
Nemucod / NemucodAES Ransomware (.crypted - Decrypt.txt) Support & Help Topic


653 replies to this topic

#1 screensavers (Members; Arkansas, USA)

Posted 15 March 2016 - 10:42 AM

Thankfully, Fabian Wosar of Emsisoft has been able to devise a way to decrypt files encrypted by this family:
 
https://decrypter.emsisoft.com/nemucod
 
 
 
Hello all,
 
I have a client who was infected with ransomware that threatened to permanently encrypt all of her files unless she paid for a key to decrypt her data.  Turns out all the ransomware did was add '.crypted' to the end of her file extensions.  If you remove the .crypted part from a file i.e. 'test.docx.crypted' and make it just 'test.docx' it works fine.  The problem I am running into is that she has a massive amount of files that have been modified.  I am looking for an easy way to remove '.crypted' from the end of her files without using System Restore, preferably.  She will be working on her computer this week and I will not have access to it until Monday.  I would rather her not lose any of her progress that she has made.  I was able to remove .crypted from some of her critical work files today so she could work.
 
I was trying to think of a way to write a batch file that could target '.crypted' and remove it.
 
Any help would be great!!!
 
Thanks,
Matt

Edited by quietman7, 21 July 2017 - 06:45 PM.



#2 quietman7, Bleepin' Janitor (Global Moderator; Virginia, USA)

Posted 15 March 2016 - 06:38 PM

At first glance it would appear you are dealing with a variant of Win32/Filecoder...(aka Gpcode ransomware or Encoder) which has been around for years, uses a secure encryption algorithm and has never been decryptable. Detailed description for the Win32/Filecoder.E and Win32/Filecoder.J variants include appending a .crypted extension to the end of the file name.

Typically just removing the appended extension to the encrypted file does not work so this may be something new.

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. They typically are found in every directory where data was encrypted. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

There are suggestions for using bulk file renaming utilities in this article.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Demonslay335, Ransomware Hunter (Security Colleague; USA)

Posted 15 March 2016 - 07:03 PM

I've heard of this one, but I gotta dig up where I saw it... the ransomware itself is just a batch file and a troll message I think. #bluffware

 

Simply using System Restore would not alter the files by the way. A batch file to rename would work the best (backup files to be safe). Once I get ahold of the ransomware sample I saw, it'll be easy to just flip the extensions to undo it.


Edited by Demonslay335, 15 March 2016 - 07:08 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#4 screensavers, Topic Starter (Members; Arkansas, USA)

Posted 16 March 2016 - 08:52 AM

Thanks guys.  Yeah Demonslay335, I'm 99.9% sure it is just a case of bluffware that has made life difficult rather than actually encrypt and hold for ransom.  The message was located in her /Temp folder and displayed itself once in Internet Explorer.  It had a yellow background and black text.  Most, if not all, traces of it have since been deleted and removed though.  Bluffware or not, when I hear unwanted 'encryption' or 'ransomware' I rush to remove whatever it is as quickly as possible.

 

My previous employer got a real bad case of the CryptoLocker ransomware when it was first coming out.  I'll never forget how much fun that was...



#5 Demonslay335, Ransomware Hunter (Security Colleague; USA)

Posted 16 March 2016 - 09:07 AM

Ya, they definitely prey on the scare tactic. Thankfully this one is a total sham.

 

The bulk renaming utilities @quietman7 lists might actually be safer to use (especially with a GUI). Make sure she considers herself extremely lucky this time around, and implements a backup immediately. Identifying the vector of attack may be the next priority to help with prevention; check emails, downloads, internet activity, etc. If this was just a personal system, no server, I wouldn't suspect anything manual like RDP hacks or the like that have been really common lately. Worth double-checking if she has any other remote software capability like TeamViewer, there has been some others hit through those channels.




#6 Demonslay335, Ransomware Hunter (Security Colleague; USA)

Posted 16 March 2016 - 09:20 AM

@malwrhunterteam pointed me to where I saw it.

 

https://twitter.com/malwrhunterteam/status/708974389052706816

 

They confirmed it is a real malware that drops it though, so definitely scan the system for real infections. It comes by an email, so check her email account.




#7 screensavers, Topic Starter (Members; Arkansas, USA)

Posted 16 March 2016 - 09:29 AM

@Demonslay335 I can confirm that it came via an e-mail attachment in her Outlook account.  We have since quarantined and removed it though.  Luckily she was running Norton that detected it and attempted to stop it. 

 

Thanks for all of the help so far guys! I will let you all know how it goes when I attempt to rename everything next week.



#8 quietman7, Bleepin' Janitor (Global Moderator; Virginia, USA)

Posted 16 March 2016 - 11:24 AM

Email is one of the most common delivery methods. The developers of TeslaCrypt, CryptoWall, Locky, Ransom32 Ransomware, KeyBTC and XRTN Ransomware all have been known to use malicious .js files often found in zipped email attachments so your client was lucky.
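Quietman7's point about malicious .js files inside zipped attachments, together with the 00000954088.doc.js lure named later in this thread, is easy to turn into a triage check for a mailbox export or quarantine folder. The script below is an added example written for this page; it is not code from any poster here or from BleepingComputer. It builds a constructed sample ZIP in memory (a placeholder, not the real downloader) and flags members whose final extension is a script or loader type, calling out double extensions such as .doc.js, which Windows Explorer displays as just ".doc" under its default "Hide extensions for known file types" setting. The two extension sets are assumptions chosen for illustration and should be tuned to your environment.

```python
"""Flag script attachments hidden inside a ZIP, including double extensions.

Added example for this page; not code from the thread. The extension sets
below are assumptions chosen for illustration, not an authoritative list.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions Windows hands to a script host or loader on double-click (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".ps1", ".scr", ".exe"}
# Document extensions a lure typically puts in front of the real one (assumed list).
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}


def classify_member(name: str) -> Optional[str]:
    """Return why `name` is suspicious, or None if it is not a script file."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
        # e.g. 00000954088.doc.js: Explorer shows "00000954088.doc" when known
        # extensions are hidden, but a double-click runs it as JScript.
        return "double-extension script"
    return "script"


def scan_zip(data: bytes, max_depth: int = 2, _prefix: str = "") -> List[Tuple[str, str, int]]:
    """List (member name, reason, uncompressed size) for every suspicious member.

    Nested archives are opened up to `max_depth` levels; nested names are
    prefixed with the enclosing archive so the finding can be located.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = _prefix + info.filename
            reason = classify_member(info.filename)
            if reason:
                findings.append((full, reason, info.file_size))
            elif info.filename.lower().endswith(".zip") and max_depth > 0:
                findings.extend(scan_zip(zf.read(info), max_depth - 1, full + "!/"))
    return findings


def build_sample() -> bytes:
    """Constructed sample ZIP modelled on the lure described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("00000954088.doc.js", "// placeholder, not the real downloader\n")
        zf.writestr("cover-letter.pdf", "%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason, size in scan_zip(build_sample()):
        print(f"{reason:25} {size:6d} bytes  {name}")
```

Because nested archives are read fully into memory, keep max_depth small and apply a size limit before feeding untrusted attachments to scan_zip; the extension match is deliberately on the last suffix only, so "report.js.txt" is not flagged while "report.txt.js" is.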

#9 jwhitted24 (Members; Portland, OR USA)

Posted 16 March 2016 - 03:50 PM

Adding a me too on this.

 

A part-time client (their main IT is in Ohio and I am in Oregon)  called and said that they got this.  No real encryption, just changed the file name on some files to .crypted.   I just took off the .crypted extension and the file opened.  Now have to put on my old DOS script hat and remember how to change all the file names back easily.  

 

Found the email and have the attachment that caused this. It was an email stating that they were needed to appear in district court. A zip file that contained a file called 00000954088.doc.js. I also have the html file that it drops stating where to go to make payment and saying things are encrypted. This is what the HTML file has in it, with a yellow background: I can send both the JavaScript and the html file to the link you have above if you wish.

 

 

Attention!

All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.

Nobody can help you except us. It is useless to reinstall Windows,
use antiviruses, rename files, etc.

To unlock your files you have to make payment.

Please click one of the following links for details:



#10 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor; The Arctic Circle)

Posted 16 March 2016 - 03:58 PM


Please upload them both here, would be interesting to have a look at it.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~
~Currently in my last year of school, so replies might be more delayed~
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
~Twitter~ | ~Malware Analyst at Emsisoft~


#11 jwhitted24 (Members; Portland, OR USA)

Posted 16 March 2016 - 04:50 PM

Files uploaded. The system had the latest corp version of Symantec on it and it did not stop the file at all. My desktop has Kaspersky on it and it would strip the JavaScript out and I had to temporarily disable it to upload the files.

I also found a batch file that worked well for removing the extension.  Just follow the directions on the batch file that is on the page and worked perfectly.

 

Will get some errors on duplicate filename but all good so far for this customer.

 

http://www.windows-commandline.com/rename-file-extensions-bulk/
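The original request in post #1 (a batch file that strips ".crypted") and the "errors on duplicate filename" reported just above are both handled by the script below. It is an added example written for this page, not the batch file linked above and not any poster's own script. It walks a tree, plans every rename first without touching disk, reports any file whose restored name already exists instead of failing on it, and optionally copies each file to a backup directory before renaming, as Demonslay335 advised. The suffix and the directory layout are parameters; nothing here is specific to this family beyond the default ".crypted".

```python
"""Strip an appended ransomware extension from a directory tree, safely.

Added example written for this page; it is not the batch file linked in the
thread and not a poster's own script. The suffix is a parameter because other
families append different markers.
"""
import shutil
import sys
from pathlib import Path
from typing import List, Optional, Tuple

SUFFIX = ".crypted"


def restored_name(path: Path, suffix: str = SUFFIX) -> Optional[Path]:
    """Return `path` with `suffix` removed, or None if it does not end with it."""
    name = path.name
    if not name.endswith(suffix) or len(name) == len(suffix):
        return None            # untouched file, or a bare ".crypted" with no name left
    return path.with_name(name[:-len(suffix)])


def plan_restores(root, suffix: str = SUFFIX) -> List[Tuple[Path, Path, str]]:
    """Walk `root` and decide what each rename would do without touching anything.

    Each entry is (src, dst, status) where status is "rename" when the target
    name is free, or "exists" when a file with the restored name is already
    there (the "duplicate filename" error a blind wildcard rename produces).
    """
    plan = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        dst = restored_name(path, suffix)
        if dst is None:
            continue
        plan.append((path, dst, "exists" if dst.exists() else "rename"))
    return plan


def apply_plan(plan, root, backup_dir=None, dry_run: bool = True) -> int:
    """Carry out the "rename" entries; "exists" entries are reported and skipped.

    With dry_run=True (the default) nothing on disk changes. If backup_dir is
    given, each file is copied there under its relative path before the rename,
    so a backup exists before anything is altered. Returns the number renamed.
    """
    root = Path(root)
    done = 0
    for src, dst, status in plan:
        if status != "rename":
            print(f"SKIP    {src}  ({status}: {dst.name} already present)")
            continue
        print(f"{'DRY-RUN ' if dry_run else ''}RENAME  {src} -> {dst.name}")
        if dry_run:
            continue
        if backup_dir is not None:
            copy = Path(backup_dir) / src.relative_to(root)
            copy.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, copy)
        src.rename(dst)
        done += 1
    return done


if __name__ == "__main__":
    # usage: restore.py <root> [--apply] [--backup <dir>]   (hypothetical CLI)
    args = sys.argv[1:]
    target = args[0] if args else "."
    backup = args[args.index("--backup") + 1] if "--backup" in args else None
    n = apply_plan(plan_restores(target), target, backup, dry_run="--apply" not in args)
    print(f"{n} file(s) renamed")
```

Run it once without --apply and read the SKIP lines: a file reported as "exists" usually means the original survived next to its renamed twin, which is worth a byte-for-byte comparison before either copy is discarded. Keep the backup directory outside the tree being restored so a second run does not pick the copies up again.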



#12 quietman7, Bleepin' Janitor (Global Moderator; Virginia, USA)

Posted 16 March 2016 - 05:03 PM

As I noted earlier, there are also some simple Bulk File Renaming Utilities which can be used.

#13 Grinler, Lawrence Abrams (Admin; USA)

Posted 16 March 2016 - 05:59 PM

Got em. The decoded js is:

http://pastebin.com/raw/XPGD0U7h

This does download a executable to the %temp% folder. The name of the file is 137698.exe on my system.

Vt scan is:

https://www.virustotal.com/en/file/b804ad89eed2d409b13518bf399f4d2405d8928a4971e9f8baeb33597f81f01a/analysis/1458169109/

Not exactly sure what it does.

#14 macomaco (Members)

Posted 17 March 2016 - 12:06 PM

Well, to be completely honest, this does not look like a simple rename to me - we have also been affected and some of the files are definitely corrupted - I'm not sure how much yet, but I definitely can't detect the type of file any more in Linux via the 'file' CLI utility. Therefore at least on some of the files the file header is corrupted.

 

Any more details on this are very appreciated.

 

We did not find any ransom requesting file on any of our systems so far so really cant say whether this really is the same case, but the extension at least is the same.


Edited by macomaco, 17 March 2016 - 12:06 PM.


#15 macomaco (Members)

Posted 17 March 2016 - 12:18 PM

Looking at the files from backups - I have selected one JPG file and I can see that the first 2032 bytes are definitely corrupted - meaning - I believe JPEG contains exif data here and these are replaced by some other data.

 

Just to compare the FIRST 16 bytes of the non-corrupted, and then corrupted (.crypted) file:

 

Original file:

ff d8 ff e1 18 eb 45 78 69 66 00 00 49 49 2a 00

.crypted file:

a6 b2 aa d5 56 af 2e 0f 27 0c 49 79 06 1d 4d 7a

 

The rest of the file, after byte 2032, is the same - and the sizes are the same, therefore this is not an append, it is a change of the file.
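macomaco's measurement above (same size, the first 2032 bytes replaced, the remainder untouched, and `file` no longer recognising the type) is exactly what is worth automating whenever a backup copy of an affected file exists, because it separates three situations the thread has been debating: a pure rename, a header-only overwrite that leaves the bulk of the data intact, and a fully encrypted file. The script below is an added example written for this page, not code from any poster. It assumes nothing about the cipher: it only locates the differing bytes and checks leading signatures. The verdict names and the short signature table are my own, and the sample pair is constructed; the XOR used to build it stands in for "bytes were overwritten" and is not a claim about the real sample.

```python
"""Measure what a ransomware sample actually changed, given a backup copy.

Added example written for this page; not code from the thread. It assumes
nothing about the cipher: it only locates the changed bytes and checks the
file signature, which is enough to tell "renamed only" from "header
overwritten" from "fully encrypted".
"""
from pathlib import Path
from typing import Dict, Optional

# Short signature table for the type check (assumed subset; extend as needed).
MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP / Office OOXML",
    b"%PDF": "PDF",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy Office)",
}


def identify(data: bytes) -> Optional[str]:
    """Crude stand-in for `file`: match the leading bytes against MAGIC."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def compare(original: bytes, crypted: bytes) -> Dict[str, object]:
    """Locate the bytes that differ between a backup and its .crypted copy."""
    n = min(len(original), len(crypted))
    diffs = [i for i in range(n) if original[i] != crypted[i]]
    same_size = len(original) == len(crypted)
    if same_size and not diffs:
        verdict = "rename-only"      # stripping the extension restores the file
    elif same_size and diffs[0] == 0 and diffs[-1] + 1 < n:
        verdict = "prefix-only"      # header overwritten, tail intact
    elif same_size and len(diffs) < n:
        verdict = "partial"          # some other region changed, rest intact
    else:
        verdict = "whole-file"       # full encryption, truncation or appended data
    return {
        "verdict": verdict,
        "size_original": len(original),
        "size_crypted": len(crypted),
        # differing positions plus any length difference
        "changed_bytes": len(diffs) + abs(len(original) - len(crypted)),
        "changed_span": (diffs[0], diffs[-1] + 1) if diffs else None,
        "type_original": identify(original),
        "type_crypted": identify(crypted),
    }


def triage(original_path, crypted_path) -> Dict[str, object]:
    """Compare two files on disk (both are read into memory)."""
    return compare(Path(original_path).read_bytes(), Path(crypted_path).read_bytes())


def build_sample():
    """Constructed JPEG-like pair: first 2032 bytes replaced, as reported above.

    The XOR is only a stand-in for "these bytes were overwritten"; it is not a
    claim about the real sample's cipher.
    """
    original = b"\xff\xd8\xff\xe1\x18\xebExif\x00\x00II*\x00" + bytes(range(256)) * 20
    crypted = bytes(b ^ 0xA5 for b in original[:2032]) + original[2032:]
    return original, crypted


if __name__ == "__main__":
    original, crypted = build_sample()
    for key, value in compare(original, crypted).items():
        print(f"{key:15} {value}")
```

A "prefix-only" verdict with a fixed span across several files of different types is the signal that the header, not the content, was destroyed; that is the case where a backup of even one file of the same type can tell you how much of the remainder is recoverable, whereas "whole-file" means the extension rename advice earlier in this thread does not apply.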





