Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ID Ransomware - Identify What Ransomware Encrypted Your Files


  • Please log in to reply
404 replies to this topic

#16 wiserhaus

wiserhaus

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:54 PM

Posted 03 May 2016 - 01:43 AM

 

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 0c2fd8ed5906b57b3f60d20703758a1bcbe1aeca"

No tool was able to decypt. Only jpeg-preview is shown after decryption.

Th files are in my dropbox

https://www.dropbox.com/sh/tee9c9tj5ay06kg/AABga2e2nmQQN_FI5hQfY2aIa?dl=0

 

Please Help

Josef

 

It looks like you were hit by KEYHolder, which does not appear to have been decrypted from what I've seen. Some may have had luck using ShadowExplorer or Recuva, always worth a shot. Looks like a rather old one. I'll add detection for that one soon here (missed my spreadsheet somehow).

 

You can read more in this topic: http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml

 

I read this before, but I only have the crypted files and folders. I was asked to help after the admin has formated all server harddisks.

Thanks

Josef



BC AdBot (Login to Remove)

 


m

#17 bullgom

bullgom

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 13 May 2016 - 12:08 AM

Has anyone ever been infected by  CryptXXX 2.0 ?

 

According to ID_Ransome,

 

This ransomware is still under analysis.

 

ransomnote_filename: 0845B236889D.html

 

sample_extension: .crypt

 

 



#18 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,101 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:54 AM

Posted 13 May 2016 - 05:28 AM

There are reports in the CryptXXX Ransomware Support and Help Topic.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#19 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,101 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:54 AM

Posted 13 May 2016 - 05:32 AM

The original CryptoLocker Ransomware which first appeared in the beginning of September 2013...does not exist anymore and hasn't since June 2014. There are many copycat ransomware variants which pretend to be or use the CryptoLocker name but those infections are not the same. Any references to CryptoLocker and retrieving keys for it will not work anymore.

You also indicated here that you were dealing with CryptXXX 2.0.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#20 vilhavekktesla

vilhavekktesla

  • Members
  • 917 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:54 PM

Posted 14 May 2016 - 03:51 AM

Hi, I just repeat this post. Is this infection added? I don't know if the files are availeble anymore, and I cannot find Genasom on ID-ransomware. I do see that it also states xtbl and troldeshade which might be mentioned on ID-ransomware (shade is). I ask this so no one can slip away.. just in case...

 

That service is proving to be state of the art, so I look forward to see it tuned with less false positives and more advices.

It would be nice to have the code and run it on my server to test different scenarios, and add more advices / tests on different samples I have:) It is probably copyrighted, encrypted and secret :D. I understand you are in the planning phase for another or more permanent service eventually, but the beta here is much better than many released services I have experienced so keep up the hard work, and to all... continu getting trojans so the identification service may be improved... Sorry bad joke, the fact is that it is the users trouble that lead to a service like this, and if more had backups or knew how to make them recover from ransomware would not be neccesary and the criminals would not be multi millinaires / billinaires / tril... hope not, at least not yet..

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


#21 nickhope

nickhope

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 15 May 2016 - 02:50 AM

Hi there,

 

My name is Nick. I was infected by a ransomware. I used ID Ransomware. The site identified the malware as CryptXXX and told me that the file is decryptable and sent me to Kaspersky tool. I used it and it worked very well on .doc, .xls, .pdf, .jpg files, but on .dwg, .dxf and .txt files the tool don't identify them as encrypted files even these files have the .crypt extension. What shall I do to decrypt those files ?

 

Thanks a lot

 

version of the decrypter. 1.9.1.0


Edited by nickhope, 15 May 2016 - 04:41 AM.


#22 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,101 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:54 AM

Posted 15 May 2016 - 06:19 AM

...I used ID Ransomware. The site identified the malware as CryptXXX and told me that the file is decryptable and sent me to Kaspersky tool. I used it and it worked very well on .doc, .xls, .pdf, .jpg files, but on .dwg, .dxf and .txt files the tool don't identify them as encrypted files even these files have the .crypt extension. What shall I do to decrypt those files ?

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#23 nickhope

nickhope

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 15 May 2016 - 09:15 AM

thank you



#24 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,101 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:54 AM

Posted 15 May 2016 - 04:25 PM

You're welcome and good luck.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#25 DStamm

DStamm

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:54 AM

Posted 18 May 2016 - 11:33 AM

Got another "new" one that ends in .crypt but the ransome note is !Recovery followed by a personal ID. Sample and note submitted to ID Ransomeware.


Edited by DStamm, 18 May 2016 - 11:33 AM.


#26 Tauni

Tauni

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Massachusetts
  • Local time:12:54 PM

Posted 22 May 2016 - 02:48 PM

I have been infected with the new Trojan-Ransom.Win32.CryptXXX Variant of the virus and all my files have .crypt extensions... and the ransom note is !Recovery followed by my personal ID just as DStamm mentioned.  I tried Kaspersky Rannohdecryptor with no luck.  I get a popup that states this variant is not supported.  Does anyone know of any recent decryption software handling this variant?  Or are my files going to be in lockup till one comes out in the future?  I have tried system restore but does not go back far enough and I have no shadowcopy.   



#27 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:54 AM

Posted 22 May 2016 - 02:51 PM

@DStamm @Tauni

 

Please refer to the CryptXXX support topic and post there with any questions. Currently there is no way of decrypting files by the newest variant of CryptXXX. You will have to backup your encrypted files, and wait for any possible developments in the future. If there are, they will be posted to that topic.

 

 

The discussion of a particular ransomware that has already been identified is not the subject of this topic.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#28 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:09:54 PM

Posted 23 May 2016 - 06:32 AM

Hi. I noticed in the list  ID Ransomware missing: GNL Locker and EnCiPhErEd.
Why is that?

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#29 DStamm

DStamm

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:54 AM

Posted 23 May 2016 - 08:01 AM

Thanks again, the only reason I posted here was the ransom note was different and unidentified. Wasn't sure if it was something new version or a variant of cryptxxx. 



#30 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:54 AM

Posted 23 May 2016 - 11:22 AM

 

Hi. I noticed in the list  ID Ransomware missing: GNL Locker and EnCiPhErEd.
Why is that?

 

 

EnCiPhErEd is actually confirmed as a variant of Xorist, so I removed the duplication. GNL Locker has become Zylok Locker (we gave it an arbitrary name, then a newer sample added their own name).


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users