
cryptcryptcrypt@gmail.com server encryption problem


9 replies to this topic

#1 ibastavd


Posted 01 March 2016 - 11:24 AM

Hi,

Our server in work has been locked with all files using the extension _cryptcryptcrypt@gmail.com_

I have a couple of before and after files and I've tried decrypt_gomasom, decrypt_crybos and decrypt_mblblock to no avail.

I can get hold of the email attachment that possibly caused the problem and post it here if that helps.

It's our main business server and it's encrypted our latest backup too!

We do have a backup from a week ago which is ok but that's going to cause us loads and loads of headaches and problems to catch up....

Many thanks

Mac





#2 Fabian Wosar


    Authorized Emsisoft Representative



Posted 01 March 2016 - 11:28 AM

> I have a couple of before and after files and I've tried decrypt_gomasom, decrypt_crybos and decrypt_mblblock to no avail.
>
> I can get hold of the email attachment that possibly caused the problem and post it here if that helps.

Both would be helpful. Please submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=170


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#3 ibastavd


Posted 01 March 2016 - 11:50 AM

Hi Fabian,

Many thanks for the quick reply,

I've uploaded the before and after files, I'll get hold of the email attachments tomorrow and post them too.

Our off-site IT support team are in the process of restoring the server to last week's good backup but they can re-restore it to the encrypted version if you need anything else off it.

By the way the malware totally borked the server and corrupted/encrypted all the files on it including all the system files too! The first we knew about it was a non-booting server with a BCD error on Monday morning.

Thanks again

Mac



#4 Fabian Wosar


    Authorized Emsisoft Representative



Posted 01 March 2016 - 11:54 AM

You only uploaded an encrypted file, but no unencrypted version of the same file. 


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 ibastavd


Posted 01 March 2016 - 12:18 PM

Oops, brain out of gear!

I've uploaded a new rar with 4 files, 2 encrypted and two unencrypted.

Thanks Fabian

Mac



#6 doubleblast2


Posted 02 March 2016 - 11:46 AM

Hi Guys

I am having exactly the same problem.

Most of the files, icons, registry etc. are ending with lnk.__cryptcryptcrypt@gmail.com__.

I tried all the fixes from here https://malwaretips.com/threads/how-to-fix-lnk-file-association-error.10825/

however none of them worked. System restore was turned off.

Please give me an update / solution.


Edited by doubleblast2, 02 March 2016 - 11:46 AM.


#7 Demonslay335


    Ransomware Hunter



Posted 02 March 2016 - 11:58 AM

> Hi Guys
>
> I am having exactly the same problem.
>
> Most of the files, icons, registry etc. are ending with lnk.__cryptcryptcrypt@gmail.com__.
>
> I tried all the fixes from here https://malwaretips.com/threads/how-to-fix-lnk-file-association-error.10825/
>
> however none of them worked. System restore was turned off.
>
> Please give me an update / solution.

File associations will do nothing for you, as the files themselves are actually encrypted. No program can open them until they are decrypted. Whether or not that is possible without paying the ransom is unknown at this point until it has been analysed.

It would be best to follow Fabian's advice above to submit an encrypted file with a clean copy if possible, and the malware itself if you can find it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
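
An added example, not code from any poster or vendor in this thread: it lists files carrying the `cryptcryptcrypt@gmail.com` marker, pairs each with the clean copy of the same file in an older backup (the encrypted/unencrypted pair requested above), and compares byte entropy to show the contents were rewritten rather than just renamed. The function names, the assumption that the backup mirrors the live directory layout, and the sample tree are constructed for illustration; the marker is matched as a substring because the exact suffix is not confirmed in the thread.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Substring seen in the thread; the exact suffix (one or two underscores) was never confirmed.
MARKER = "cryptcryptcrypt@gmail.com"

def original_name(name, marker=MARKER):
    """'picture.jpg._<marker>_' -> 'picture.jpg'; None if the marker is absent."""
    idx = name.find(marker)
    if idx <= 0:
        return None
    return name[:idx].rstrip("._") or None

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_pairs(encrypted_root, backup_root, sample=65536):
    """Return (pairs, unmatched): renamed files with and without a clean backup copy."""
    enc_root, bak_root = Path(encrypted_root), Path(backup_root)
    pairs, unmatched = [], []
    for enc in sorted(p for p in enc_root.rglob("*") if p.is_file()):
        name = original_name(enc.name)
        if name is None:
            continue
        clean = bak_root / enc.relative_to(enc_root).with_name(name)
        if clean.is_file():
            with enc.open("rb") as e, clean.open("rb") as c:
                scores = round(entropy(e.read(sample)), 2), round(entropy(c.read(sample)), 2)
            pairs.append((str(enc), str(clean), *scores))
        else:
            unmatched.append(str(enc))
    return pairs, unmatched

def demo():
    """Constructed sample tree: one file with a backup copy, one shortcut without."""
    with tempfile.TemporaryDirectory() as tmp:
        live, bak = Path(tmp, "live", "docs"), Path(tmp, "backup", "docs")
        live.mkdir(parents=True)
        bak.mkdir(parents=True)
        (bak / "report.txt").write_bytes(b"Quarterly sales report\n" * 200)
        (live / f"report.txt._{MARKER}_").write_bytes(bytes(range(256)) * 16)
        (live / f"shortcut.lnk.__{MARKER}__").write_bytes(bytes(range(256)))
        return find_pairs(Path(tmp, "live"), Path(tmp, "backup"))
```

Entropy near 8.0 also fits compressed formats, so the useful output for a submission is the matched pair itself; run it against a read-only copy or image of the affected volume.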


#8 Fabian Wosar


    Authorized Emsisoft Representative



Posted 08 March 2016 - 01:44 PM

Someone submitted a sample of the malware. I looked into it and it doesn't look very good. I suggest you restore as much as you can from backups.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#9 ibastavd


Posted 08 March 2016 - 01:49 PM

> Someone submitted a sample of the malware. I looked into it and it doesn't look very good. I suggest you restore as much as you can from backups.

Thank you for trying Fabian...



#10 Demonslay335


    Ransomware Hunter



Posted 08 March 2016 - 02:10 PM

For archiving-sake, do you have a sample of the ransom note? And was the exact extension "_cryptcryptcrypt@gmail.com_"? So, files show as "picture.jpg._cryptcryptcrypt@gmail.com_"?






