
Crysis (.<extension>.<id-number>.<email>.arena/.CrySiS) Ransomware Support Topic

679 replies to this topic

#676 jhhl74

  • Members
  • 10 posts

Posted 29 September 2017 - 08:45 PM

 

I'm not a cryptographer, just a "hacker" with some experience in cracking encryption. Obviously, brute forcing every infected machine isn't feasible. Here's an example of how the virus might work and how to find its weakness:
 
The virus/agent finds its way into the system. It generates a random number, its ID number, and then phones home to the ransomer's server à la "I'm agent 2CBF342A, send me a public key". On the server, there's the private master key, from which it generates a private key upon request, sending it to the agent. The agent then encrypts all of the files it can using this public key and deletes itself.
 
The victim then contacts the ransomer, downloads the decrypter which gives out the public key's fingerprint. Upon payment, the ransomer then sends the passphrase for the decryption key. 
 
Proposed attack strategy: gather MANY samples of files before and after encryption and look for a cryptographic weakness in the key generating mechanism.  If enough samples can be obtained, most possible key combinations can be eliminated, thus making cracking the public key possible. 
 
Although now pretty much obsolete, aircrack-ng used this very method using a weakness in the RC4 encryption method. It makes repeated packet injections of DEAUTH packets forcing the router to send out hundreds of IV packets a second, each one a different 40-bit public key generated from the private one. After around 20k+ packets are obtained, running wepcrack will spit out the correct 104 bit WEP key.
 
I wasn't personally affected by ransomware; however, I volunteer at a non-profit that had their entire NAS encrypted by Arena CrySiS and would very much like to help find a solution to this.

 

Hi Technophant,

I am facing a similar situation today at a non-profit; their data is encrypted with .arena ransomware. I was onsite this morning to examine the extent of the damage.... not good. I have grabbed a few files onto my USB stick as samples (below are the filenames), and I have also initiated contact with the perpetrator. The perpetrator's reply arrived a few hours later demanding 1 Bitcoin. Anyway, I would just like to know how your situation is progressing?

 

File names:
download.2 release_5191730.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.3 release_5210456.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.4 release_5220440.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.5 release_5230316.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.6 release_5240706.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
 
The ransom note in the txt file was rather simple; just like the last one of Crysis type that I dealt with earlier this year (filename.pdf.xxxx.xxxx@india.com.... style). Below is the content of the txt file: FILES ENCRYPTED.txt
 
all your data has been locked us
You want to return?
write email batmanbitka1@cock.li or batmanbitka1@tutanota.com
 
==> 1 Bitcoin was demanded. Anyone with experience of paying this style of ransomware, please advise if the decryptor is really provided upon payment? My previous experience with paying for ransomware was with the CryptoLocker type, where I open the onion address in TOR and everything else was pretty much automated. I provided the BTC payment Transaction ID, and an hour later the decryptor software with key became available for download from the URL. BUT in those instances, the ransom demand was $500 USD in Bitcoin. Now these new breeds of Crysis, Arena and variant types seem to ask for the ransom directly as an amount of BTC. I know it is standard policy not to pay ransom as per ALL threads I have read, but when you have no choice, what else can I do? For those interested, below is the reply I got today from batmanbitka1:
 
FROM: batmanbitka1@cock.li

1. Decoding cost
The cost of decryption is 1 bitcoin. (Bitcoin is a form of digital currency)

2. Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

3. Free decryption as guarantee
You can send us up to 3 files for free decryption. The total size of files must be less than 1 Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
==> The ransom note promised 5 files for free decryption... but now 3?

4. Decryption process:
To decrypt the files, transfer money to our bitcoin wallet number: "16hNzU5VrpdypVxsCgD74Nc6bHtwnzVucf". As we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.

5. The process of buying bitcoins:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

 


#677 quietman7
    Bleepin' Janitor

  • Global Moderator
  • 49,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 September 2017 - 03:55 AM

Any files that are encrypted with Dharma (CrySiS) Ransomware will have an id-<8 random hexadecimal characters>.[email address] followed by a .dharma, .wallet, .zzzzz, .onion, .cesar (.cezar) or .arena extension appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[bitcoin143@india.com].dharma, .id-480EB957.[legionfromheaven@india.com].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[amagnus@india.com].zzzzz, .id-01234567.[gladius_rectus@aol.com].cesar, id-BCBEF350.[chivas@aolonline.top].arena) and leave files (ransom notes) with names like README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt, FILES ENCRYPTED.txt, info.hta.

Unfortunately, there is no known way to decrypt files encrypted by .zzzzz or the newer .cesar (.cezar) and .arena variants of Dharma without paying the ransom. If possible, your best option is to restore from backups or wait for a possible solution at a later time.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance but as I noted above, this variant is not decryptable.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
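An added example, not code from either poster or from BleepingComputer: a small Python triage script that checks filenames against the id-<8 hex>.[email].<extension> pattern quietman7 describes, so a responder can confirm the variant and see how many victim IDs and contact addresses appear across an encrypted share. The sample list is constructed from the .arena filenames jhhl74 posted above plus one unaffected name; the regex, the function names and the grouping are my own assumptions, and the extension and ransom-note lists are the ones quietman7 gives.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Extensions quietman7 lists for the 2017 Dharma/CrySiS variants.
KNOWN_EXTENSIONS = {"dharma", "wallet", "zzzzz", "onion", "cesar", "cezar", "arena"}

# Ransom-note filenames from the same post (spelling as the malware writes them).
RANSOM_NOTE_NAMES = {
    "README.txt", "README.jpg", "Hello my vichtim.txt",
    "Your personal data are encrypted!.txt", "FILES ENCRYPTED.txt", "info.hta",
}

# Assumed pattern: <original name>.id-<8 hex>.[<email>].<ext>
# The original name may itself contain dots and spaces, so it is matched lazily
# and the suffix anchors on the ".id-" + 8 hex digits + ".[email]" shape.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z]+)$"
)


class EncryptedName(NamedTuple):
    original: str    # the filename before the malware appended its suffix
    victim_id: str   # 8 hex chars, normalised to upper case
    email: str       # attacker contact address embedded in the name
    ext: str         # variant extension, lower case


def parse_dharma_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed suffix if `name` matches the Dharma/CrySiS pattern, else None."""
    m = DHARMA_SUFFIX.match(name)
    if m is None or m.group("ext").lower() not in KNOWN_EXTENSIONS:
        return None
    return EncryptedName(
        original=m.group("original"),
        victim_id=m.group("victim_id").upper(),
        email=m.group("email"),
        ext=m.group("ext").lower(),
    )


def is_ransom_note(name: str) -> bool:
    return name in RANSOM_NOTE_NAMES


Key = Tuple[str, str, str]  # (victim_id, email, ext)


def triage(names: List[str]) -> Tuple[Dict[Key, List[str]], List[str], List[str]]:
    """Group encrypted names by (victim_id, email, ext); also return notes and untouched names.

    One key across the whole share means one infection ID; several keys mean the
    share was hit more than once or by more than one campaign.
    """
    hits: Dict[Key, List[str]] = {}
    notes: List[str] = []
    untouched: List[str] = []
    for n in names:
        if is_ransom_note(n):
            notes.append(n)
            continue
        p = parse_dharma_name(n)
        if p is None:
            untouched.append(n)
        else:
            hits.setdefault((p.victim_id, p.email, p.ext), []).append(p.original)
    return hits, notes, untouched


# Constructed sample: the five names jhhl74 listed, the note he found, and one clean file.
SAMPLE_NAMES = [
    "download.2 release_5191730.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    "download.3 release_5210456.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    "download.4 release_5220440.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    "download.5 release_5230316.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    "download.6 release_5240706.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    "FILES ENCRYPTED.txt",
    "budget-2017.xlsx",
]

if __name__ == "__main__":
    hits, notes, untouched = triage(SAMPLE_NAMES)
    for (vid, email, ext), originals in hits.items():
        print(f"id {vid} / {email} / .{ext}: {len(originals)} files")
    print("ransom notes:", notes)
    print("untouched:", untouched)
```

The victim ID and the contact address are the two values to record before anything else on the share is touched: they identify the variant, and they are what any later decryptor release would be matched against.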

#678 horaceingram

  • Members
  • 4 posts

Posted 13 October 2017 - 07:42 AM

!!!!!!!!!!!!!!!!!

Everyone who was encrypted with instertcoin@usa.com and paid ransom.

instertcoin@usa.com email address is locked!

email to horaceingram@mail.com for any question.

!!!!!!!!!!!!!!!!!



#679 horaceingram

  • Members
  • 4 posts

Posted 18 October 2017 - 12:44 PM

!!!!!!!!!!!!!!!!!

Everyone who was encrypted with emailme@italymail.com and paid ransom or needs keys

emailme@italymail.com email address is locked!

email to horaceingram@mail.com for any question.

!!!!!!!!!!!!!!!!!



#680 help-decrypt

  • Members
  • 1 posts

Posted 06 November 2017 - 08:32 AM

Hello!
Someone who used the decryptor and got the key for decryption from the intruders, please write to me by private message.
There are a few questions...
Thanks!
