
Crysis (.<extension>.<id-number>.<email>.arena/.CrySiS) Ransomware Support Topic


679 replies to this topic

#31 al1963

al1963
  • Topic Starter

  • Members
  • 839 posts

Posted 12 April 2016 - 11:48 AM

Decryption of these files is available, as required.

 

[2016.04.12 22:30:30.218] - INFO: Cleaning file [encode_files\inf.txt.IDF5A4D1.Vegclass@aol.com.xtbl]
[2016.04.12 22:30:30.218] - INFO: Cleaned.
[2016.04.12 22:30:30.218] -
[2016.04.12 22:30:30.218] - INFO: Cleaning file [encode_files\keygpg.rar.IDF5A4D1.Vegclass@aol.com.xtbl]
[2016.04.12 22:30:30.228] - INFO: Cleaned.
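
The file names in the log above follow the layout given in the topic title (original name, ID, contact e-mail, added extension). The following is an added example, not part of the original post or of any decryptor: it parses such names out of log lines and groups the original file names by ID and e-mail for triage. The regular expression and the function names are assumptions inferred from the two file names shown.

```python
import re
from collections import defaultdict

# Layout inferred from the two file names in the log above:
#   <original name>.<ID token>.<contact e-mail>.<added extension>
# Assumption: the ID token is "ID" followed by hex digits, as in "IDF5A4D1".
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\."
    r"(?P<victim_id>ID[0-9A-Fa-f]+)\."
    r"(?P<email>[^\\/\s@]+@[^\\/\s@]+\.[A-Za-z]{2,})\."
    r"(?P<extension>[A-Za-z0-9]+)$"
)
LOG_PATH = re.compile(r"Cleaning file \[(?P<path>[^\]]+)\]")


def parse_encrypted_name(path):
    """Split an encrypted file path into its parts, or return None."""
    name = re.split(r"[\\/]", path)[-1]  # drop Windows or POSIX directories
    match = ENCRYPTED_NAME.match(name)
    return match.groupdict() if match else None


def inventory(log_text):
    """Group original file names by (ID, contact e-mail, extension)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        hit = LOG_PATH.search(line)
        parsed = parse_encrypted_name(hit.group("path")) if hit else None
        if parsed:
            key = (parsed["victim_id"], parsed["email"].lower(),
                   parsed["extension"])
            groups[key].append(parsed["original"])
    return dict(groups)


# Sample input: log lines taken from the post above.
SAMPLE_LOG = r"""
[2016.04.12 22:30:30.218] - INFO: Cleaning file [encode_files\inf.txt.IDF5A4D1.Vegclass@aol.com.xtbl]
[2016.04.12 22:30:30.218] - INFO: Cleaned.
[2016.04.12 22:30:30.218] - INFO: Cleaning file [encode_files\keygpg.rar.IDF5A4D1.Vegclass@aol.com.xtbl]
"""

if __name__ == "__main__":
    for (victim_id, email, ext), names in inventory(SAMPLE_LOG).items():
        print(victim_id, email, ext, names)
```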

 

 




#32 Rjsoft

Rjsoft

  • Members
  • 6 posts

Posted 16 April 2016 - 06:25 AM

Hello @ll,

 

On 11/04/2016 all my computers were infected with a new variant of Win32/Filecoder.NFY ({mahakala@india.com}.xtbl).

My server and all my stations are now encrypted and I really need your help.

I already contacted {mahakala@india.com} (same story, 2 Bitcoins...) and they already decrypted a few files.

So, for you guys to help me, which files should I send?

 

Thanks



#33 al1963

al1963
  • Topic Starter

  • Members
  • 839 posts

Posted 16 April 2016 - 06:49 AM

Rjsoft,

Add some encrypted files from one of the computers or servers to sendspace.com.


Edited by al1963, 16 April 2016 - 06:50 AM.


#34 Rjsoft

Rjsoft

  • Members
  • 6 posts

Posted 16 April 2016 - 07:02 AM

Hi,

 

I'm sending two folders: one with the original encrypted files from the server and another folder with the same files already decrypted by Mahakala as proof.

 

If you need more info or files please tell me.

 

Thanks

 

https://www.sendspace.com/file/xxkaih

 

A little more info:

The virus came in on one of the stations and it took about 25 minutes to encrypt all the files on all the network computers.

The server has ESET File Security; ESET detected the virus but didn't stop the encryption of the files.


Edited by Rjsoft, 16 April 2016 - 07:23 AM.


#35 al1963

al1963
  • Topic Starter

  • Members
  • 839 posts

Posted 16 April 2016 - 07:23 AM

RjSoft,

 

I recommend contacting the antivirus company, if you have a license for the antivirus. Most likely, they will help you decrypt the files there. The decoder alone is insufficient to decode; it is necessary to calculate the key for your files.



#36 Rjsoft

Rjsoft

  • Members
  • 6 posts

Posted 16 April 2016 - 07:27 AM

Al1963,

 

I already sent the files to ESET, along with a few logs they requested with ESET Log Collector.

 

Thanks for your help.

 

Regards,

 

Rjsoft



#37 al1963

al1963
  • Topic Starter

  • Members
  • 839 posts

Posted 16 April 2016 - 07:28 AM

Rjsoft,

I think ESET can help you decrypt the files.

--------------------

 

@Rjsoft,

On the other computers, probably only shared folders or drives were encrypted.


Edited by al1963, 16 April 2016 - 07:33 AM.


#38 AllPro

AllPro

  • Members
  • 2 posts

Posted 18 April 2016 - 04:48 PM

I paid the money and got the file to decrypt the files. However, the files I tried to fix by changing the file type were unable to be decrypted. I am meeting with the FBI on Wednesday to give them the files and all communications with the perpetrators. They told me I was the first to report this strain of the xtbl virus. As of now there is no way to fix it, from what I am told by everyone I found that does internet security.



#39 al1963

al1963
  • Topic Starter

  • Members
  • 839 posts

Posted 18 April 2016 - 09:13 PM

@AllPro,

Give the FBI this topic; they will be aware that not all *.xtbl are as intimidating as hell draws them :)
---------
If you have a copy of the encrypted *.xtbl files, add a few files on sendspace.com

Edited by al1963, 18 April 2016 - 09:15 PM.


#40 avk88

avk88

  • Members
  • 2 posts

Posted 19 April 2016 - 12:58 PM

 
Hello. Sorry for my English. This is a Google translation. The files were encoded by the virus. But there were some of the original files. Maybe someone can help. How to send files on sendspace.com?


#41 joraye

joraye

  • Members
  • 4 posts

Posted 19 April 2016 - 05:11 PM

I've been working with Kaspersky on this.  At first, they were unable to decrypt anything, then they came back with an update that they had updated the Rakhni Decryptor and asked me to try it.  It didn't clean up anywhere near all of the files, it was able to clean up about 1,000 files that I can now access.  I am manually sending them zipped directories that are required to see if they have any luck with the rest of the files.  If you use the decryptor, I recommend copying the encrypted files to another system.  I ran an earlier version of the decryptor that didn't work (but it did create seemingly "clean" copies of the files) and I am not sure if the failed attempt affected the original encrypted files.



#42 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 April 2016 - 06:08 PM

...If you use the decryptor, I recommend copying the encrypted files to another system.  I ran an earlier version of the decryptor that didn't work (but it did create seemingly "clean" copies of the files) and I am not sure if the failed attempt affected the original encrypted files.

Backing up the encrypted files is a good thing to do with any ransomware infection. In fact, if possible create a copy or image of your entire hard drive.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

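
One way to act on the advice above (copy the encrypted files elsewhere before running any decryptor) and to answer the open question of whether a failed attempt changed the encrypted originals. This is an added example, not part of either post and not part of any vendor tool; the function names, the `manifest.json` file name and the default `.xtbl` suffix are assumptions. It assumes the backup directory lies outside the source directory.

```python
import hashlib
import json
import os
import shutil


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_with_manifest(source_dir, backup_dir, suffix=".xtbl"):
    """Copy every encrypted file to backup_dir and record its SHA-256."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            if not name.lower().endswith(suffix.lower()):
                continue
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps for later analysis
            manifest[rel] = sha256_file(src)
            if sha256_file(dst) != manifest[rel]:
                raise OSError("backup copy differs from source: " + rel)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)
    return manifest


def changed_since_backup(source_dir, manifest):
    """Return encrypted files that are missing or modified since the backup."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(source_dir, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
        elif sha256_file(path) != expected:
            report[rel] = "modified"
    return report
```

Call `backup_with_manifest` before the decryptor runs and `changed_since_backup` afterwards; an empty result means the encrypted originals are byte-for-byte unchanged.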

#43 avk88

avk88

  • Members
  • 2 posts

Posted 23 April 2016 - 01:58 AM

Differences between the original file and the encrypted one. It is added to each file. 04_0. On the screenshot - JPG.
If we compare the two encrypted JPGs, that is, in equal parts, for example 04, 41.
I think in every encrypted file this line in the added part is different. 04_41


#44 clownguts

clownguts

  • Members
  • 4 posts

Posted 27 April 2016 - 05:48 AM

I've been working with Kaspersky on this.  At first, they were unable to decrypt anything, then they came back with an update that they had updated the Rakhni Decryptor and asked me to try it.  It didn't clean up anywhere near all of the files, it was able to clean up about 1,000 files that I can now access.  I am manually sending them zipped directories that are required to see if they have any luck with the rest of the files.  If you use the decryptor, I recommend copying the encrypted files to another system.  I ran an earlier version of the decryptor that didn't work (but it did create seemingly "clean" copies of the files) and I am not sure if the failed attempt affected the original encrypted files.

 

Joraye, where did you get this updated version of the Rakhni Decryptor, as the one on the Kaspersky site is only current from December last year? I have had all my files encrypted, including a connected network drive. Over 200,000 files in total. Price is 3 BTC, which we paid; however, it looks like we have been shafted, as we no longer have any contact from them and my files are all still encrypted.



#45 michup

michup

  • Members
  • 1 posts

Posted 29 April 2016 - 07:09 AM

Hello guys. First of all: sorry for my English. My computer got infected with the ecovector3@aol.com virus. I'm a noob in stuff like this, so can I ask for help? I need to decrypt just one file from my HDD, so maybe it could be possible. I'm sending a rar with one of the encrypted files (not the one I need, just a test file): https://www.sendspace.com/file/xa2xm3

Maybe you could help or give any advice? Thanks in advance.





