
Xorist (EnCiPhErEd) Ransomware Support and Help Topic - HOW TO DECRYPT FILES.txt


380 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin
  • 43,274 posts
  • Gender:Male
  • Location:USA

Posted 21 March 2016 - 04:51 PM

The EnCiPhErEd ransomware is part of the Xorist family of ransomware infections. This ransomware will encrypt your data with either XOR or TEA encryption and then append the .EnCiPhErEd extension to any encrypted files.

When it is done it will display a ransom note called HOW TO DECRYPT FILES.txt that provides instructions on how to pay and retrieve your decryption password. These instructions by default will be for the victim to send an SMS text message with a special ID to an associated number.

Thankfully, Fabian Wosar of Emsisoft has been able to devise a way to decrypt files encrypted by this family:
 

https://decrypter.emsisoft.com/xorist
 
You will need an encrypted file as well as its unencrypted version. Just select both the encrypted and original version and drag and drop it onto the decrypter executable. The key finding process may take a while, so please be patient. If you run into any issues, please feel free to post.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:


Edited by xXToffeeXx, 19 May 2016 - 03:36 PM.
Added decrypter info~

Edited by quietman7, 18 September 2016 - 06:23 PM.
Added Xorist in topic title
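As an added illustration of why the decrypter needs both an encrypted file and its original (example code written for this thread, not the Emsisoft tool's code; it uses a simplified repeating-key XOR with a made-up key rather than Xorist's real file format, and does not cover its TEA mode): XORing the known original against the encrypted copy exposes the key stream, and the recovered key then unlocks every other file encrypted the same way.

```python
from typing import Optional

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(plain: bytes, cipher: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Derive the key from one (original, encrypted) pair of equal length.

    plain XOR cipher yields the key stream; the shortest period that holds
    across the whole stream is the key. The pair must cover at least two key
    periods, otherwise a truncated key would pass the check, so the search
    stops at half the stream length.
    """
    if not plain or len(plain) != len(cipher):
        return None
    stream = xor_with_key(plain, cipher)  # same length, so plain[i] ^ cipher[i]
    for n in range(1, min(max_key_len, len(stream) // 2) + 1):
        candidate = stream[:n]
        if all(stream[i] == candidate[i % n] for i in range(len(stream))):
            return candidate
    return None

def decrypt_other_file(plain: bytes, cipher: bytes, other_cipher: bytes) -> Optional[bytes]:
    """Recover the key from one known pair and apply it to another encrypted file."""
    key = recover_key(plain, cipher)
    return None if key is None else xor_with_key(other_cipher, key)

# Constructed sample data (not real victim files): a JPEG-like original, its
# "encrypted" form, and a second file encrypted with the same hypothetical key.
SAMPLE_KEY = b"s3cr3t-k3y"
ORIGINAL_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"x" * 40
ENCRYPTED_PHOTO = xor_with_key(ORIGINAL_PHOTO, SAMPLE_KEY)
SECOND_FILE = b"Quarterly report: revenue up 4% over last year."
ENCRYPTED_SECOND = xor_with_key(SECOND_FILE, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(ORIGINAL_PHOTO, ENCRYPTED_PHOTO))
    print("second file:", decrypt_other_file(ORIGINAL_PHOTO, ENCRYPTED_PHOTO, ENCRYPTED_SECOND))
```

The original you supply must be longer than the key (here at least twice its length), which is why a small file that only matches the encrypted copy in name is not enough.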



#2 pastorok

  • Members
  • 3 posts

Posted 23 March 2016 - 12:57 PM

Thankfully, Fabian Wosar

It's the Russian open-source malware which was hacked a long time ago. Here is the source: https://ru-sf.ru/threads/ochen-moschnyj-kriptolokker-by-vazonez.1841/



#3 rengrish

  • Members
  • 4 posts

Posted 24 April 2016 - 05:14 AM

Hi

I have been affected by this virus. Can you please suggest how I can decrypt the files? I totally lost all the images & videos. Kindly provide me a way to decrypt the files.



#4 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 743 posts
  • Gender:Male
  • Location:Germany

Posted 24 April 2016 - 09:21 AM

Can you share some of your encrypted files here please, rengrish:

 

http://bleepingcomputer.com/submit-malware.php?channel=170

 

Thanks.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 rengrish

  • Members
  • 4 posts

Posted 24 April 2016 - 10:37 AM

Thanks for the reply. I have uploaded a sample image via the given link. Please let me know if you need any other information. Thanks a lot for this initiative.



#6 dude10028

  • Members
  • 1 posts

Posted 25 April 2016 - 07:31 AM

Hi. Afraid I've been another victim (many files with .EnCiPhErEd extension) and would appreciate help in attempting to get some files back. Many thanks, Andy

#7 TypicalFish

  • Members
  • 1 posts

Posted 26 April 2016 - 01:02 AM

Hello,

 

I have also gotten this on a server. I can upload documents to Bleeping Computer if you need.

I have already uploaded onto

https://id-ransomware.malwarehunterteam.com/identify.php

and I was directed to this post.

 

Please get back to me.

 

Thank you



#8 rengrish

  • Members
  • 4 posts

Posted 26 April 2016 - 10:53 PM

Is there anything that I can recover? Kindly help me.



#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 April 2016 - 06:07 AM

Edit: This ransomware actually is decryptable. You need to upload one of your encrypted files here. Please leave contact details, either in terms of your forum name (if logged in) or email. We cannot help you otherwise.
xXToffeeXx~
 


As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. It is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.

If that is not a viable option and if there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning that although decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a solution, so save the encrypted data and wait until that time.

Grinler, (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...

If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so.


Edited by quietman7, 11 May 2016 - 07:05 PM.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#10 Mat2016

  • Members
  • 4 posts

Posted 11 May 2016 - 06:34 PM

My HD has been completely affected with EnCiPhErEd unfortunately; any assistance on how to decrypt them would be greatly appreciated.



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2016 - 06:40 PM

You need to upload one of your encrypted files here. Please leave contact details, either in terms of your forum name (if logged in) or email. We cannot help you otherwise.
xXToffeeXx~



#12 Mat2016

  • Members
  • 4 posts

Posted 11 May 2016 - 11:13 PM

I have sent through one example, fingers crossed :)



#13 jcmicro

  • Members
  • 3 posts

Posted 14 May 2016 - 01:38 PM

All my files have been encrypted with the following message:

 

Attention! All your files are encrypted!
To restore your files and access them,
please send 2 Bitcoin to adress
1PqBLxDShLCBfjV9s4QkLzb3fi9siVZqDd
 
and email to j73419517739xu@163.com proof
(screen or smth) of your payment.
 
After receiving the money, I will send you
your password and decrypt instruction via email.
 
You have 20 attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
 
Be careful when you enter the code!
 
 
I have tried the tool from encipher.it and it needs a password. Any ideas? I have emailed the contact but so far no response from the hackers.


#14 jcmicro

  • Members
  • 3 posts

Posted 14 May 2016 - 01:41 PM

I have uploaded a sample of an encrypted file using one of the links in the forum.



#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 May 2016 - 07:18 PM

Please be patient. Staff, Security Colleagues and Security Experts like Fabian Wosar and xXToffeeXx~ are all volunteers who assist members as time permits. This site receives hundreds of requests for help every day. We are grateful for whatever free work our volunteer Security Experts can dedicate to investigating, analyzing and creating (when possible) fix tools that help so many of our members with malware related problems.

Thanks for understanding.
The BC Staff



