
Nemucod / NemucodAES Ransomware (.crypted - Decrypt.txt) Support & Help Topic


653 replies to this topic

#16 Grinler (Lawrence Abrams), Admin, 43,199 posts, Location: USA

Posted 17 March 2016 - 12:28 PM

From this article it appears that the first 2048 bytes are encrypted:

http://blog.fortinet.com/post/nemucod-adds-ransomware-routine

Looks like the script renames the files and then an executable is downloaded that encrypts them. It appears this executable is buggy and doesn't always encrypt the files.


#17 Demonslay335 (Ransomware Hunter), Security Colleague, 3,204 posts, Location: USA

Posted 17 March 2016 - 01:54 PM

So the batch file is just prep so the exe can pick up what files to lock more easily? Seems odd to break up the behavior like that.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#18 quietman7 (Bleepin' Janitor), Global Moderator, 49,714 posts, Location: Virginia, USA

Posted 17 March 2016 - 03:15 PM

Some of the less sophisticated malware developers do not hesitate to try different methods even if it means releasing something that is not quite ready.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#19 macomaco, Members, 12 posts

Posted 17 March 2016 - 04:42 PM

I have released a decryptor written in Perl3 here:

http://pastebin.com/Gb9zHJhd

The first part is a KEY recovery script - you need one encrypted file and the same file taken from backups; the other section is another script recovering files using the encryption key.

It works!



#20 afischer, Members, 1 post

Posted 18 March 2016 - 09:24 AM

> I have released a decryptor written in Perl3 here:
>
> http://pastebin.com/Gb9zHJhd
>
> The first part is a KEY recovery script - you need one encrypted file and the same file taken from backups; the other section is another script recovering files using the encryption key.
>
> It works!

Fantastic work! I've managed to use this to decrypt one of my files, as well as extract the key. My biggest question now is how to use the second half of the script to decrypt the rest of my files? I've tried just moving the second script to a new file and running it on its own, but there are many syntax errors when I do. How hard would it be to have a script where you just manually feed it the key, and point it at a directory full of encrypted files? Or is there a better solution I'm not aware of?



#21 Grinler (Lawrence Abrams), Admin, 43,199 posts, Location: USA

Posted 18 March 2016 - 09:37 AM

> I have released a decryptor written in Perl3 here:
>
> http://pastebin.com/Gb9zHJhd
>
> The first part is a KEY recovery script - you need one encrypted file and the same file taken from backups; the other section is another script recovering files using the encryption key.
>
> It works!

Nice job! Python may not work well for many. If you don't mind, we will see if we can get someone to port your XOR key retrieval code to a Windows program?

#22 macomaco, Members, 12 posts

Posted 18 March 2016 - 05:53 PM

Updated code here:

https://github.com/hecko/nemucod_decrypter

It accepts a file list as params, so you can include all files in a directory with a mask such as

--source_file *.crypted

Yeah - port it to a different language if you please.

Marcel
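
The posts above describe the recovery approach in words: the first 2048 bytes of each file are transformed (per the Fortinet article Grinler linked), the thread calls the key recovery "XOR key retrieval", one clean copy from backup plus its encrypted twin is enough to derive the key, and the derived key can then be fed to a second pass over a whole directory (afischer's question, and macomaco's --source_file *.crypted mask). The script below is an added example written for this thread, not macomaco's pastebin or GitHub code. It assumes a repeating XOR key of unknown length over the first 2048 bytes with the rest of the file untouched and a ".crypted" suffix on the name; the function names, the sample key and the sample file contents are all constructed for the example. It also returns "no key" for the two failure cases that come up later in the thread: a pair that is not actually the same file, and a file the buggy encryptor never touched (keystream of all zeros).

```python
#!/usr/bin/env python3
"""Known-plaintext XOR key recovery plus bulk decryption (added example).

Assumptions, taken from the thread rather than from a sample analysis:
  * only the first BLOCK_LEN bytes are transformed (2048 per the Fortinet post);
  * the transform is XOR with a short key applied repeatedly (period unknown);
  * the rest of the file is untouched and SUFFIX is appended to the name.
Every file name, key and data buffer below is constructed for the example.
"""
import argparse
import glob
import os
import tempfile
from typing import List, Optional

BLOCK_LEN = 2048      # assumed encrypted region
SUFFIX = ".crypted"   # extension reported in the thread
MAX_PERIOD = 256      # longest repeating key we are willing to search for


def xor_stream(original: bytes, encrypted: bytes) -> bytes:
    """P XOR C over the encrypted region is exactly the keystream that was applied."""
    n = min(len(original), len(encrypted), BLOCK_LEN)
    return bytes(p ^ c for p, c in zip(original[:n], encrypted[:n]))


def find_period(stream: bytes) -> Optional[int]:
    """Smallest p with stream[i] == stream[i % p] for every i.
    At least two full repetitions are required so a match is not a coincidence."""
    for p in range(1, min(MAX_PERIOD, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def recover_key(original: bytes, encrypted: bytes) -> Optional[bytes]:
    """Derive the repeating key from one (original, encrypted) pair.

    None means the pair is not an encrypted copy of the same file (length
    differs, keystream not periodic) or the file was never encrypted at all
    (all-zero keystream): the 'Failed to find decryption key!' outcome.
    """
    if not original or len(original) != len(encrypted):
        return None
    stream = xor_stream(original, encrypted)
    period = find_period(stream)
    if period is None:
        return None
    key = stream[:period]
    return key if any(key) else None


def decrypt_bytes(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so this also encrypts (used to build sample data)."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:BLOCK_LEN]))
    return head + data[BLOCK_LEN:]


def output_name(path: str) -> str:
    """Strip SUFFIX; never write over the encrypted input."""
    return path[:-len(SUFFIX)] if path.endswith(SUFFIX) else path + ".decrypted"


def decrypt_file(path: str, key: bytes) -> str:
    """Write the decrypted copy beside the input and return its path.
    The encrypted file is kept until the result has been checked by hand."""
    with open(path, "rb") as fh:
        data = fh.read()
    out = output_name(path)
    with open(out, "wb") as fh:
        fh.write(decrypt_bytes(data, key))
    return out


def decrypt_glob(pattern: str, key: bytes) -> List[str]:
    """Expand the mask in Python so names with spaces behave the same on any shell."""
    return [decrypt_file(p, key) for p in sorted(glob.glob(pattern, recursive=True))]


def demo() -> bool:
    """Round trip on constructed data in a temp directory; True when it all matches."""
    key = bytes([0x13, 0x37, 0xAB])                     # constructed key
    original = bytes(i * 7 % 251 for i in range(3000))  # constructed 3000-byte file
    encrypted = decrypt_bytes(original, key)
    if recover_key(original, encrypted) != key:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        enc_path = os.path.join(tmp, "my report.docx" + SUFFIX)  # name with a space
        with open(enc_path, "wb") as fh:
            fh.write(encrypted)
        outs = decrypt_glob(os.path.join(tmp, "*" + SUFFIX), key)
        with open(outs[0], "rb") as fh:
            return outs[0].endswith("my report.docx") and fh.read() == original


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--original", help="clean copy of one file (from backup)")
    ap.add_argument("--encrypted", help="encrypted copy of that same file")
    ap.add_argument("--key", help="hex key from an earlier run")
    ap.add_argument("--source_file", help="glob of files to decrypt, e.g. '*.crypted'")
    a = ap.parse_args()
    k = bytes.fromhex(a.key) if a.key else None
    if a.original and a.encrypted:
        with open(a.original, "rb") as f1, open(a.encrypted, "rb") as f2:
            k = recover_key(f1.read(), f2.read())
        print("KEY:", k.hex() if k else "Failed to find decryption key!")
    if k and a.source_file:
        for out in decrypt_glob(a.source_file, k):
            print("wrote", out)
```

Run it once with --original and --encrypted to print the key, then again with --key and --source_file '*.crypted' (quote the mask so Python, not the shell, expands it). Decrypted copies are written next to the encrypted ones; delete the .crypted files only after spot-checking that the recovered documents open, since a wrong key produces output of the right size that is still garbage in the first 2048 bytes.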



#23 Crazy Cat, Members, 808 posts, Location: Lunatic Asylum

Posted 18 March 2016 - 07:17 PM

Marcel, nice work. Look at the links.

How to create Windows executable (.exe) from Python script. http://logix4u.net/component/content/article/27-tutorials/44-how-to-create-windows-executable-exe-from-python-script

And, py2exe http://www.py2exe.org/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.


#24 macomaco, Members, 12 posts

Posted 18 March 2016 - 07:29 PM

> Marcel, nice work. Look at the links.
>
> How to create Windows executable (.exe) from Python script. http://logix4u.net/component/content/article/27-tutorials/44-how-to-create-windows-executable-exe-from-python-script
>
> And, py2exe http://www.py2exe.org/

Thanks, but I really don't have time to support the code this much. I am personally really not interested in porting this to Windows at all as I work on the NAS FS level, but feel free to fork the code on GitHub and compile it for Windows - I believe many users will be very grateful for that.



#25 rmoyers, Members, 13 posts

Posted 20 March 2016 - 08:39 AM

Thanks for the help guys. Got hit by this on Thursday and have been recovering ever since. The Python scripts were a life saver.

I made some modifications to the scripts to handle files with spaces in their names and remove the .crypted from the recovered file name. Also built a .bat file to run the script unattended on a drive. I posted these here:

http://pastebin.com/brdHWuf8

You will still need the recover_key.py from above.



#26 macomaco, Members, 12 posts

Posted 20 March 2016 - 04:35 PM

> Thanks for the help guys. Got hit by this on Thursday and have been recovering ever since. The Python scripts were a life saver.
>
> I made some modifications to the scripts to handle files with spaces in their names and remove the .crypted from the recovered file name. Also built a .bat file to run the script unattended on a drive. I posted these here:
>
> http://pastebin.com/brdHWuf8
>
> You will still need the recover_key.py from above.

Happy to help. I'm currently recovering 91.374 files affected by this and can confirm again that as of the 5.713th file all looks well and my original scripts work well.



#27 fikstyler, Members, 4 posts

Posted 21 March 2016 - 08:19 AM

hello guys, can you help me?

I got this infection last night. I tried to get the key from the infected file and compared it to the original file using the Python script above but it doesn't work.

I'm no good at programming, I'm new to Python, just downloaded the 2.7

the script errors like this

[screenshot 7brmTxx.png]

if I add = on the highlighted text, it runs but after finding the key it catches an error like this

[screenshot ftluK1m.png]

can anyone help me?

do you need me to upload the original and decrypted file also to get the key?

thank you in advance



#28 macomaco, Members, 12 posts

Posted 21 March 2016 - 08:21 AM

> hello guys, can you help me?
>
> I got this infection last night. I tried to get the key from the infected file and compared it to the original file using the Python script above but it doesn't work.
>
> I'm no good at programming, I'm new to Python, just downloaded the 2.7
>
> the script errors like this
>
> [screenshot 7brmTxx.png]
>
> if I add = on the highlighted text, it runs but after finding the key it catches an error like this
>
> [screenshot ftluK1m.png]
>
> can anyone help me?
>
> do you need me to upload the original and decrypted file also to get the key?
>
> thank you in advance

Simple - you need Python3, not Python2 :)



#29 fikstyler, Members, 4 posts

Posted 21 March 2016 - 08:34 AM

 

> Simple - you need Python3, not Python2 :)

thanks, just downloaded python3, got this error after running the script

KEY: 
key = (Failed to find decryption key!
Traceback (most recent call last):
  File "G:\CRYPTED\recover_key.py", line 33, in <module>
    sys.exit(1)
NameError: name 'sys' is not defined
>>> 

never mind... just googled..

still no key found..

any info on this?

Edited by fikstyler, 21 March 2016 - 08:40 AM.


#30 macomaco, Members, 12 posts

Posted 21 March 2016 - 08:45 AM

 

 

> thanks, just downloaded python3, got this error after running the script
>
> KEY: 
> key = (Failed to find decryption key!
> Traceback (most recent call last):
>   File "G:\CRYPTED\recover_key.py", line 33, in <module>
>     sys.exit(1)
> NameError: name 'sys' is not defined
> >>> 
>
> never mind... just googled..
>
> still no key found..
>
> any info on this?

Well in that case the key is not found because you don't have the original, non-encrypted version of the same file.

You can send the files to me - both the original and encrypted - and I may find some time this evening (GMT) to find the key for you. Use PM.

Edited by macomaco, 21 March 2016 - 08:46 AM.




