Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ID Ransomware - Identify What Ransomware Encrypted Your Files


  • Please log in to reply
292 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,991 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:05 PM

Posted 24 March 2016 - 04:19 PM

ID Ransomware
 
logo-150.png
 
 
ID Ransomware is a website I have created where a victim can identify what ransomware encrypted their files.
 
All too often after a ransomware attack, the first question is, "what encrypted my files?", followed by "can I decrypt my data?". This web service aims to help answer those questions, and guide a victim to the correct information relating to their infection.
 
By simply uploading a ransom note, and/or an encrypted file (preferably both for best results), the site will use several techniques to help identify what ransomware may have encrypted the files. This includes assessing the ransom note name, file name patterns of the encrypted file, and in some cases, even byte patterns in the encrypted file itself.
 
When the ransomware(s) has been identified, a clean-cut answer will be displayed on the current known status of decrypting the data, along with a link to more information on the particular ransomware.
 
Naturally, there are cases where multiple ransomwares could be detected, as some ransomware share signs. It is best to review the provided links for more information on manually determining which is the real infector. It is also possible there could be dual-infections. There is also the chance that no ransomware will be identified. Some ransomware show few, or very complicated signs, and cannot be determined simply from the ransom note and encrypted sample.
 
A current list of ransomware that are supported is displayed on the front page, with newest additions in bold (all will be bold at launch here naturally).
 
I will be continuously trying to keep the database as accurate as possible when new developments are found, and when new ransomware are discovered. I also have plans for new detection techniques in the future.
 
This project is technically in beta, so let me know if there are any bugs, or if you believe detection was not accurate for a case. I can be reached on this forum, and my Twitter handle is at the bottom of the page.
 
In a way, I see this as a spiritual successor of Nathan's IDTool, so I thank him for the inspiration. :)
 
The website is accessible at the following link: https://id-ransomware.malwarehunterteam.com/
 
Special thanks to @malwrhunterteam for usage of their sub-domain. :)
 

Please see the dynamic list on the front page of the website for a list of ransomwares that can currently be identified by ID Ransomware.

 

Edited by Demonslay335, 03 May 2017 - 08:06 AM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:05 PM

Posted 24 March 2016 - 06:18 PM

Good job...it looks promising even as a beta.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,126 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:12:35 AM

Posted 25 March 2016 - 03:57 AM

The '?' need some formatting so that each entry is in a new line. (easy for reading)

 

I have a suggestion:

  • Can you please add some description for 'Ransome note; like : the file when opened shows the ransom note / payment info.
  • for 'Sample encrypted file' like :  your file which is now unable to be opened

Can the message telling the user if their file can be successfully recovered be in 'Green' , non-recognizable files as 'Grey' , un-recoverable files as 'Red' ?

 

Also,

 

You may post a new topic on BleepingComputer for further assistance and analysis.

May be you can redirect users to Security or Ransomware Tech Support and Help  subforums. :)

 

A good site and a great job! :)


Regards : CV                                                                                                    There is no ONE TOUCH key to security!
                                                                                                                                       Be alert and vigilant....!
                                                                                                                                  Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
                                                     Questions are to be asked, it helps you, me and others.  Knowledge is power, only when its shared to others.            :radioactive: signature contents © cv and Someone....... :wink:

#4 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,991 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:05 PM

Posted 25 March 2016 - 09:56 AM

@Nikhil_CV
 
Thanks for the feedback. I've added a bit of a description to the upload fields, and the link for support. I honestly didn't know this sub-forum existed until a few days ago, lol. :P
 
I'll look into tweaking the colors of the results. I'm rather new to Bootstrap styling, coming off the wheels of jQuery UI.
 
 

The '?' need some formatting so that each entry is in a new line. (easy for reading)


I'm not sure what you mean by this. Do you mean the '?' next to the upload fields, or the perhaps the FAQ?


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:05 PM

Posted 25 March 2016 - 04:50 PM

May be you can redirect users to Security or Ransomware Tech Support and Help  subforums. :)

Just redirect them to the Ransomware Tech Support and Help forum. Anything in General Security is going to get moved here.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,126 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:12:35 AM

Posted 03 April 2016 - 07:09 AM

 

I'm not sure what you mean by this. Do you mean the '?' next to the upload fields, or the perhaps the FAQ?

Do you mean the '?' next to the upload fields?

Yes that is what I meant. Some extension specifications are broken into 2 lines. Can it be given a separate line?

 

And about FAQ listing, doesn't bulleted listing look better (so you may add the extensions to it too next to the names or may be you can divide the section into 3 or 4 columns)

 

I almost forgot about the site while I jumped in to the other topic . 


Edited by Nikhil_CV, 03 April 2016 - 07:10 AM.

