
UmbreCrypt & HydraCrypt Ransomware Support Topic


6 replies to this topic

#1 Ahaas

Ahaas

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 04 February 2016 - 09:47 AM

Have what looks like a new version of RANSOMWARE. Lists itself as Umbrecrypt; have found no info searching for details so far...

I'll post what I find...



Mod Edit ,,moved to General Security from AII ~~ boopme

Edited by quietman7, 14 February 2016 - 04:20 PM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:29 AM

Posted 04 February 2016 - 02:44 PM


Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, 
_secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, HELP_DECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html
HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.txt, howto_recover_file_.txt, restore_files_.txt, 
how_recover+[random].txt, _how_recover_.txt, recovery_file_[random].txt, recover_file_[random].txt
recovery_file_[random].txt, Howto_Restore_FILES.TXT and help_recover_instructions+[random].txt

Note: The [random] represents random characters which some ransom note names may include.
Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
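The checklist in the post above (appended extensions, random 6-7 character extensions, and known ransom note names in the user's folders and C:\ProgramData) can be turned into a quick triage scan. The script below is an added example, not code from the post, from BleepingComputer or from any vendor tool. The indicator lists are copied from the post; the regex for "random" extensions, the small allowlist of legitimate long extensions, the double-extension heuristic and the constructed sample directory are my own assumptions for demonstration.

```python
"""Triage scan for the ransomware indicators listed in the post above.

Added example (not from the post or any vendor tool). It walks a directory
tree and reports:
  (a) files ending in one of the appended extensions named in the post,
  (b) files whose last extension is 6-7 alphanumeric characters appended
      after an existing extension (heuristic, an assumption),
  (c) files whose name matches one of the ransom note names, with the
      "[random]" part treated as a wildcard.
"""
import os
import re
import tempfile
from collections import Counter
from fnmatch import fnmatch

# Appended extensions from the post, lower-cased for case-insensitive matching.
KNOWN_EXTENSIONS = {e.lower() for e in """
.ecc .ezz .exx .zzz .xyz .aaa .abc .ccc .vvv .xxx .ttt .micro .encrypted
.locked .crypto _crypt .crinf .r5a .XRNT .XTBL .crypt .R16M01D05 .pzdc .good
.LOL! .OMG! .RDM .RRK .encryptedRSA .crjoker .EnCiPhErEd .LeChiffre
.keybtc@inbox_com .0x0 .bleep .1999 .vault .HA3 .toxcrypt .magic .CTBL .CTB2
""".split()}

# Ransom note names from the post; "[random]" becomes a glob wildcard.
RANSOM_NOTE_PATTERNS = [n.replace("[random]", "*").lower() for n in """
HELP_DECRYPT.TXT HELP_YOUR_FILES.TXT HELP_TO_DECRYPT_YOUR_FILES.txt RECOVERY_KEY.txt
HELP_RESTORE_FILES.txt HELP_RECOVER_FILES.txt HELP_TO_SAVE_FILES.txt DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT INSTRUCCIONES_DESCIFRADO.TXT How_To_Recover_Files.txt
YOUR_FILES.HTML YOUR_FILES.url encryptor_raas_readme_liesmich.txt Help_Decrypt.txt
DECRYPT_INSTRUCTION.TXT HOW_TO_DECRYPT_FILES.TXT ReadDecryptFilesHere.txt
_secret_code.txt About_Files.txt Read.txt ReadMe.txt DECRYPT_ReadMe.TXT DecryptAllFiles_.txt
FILESAREGONE.TXT IAMREADYTOPAY.TXT HELLOTHERE.TXT READTHISNOW!!!.TXT SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY SECRET.KEY HELP_DECYPRT_YOUR_FILES.HTML help_decrypt_your_files.html
RECOVERY_FILES.txt RECOVERY_FILE.TXT RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt Howto_Restore_FILES.txt howto_recover_file_.txt restore_files_.txt
how_recover+[random].txt _how_recover_.txt recovery_file_[random].txt recover_file_[random].txt
help_recover_instructions+[random].txt
""".split()]

# Assumptions: what a "random" extension looks like, and a few legitimate
# long extensions that should not trip the heuristic.
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{6,7}$")
COMMON_LONG_EXTENSIONS = {".torrent", ".config", ".sqlite", ".desktop", ".license", ".gradle"}


def looks_like_random_extension(name):
    """Heuristic (assumption): a 6-7 char alphanumeric extension appended
    after an existing one, e.g. 'budget.xlsx.k3xq9z'."""
    stem, ext = os.path.splitext(name)
    if not RANDOM_EXT_RE.match(ext) or ext.lower() in COMMON_LONG_EXTENSIONS:
        return False
    return bool(os.path.splitext(stem)[1])


def scan_tree(root):
    """Walk root and return indicator hits as '/'-separated relative paths,
    plus a count of every suspicious extension seen."""
    hits = {"known_ext": [], "random_ext": [], "ransom_notes": []}
    ext_counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            lower = name.lower()
            ext_hit = next((e for e in KNOWN_EXTENSIONS if lower.endswith(e)), None)
            if ext_hit:
                hits["known_ext"].append(rel)
                ext_counter[ext_hit] += 1
            elif looks_like_random_extension(name):
                hits["random_ext"].append(rel)
                ext_counter[os.path.splitext(name)[1].lower()] += 1
            if any(fnmatch(lower, pat) for pat in RANSOM_NOTE_PATTERNS):
                hits["ransom_notes"].append(rel)
    hits["extension_counts"] = dict(ext_counter)
    return hits


# Constructed sample tree (not real victim data) so the scan runs offline.
SAMPLE_FILES = [
    "docs/report.docx.vvv",
    "docs/photo.jpg.micro",
    "docs/budget.xlsx.k3xq9z",
    "docs/notes.txt",
    "ProgramData/HELP_DECRYPT.TXT",
    "ProgramData/how_recover+f7a1.txt",
]


def build_sample_tree():
    """Create the constructed sample files in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    for category, value in scan_tree(build_sample_tree()).items():
        print(f"{category}: {value}")
```

Point `scan_tree()` at a user profile or C:\ProgramData instead of the sample tree to get the extension counts and note file names that the post asks for; the random-extension heuristic will still produce some false positives, so treat its output as a lead to confirm by hand, not as a verdict.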

#3 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:07:29 AM

Posted 12 February 2016 - 12:38 PM

There is a Decrypter available for HydraCrypt and UmbreCrypt.

It should help you get most of your data back.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#4 al1963

al1963

  • Members
  • 839 posts
  • OFFLINE
  • Local time:12:29 PM

Posted 14 February 2016 - 11:09 PM

As an example, for decoding
https://www.sendspace.com/file/98nfdb



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:29 AM

Posted 15 February 2016 - 06:38 PM

al1963, just click on the link above provided by Fabian...it includes instructions for what you need to do.


#6 al1963

al1963

  • Members
  • 839 posts
  • OFFLINE
  • Local time:12:29 PM

Posted 15 February 2016 - 09:52 PM

quietman7,

thanks for the reply.

I transcribed the files. The only pity is that the last few bytes are not properly restored when decoding; they will have to be edited manually.

Files uploaded as an example; maybe someone will be interested in checking the operation of the decoder.

 

And of course, thanks to Fabian Wosar for rapid development.

For each new decoder, researchers should add a new star to the monitor, as air aces do :)


Edited by al1963, 15 February 2016 - 09:55 PM.


#7 cybercynic

cybercynic

  • Members
  • 553 posts
  • OFFLINE
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:02:29 AM

Posted 16 February 2016 - 04:02 AM

This is covered in the article on the decoder at Emsisoft.

We are drowning in information - and starving for wisdom.




