
Xorist (EnCiPhErEd) Ransomware Support and Help Topic - HOW TO DECRYPT FILES.txt


475 replies to this topic

#16 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:04:54 PM

Posted 17 May 2016 - 03:44 PM

I just released a generic decrypter for this type of infection. You can download it here:

https://decrypter.emsisoft.com/xorist

You will need an encrypted file as well as its unencrypted version. Just select both the encrypted and original version and drag and drop them onto the decrypter executable. The key finding process may take a while, so please be patient. If you run into any issues, please feel free to post.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.  :wink:
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com


 


#17 jcmicro

jcmicro

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 17 May 2016 - 05:59 PM

hi 

 

I have used one of the xls files, both the encrypted and unencrypted versions, and dragged them onto the tool. It ran for more than an hour and I had the message below

 

"The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 510 bytes long."
Even though the files are higher than 510 bytes.
What may be the problem? Stronger ransomware?



#18 Mat2016

Mat2016

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 17 May 2016 - 06:07 PM

Did you highlight both files (encrypted and original) then drag onto the encrypter? I did the same thing doing individually lol. 

 

It has to be both the same file dragged at the same time.

 

Mine is attempting now, fingers crossed and thank you so much Fabian for helping us all out. I hope this works :)



#19 Fabian Wosar


Posted 18 May 2016 - 03:40 AM

I have used one of the xls files, both the encrypted and unencrypted versions, and dragged them onto the tool. It ran for more than an hour and I had the message below

Would you mind sharing both files with me? You can upload them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=170
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#20 NickCh

NickCh

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 18 May 2016 - 01:24 PM

Hi all,

 

I got a virus in my desktop, I don't care about the desktop because I was using it as an arcade cabinet, I will try to format it,

but unfortunately my external drive was affected too and I have probably lost all of my family pictures.

 

I woke up and I found the following message, "Your personal files are encrypted" with several files to have a strange name,
I would be thankful for any advice on how I can get rid of this virus and whether it's possible to recover my files on the external drive.

I will upload a file to the following link now ( http://www.bleepingcomputer.com/submit-malware.php?channel=170 )



#21 Fabian Wosar


Posted 18 May 2016 - 01:39 PM

You can use the decrypter I linked to above. All you need is an encrypted file and its unencrypted original. Select both and drag and drop both onto the decrypter executable.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#22 NickCh


Posted 18 May 2016 - 01:43 PM

I tried that already but I got the following message,

 

"The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 510 bytes long."

 

but what happens if I don't have any unencrypted file? Plenty of my files are just encrypted, without an unencrypted copy of the same file.

 

I would be thankful for any advice.


Edited by NickCh, 18 May 2016 - 02:26 PM.


#23 NickCh


Posted 19 May 2016 - 11:17 AM

.. So I assume that is not possible to get rid of this malware at the moment, right?

#24 rengrish

rengrish

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 19 May 2016 - 12:51 PM

Hi 

 

Thanks a lot to Fabian Wosar & Emsisoft. I don't have any words to express my gratitude. Xorist Decrypter worked out excellent. It restored all my thousands and thousands of LOCKED files. At one point of time, I thought I lost everything. Now I have fully recovered from the big mental stress. I am very very happy after one month. Many many thanks to Fabian Wosar / Emsisoft for getting me back. I know that thanks by words is not enough.



#25 Fabian Wosar


Posted 19 May 2016 - 03:39 PM

.. So I assume that is not possible to get rid of this malware at the moment, right?

It is. Plenty of people before you did it. Just take any of your encrypted files where you have the original as well, select both and drag and drop them onto the decrypter. Even you will have at least one file of which you can somehow obtain the original version. Maybe it was a download that you can re-download. Maybe you emailed the copy of a file to a friend or family member earlier and they can email it back. Maybe the malware encrypted some default or sample files like the default Windows wallpapers.

In the years I have been doing this there hasn't been a single incident where decryption failed because people could not come up with at least one file pair.

Thanks a lot to Fabian Wosar & Emsisoft.

You should thank xXToffeeXx who relentlessly continued to kick my ass until I actually took the time to sit down to create the decrypter ;)
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#26 NickCh


Posted 20 May 2016 - 03:14 PM

I don't have words,

I am really thankful about what you did Fabian Wosar,

 

much appreciated!!!!!!

I think I managed to recover my files thanks to your advice!



#27 al1963

al1963

  • Members
  • 887 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 21 May 2016 - 02:53 AM

@Fabian Wosar

 

For more information about the decoder:

1. Is it possible to add an "Add directory" function to decrypt all files in the selected directory?

2. Is it possible to save the found key so that it can be used in the future with a new start of the decoder, not only in the current session?

3. Is there a possibility to start the decoder with a key found in a previous session?

---------



#28 al1963


Posted 21 May 2016 - 10:02 AM

Fabian,

I apologize, I figured out how to get the found key (via copy to clipboard), so question N2 is withdrawn :)

Add directory (N1) is probably also not true, as a group of files can be distinguished in the selected directory.

I will add that the decoder works fine for files encrypted by the encoder that is created in the specified constructor Encoder build 2.4, regardless of the selected algorithm (XOR or TEA) and the arbitrarily added (in the constructor) extension.

-----------

3 ???


Edited by al1963, 21 May 2016 - 10:04 AM.
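
Why one encrypted/original file pair is enough in the XOR case, as an added example that is not part of the thread and is not Emsisoft's decrypter code. It assumes the XOR mode mentioned above applies a short repeating key to the file bytes (the TEA mode is not covered); the function names, key and sample data are constructed for illustration.

```python
from itertools import cycle

MIN_PAIR_LEN = 510  # minimum file size quoted in the decrypter's error message


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_repeating_xor_key(original: bytes, encrypted: bytes) -> bytes:
    """Return the shortest repeating XOR key that maps original to encrypted."""
    n = min(len(original), len(encrypted))
    if n < MIN_PAIR_LEN:
        raise ValueError(f"file pair too short: {n} bytes, need {MIN_PAIR_LEN}")
    # For XOR, original ^ encrypted is the keystream itself.
    stream = bytes(p ^ c for p, c in zip(original[:n], encrypted[:n]))
    if not any(stream):
        raise ValueError("files are identical: this copy was never encrypted")
    # Accept only a key that repeats at least twice inside the pair, so a
    # mismatched pair is rejected instead of yielding a bogus key.
    for klen in range(1, n // 2 + 1):
        if all(stream[i] == stream[i - klen] for i in range(klen, n)):
            return stream[:klen]
    raise ValueError("no repeating key: mismatched pair or not plain XOR")


def demo() -> bool:
    key = b"constructed-demo-key"          # constructed, not a real Xorist key
    original = bytes(range(256)) * 3       # constructed 768-byte "original"
    encrypted = xor_crypt(original, key)   # the encrypted copy of that file
    found = recover_repeating_xor_key(original, encrypted)
    # The recovered key decrypts a second file for which no original exists.
    other_plain = b"family photo bytes " * 40
    return xor_crypt(xor_crypt(other_plain, key), found) == other_plain


if __name__ == "__main__":
    print("key recovered and reused:", demo())
```
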


#29 Mat2016


Posted 23 May 2016 - 09:49 PM

I want to thank again Fabian and Toffee for their help in this for everyone, I am glad to hear it's worked for many so far.

 

I successfully decrypted the files but unfortunately all the files have become corrupt due to unknown reasons, has anyone had this issue as well?

 

One thing I have learnt is how important anti virus and anti malware apps are and shouldn't be taken for granted.

 

I am generally one of those "careful" people who can see when a dodgy email comes along or what sites to view and not to, but it got me.



#30 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 24 May 2016 - 11:01 AM

I want to thank again Fabian and Toffee for their help in this for everyone, I am glad to hear it's worked for many so far.
 
I successfully decrypted the files but unfortunately all the files have become corrupt due to unknown reasons, has anyone had this issue as well?
 
One thing I have learnt is how important anti virus and anti malware apps are and shouldn't be taken for granted.
 
I am generally one of those "careful" people who can see when a dodgy email comes along or what sites to view and not to, but it got me.

Please can you upload some encrypted files here, preferably PNGs. It may take a little while to get to it as Fabian is currently injured. 
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