Regards : CV                                                                                                    There is no ONE TOUCH key to security!
                                                                                                                                       Be alert and vigilant....!
                                                                                                                                  Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
                                                     Questions are to be asked, it helps you, me and others.  Knowledge is power, only when its shared to others.            :radioactive: signature contents © cv and Someone....... :wink:

#7 donaldpillai

donaldpillai

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 06 April 2016 - 08:27 AM

BleepingComputer help me get rid of Cryptolocker virus but my files are still encrypted. I do not have the Cryptolocker ransom notice anymore. How do I decrypt my files. Please help.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:05 PM

Posted 06 April 2016 - 08:32 AM

BleepingComputer help me get rid of Cryptolocker virus but my files are still encrypted. I do not have the Cryptolocker ransom notice anymore. How do I decrypt my files. Please help.

The original CryptoLocker Ransomware which first appeared in the beginning of September 2013...does not exist anymore and hasn't since June 2014. There are many copycat ransomware variants which pretend to be or use the CryptoLocker name but those infections are not the same. Any references to CryptoLocker and retrieving keys for it will not work anymore.

In order for anyone to assist you, we need to identify specifically want ransomware infection you are dealing with.

Please read and follow these instructions.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 vilhavekktesla

vilhavekktesla

  • Members
  • 917 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:05 PM

Posted 14 April 2016 - 12:19 AM

Hi, here is one ransomware that might not exist on id-ransomware:

 

Question:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/page-205#entry3979333

Answer:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/page-205#entry3979335
@slstaut,
It is not Teslacrypt,
write in this topic: Filecoder.NFY / Genasom
http://www.bleepingcomputer.com/forums/t/607680/troldeshshade-extensionid-numberemailxtbl-support/

User to answer: al1963

File location:
https://www.sendspace.com/file/rwg3n8
 

I have no more information about this.

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


#10 Irishwolf3

Irishwolf3

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:05 PM

Posted 17 April 2016 - 05:45 PM

Hello I was scammed now locked out of my Asus. I have black screen the box startup password. Asus can't Microsoft can't help. I called the person and was told the can't help me unless pay $200....what can I do? I don't know a lot about computers.

#11 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,991 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:05 PM

Posted 17 April 2016 - 06:21 PM

Hello I was scammed now locked out of my Asus. I have black screen the box startup password. Asus can't Microsoft can't help. I called the person and was told the can't help me unless pay $200....what can I do? I don't know a lot about computers.


Please do not hijack another thread with an unrelated topic. It can be considered rude. You are already being helped by others in another topic, where you have been requested to share a picture numerous times in order to help further. Others have also already given you suggestions. If you are unable to follow them, I would suggest bringing the computer to a local expert or computer shop. Your data is most likely safe if it is what they are suspecting.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#12 pblevy

pblevy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:05 PM

Posted 26 April 2016 - 04:11 PM

Hi. My name is Brent. I have used the ID Ransomware site by uploading an encrypted file. The site identified the malware as CryptXXX and told me that the file is decryptable. I have already used Malwarebytes Antimalware to remove the virus. I now need to "decrypt" all the affected files and I was hoping someone could tell me how to do that. Thank you very much in advance for any help you can provide. Brent.



#13 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,991 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:05 PM

Posted 26 April 2016 - 04:16 PM

Hi. My name is Brent. I have used the ID Ransomware site by uploading an encrypted file. The site identified the malware as CryptXXX and told me that the file is decryptable. I have already used Malwarebytes Antimalware to remove the virus. I now need to "decrypt" all the affected files and I was hoping someone could tell me how to do that. Thank you very much in advance for any help you can provide. Brent.

 
The service will have given you a link to the appropriate topic for support with CryptXXX, where you may ask for help, and read other victim's testimonies on how they recovered their data.

Kaspersky recently released a tool that may decrypt your files. Check post #140.


Edited by Demonslay335, 26 April 2016 - 04:16 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#14 wiserhaus

wiserhaus

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 02 May 2016 - 07:14 AM

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 0c2fd8ed5906b57b3f60d20703758a1bcbe1aeca"

No tool was able to decypt. Only jpeg-preview is shown after decryption.

Th files are in my dropbox

https://www.dropbox.com/sh/tee9c9tj5ay06kg/AABga2e2nmQQN_FI5hQfY2aIa?dl=0

 

Please Help

Josef


Edited by wiserhaus, 02 May 2016 - 07:14 AM.


#15 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,991 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:05 PM

Posted 02 May 2016 - 11:29 AM

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 0c2fd8ed5906b57b3f60d20703758a1bcbe1aeca"

No tool was able to decypt. Only jpeg-preview is shown after decryption.

Th files are in my dropbox

https://www.dropbox.com/sh/tee9c9tj5ay06kg/AABga2e2nmQQN_FI5hQfY2aIa?dl=0

 

Please Help

Josef

 

It looks like you were hit by KEYHolder, which does not appear to have been decrypted from what I've seen. Some may have had luck using ShadowExplorer or Recuva, always worth a shot. Looks like a rather old one. I'll add detection for that one soon here (missed my spreadsheet somehow).

 

You can read more in this topic: http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





2 user(s) are reading this topic

1 members, 1 guests, 0 anonymous users


    Ponya777