KeyBTC ransomware (DECRYPT_YOUR_FILES.txt) Support Topic

41 replies to this topic

#16 Fabian Wosar (Authorized Emsisoft Representative, Security Developer)

Posted 22 January 2016 - 07:40 AM

Decrypter is available here:

 

http://www.bleepingcomputer.com/forums/t/602891/keybtc-ransomware-decrypt-your-filestxt-support-topic/page-2#entry3917078


Edited by Fabian Wosar, 25 January 2016 - 06:35 AM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com


#17 spoo (Members)

Posted 22 January 2016 - 12:25 PM

I had the same issue. The files weren't encrypted but only obfuscated. The first 2 KB were scrambled by an XOR bitmask. I had a backup of a scrambled file and managed to extract the key. With this key it was easily possible to rescue all other files.



#18 rakelly67 (Members)

Posted 22 January 2016 - 01:04 PM

Can you please post the process you used to fix the obfuscated files? Or email me at <removed>
 
thanks


Mod Edit by quietman7: personal email removed

#19 spoo (Members)

Posted 22 January 2016 - 02:42 PM

Step 1: Bitwise XOR the first 2048 bytes of a known good file (from a backup) with the first 2048 bytes of the same file that is obfuscated. This will get you the 2048-byte-long bitmask (in fact, it is only 255 bytes long and gets repeated, but I'm ignoring that at this point).

Step 2: To fix the files, you just have to XOR the first 2048 bytes of the obfuscated files with the bitmask you received in Step 1.
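Here is the two-step procedure above as a runnable Python script. This is an added example, not spoo's own code: the 255-byte mask, the sample files and the `_scramble` helper that simulates the damage are all constructed for the demo. It also covers the case spoo mentions but skips: when the only clean backup is shorter than 2 KB, the 255-byte period lets you extend the partial mask to the full 2048 bytes.

```python
"""Recover a repeating XOR mask from one known-good/scrambled file pair, then use
it to repair other files. Added example, not spoo's own code; the sample files
and the 255-byte mask below are constructed so the script runs offline."""
from typing import Optional

SCRAMBLED_LEN = 2048  # only the first 2 KB of each file were altered


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_mask(good: bytes, scrambled: bytes) -> bytes:
    """Step 1: plaintext ^ (plaintext ^ mask) == mask, so XORing the first 2048
    bytes of a backup copy with the same bytes of the scrambled copy yields the
    mask. Everything past the prefix must be identical, or this is not a true
    before/after pair of the same file."""
    n = min(SCRAMBLED_LEN, len(good), len(scrambled))
    if n == 0:
        raise ValueError("need at least one byte of overlap")
    if good[n:] != scrambled[n:]:
        raise ValueError("files differ beyond the scrambled prefix; wrong pair?")
    return xor_bytes(good[:n], scrambled[:n])


def find_period(mask: bytes, max_period: int = 512) -> Optional[int]:
    """Shortest p with mask[i] == mask[i - p] for every i >= p. spoo noted the
    mask is really 255 bytes repeated; a backup shorter than 2 KB yields fewer
    than 2048 mask bytes, and knowing the period lets you extend them."""
    for p in range(1, min(max_period, len(mask)) + 1):
        if all(mask[i] == mask[i - p] for i in range(p, len(mask))):
            return p
    return None


def expand_mask(mask: bytes, period: int, length: int = SCRAMBLED_LEN) -> bytes:
    """Repeat the first `period` bytes of the mask out to `length` bytes."""
    unit = mask[:period]
    return (unit * (length // period + 1))[:length]


def repair(scrambled: bytes, mask: bytes) -> bytes:
    """Step 2: XOR the scrambled prefix with the mask; the tail is untouched."""
    head = scrambled[:SCRAMBLED_LEN]
    if len(mask) < len(head):
        raise ValueError("mask is shorter than the scrambled prefix; expand it first")
    return xor_bytes(head, mask) + scrambled[SCRAMBLED_LEN:]


# --- constructed demo data (not taken from the incident) ---
_UNIT = bytes((i * 37 + 11) & 0xFF for i in range(255))  # constructed 255-byte mask
_FULL_MASK = expand_mask(_UNIT, 255)


def _scramble(data: bytes) -> bytes:
    """Simulates the observed damage: XOR only the first 2048 bytes."""
    return xor_bytes(data[:SCRAMBLED_LEN], _FULL_MASK) + data[SCRAMBLED_LEN:]


BACKUP_PAIR_ORIGINAL = b"%PDF-1.4\n" + bytes(range(256)) * 12      # constructed, 3081 bytes
SHORT_ORIGINAL = b"PK\x03\x04" + b"short file, under 2 KB " * 20     # constructed, under 2 KB
OTHER_ORIGINAL = b"\xff\xd8\xff\xe0" + b"photo payload " * 300       # constructed, 4204 bytes


def demo() -> dict:
    # Full-length pair: the whole 2048-byte mask comes straight out of step 1.
    mask = recover_mask(BACKUP_PAIR_ORIGINAL, _scramble(BACKUP_PAIR_ORIGINAL))
    period = find_period(mask)
    # Short pair: only a partial mask is recoverable, but the period fills the rest.
    partial = recover_mask(SHORT_ORIGINAL, _scramble(SHORT_ORIGINAL))
    extended = expand_mask(partial, find_period(partial) or len(partial))
    return {
        "mask_len": len(mask),
        "period": period,
        "partial_len": len(partial),
        "extended_matches_full": extended == mask,
        "other_recovered": repair(_scramble(OTHER_ORIGINAL), mask) == OTHER_ORIGINAL,
        "other_recovered_via_partial": repair(_scramble(OTHER_ORIGINAL), extended) == OTHER_ORIGINAL,
    }


if __name__ == "__main__":
    print(demo())
```

The tail comparison in `recover_mask` is the one check worth keeping when you do this by hand: if the backup and the damaged copy differ anywhere past the first 2048 bytes, they are not the same file version and the mask you get will silently corrupt everything you apply it to.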



#20 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 23 January 2016 - 05:49 AM

Can you please post the process you used to fix the obfuscated files? Or email me at <removed>
 
thanks


Mod Edit by quietman7: personal email removed

If you would prefer a fix without having to find a known good file, please send an email to fw@emsisoft.com.
 
xXToffeeXx~




#21 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 23 January 2016 - 02:39 PM

@ Valentinik87

Since your infection is unrelated to KeyBTC, your postings and replies to them were split into a separate topic to avoid confusion with this one. You can find it here. I also sent you a PM.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#22 Fabian Wosar (Authorized Emsisoft Representative, Security Developer)

Posted 24 January 2016 - 07:10 AM

I created a proper decrypter today. It's available here:

 

http://emsi.at/DecryptKeyBTC

 

There is no way for the decrypter to figure out whether you were actually hit by the malware or not. So only try it if you are 100% sure it matches your infection. The decrypter will create backups of all encrypted files it attempted to decrypt. So you will need enough free storage for all the backup copies. If you don't have enough storage capacity, you can disable the backup creation under options.

 

The decrypter also performs some basic checks whether the resulting file somehow makes sense and resembles a known file format. This works fine but in the off-chance that you have some file formats encrypted that the decrypter can't recognize, you may have to disable those safety checks in the options as well.

 

In all circumstances I strongly advise you to test it on a couple of sample files first before letting it run on your entire drive.

 

As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.  :wink:
 
As always, please ask if you run into any issues. Keep in mind that I do have a rather busy day job, so I may not reply right away. So please be patient. 


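The three precautions Fabian lists (a backup of every file before it is overwritten, a sanity check that the decoded result resembles a known file format with an option to switch it off, and trying a few files first) look like this in code. This is an added example, not the Emsisoft decrypter and not its internal logic: the signature table, the mask and the sample files are constructed, and the `force` flag stands in for disabling the safety checks.

```python
"""Apply a recovered 2048-byte XOR mask to files on disk the careful way: decode
in memory, check that the result looks like the file's declared type, write a
backup before overwriting, and report per-file outcomes. Added example, not the
Emsisoft decrypter; the signature table and the sample files are constructed."""
import shutil
import tempfile
from pathlib import Path
from typing import Optional

SCRAMBLED_LEN = 2048

# Constructed, deliberately small signature table: extension -> accepted leading bytes.
# A real tool would carry signatures for every extension it is willing to repair.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".rar": (b"Rar!\x1a\x07",),
    ".gz": (b"\x1f\x8b",),
}


def decode_prefix(data: bytes, mask: bytes) -> bytes:
    """XOR the first 2048 bytes with the mask; the rest is copied unchanged.
    XOR is symmetric, so the same call also scrambles a clean file."""
    head = data[:SCRAMBLED_LEN]
    return bytes(x ^ y for x, y in zip(head, mask)) + data[SCRAMBLED_LEN:]


def looks_like_known_format(data: bytes, ext: str) -> Optional[bool]:
    """None: no signature for this extension (the safety check cannot judge).
    True/False: the bytes do / do not start with an accepted signature."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def repair_file(path, mask: bytes, keep_backup: bool = True, force: bool = False) -> str:
    """Decode one file in memory and only write it back when the result passes
    the format check (or `force` is set, mirroring 'disable the safety checks').
    Returns a short status string for reporting."""
    path = Path(path)
    data = path.read_bytes()
    if looks_like_known_format(data, path.suffix):
        return "skipped-already-intact"      # nothing to undo; decoding would damage it
    decoded = decode_prefix(data, mask)
    verdict = looks_like_known_format(decoded, path.suffix)
    if verdict is None and not force:
        return "skipped-unknown-format"
    if verdict is False and not force:
        return "skipped-check-failed"        # wrong mask, or not this malware's damage
    if keep_backup:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(decoded)
    return "repaired"


def repair_tree(root, mask: bytes, **opts) -> dict:
    """Repair every regular file under root; returns {status: count}."""
    counts: dict = {}
    for p in sorted(Path(root).rglob("*")):   # materialised first so new .bak files are not visited
        if p.is_file() and not p.name.endswith(".bak"):
            status = repair_file(p, mask, **opts)
            counts[status] = counts.get(status, 0) + 1
    return counts


def demo() -> dict:
    """Constructed tree exercising each outcome; runs in a temporary directory."""
    mask = bytes((i * 91 + 7) & 0xFF for i in range(SCRAMBLED_LEN))   # constructed mask
    pdf = b"%PDF-1.4\n%constructed sample\n" + b"x" * 3000
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.pdf").write_bytes(decode_prefix(pdf, mask))   # scrambled copy
        (root / "intact.pdf").write_bytes(pdf)                        # never touched
        (root / "notes.cpr").write_bytes(decode_prefix(b"no signature on file " * 120, mask))
        (root / "wrongkey.jpg").write_bytes(b"\x00" * 2100)           # decodes to garbage
        counts = repair_tree(root, mask)
        return {
            "counts": counts,
            "pdf_restored": (root / "report.pdf").read_bytes() == pdf,
            "backup_written": (root / "report.pdf.bak").exists(),
            "intact_untouched": (root / "intact.pdf").read_bytes() == pdf,
        }


if __name__ == "__main__":
    print(demo())
```

Run `repair_tree` on a folder holding two or three copies of damaged files before pointing it at a whole drive; the `skipped-check-failed` count is the signal that the mask is wrong or that the files were not damaged by this malware at all, which is exactly the case a decrypter cannot detect on its own.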

#23 JD355113 (Members)

Posted 24 January 2016 - 06:24 PM

I have been working this same problem since it hit me Jan-18 and can confirm what others are saying here. Indeed, I just confirmed that only the first 2KB of "encrypted" files were altered. I've yet to try the fix Fabian has posted, but don't doubt that it will work.

 

This attack is characterized by the ransom note DECRYPT_YOUR_FILES.txt on the desktop, with the keybtc@inbox.com email address in it.

 

I've several things to contribute. I was able to halt the attack within the first couple minutes, after it had damaged only ~1100 files, but long before it completed. As a result, I was able to capture all the working files and do an analysis on it.

 

  • This was introduced to my system through spam email on verizon.net with the subject line "You have new fax, document 00000696300" from Interfax.net. Attached to the email was a .zip file named scan-00000696300.zip. The content of the zip file was scan-00000696300.docx.js. At the time, I scanned it with AVG and was unable to detect a problem. By the way, I received a second copy of this spam email 3 or 4 days later -- I hope verizon starts blocking it soon.
  • The .js file contains a very obfuscated script (VBScript or JavaScript, I don't know the difference). I was able to decode the script to human-readable form and see exactly what it was attempting to do.
  • First, it determines where your %TEMP folder is, in my case C:\Users\<name>\AppData\Local\Temp. It sends a key to a remote host and downloads a file, XXXXXX_crypt.exe, and deposits it in the TEMP folder. Then it writes out XXXXXX_readme.txt and XXXXXX_tree.cmd files, also in the TEMP folder. At that point the tree.cmd script is launched.
  • The tree.cmd script causes all drive letters, A: to Z:, to be visited, and recursively traverses the file structure looking for matches to 79 different file name extensions. Any found are processed through crypt.exe. The filesystem traversal seems to run in strictly alphabetical order, dropping into subfolders before continuing.
  • Other than receiving a new date/timestamp, files appear unchanged, not having their names or extensions altered. Of course, the content is mangled and unusable.
  • After completion of traversal and processing of the entire filesystem, the script does some finalization and cleanup tasks. The ransom note is popped up in notepad.exe, it is copied to the user's desktop as DECRYPT_YOUR_FILES.txt, and a registry entry is made to run WinHelp displaying the ransom note each time the user starts up. The working files, XXXXXX_crypt.exe and XXXXXX_tree.cmd, are deleted.
  • If the virus script is triggered a second time, it only runs again if the XXXXXX_readme.txt file no longer exists in the %TEMP folder.
  • File extensions that are matched during the attack are:
    .3ds .7z .accdb .als .asm .aup .avi .bas .blend .cad
    .cdr .cpp .cpr .cpt .cs .csv .doc .docx .dsk .dwg
    .eps .gpg .gz .indd .jpg .kdb .kdbx .lwo .lws .m4v
    .max .mb .mdb .mdf .mp4 .mpe .mpeg .mpg .mpp .npr
    .odb .odm .odt .pas .pdf .pgp .php .ppt .pptx .psd
    .pub .rar .raw .rtf .scad .skp .sldasm .slddrw .sldprt .ssh
    .sxi .tar .tif .tiff .tsv .u3d .vb .vbproj .vcproj .vdi
    .veg .vhd .vmdk .wdb .wmf .wmv .xls .xlsx .zip
  • Files added:
    %TEMP\<random>_tree.cmd *
    %TEMP\<random>_crypt.exe *
    %TEMP\<random>_readme.txt
    Desktop\DECRYPT_YOUR_FILES.txt
    * These two are deleted upon attack completion
  • Registry entries added:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> WinHelp %TEMP\readme.txt

Assuming they'd like to see the scripts and embedded keys and addresses, I intend to submit a more detailed report to the moderators.

 

Thank you Fabian and others for jumping on this too. I'm relieved that I'll soon be able to retrieve my files without too much more effort.

 

-- JD
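A scoping script built on the observations in JD's post, as an added example (not JD's own analysis scripts): it lists files carrying one of the 79 targeted extensions that were modified inside a chosen window, which, because the traversal ran alphabetically, also shows roughly where an interrupted run stopped, and it checks TEMP and the desktop for the dropped files. The directory tree, timestamps and attack window are constructed; the registry Run entry is not checked because that needs a Windows-only API.

```python
"""Scope the damage after a run stopped part-way: list files that carry one of
the 79 targeted extensions and were modified inside the attack window, and look
for the dropped artefacts named in the post. Added example, not JD's own
analysis scripts; the sample tree, timestamps and window are constructed."""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# The 79 extensions listed in the post above (".mdf" read for the bare "mdf").
TARGETED_EXTENSIONS = frozenset("""
.3ds .7z .accdb .als .asm .aup .avi .bas .blend .cad
.cdr .cpp .cpr .cpt .cs .csv .doc .docx .dsk .dwg
.eps .gpg .gz .indd .jpg .kdb .kdbx .lwo .lws .m4v
.max .mb .mdb .mdf .mp4 .mpe .mpeg .mpg .mpp .npr
.odb .odm .odt .pas .pdf .pgp .php .ppt .pptx .psd
.pub .rar .raw .rtf .scad .skp .sldasm .slddrw .sldprt .ssh
.sxi .tar .tif .tiff .tsv .u3d .vb .vbproj .vcproj .vdi
.veg .vhd .vmdk .wdb .wmf .wmv .xls .xlsx .zip
""".split())

# Working-file names and the ransom note from the post; the random prefix is unknown.
TEMP_ARTEFACT_SUFFIXES = ("_tree.cmd", "_crypt.exe", "_readme.txt")
RANSOM_NOTE = "DECRYPT_YOUR_FILES.txt"


def is_targeted(path) -> bool:
    return Path(path).suffix.lower() in TARGETED_EXTENSIONS


def scope_modified(root, window_start: datetime, window_end: datetime) -> list:
    """Targeted files whose mtime falls inside the window, in path order. The
    traversal ran alphabetically, so the last entry approximates where it stopped."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and is_targeted(p):
            mtime = datetime.fromtimestamp(p.stat().st_mtime)
            if window_start <= mtime <= window_end:
                hits.append(p)
    return sorted(hits)


def find_artefacts(temp_dir, desktop_dir) -> list:
    """Dropped files still present: the note on the desktop and any <random>_*
    working files in TEMP (the .cmd and .exe are removed on completion, so their
    presence suggests an interrupted run)."""
    found = []
    for p in Path(temp_dir).iterdir():
        if p.is_file() and p.name.endswith(TEMP_ARTEFACT_SUFFIXES):
            found.append(p)
    note = Path(desktop_dir) / RANSOM_NOTE
    if note.is_file():
        found.append(note)
    return sorted(found)


def _touch(path: Path, when: datetime, body: bytes = b"constructed") -> None:
    """Create a constructed sample file and set its modification time."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(body)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def demo() -> dict:
    """Constructed tree: two hits inside the window, one untargeted file, one old file."""
    start = datetime(2016, 1, 18, 10, 0, 0)          # constructed attack window
    end = start + timedelta(minutes=5)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _touch(root / "data" / "a" / "budget.xlsx", start + timedelta(minutes=1))
        _touch(root / "data" / "b" / "photo.jpg", start + timedelta(minutes=2))
        _touch(root / "data" / "b" / "notes.md", start + timedelta(minutes=2))   # not targeted
        _touch(root / "data" / "c" / "old.doc", start - timedelta(days=400))     # outside window
        _touch(root / "temp" / "abc123_readme.txt", start + timedelta(minutes=4))
        _touch(root / "desktop" / RANSOM_NOTE, start + timedelta(minutes=4))
        hits = scope_modified(root / "data", start, end)
        artefacts = find_artefacts(root / "temp", root / "desktop")
        return {
            "hit_names": [p.name for p in hits],
            "last_hit": hits[-1].name if hits else None,
            "artefact_names": [p.name for p in artefacts],
        }


if __name__ == "__main__":
    print(demo())
```

Pick the window from the timestamp of the ransom note or the readme in TEMP as the end and the mail delivery time as the start; anything targeted and modified before the start is outside this incident and should not be fed to a repair tool.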



#24 satanclaws (Members)

Posted 25 January 2016 - 07:10 AM

Fabian Wosar you are the best. Decrypter works flawlessly for me. Thank you very much. You have made my life easier. Thank you again!  :thumbup2: 

#25 Fabian Wosar (Authorized Emsisoft Representative, Security Developer)

Posted 25 January 2016 - 07:18 AM

Glad you got your data back :)



#26 Valentinik87 (Members)

Posted 25 January 2016 - 07:21 AM

It's not working for my file... Can you give another solution, please?

I have all my files decrypted in .yvrqgrk

There are two files:
https://app.box.com/s/9emhxap2vixq7u34oeu8g6wegpi8m3x7



#27 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 25 January 2016 - 09:07 AM

It's not working for my file... Can you give another solution, please?

It's not working because you do not have KeyBTC ransomware. I previously replied to you in Post #21 with a link to your topic.
 

@ Valentinik87

Since your infection is unrelated to KeyBTC, your postings and replies to them were split into a separate topic to avoid confusion with this one. You can find it here.



#28 arthurbbj (Members)

Posted 25 January 2016 - 10:16 AM

Is there a topic for discussion of TeslaCrypt 3.0?

If there is, please send a PM.


#29 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 25 January 2016 - 10:21 AM

Is there a topic for discussion of TeslaCrypt 3.0?

If there is, please send a PM.

There is no solution for TeslaCrypt 3.0 (.xxx, .ttt, .micro) at the present time, but we are working on it. I recommend archiving your encrypted data and hoping for the future.

 

You can check the main topics for TeslaCrypt for information, including the news articles.




#30 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 25 January 2016 - 11:57 AM

Is there a topic for discussion of TeslaCrypt 3.0?

There is no dedicated discussion topic just for TeslaCrypt 3.0. We are using the following link as the primary support topic where folks can ask questions and seek further assistance, but as Demonslay335 noted, he and BloodDolly are still working on this variant. You can also post comments in the related BC News article...



