
All images encrypted with .crypt extension


  • This topic is locked
3 replies to this topic

#1 Panimu

Panimu

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 03 March 2016 - 05:59 PM

Just 2 hours ago the following files appeared on my desktop:

 

"C:\Users\mypcname\Desktop\_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\1_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\2_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\3_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\4_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\5_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\6_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\7_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\8_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\9_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\10_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\11_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\12_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\13_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\14_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\15_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\16_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\17_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\18_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\19_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\20_READ!!!!!!!!!!!.ME.txt"
"C:\Users\mypcname\Desktop\helper.exe"
 
 
and all my .txt, .jpg, .png, .pdf files, and more I've probably not found yet, have .crypt added to them and are unusable.
 
The text file contents are:
------------------------------
If you are reading this text, it means that all your photos, documents, databases and other important files are encrypted now.
The encryption algorithm itself is guite complicated. Such algorithms as SHA-1, HMAC and the unique algorithm developed by us, were used in the process of encryption.
To decrypt your files you will need a unique password and the programme-decryptor working with absolutely original encryption algorithm.
This password has more than 20 symbols and it contains uppercase and lowercase letters, special characters, etc.
We really doubt that you could construct a programme and the encryption algorithm or to decode your files in any other way.
You have 15 days for decoding the files. Then, all the data will be deleted with no way to decrypt your files back.
To start the decryption process you should follow further steps:
1.Download the TOR browser on your computer by opening this link :
2.Using a TOR browser, open this link: http:\\nfetyhpx56dnoycm.onion
3.To access a web-site, enter the following code: 
<deleted>
4.Please follow the instructions given on the web-site.
There is file "helper.exe" on your desktop. Don`t delete it - it will help you to decrypt your files when you get the password  
You can decrypt file "C:\ASUS.SYS\00ar.bin simply by clicking "DECRYPT" in "helper.exe"
------------------------------
 
Can anyone help please?

Edited by Panimu, 03 March 2016 - 06:04 PM.




#2 neuronic

neuronic

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Hampshire
  • Local time:11:11 AM

Posted 03 March 2016 - 06:58 PM

Do you have a backup?



#3 Panimu

Panimu
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 03 March 2016 - 07:03 PM

Nope!



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,927 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:11 AM

Posted 03 March 2016 - 07:10 PM

You appear to be dealing with a variant of CryptInfinite Ransomware

Uniquekey@dr.com and crydhellsek@gmail.com encrypts your data and appends a .crypt, .pzdc, or .good extension to the end of each filename. cwall@dr.com is a newer variant which appends a .R16M01D05 extension to the end of each filename. These infections typically leave files (ransom notes) named Help_Decrypt.txt similar to CryptoWall but your infection may have a new note.

There are ongoing discussions in these topics where you can ask questions and seek further assistance.

From the above topics... possible decryptor solution is provided by Fabian Wosar in Post #34 and Post #5.

Kaspersky Lab also has a utility called ScatterDecryptor that restores files only if the utility contains a certain Trojan-Ransom.BAT.Scatter modification's secret key. As of now, the utility contains keys for the files with the following extensions: .crypt, .pzdc, .good.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
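
A read-only triage sketch for the indicators named in this thread (the appended extensions and the ransom-note file names), added here as an example and not code from any poster or from BleepingComputer. It matches on names only, so a hit is a lead for identifying the variant, not proof of it; the function names, the sample tree and its timestamps are constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators named in the thread: appended extensions and ransom-note file names.
ENCRYPTED_EXTS = {".crypt", ".pzdc", ".good", ".r16m01d05"}
NOTE_PATTERNS = [
    re.compile(r"^\d*_READ!+\.ME\.txt$", re.IGNORECASE),  # _READ!!!...ME.txt, 1_READ...
    re.compile(r"^Help_Decrypt\.txt$", re.IGNORECASE),
]

def triage(root):
    """Walk root without modifying anything and summarise what was left behind."""
    report = {"encrypted": [], "notes": [], "original_types": Counter(), "earliest_mtime": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if any(p.match(name) for p in NOTE_PATTERNS):
                report["notes"].append(path)
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() not in ENCRYPTED_EXTS:
                continue
            report["encrypted"].append(path)
            # photo.jpg.crypt -> ".jpg": shows which file types were hit
            report["original_types"][os.path.splitext(stem)[1].lower() or "(none)"] += 1
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry: still counted, just no timestamp
            # Rough estimate of when encryption began (assumes mtimes were not preserved).
            if report["earliest_mtime"] is None or mtime < report["earliest_mtime"]:
                report["earliest_mtime"] = mtime
    return report

def build_sample_tree(root):
    """Create constructed sample files (not taken from the thread) for a dry run."""
    samples = {"Desktop/_READ!!!!!!!!!!!.ME.txt": 3000, "Desktop/1_READ!!!!!!!!!!!.ME.txt": 3000,
               "Pictures/photo.jpg.crypt": 1000, "Documents/report.pdf.CRYPT": 2000,
               "Documents/README.crypt": 2500, "Documents/untouched.txt": 500}
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample_tree(tmp))
        print(len(result["encrypted"]), "encrypted,", len(result["notes"]), "notes")
        print(dict(result["original_types"]), result["earliest_mtime"])
```

Run `triage()` against a mounted copy or image of the affected profile rather than the live system, so the inventory and timestamps are captured before any decryptor is tried.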




