
Crysis (.<extension>.<id-number>.<email>.arena/.CrySiS) Ransomware Support Topic


673 replies to this topic

#1 al1963

al1963

  • Members
  • 814 posts

Posted 10 March 2016 - 10:55 PM

Decrypter for this variant can be found here. You should select a .docx, .zip, .mp3, or .png file to start the decryption.
 
 

There has been some confusion from the start with what are actually two different ransomware families that use the extension .xtbl. The topics have been renamed to help with sorting future victims between these two infections.

------------------------------------------------------------------------------------------------------------------------------------------

Troldesh/Shade

This ransomware renames files with the format Base64(AES_encrypt(original file name)).xtbl, or may use .ytbl, .breaking_bad, or .heisenberg. Other extensions include .better_call_saul, .da_vinci_code, .magic_software_syndicate and .windows10 (these are not currently included with the Kaspersky decrypter, and so are not decryptable yet).

An example of a Troldesh/Shade encrypted file would be "VTJGc2RHVmtYMSs3aHNzL1NSem5qMmlxUjhKVVR2SlA4dGhVQkFDV1R1TT0=.xtbl".

The ransom note left is README1.txt, README2.txt ... README10.txt.

This ransomware is decryptable. See this page: https://www.nomoreransom.org/decryption-tools.html

------------------------------------------------------------------------------------------------------------------------------------------

CrySiS

This ransomware does not rename files. It will only append filenames with something like .<id>.<email>.xtbl, .<id>.<email>.CrySiS, .<id>.<email>.crypt, or .<id>.<email>.lock.

An example of a CrySiS encrypted file would be "mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl". There are several different email addresses, and a few very slight alterations on this format, but it still remains the same concept in general.

The ransom note left is How to decrypt your data.txt, How to decrypt your files.txt, or How to get data back.txt.

 


Please help with decoding files encrypted by the encoder *Vegclass@aol.com.xtbl.
I have encrypted and clean files, and there is also the body of the encoder.

encrypted files here
https://www.sendspace.com/file/smaj3v

clean files here.
https://www.sendspace.com/file/u8ql6с

File Encoder is detected here
https://www.virustotal.com/ru/file/0df497d3e0637772eed7ffe3ec335d521ff4a1a7d707c8b448de55062480e356/analysis/


Edited by xXToffeeXx, 21 November 2016 - 03:09 PM.
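The two naming patterns described in the topic header are enough to triage a folder of file names before any decrypter is tried. The Python script below is an added example written for this page, not a tool from the thread, from BleepingComputer or from any vendor. It applies the rules stated above (CrySiS appends .id-<id>.<email>.<ext> to the intact original name; Troldesh/Shade replaces the whole name with a base64 string and one of the listed extensions) and maps the listed ransom note names to a family. The sample names are either quoted from the thread or constructed here; the function names, the hex-only heuristic for the CrySiS id, and the acceptance of an optional hyphen after "id" are my own assumptions.

```python
import base64
import re
from collections import Counter

# Extensions the topic header attributes to each family.
TROLDESH_EXTS = {
    "xtbl", "ytbl", "breaking_bad", "heisenberg", "better_call_saul",
    "da_vinci_code", "magic_software_syndicate", "windows10",
}
CRYSIS_EXTS = ("xtbl", "CrySiS", "crypt", "lock")

# CrySiS keeps the original name and appends ".id-<hex>.<email>.<ext>".
# Assumption: the id is hexadecimal and the hyphen after "id" is optional,
# so the ".IDF5A4D1." form quoted later in the thread is accepted as well.
CRYSIS_RE = re.compile(
    r"^(?P<original>.+?)\.id-?(?P<id>[0-9a-f]{6,})\."
    r"(?P<email>[^\s@]+?@[^\s@]+?)\.(?P<ext>" + "|".join(CRYSIS_EXTS) + r")$",
    re.IGNORECASE,
)

# Ransom note names listed in the topic header.
NOTE_TROLDESH = re.compile(r"^README\d+\.txt$", re.IGNORECASE)
NOTE_CRYSIS = {
    "how to decrypt your data.txt",
    "how to decrypt your files.txt",
    "how to get data back.txt",
}

# Sample names: the first two are quoted from the thread, the rest are constructed.
SAMPLES = [
    "VTJGc2RHVmtYMSs3aHNzL1NSem5qMmlxUjhKVVR2SlA4dGhVQkFDV1R1TT0=.xtbl",
    "mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl",
    "keygpg.rar.IDF5A4D1.redbleepline@india.com.xtbl",
    "report.docx.id-ABCDEF12.someone@example.com.CrySiS",
    "budget.xlsx",
]


def _looks_base64(stem: str) -> bool:
    """True if the stem is a well-formed base64 string (standard or URL-safe alphabet)."""
    if not stem or len(stem) % 4 != 0:
        return False
    try:
        base64.b64decode(stem, altchars=b"-_", validate=True)
    except ValueError:
        return False
    return True


def classify_name(filename: str) -> dict:
    """Classify one file name by its renaming pattern alone."""
    m = CRYSIS_RE.match(filename)
    if m:
        # The original name survives, so it can be reported back to the victim.
        return {"family": "CrySiS", "original": m["original"], "id": m["id"],
                "email": m["email"], "extension": m["ext"]}
    stem, sep, ext = filename.rpartition(".")
    if sep and ext.lower() in TROLDESH_EXTS and _looks_base64(stem):
        # Troldesh replaces the whole name; the original cannot be read from it.
        return {"family": "Troldesh/Shade", "original": None, "extension": ext}
    return {"family": "unknown"}


def classify_note(note_name: str) -> str:
    """Map a ransom note file name to the family that drops it."""
    if NOTE_TROLDESH.match(note_name):
        return "Troldesh/Shade"
    if note_name.lower() in NOTE_CRYSIS:
        return "CrySiS"
    return "unknown"


def summarize(filenames) -> dict:
    """Count names per family; more than one family present suggests a double infection."""
    return dict(Counter(classify_name(n)["family"] for n in filenames))


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", classify_name(name))
    print(summarize(SAMPLES))
```

The Troldesh/Shade check is a heuristic: any stem that happens to be a valid base64 string of a length divisible by four will be reported as Troldesh/Shade, so the result should be confirmed against the ransom note name (classify_note) before choosing a decrypter. Running summarize over a whole encrypted directory is the quickest way to see whether two families are present at once, which is the situation the first replies in this thread suspect.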




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,173 posts
  • Gender:Male
  • Location:USA

Posted 10 March 2016 - 11:01 PM

You may have a double-encryption from the look of the file names. There is the XTBL ransomware (I've only seen references to it in Russian), and the "@" ransomwares from some kit. Some variants of the "@" ransomwares have been decrypted by Kaspersky's tools, but to my knowledge XTBL isn't breakable.

 

Do you have ransom notes to confirm?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 al1963

al1963
  • Topic Starter

  • Members
  • 814 posts

Posted 10 March 2016 - 11:10 PM

@Demonslay335,

This is another xtbl, apparently copied the expansion :)

 

ESET-NOD32 Win32/Filecoder.NFY

Kaspersky Trojan-Ransom.Win32.Crysis.c

Microsoft Ransom:Win32/Genasom

 

 

there are versions of the encoder.
keygpg.rar.IDF5A4D1.redbleepline@india.com.xtbl

 

It even encrypts executable files (*.exe) in Program Files.

 

-------

not the very heavy option Shade / Filecoder.ED (ESET).
There were such files:
BHeEjlz4GxA + iW7IzEYHCLfN8vX6-2bpPwFXfxv6jM1mRgfjDYF976bMRcA0qGqB.xtbl


Edited by al1963, 10 March 2016 - 11:23 PM.


#4 al1963

al1963
  • Topic Starter

  • Members
  • 814 posts

Posted 10 March 2016 - 11:33 PM

Demonslay335,

saver for redemption for the decoder is not available, but all the labels on the same encrypted desktop.

------

The decoder from the fraudsters unfortunately is not on hand; there is only the encoder.


Edited by al1963, 10 March 2016 - 11:36 PM.


#5 NightbirD

NightbirD

  • Members
  • 493 posts
  • Gender:Male
  • Location:Buenos Aires, Argentina.

Posted 10 March 2016 - 11:36 PM

Sounds interesting, I wish I could have time to get inside this world........ :(


************************************************************************************************************************


Please, start TODAY a BACK UP DISCIPLINE, & try to spread the idea to everyone you know. This way you, & your beloved ones, will keep safe the whole data, & the crypto-criminal activity will turn senseless soon.


#6 al1963

al1963
  • Topic Starter

  • Members
  • 814 posts

Posted 10 March 2016 - 11:41 PM

I noticed that at the end of each encrypted file there is a block of data with a file name that is virtually the same for all the encrypted files.

[image: 646296a86f83.jpg]

and another file

[image: 7cd97e348afc.jpg]


Edited by al1963, 10 March 2016 - 11:49 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,556 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 March 2016 - 06:53 AM

It is believed these "@" infections are part of a ransomware kit that different affiliates utilize with their own payment email addresses and explains why so many variants have been reported.

As I noted via PM, it also appears you are dealing with a variant of Win32/Filecoder...(aka Troldesh, Encoder.858, Shade) which is a crypto malware detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. The Win32/Filecoder.NFY and Win32/Filecoder.ED variants encrypt data and utilize the .XTBL in the file name.

Troldesh is a crypto-ransomware variant created in Russia that appends encrypted data files with an .XTBL or .YTBL extension to the end of each filename using GPG Cryptography. In later versions, Kaspersky Lab advises the malware added the infected computer's ID and then the .xtbl extension to the file name like this example... ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl. According to ESET, the newer variants append an additional .ID%variable%.%email_address%.xtbl extension.

I am not aware of any fix tool or way to decrypt encrypted data without paying the ransom.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 thyrex

thyrex

  • Members
  • 465 posts
  • Gender:Male
  • Location:Belarus

Posted 11 March 2016 - 07:51 AM

This version possibly encrypts files with two different keys. I will try to look at the files.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,556 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 March 2016 - 08:07 AM

Kaspersky Lab has a utility called RakhniDecryptor that is able to brute force the decryption key for some of these <filename>.<extension>.id-random number_"@"variants but not all of them. Instructions for using RakhniDecryptor can be found here.

Kaspersky Lab also has a RannohDecryptor utility for decrypting some other types of <filename>"@".<random characters> "@" variants with extensions appended to the end.

#10 mike 1

mike 1

  • Members
  • 193 posts
  • Gender:Male
  • Location:Russia, Moscow

Posted 11 March 2016 - 08:28 AM

quietman7 here is other encoder. RakhniDecryptor does not support this version of encoder.


I eat mice

My processor AMD Athlon™ X4 860K, 4 cores   :deadhorse:


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,556 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 March 2016 - 08:40 AM

I said RakhniDecryptor works on some "@"variants but not all. No way to know unless victims try and report back their findings.

#12 thyrex

thyrex

  • Members
  • 465 posts
  • Gender:Male
  • Location:Belarus

Posted 11 March 2016 - 08:47 AM

al1963 (aka santy)

Upload the first ten encrypted files (by time).




#13 al1963

al1963
  • Topic Starter

  • Members
  • 814 posts

Posted 11 March 2016 - 11:20 AM

thyrex,

It is necessary to look at the working VM; a snapshot was saved. I will do it a little later.

----------

 

And yes, I will add that there may have been a new encryption. There was one system reboot, and after it the encryption continued, since the encoder was in startup. Which files came under the new encryption is hard to say right now.


Edited by al1963, 11 March 2016 - 11:44 AM.


#14 al1963

al1963
  • Topic Starter

  • Members
  • 814 posts

Posted 13 March 2016 - 10:52 PM

thyrex,

The first files to be encrypted were the CryptoMonitor trap files.

Two archives are attached: encrypted and clean files.

encrypted
https://www.sendspace.com/file/oqyus9

and clean
https://www.sendspace.com/file/5iph8w

Edited by al1963, 13 March 2016 - 10:52 PM.


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,556 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 March 2016 - 08:19 AM

mike 1 reminded me of the first link in another topic so I posted it here.



