
Crysis (.<extension>.<id-number>.<email>.CrySiS/.xtbl) Ransomware Support Topic


691 replies to this topic

#676 jhhl74

jhhl74

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 29 September 2017 - 08:45 PM

 

I'm not a cryptographer, just a "hacker" with some experience in cracking encryption. Obviously, brute forcing every infected machine isn't feasible. Here's an example of how the virus might work and how to find its weakness:
 
The virus/agent finds its way into the system. It generates a random number, its ID number, and then phones home to the ransomer's server à la "I'm agent 2CBF342A, send me a public key". On the server, there's the private master key, from which it generates a private key upon request, sending it to the agent. The agent then encrypts all of the files it can using this public key and deletes itself.
 
The victim then contacts the ransomer and downloads the decrypter, which gives out the public key's fingerprint. Upon payment, the ransomer then sends the passphrase for the decryption key.
 
Proposed attack strategy: gather MANY samples of files before and after encryption and look for a cryptographic weakness in the key generating mechanism. If enough samples can be obtained, most possible key combinations can be eliminated, thus making cracking the public key possible.
 
Although now pretty much obsolete, aircrack-ng used this very method, relying on a weakness in the RC4 encryption method. It makes repeated injections of DEAUTH packets, forcing the router to send out hundreds of IV packets a second, each one a different 40-bit public key generated from the private one. After around 20k+ packets are obtained, running wepcrack will spit out the correct 104-bit WEP key.
 
I wasn't personally affected by ransomware; however, I volunteer at a non-profit which had their entire NAS encrypted by Arena CrySiS, and I would very much like to help find a solution to this.

 

Hi Technophant,

I am facing a similar situation today at a non-profit; their data is encrypted with the .arena ransomware. I was onsite this morning to examine the extent of the damage... not good. I have grabbed a few files to my USB stick as samples (below are the filenames), and I have also initiated contact with the perpetrator. The perpetrator's reply arrived a few hours later demanding 1 Bitcoin. Anyway, I would just like to know how your situation is progressing?

 

Files Names:
download.2 release_5191730.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.3 release_5210456.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.4 release_5220440.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.5 release_5230316.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
download.6 release_5240706.zip.id-DCB7B664.[batmanbitka1@cock.li].arena
 
The ransom note in the txt file was rather simple, just like the last one of the Crysis type that I dealt with earlier this year (filename.pdf.xxxx.xxxx@india.com.... style). Below is the content of the txt file, FILES ENCRYPTED.txt:
 
all your data has been locked us
You want to return?
write email batmanbitka1@cock.li or batmanbitka1@tutanota.com
 
==> 1 Bitcoin was demanded. Anyone with experience of paying this style of ransomware, please advise whether a decryptor is really provided upon payment? My previous experiences with paying for ransomware were with the CryptoLocker type, where I opened the onion address in Tor and everything else was pretty much automated: I provided the BTC payment transaction ID, and an hour later the decryptor software with key became available for download from the URL. But in those instances, the ransom demand was $500 USD in Bitcoin. Now these new breeds of Crysis, Arena and variant types seem to ask for the ransom directly as an amount of BTC. I know it is standard policy not to pay ransom as per ALL threads I have read, but when you have no choice, what else can I do? For those interested, below is the reply I got today from batmanbitka1:
 
FROM: batmanbitka1@cock.li

1. Decoding cost
The cost of decryption is 1 bitcoin. (Bitcoin is a form of digital currency)

2. Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

3. Free decryption as guarantee
You can send us up to 3 files for free decryption. The total size of files must be less than 1 Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) ==> The ransom note promised 5 files for free decryption...but now 3?

4. Decryption process:
To decrypt the files, transfer money to our bitcoin wallet number:
"16hNzU5VrpdypVxsCgD74Nc6bHtwnzVucf". As we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.

5. The process of buying bitcoins:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

 



#677 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,372 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 AM

Posted 30 September 2017 - 03:55 AM

Any files that are encrypted with Dharma (CrySiS) Ransomware will have an id-<8 random hexadecimal characters>.[email address] followed by a .dharma, .wallet, .zzzzz, .onion, .cesar (.cezar) or .arena extension appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[bitcoin143@india.com].dharma, .id-480EB957.[legionfromheaven@india.com].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[amagnus@india.com].zzzzz, .id-01234567.[gladius_rectus@aol.com].cesar, id-BCBEF350.[chivas@aolonline.top].arena) and leave files (ransom notes) with names like README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt, FILES ENCRYPTED.txt, info.hta.

Unfortunately, there is no known way to decrypt files encrypted by .zzzzz or the newer .cesar (.cezar) and .arena variants of Dharma without paying the ransom. If possible, your best option is to restore from backups or wait for a possible solution at a later time.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance but as I noted above, this variant is not decryptable.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#678 horaceingram

horaceingram

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 13 October 2017 - 07:42 AM

!!!!!!!!!!!!!!!!!

Everyone who was encrypted with instertcoin@usa.com and paid the ransom:

The instertcoin@usa.com email address is locked!

Email horaceingram@mail.com with any questions.

!!!!!!!!!!!!!!!!!



#679 horaceingram

horaceingram

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 18 October 2017 - 12:44 PM

!!!!!!!!!!!!!!!!!

Everyone who was encrypted with emailme@italymail.com and paid the ransom or needs keys:

The emailme@italymail.com email address is locked!

Email horaceingram@mail.com with any questions.

!!!!!!!!!!!!!!!!!



#680 help-decrypt

help-decrypt

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:55 PM

Posted 06 November 2017 - 08:32 AM

Hello!
Someone who used the decryptor and got the key for decryption from the intruders, please write to me by private message.
There are a few questions...
Thanks!



#681 none00

none00

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 09 December 2017 - 09:49 AM

Hello,

 

just to report a new extension .java (https://twitter.com/demonslay335/status/932628728139612161)

 

for me it's like <filename>.<ext>.id-[8 RANDOM VALUE].[somemail@protonmail.com].java

 

If someone knows a way to decrypt the files, send me a private message or reply to my topic.

 

Best regards
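The naming scheme quietman7 spells out above (<name>.id-<8 hex chars>.[<email>].<ext>), which none00's .java report follows as well, is regular enough to parse, and parsing it is the first thing an incident responder wants when triaging a hit share: how many distinct victim IDs (one per infected machine) and contact addresses are involved, which variant it is, and what each file was called before encryption so it can be matched against backup copies. The script below is an added example written for this page; it is not code from quietman7, none00, BleepingComputer or any decryptor. The extension list and ransom note names are the ones quoted in the thread, while the regular expression, the assumption that the id is always exactly 8 hex characters and the email always in square brackets, and the sample listing are this example's own constructions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Extensions named in this thread: quietman7's list plus the .java variant
# reported by none00. Extend the set as further variants are confirmed.
DHARMA_EXTENSIONS = frozenset({
    "dharma", "wallet", "zzzzz", "onion", "cesar", "cezar", "arena", "java",
})

# Ransom note file names quoted in quietman7's post.
RANSOM_NOTE_NAMES = frozenset({
    "README.txt", "README.jpg", "Hello my vichtim.txt",
    "Your personal data are encrypted!.txt", "FILES ENCRYPTED.txt", "info.hta",
})

# <original name>.id-<8 hex chars>.[<contact email>].<extension>
# This regex is the example's own approximation of the scheme the posts
# describe (assumption: id is exactly 8 hex chars, email is bracketed).
_ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]"
    r"\.(?P<ext>[A-Za-z]+)$"
)


class EncryptedName(NamedTuple):
    original_name: str   # name the file had before encryption
    victim_id: str       # 8 hex chars, shared by every file on one victim
    email: str           # attacker contact address embedded in the name
    extension: str       # variant extension, lower-cased


def parse_encrypted_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed parts if `filename` follows the Dharma/CrySiS
    naming scheme with a known extension, otherwise None."""
    m = _ENCRYPTED_NAME.match(filename)
    if m is None:
        return None
    ext = m.group("ext").lower()
    if ext not in DHARMA_EXTENSIONS:
        return None
    return EncryptedName(
        original_name=m.group("original"),
        victim_id=m.group("victim_id").upper(),
        email=m.group("email"),
        extension=ext,
    )


def is_ransom_note(filename: str) -> bool:
    """True if the bare file name is one of the ransom note names quoted above."""
    return filename in RANSOM_NOTE_NAMES


GroupKey = Tuple[str, str, str]  # (victim_id, email, extension)


def triage(paths: List[str]) -> Tuple[Dict[GroupKey, List[str]], List[str]]:
    """Summarise a listing of file paths: encrypted files grouped by
    (victim_id, email, extension) with their pre-encryption names, plus the
    paths of any ransom notes. Paths that match neither are ignored."""
    groups: Dict[GroupKey, List[str]] = {}
    notes: List[str] = []
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]  # bare file name
        if is_ransom_note(base):
            notes.append(path)
            continue
        hit = parse_encrypted_name(base)
        if hit is not None:
            key = (hit.victim_id, hit.email, hit.extension)
            groups.setdefault(key, []).append(hit.original_name)
    return groups, notes


# Constructed sample listing: file names quoted in this thread plus two
# decoys (an untouched file, and a name with a non-hex id that must not match).
SAMPLE_LISTING = [
    r"D:\share\download.2 release_5191730.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    r"D:\share\download.3 release_5210456.zip.id-DCB7B664.[batmanbitka1@cock.li].arena",
    r"D:\share\FILES ENCRYPTED.txt",
    r"D:\share\db\report.docx.id-B252B84D.[stopstorage@qq.com].java",
    r"D:\share\notes.txt",
    r"D:\share\backup.zip.id-ZZZZ1234.[x@y.z].arena",
]

if __name__ == "__main__":
    groups, notes = triage(SAMPLE_LISTING)
    for (victim_id, email, ext), originals in groups.items():
        print(f"id={victim_id} contact={email} ext=.{ext}: {len(originals)} file(s)")
        for name in originals:
            print(f"    restore as: {name}")
    print("ransom notes:", notes)
```

Feed `triage` the output of a recursive directory walk of the affected share. Two different victim IDs in one listing means two infected machines wrote to it, which matters for scoping the cleanup; the `original_name` field is what you compare against a backup set, since the ransom note itself warns against renaming the encrypted files while any future decryptor is still a possibility.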



#682 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,372 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 AM

Posted 09 December 2017 - 11:23 AM

Unfortunately, there is no known method to decrypt files encrypted by the .java variant of Dharma without paying the ransom. If possible, your best option is to restore from backups, try native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots as it typically does, or try file recovery software. If that is not a viable option, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough... meaning that, while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a solution.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#683 none00

none00

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 09 December 2017 - 03:31 PM

Thanks for your reply.



#684 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,372 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 AM

Posted 09 December 2017 - 04:20 PM

You're welcome.

#685 dannywilson095

dannywilson095

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:55 AM

Posted 09 December 2017 - 06:17 PM

Got these guys to decrypt 3 files for me through email. I have the original and encrypted versions. I even took the time to put a file on the PC that was infected and reboot so it would infect a file about 3 gigs in size; that way, if a btcware decryptor comes out, maybe we can decrypt the smaller files. .id-383CA5CC.[C2H5OH@cock.li].arena. Feel free to post if anyone pays this crazy high ransom. They wanted about 6800 dollars.



#686 none00

none00

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 12 December 2017 - 03:00 AM

Hello

Just to say that PhotoRec does a good job of recovering files.

#687 ahmerr3

ahmerr3

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 18 December 2017 - 12:28 PM

Hi. We have just been hit by the .arena ransomware; all of our important files have been encrypted. We are a small business, we do not have IT and we did not keep a backup, which, agreed, was very foolish of us. However, we got a note as given above:

"all you data has been locked us.
you want to return ?
email Macgregor@aolonline.top"

Please Please Please if anyone has a solution please help me!



#688 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,372 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 AM

Posted 18 December 2017 - 06:22 PM

@ ahmerr3

I already replied to your question here.

#689 rex67

rex67

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 04 January 2018 - 03:53 AM

.lnk.id-B252B84D.[stopstorage@qq.com].java

 

Your SQL files have been locked with this extension. Can there be any help?



#690 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,372 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 AM

Posted 04 January 2018 - 06:11 AM

@ rex67

I replied to you in the Dharma Support Topic... there is nothing we can do at this time to help with the .java variant.
