Crysis (.<extension>.<id-number>.<email>.arena/.CrySiS) Ransomware Support Topic

679 replies to this topic

#16 al1963
(Topic Starter)
Posted 19 March 2016 - 11:35 AM

Dear quietman7,

I still do not agree with you that this is a variant of Troldesh / Shade.

What is typical for Troldesh / Shade?

1. A screen saver with clear text about the encrypted files (black screen with red text in two languages).
2. README1-10.TXT in the root directory.
3. The encryption, the file contents and the file header. In the last two versions the identifier is added to the name: breaking_bad and better_call_saul.

None of this is the case for files encrypted as <filename>.<extension>.<id-number>.Vegclass@aol.com.xtbl

In addition, I noticed that after encrypting one group of test files with xtbl / breaking_bad / better_call_saul, the file sizes are the same and differ only in extension and file name.

 

[screenshot]

[screenshot]

[screenshot]

 

For the same group of files, the sizes of the files encrypted as <filename>.<extension>.<id-number>.Vegclass@aol.com.xtbl differ from the file sizes after encryption by the Ransom.Shade variants.

In addition, at the end of an encrypted <filename>.<extension>.<id-number>.Vegclass@aol.com.xtbl file you can find the original file name.
In the case of Ransom.Shade encryption this name is not there.

It is added in encrypted form. This points to different encryption algorithms.


Edited by al1963, 19 March 2016 - 11:38 AM.

#17 quietman7
(Bleepin' Janitor, Global Moderator)
Posted 19 March 2016 - 02:13 PM

Every vendor uses its own naming conventions, hence some variants will have several AKAs, and there can be overlap in some of the information, which can be confusing.

According to Kaspersky...

The Trojan attempts to rename the encrypted file using the result of the calculation Base64(AES_encrypt(original file name)).xtbl (e.g. ArSxrr+acw970LFQw.xtbl). Failing this, it simply adds the extension .ytbl to the original file name. In later versions, the Trojan adds the infected computer’s ID and then the extension .xtbl to the file name, e.g. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl.

The Trojan leaves ransom demands in the files README1.txt, …, README10.txt.


ESET says Win32/Filecoder.NFY uses...

An additional .ID%variable%.%email_address%.xtbl extension is appended.


The Shade Ransomware encrypts and renames files with a unique string like this example... +6HmFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.BD61991CD74BB6479E3E.BETTER_CALL_SAUL and also leaves files (ransom notes) named README1.txt, README2.txt...README10.txt.

Your screenshots and descriptions appear to match both. As Demonslay335 noted in Post #2, you may be dealing with two infections.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#18 al1963
(Topic Starter)
Posted 20 March 2016 - 10:51 PM

Dear quietman7,

let me continue...

In the following two figures, the same group of files after encryption by the encoders

<id-number>.Vegclass @ aol.com.xtbl

and

<id-number>redschitline@india.com.xtbl

 

[screenshot]

[screenshot]

 

We see that the encrypted files differ only by e-mail.

The sizes of the corresponding files are not changed after encryption.

It follows that the file encryption algorithm is the same; only the details changed.

 

---------

From the figures in post #16 I can say that there is no double encryption.

This test set was encrypted on a clean snapshot of the virtual machine.

We can see that the size of the corresponding file in the figures of posts #16 and #18 is different.

Hence, I can say that this is a different encoder.

 

---------

There is another variant of the encoder, but with a different e-mail:
gerkaman@aol.com

gerkaman@aol.com.xtbl ransomware

http://www.bleepingcomputer.com/forums/t/608480/gerkamanaolcomxtbl-ransomware/

ESET defines it as: Win32/Filecoder.NFY
Microsoft defines it as: Ransom:Win32/Genasom


Edited by al1963, 20 March 2016 - 11:10 PM.
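The two naming conventions quoted above (the ESET ".ID.email.xtbl" form and Kaspersky's Base64(AES(name)).hexID form for Shade) can be told apart mechanically. The following triage helper is an added example, not code from this thread or from any vendor; it sorts a directory listing by those patterns, counts README1..README10.txt notes (which Shade leaves and this variant does not), and collects the contact addresses seen. Sample file names are constructed and the victim IDs are invented; the two Shade names are the vendors' own examples quoted in post #17.

```python
"""Added triage helper for the naming patterns discussed in this topic (not
code from the forum or any vendor). Families it separates by file name alone:
  id/email variant : <name>.<ext>.id-<ID>.<email>.xtbl   (ESET Filecoder.NFY)
  Shade/Troldesh   : Base64(name)[.<hexID>].xtbl|.breaking_bad|.better_call_saul,
                     the .ytbl fallback rename, and README1..README10.txt notes"""
import re
from collections import Counter

ID_EMAIL_RE = re.compile(
    r"^(?P<orig>.+)\.id-?(?P<id>[0-9A-Za-z]+)\.(?P<email>[^@\s.]+@[^@\s]+?)\.xtbl$",
    re.IGNORECASE)
SHADE_RE = re.compile(
    r"^(?P<b64>[A-Za-z0-9+/=_-]+)(?:\.(?P<id>[0-9A-F]{16,24}))?"
    r"\.(?P<ext>xtbl|breaking_bad|better_call_saul)$", re.IGNORECASE)
SHADE_FALLBACK_RE = re.compile(r"^.+\.ytbl$", re.IGNORECASE)
SHADE_NOTE_RE = re.compile(r"^README(?:[1-9]|10)\.txt$", re.IGNORECASE)

def classify(name):
    """Return family, recoverable original name, victim ID and contact e-mail."""
    m = ID_EMAIL_RE.match(name)
    if m:
        return {"family": "id-email-xtbl", "original": m["orig"],
                "id": m["id"], "contact": m["email"].lower()}
    m = SHADE_RE.match(name)
    if m:  # original name is AES-encrypted then base64'd, so not recoverable here
        return {"family": "shade", "original": None, "id": m["id"], "contact": None}
    if SHADE_FALLBACK_RE.match(name):  # Shade's rename failed; .ytbl was just appended
        return {"family": "shade", "original": name[:-5], "id": None, "contact": None}
    return {"family": "unknown", "original": None, "id": None, "contact": None}

def triage(names):
    """Summarise a listing: per-family counts, contact addresses seen, and how many
    of Shade's README1..10.txt notes are present (this thread's variant leaves none)."""
    families, contacts, notes = Counter(), set(), 0
    for n in names:
        if SHADE_NOTE_RE.match(n):
            notes += 1
            continue
        r = classify(n)
        families[r["family"]] += 1
        if r["contact"]:
            contacts.add(r["contact"])
    return {"families": dict(families), "contacts": sorted(contacts), "shade_notes": notes}

SAMPLE_LISTING = [  # constructed listing; the id- values are invented
    "budget.xlsx.id-A1B2C3D4.vegclass@aol.com.xtbl",
    "photo.jpg.id-A1B2C3D4.vegclass@aol.com.xtbl",
    "notes.txt.id-F00DBEEF.redschitline@india.com.xtbl",
    "ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl",  # Kaspersky's example from post #17
    "+6HmFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.BD61991CD74BB6479E3E.BETTER_CALL_SAUL",
    "README1.txt", "README10.txt", "desktop.ini",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A listing that yields id-email-xtbl names with no README notes matches al1963's description of this variant, while Shade-style names together with the notes match quietman7's description; both at once supports the two-infection reading.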


#19 joraye
Posted 22 March 2016 - 09:50 AM

Any updates on possible decryption of these files?  I've used a test email account to email vegclass on ransom options since no ransom note was found - no response yet.



#20 daleozzie
Posted 22 March 2016 - 11:01 AM

Hi, I am having the same issue as well. I tried to contact them and this is the email I got back:

Hello! Your files have been encrypted with cryptographic algorithm! We suggest you purchase a decoder which decrypt all your files in a fully automatic mode on the same day after payment! (You not need to send any files to us). As we can guarantee - we can decrypt files for free (2-3 total weight <= 5mb). For warranty decryption (if required) you should send to us archived test files in the response letter (even if you did it before). The cost of the decoder: 930€ (nine hundred and thirty euros).

payment instructions: 1. Go to https://localbitcoins.com/ 2. Register (sign up) 3. You need to buy Bitcoins from people. (You can pay with any method, which is convenient to you) 4. Send purchased Bitcoins to our address listed below. If you have any questions, you can contact support this service, or email us. Our Bitcoin wallet: 1GnRj8X67nR53ykNeRXAar2KJa5KayfRnw

The guarantee to decrypt.
1) I give decrypted files for you, and you see - i have decryptor.
2) Making personal decoder for you - it takes just 3-5 minutes. After payments - everyone gets a personal decoder without exception.

Write if you have any questions about the case. There is no bidding, requests to give free decoder and other unnecessary questions - will be ignored.

According to the amount payable. Price for this day - 930€, it will be relevant for two days, starting from you wrote to me. After spending two days - the price of the decoder will increase every day on 250€. It mean, for example, after 4 days from the time you contact me, if you still have not paid the decoder - the amount will be 1480€. (except for two days without a price penalty)



#21 quietman7
(Bleepin' Janitor, Global Moderator)
Posted 22 March 2016 - 03:29 PM

There is no fix tool and no way of decrypting affected files that I am aware of without paying the ransom.

#22 thyrex
Posted 25 March 2016 - 10:04 AM

al1963

Sorry, I forgot about this case. I will look at the files soon.


Edited by thyrex, 25 March 2016 - 10:04 AM.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#23 al1963
(Topic Starter)
Posted 28 March 2016 - 05:06 AM

Here's another variant with a new e-mail:

Ecovector3@aol.com

https://www.sendspace.com/file/wwpjdq

Here is the message that was forwarded by one of the affected users:

 

In the attachment the decrypted file is a Sample work decoder.
Yes . You will receive the decryption of all files.
In attachment the program - decoder. Password of decoder you will receive after payment
Go to the website https://localbitcoins.com/ or https://www.xmlgold.eu/ or any other exchanger, sign up, 
buy from people BTC ( Bitcoins ), buy Bitcoins for USD 500$
and send me BTC to this address 1DonJwaWm3qseuQtkdntY3SN9Y3SRREb4 
After 3 days the cost of recovery will be 1000$
If you have questions you can always email me
Here are instructions for buying bitcoins - https://localbitcoins.com/guides/how-to-buy-bitcoins
Here are instructions for send bitcoins - https://www.sendspace.com/file/dy6nxp

Edited by al1963, 28 March 2016 - 07:26 AM.


#24 TechGuru11
Posted 28 March 2016 - 02:41 PM

Hello All,

 

We ended up paying and were having issues with this particular variant. Some files are decrypting while some are not. Sometimes files are decrypting and leaving a copy of the encrypted file behind as well. Is there a third party decryptor out there similar to the TeslaDecoder that can decrypt these files without issue after entering the key? I've attached the decryptor, key, and a sample file for reference. 

 

https://www.sendspace.com/file/g5bn1q



#25 quietman7
(Bleepin' Janitor, Global Moderator)
Posted 29 March 2016 - 07:20 AM

There is no fix tool and no way of decrypting affected files that I am aware of without paying the ransom.


#26 AllPro
Posted 31 March 2016 - 11:48 AM

I just went through the process after being the victim of ecovector3@aol.com.xtbl. I had to pay $500.00 to have the files decrypted. They sent the code and I was able to get the files back fairly quickly. Here is the email communication I had with them.

 

it is similar but it's different if you scanned correctly then do as it says

the key looks like the key generated after i did the computer scan and sent you the key it generated. Did i get the wrong thing?

 

Eco Vector
ecovector3@aol.com

 

-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Thu, Mar 31, 2016 3:03 am
Subject: Re: locked data

the key looks like the key generated after i did the computer scan and sent you the key it generated. Did i get the wrong thing?
 
Sent: Wednesday, March 30, 2016 at 1:05 PM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data
YOUR KEY for decrypt in attachment
Before decrypting make a backup encrypted files and disconnect the disc drive with the backup from your PC
Run the produced decryptor: 
1. Select the folder you want to decrypt
2. click the button "Decrypt" 
3. Copy the key to decrypt the window
4. Click the button "Overwrite existing files"
5. and click "OK"
Start with try decoding on 1 folder. If the decryption was successful, 
decrypt all computer making with turning in decoder "delete files after encryption decryption" (if you want) 
 
   
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Wed, Mar 30, 2016 9:50 pm
Subject: Re: locked data
 
51Wir4pBzqmZSgpeuBa4rgc7fQC5CYJ03GZiSffI1e1OLSrFlrMOq487Ld/3K9ntlZG55OyJifhm87O3R3RLFO3YD1EmQBY53kizVlhljOoL00BTqHV8L3pSEFQjUwlaxxY6lzNdXOGiNaBEvbsSKZAsX2fblYw64/66GMVxNnQ=
 
Sent: Wednesday, March 30, 2016 at 11:26 AM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data
Run the program decryptor ,
Don't need to select a folder for scanning. Let this window will be empty
and click the button "Scan PC" .
As a result the program will generate a key, send me this key
here is the payment and proof. please send the decoder and password.
   
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Wed, Mar 30, 2016 8:23 pm
Subject: Re: locked data
 
here is the payment and proof. please send the decoder and password.
 
 
Sent: Tuesday, March 29, 2016 at 11:43 PM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data
take a screenshot or send the number of transaction in BTC should be about 1.2 BTC
i'm really have a hard time setting up a account at localbitcoin. if i purchase them a another exchange how do i get them to you and how do you know the are from me?

 
 
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Wed, Mar 30, 2016 2:27 am
Subject: Re: locked data
 
i'm really have a hard time setting up a account at localbitcoin. if i purchase them a another exchange how do i get them to you and how do you know the are from me?
 
 
Sent: Tuesday, March 29, 2016 at 11:35 AM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data
In the attachment the decrypted file is a Sample work decoder.
Yes . You will receive the decryption of all files.
In attachment the program - decoder. Password of decoder you will receive after payment
Go to the website https://localbitcoins.com/ or https://www.xmlgold.eu/ or any other exchanger, sign up, 
buy from people BTC ( Bitcoins ), buy Bitcoins for USD 500$
and send me BTC to this address 1DonJwaWm3qseuQtkdntY3SN9Y3SRREb4 
After 3 days the cost of recovery will be 1000$
If you have questions you can always email me
Here are instructions for buying bitcoins - https://localbitcoins.com/guides/how-to-buy-bitcoins
Here are instructions for send bitcoins - https://www.sendspace.com/file/dy6nxp
   
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Tue, Mar 29, 2016 7:50 pm
Subject: Re: locked data
 
 
 
Sent: Tuesday, March 29, 2016 at 2:20 AM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data

Your files cannot be downloaded send a bit larger
 
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Eco Vector <ecovector3@aol.com>
Sent: Tue, Mar 29, 2016 12:57 am
Subject: Re: locked data
 
 
 
Sent: Monday, March 28, 2016 at 1:47 PM
From: "Eco Vector" <ecovector3@aol.com>
To: fixit1111@mail.com
Subject: Re: locked data

Send 5 (Five) encrypted files no more 2Mb only: .doc .xls .jpeg .pdf .txt .
 
-----Original Message-----
From: help me <fixit1111@mail.com>
To: Ecovector3 <Ecovector3@aol.com>
Sent: Mon, Mar 28, 2016 10:59 pm
Subject: locked data
 
how do i get my data back?


#27 al1963
(Topic Starter)
Posted 01 April 2016 - 02:22 AM

@AllPro,

If you do not mind, share the decoder & key and a few encrypted files so the decryption process can be studied.


Edited by al1963, 01 April 2016 - 02:36 AM.


#28 quietman7
(Bleepin' Janitor, Global Moderator)
Posted 01 April 2016 - 06:03 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will help our crypto experts with analysis and investigation.

#29 al1963
(Topic Starter)
Posted 01 April 2016 - 07:33 AM

Sent two samples of the encoder in archives with the password "infected".

I think they are these variants:

<id-number>.Vegclass@aol.com.xtbl

<id-number>redschitline@india.com.xtbl



#30 thyrex
Posted 02 April 2016 - 05:27 AM

TechGuru11

 

I think that the other files were encrypted with another key. You need to pack about ten encrypted files from the problem computer, upload the archive to sendspace.com and send the link. If you have the virus which encrypted your files, please add it to the archive with the password "virus" and send me the link by PM.


Edited by thyrex, 02 April 2016 - 05:27 AM.