Nemucod / NemucodAES Ransomware (.crypted - Decrypt.txt) Support & Help Topic
#31 rmoyers

Posted 21 March 2016 - 11:05 AM

The line has been munged.  It should read:

print('key = (', end="")

Notice that you have ==





#32 xchaos1

Posted 21 March 2016 - 12:27 PM

I was just contacted by a client that has been infected with this ransomware. Apparently I really suck at programming because I can't get the Python script to run. I don't have an infected/noninfected version of the file, but I did notice something interesting. You CANNOT rename a JPG or DOC file and have it work without decrypting, but ZIP files work by renaming the files.

So I guess I have 2 questions:

1.) What can I do without the noninfected version of the file?

2.) Can someone help me with these scripts or a Windows version of the script so that I can help this client?

What's so ironic is that I just met with this client last week and convinced her to buy an external drive to back up her files. Her plan was to back the files up today. Procrastination can really suck.

Also I had just installed Bitdefender on her computer with the latest updates. It appears it blocked and deleted the virus, but somehow she still got infected. Not sure about that one.



#33 Demonslay335

Ransomware Hunter

Posted 21 March 2016 - 12:34 PM

@xchaos1

 

Any chance it hit the Sample Pictures (under Public)? Those are common and a clean copy can be retrieved from the web.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#34 macomaco

Posted 21 March 2016 - 01:17 PM


 

1-A) You can try to find the key in a brute-force way - this may however take some significant time (up to 255^255 iterations) and it's kind of hard to detect the right one.

1-B) What Demonslay335 suggested is a quite nice trick.

1-C) Search for USB drives, backups, emails you have sent out, any other media for at least one original file (downloaded MP3s, videos - whatever....).

2) That version is compatible with Windows - download yourself Python3 from here: https://www.python.org/downloads/ and ask someone who knows Windows (not me :) ) to help - should not be too difficult.


Edited by macomaco, 21 March 2016 - 01:18 PM.
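An added illustration of the recovery route discussed above (example code written for this page, not the thread's recover_key.py or decrypt.py, and not the ransomware's own code): known-plaintext recovery of a repeating XOR key from one clean/encrypted pair of the same file, a consistency check that the pair really is the same file, the `key = (...)` tuple rendering that the thread's recovery script prints and that later gets pasted into the decrypt script, and decryption of a `.crypted` file back to its original name. The key length (255 bytes), the encrypted prefix length (2048 bytes), the function names and the file names are assumptions, not facts from this page; the sample files and the key are constructed inside `demo()` so the block runs offline.

```python
# Added example, not the thread's scripts. ASSUMPTIONS (not stated on this page):
# the key is KEY_LEN bytes and only the first PREFIX_LEN bytes of each file are XORed
# with it, repeating the key. Everything after the prefix is left untouched, which is
# consistent with the observation that a renamed .crypted ZIP still opens (its central
# directory sits at the end of the file) while a JPG or DOC, whose header is in the
# prefix, does not.
import os
import random
import tempfile

KEY_LEN = 255       # assumed key length
PREFIX_LEN = 2048   # assumed length of the encrypted prefix


def xor_prefix(data: bytes, key: bytes, prefix_len: int = PREFIX_LEN) -> bytes:
    """XOR the first prefix_len bytes of data with the repeating key; the rest is copied as-is."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:prefix_len]))
    return head + data[prefix_len:]


def recover_key(clean: bytes, encrypted: bytes, key_len: int = KEY_LEN,
                prefix_len: int = PREFIX_LEN) -> bytes:
    """Derive the key from a clean/encrypted pair of the same file.

    Byte i of the key is clean[i] ^ encrypted[i], so at least key_len bytes of
    plaintext are needed. Before trusting the result, check that the pair really
    is the same file: same length, identical bytes beyond the prefix, and the
    derived key must reproduce the entire clean file (a wrong "original", e.g. a
    re-saved copy, fails one of these checks instead of yielding a garbage key).
    """
    if len(clean) != len(encrypted):
        raise ValueError("clean and encrypted files differ in length: not the same file?")
    if len(clean) < key_len:
        raise ValueError(f"need a clean file of at least {key_len} bytes to recover the full key")
    if clean[prefix_len:] != encrypted[prefix_len:]:
        raise ValueError("bytes beyond the encrypted prefix differ: not the same file?")
    key = bytes(clean[i] ^ encrypted[i] for i in range(key_len))
    if xor_prefix(encrypted, key, prefix_len) != clean:
        raise ValueError("derived key does not reproduce the clean file; check the pair")
    return key


def format_key(key: bytes) -> str:
    """Render the key as a Python tuple literal, 'key = (b0, b1, ...)', the form pasted into the decrypt script."""
    return "key = (" + ", ".join(str(b) for b in key) + ")"


def decrypt_file(path: str, key: bytes, prefix_len: int = PREFIX_LEN) -> str:
    """Write <name> next to <name>.crypted and return its path; the encrypted file is kept."""
    if not path.endswith(".crypted"):
        raise ValueError("expected a .crypted file")
    out_path = path[:-len(".crypted")]
    if os.path.exists(out_path):
        raise FileExistsError(out_path)   # never clobber a file that is already there
    with open(path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(xor_prefix(data, key, prefix_len))
    return out_path


def demo() -> bool:
    """Constructed sample (not real victim data): recover the key from one file pair, decrypt a second file."""
    rng = random.Random(2016)
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))       # the "victim" key
    photo = bytes(rng.getrandbits(8) for _ in range(5000))         # stand-in for a photo with a clean backup copy
    document = bytes(rng.getrandbits(8) for _ in range(3000))      # stand-in for a file with no clean copy
    recovered = recover_key(photo, xor_prefix(photo, key))
    tmp_dir = tempfile.mkdtemp()
    crypted_path = os.path.join(tmp_dir, "report.doc.crypted")
    with open(crypted_path, "wb") as f:
        f.write(xor_prefix(document, key))
    out_path = decrypt_file(crypted_path, recovered)
    with open(out_path, "rb") as f:
        return f.read() == document


if __name__ == "__main__":
    print(format_key(bytes(range(8))))   # shape of the recovery script's output, shortened
    print("second file decrypted correctly:", demo())
```

The consistency checks in `recover_key` are the part worth keeping when adapting this: a clean copy that is not byte-identical to the pre-encryption file (a re-exported photo, a document re-saved by iCloud) produces a key that looks plausible but decrypts nothing, and the tail comparison plus the round-trip check catch that before any files are touched.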


#35 xchaos1

Posted 21 March 2016 - 01:31 PM

OK I now have an unencrypted file that I was able to download from her iCloud account. Now on to figuring out how to run this script in Windows :-)

 

Thanks



#36 cymbaline

Posted 21 March 2016 - 02:21 PM

I created an account here just so I could post to say THANK YOU to the folks who created and shared the scripts to decrypt this mess! 

 



#37 xchaos1

Posted 21 March 2016 - 02:31 PM

Finally got the script working and when I try to find my key this is what I get. Isn't there supposed to be something in the KEY: field?

 

 

[screenshot attachment: key.png]



#38 macomaco

Posted 21 March 2016 - 02:35 PM


Happy to help! Enjoy your recovered files :)



#39 macomaco

Posted 21 March 2016 - 02:36 PM

Well done, and no - the key is the full string starting with 'key = (' up until the last ')', so copy+paste this full paragraph into the other script and you are ready to decrypt the files.


Edited by macomaco, 21 March 2016 - 02:36 PM.


#40 xchaos1

Posted 21 March 2016 - 03:07 PM

I hate to be "that guy" with a million questions, but this is whooping me!

 

I run the decrypt script and this is what I'm seeing

 

[screenshot attachment: decrypt.png]

 

The file name I'm trying to decrypt is called IMG_1129.JPG

 

I really do appreciate all the help!



#41 Demonslay335

Posted 21 March 2016 - 03:21 PM


Did you recover the key first with recover_key.py? The '[-h]' is an optional parameter - you don't use the actual brackets around it. Try this.

decrypt.py -s IMG_1129.JPG.crypted



#42 xchaos1

Posted 21 March 2016 - 03:33 PM

Yes, I used the first script to get the key. I then copied and pasted the key into the other script. I run the command like you posted above and this is my output. 

 

[screenshot attachment: decrypt2.png]



#43 rmoyers

Posted 21 March 2016 - 03:41 PM

By the way, don't waste time paying the ransom. All you get is a JavaScript program that erases their tracks.



#44 Demonslay335

Posted 21 March 2016 - 03:48 PM


Mind posting the decrypt.py (recommend PasteBin) so we can check it for syntax?




#45 xchaos1

Posted 21 March 2016 - 03:49 PM

Here you go: http://pastebin.com/bmLSbPzc





