7AvktasgnSyJasJaXNkwRz4n4
>
> @Demonslay335

Can you PM me a sample file and your computer name?




#36 xbr21 (Members)

Posted 09 March 2016 - 05:57 PM

Computer is MAXWARE, user is xbr21, code is j07DEKS7AvktasgnSyJasJaXNkwRz4n4



#37 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 06:13 PM

Can you upload a sample encrypted file to SendSpace and post the link here?

P.S. I've re-uploaded the CSV with more keys.


Edited by Demonslay335, 09 March 2016 - 06:13 PM.



#38 xbr21 (Members)

Posted 09 March 2016 - 06:15 PM

How?



#39 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 06:17 PM

Grinler has good instructions on using SendSpace.com to upload a file for sharing. Skip to step 3, and post the link in this topic.

http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/




#40 xbr21 (Members)

Posted 09 March 2016 - 06:25 PM

Here is the link: https://www.sendspace.com/file/37d8vn

This was a save from a game that got encrypted.


Edited by xbr21, 09 March 2016 - 06:26 PM.


#41 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 06:38 PM

@xbr21

Hmm. Getting a padding error from the decryption library, which usually means the key is wrong. I've decrypted the AES key a few different ways and it is definitely correct for that system.

There is a possibility of name collision with the computer name for another victim, but I believe it would be unlikely with your system, unless you were possibly hit more than once. Their server would only record the last key for that computer name that is received. I'll continue trying.


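The padding error Demonslay335 describes above, and the "skipped N files (wrong password?)" tally xbr21 saw in #34, come from the same check: with AES-CBC, decrypting under the wrong key almost always leaves an invalid PKCS#7 pad on the last block, so a careful decrypter decrypts into memory, verifies the pad, and only then touches the file. The Go below is an added example written for this thread, not the hidden-tear-decrypter's own code (which is not on this page); the password-to-key derivation (SHA-256), the IV-prepended file layout and the sample file are assumptions made for the example, not HiddenTear's real format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// With AES-CBC a wrong key almost always surfaces as invalid PKCS#7 padding on the last block.
var ErrPadding = errors.New("invalid padding (wrong password?)")

// Assumption for this example: key = SHA-256(password), always 32 bytes. NOT HiddenTear's derivation.
func keyFromPassword(pw string) []byte { k := sha256.Sum256([]byte(pw)); return k[:] }

// decryptCBC decrypts iv||ciphertext into memory and strips the padding. Any error means
// "skip this file": nothing is written back, so a wrong password cannot damage the file.
func decryptCBC(pw string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the AES block size")
	}
	block, _ := aes.NewCipher(keyFromPassword(pw)) // cannot fail: key is 32 bytes
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return pt[:len(pt)-n], nil
}

// encryptCBC only builds the constructed sample file (fixed IV, so every run is deterministic).
func encryptCBC(pw string, pt []byte) []byte {
	block, _ := aes.NewCipher(keyFromPassword(pw))
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return append(iv, buf...)
}

// main tries one constructed ".locked" file with the right and a wrong password.
func main() {
	sample := encryptCBC("right", []byte("constructed game save"))
	_, errRight := decryptCBC("right", sample)
	_, errWrong := decryptCBC("wrong", sample)
	fmt.Println("right password:", errRight, "| wrong password:", errWrong)
}
```

A real decrypter would additionally write the recovered bytes to a new file and leave the .locked original in place until the user has checked the result, which is the backup-first advice given in #31.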


#42 xbr21 (Members)

Posted 09 March 2016 - 06:42 PM

Thanks man, but is that 72-hour thing true?



#43 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 06:44 PM

We have no way of telling. Many times it is a scare tactic, and just a bluff. Worst case, if they do delete your key on their server, we already have whatever they had on the server for your system (as far as the code can tell, it's the same code that they use to pull up the key on their end if you were to pay). I would disregard it.




#44 Simonk1974 (Members)

Posted 09 March 2016 - 06:49 PM

Working through my files now and it seems to be working. Just doing non-important folders first. It has come across some files it cannot decrypt; what do I do for those? I think I have the original file that caused all of this: it was a crack for the new Far Cry Primal game. Do you want me to upload this for testing?



#45 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 09 March 2016 - 06:51 PM

> Working through my files now and it seems to be working. Just doing non-important folders first. It has come across some files it cannot decrypt; what do I do for those? I think I have the original file that caused all of this: it was a crack for the new Far Cry Primal game. Do you want me to upload this for testing?

Another team confirmed it was a 3DM FarCry Primal crack too, probably the same one. You can upload the malware to Malwr.com to confirm. If it states it was added about 20 hours ago, then that's the same sample I reversed.






