
UltraCrypter / CryptXXX / UltraDeCrypter Ransomware Help Topic ( .crypt .cryp1 )


1664 replies to this topic

#1 ctn3
  • Members
  • 4 posts

Posted 31 March 2016 - 03:02 PM

Decrypter can be found here (Rannoh Decryptor) for all versions. You need an encrypted file and a ransom note.

Hello,

A relative's computer got infected with some ransomware that I wasn't quite able to identify online. I've tried "ID Ransomware" and it wasn't identified either.
The files left to inform the victim are decrypt_readme.bmp, decrypt_readme.html and decrypt_readme.txt.

I found an older ransomware that was cleaned. Thankfully I found a png from its readme in both unencrypted and encrypted (by the newer ransomware) form.

Can you help me figure out if it's decryptable, please?

Thank you


Edited by xXToffeeXx, 20 December 2016 - 06:39 AM.



#2 ctn3
  • Topic Starter
  • Members
  • 4 posts

Posted 31 March 2016 - 03:03 PM

The readme files: http://filedropper.com/readme_14

Unencrypted and encrypted png: http://www.filedropper.com/cryptsample


Edited by ctn3, 31 March 2016 - 03:16 PM.


#3 cybercynic
  • Members
  • 549 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 31 March 2016 - 03:09 PM

> Trying to figure out how to attach the files.

You don't. Upload them to Sendspace and post the link here.


We are drowning in information - and starving for wisdom.


#4 ctn3
  • Topic Starter
  • Members
  • 4 posts

Posted 31 March 2016 - 03:17 PM

Uploaded (see previous post).



#5 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,144 posts
  • Gender:Male
  • Location:USA

Posted 31 March 2016 - 03:27 PM

Might be new. I only know of Chimera using .crypt as an extension (haven't added that one yet), but the ransom note is called something different. The contents talk about RSA4096, which is commonly used as a lie by TeslaCrypt, but the encrypted file doesn't match the pattern of any TeslaCrypt version. The onion link goes to a site that looks like a TeslaCrypt page though...

> I found an older ransomware that was cleaned. Thankfully I found a png from its readme in both unencrypted and encrypted (by the newer ransomware) form.

What ransomware did you have before? Were all of the files successfully decrypted from that, and are you sure the malware is gone?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 ctn3
  • Topic Starter
  • Members
  • 4 posts

Posted 31 March 2016 - 03:47 PM

> What ransomware did you have before? Were all of the files successfully decrypted from that, and are you sure the malware is gone?

I'm not sure, the readmes were different (check out one of the PNGs in crypt_samples.rar). My relative deleted the old encrypted files, they weren't that many.

I'm not at my relative's place anymore, but if needed I can get more files if they're required.



#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,297 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 March 2016 - 04:24 PM

CryptInfinite Ransomware (Uniquekey@dr.com and crydhellsek@gmail.com) encrypts your data and appends a .crypt, .pzdc, or .good extension to the end of each filename. These infections typically leave files (ransom notes) with names like README!!.TXT and Help_Decrypt.txt similar to CryptoWall.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 tlorences
  • Members
  • 5 posts

Posted 31 March 2016 - 05:34 PM

Hey! I got infected by the same ransomware today. Currently fighting against it. If you get something that works please let me know! I will do too.

edit: actually I didn't get infected, a customer's computer did.

Doesn't look like gomasom. Gonna try chimera and cryptinfinite and post back.

Update: CryptInfinite decrypter DOES NOT work. Gomasom seems to be looking for the key as of now.

It's not Chimera either.


Edited by tlorences, 31 March 2016 - 05:41 PM.


#9 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,144 posts
  • Gender:Male
  • Location:USA

Posted 31 March 2016 - 05:49 PM

> Hey! I got infected by the same ransomware today. Currently fighting against it. If you get something that works please let me know! I will do too.
>
> edit: actually I didn't get infected, a customer's computer did.
>
> Doesn't look like gomasom. Gonna try chimera and cryptinfinite and post back.
>
> Update: CryptInfinite decrypter DOES NOT work. Gomasom seems to be looking for the key as of now.
>
> It's not Chimera either.

Can you submit a few encrypted files and the ransom note for analysis? You may upload them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#10 tlorences
  • Members
  • 5 posts

Posted 31 March 2016 - 05:56 PM

> > Hey! I got infected by the same ransomware today. Currently fighting against it. If you get something that works please let me know! I will do too.
> >
> > edit: actually I didn't get infected, a customer's computer did.
> >
> > Doesn't look like gomasom. Gonna try chimera and cryptinfinite and post back.
> >
> > Update: CryptInfinite decrypter DOES NOT work. Gomasom seems to be looking for the key as of now.
> >
> > It's not Chimera either.
>
> Can you submit a few encrypted files and the ransom note for analysis? You may upload them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Hey man! Thanks for your reply.

I just uploaded two of the ransom notes that appear (they all say the same, but one is .html, one txt and one bmp) and a .7z with an excel file and a pdf that are encrypted on the user's desktop.

Also! I used the link on your comments, and using the .bmp as ransom note it says that it might be tesla 3.0 or 4.0 and that there's no solution.

Thanks for all the help! Really appreciate it

Edit: The ransom website allows you to decrypt 1 file for free, so I'm gonna try and decrypt one file and upload both the encrypted and decrypted versions.

Edit 2: also, I have enough restore points on this computer so that I could try with a couple and see if the files are reverted, do you guys think that may work?


Edited by tlorences, 31 March 2016 - 06:03 PM.


#11 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,144 posts
  • Gender:Male
  • Location:USA

Posted 31 March 2016 - 06:05 PM

System Restore won't restore files, but you can try ShadowExplorer. I'll take a look at the files you uploaded in a bit.




#12 tlorences
  • Members
  • 5 posts

Posted 31 March 2016 - 06:06 PM

Yeah I already gave ShadowExplorer a go and had no luck.

Thanks again!

edit: Screenie of the ransom website and the soft it claims to provide me after payment

http://snag.gy/p8X8p.jpg


Edited by tlorences, 31 March 2016 - 06:18 PM.


#13 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,144 posts
  • Gender:Male
  • Location:USA

Posted 31 March 2016 - 06:12 PM

The TeslaCrypt 3.0/4.0 detection was a false-positive since the BMP had many zeros at the beginning of the file; I plan on fixing that in the future.

The ransom note looks similar to TeslaCrypt, but we're not convinced since it only has one listed website. The structure of the encrypted files doesn't match either; even if they changed the scheme, every file on the same host would have the same header more or less, where these don't.

We'll continue investigating. If you find any suspicious executables, you can submit those to the submission link I provided as well. You can run MalwareBytes and HitmanPro to try detecting anything.


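The two triage heuristics Demonslay335 describes in the post above, as an added example that is not part of this thread or of ID Ransomware's own code; the signature layout, the ransom-note BMP and the encrypted-file headers are constructed for illustration, not real family markers:

```python
"""Added example, not code from this thread or from ID Ransomware.

It models two points Demonslay335 makes above: (1) a signature keyed on a
zero-filled header field also fires on a ransom-note BMP whose start is mostly
zeros (the false positive he describes), and (2) files encrypted by one family
on one host share a header, so samples with unrelated headers argue against a
single-family match. Signature and headers here are constructed, not real."""

# Hypothetical signature: 8 zero bytes at offset 4 (no real family's layout).
HYPOTHETICAL_SIG = (4, b"\x00" * 8)

def naive_match(sample: bytes, sig=HYPOTHETICAL_SIG) -> bool:
    """Pure byte-pattern check: anything zero-filled at that offset matches."""
    off, pat = sig
    return sample[off:off + len(pat)] == pat

def robust_match(sample: bytes, sig=HYPOTHETICAL_SIG, window=64, min_distinct=12) -> bool:
    """Same check, but reject low-information matches: a window made of only a
    few byte values (zero padding, blank bitmap) cannot identify a family."""
    return naive_match(sample, sig) and len(set(sample[:window])) >= min_distinct

def shared_prefix_len(samples) -> int:
    """Number of leading bytes identical across every sample."""
    n = 0
    for column in zip(*samples):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def same_family_header(samples, min_prefix=8) -> bool:
    """Thread heuristic: one family on one host -> common header on all files."""
    return len(samples) > 1 and shared_prefix_len(samples) >= min_prefix

# Constructed inputs. A BMP starts with "BM", a 4-byte size, 4 reserved zero
# bytes and a 4-byte pixel offset; a mostly blank bitmap then runs on in zeros.
ZERO_HEAVY_BMP = b"BM" + (1024).to_bytes(4, "little") + b"\x00" * 204
# Constructed family header that carries the zero field the signature keys on,
# followed by per-file bodies that differ (stand-ins for ciphertext).
FAMILY_HEADER = b"\xde\xad\xbe\xef" + b"\x00" * 8 + b"\x10\x20\x30\x40"
ENCRYPTED_SAME_HOST = [FAMILY_HEADER + bytes((i * 37 + 11 * k) % 256 for i in range(48))
                       for k in (1, 2, 3)]
ENCRYPTED_UNRELATED = [bytes(((i + 1) * (k + 3)) % 256 for i in range(64)) for k in range(3)]

if __name__ == "__main__":
    print("BMP naive/robust:", naive_match(ZERO_HEAVY_BMP), robust_match(ZERO_HEAVY_BMP))
    print("same host:", same_family_header(ENCRYPTED_SAME_HOST),
          "unrelated:", same_family_header(ENCRYPTED_UNRELATED))
```

The zero-heavy BMP passes the naive signature but fails the distinct-byte check, while the three same-host samples share their full 16-byte header and the unrelated ones share nothing.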


#14 tlorences
  • Members
  • 5 posts

Posted 31 March 2016 - 06:20 PM

Alright! Thanks for the help, I really appreciate it.

Will run HitmanPro and MBAM and update.

Let me know if I can provide you with anything else!

And, once again, thank you!

Edit: Just submitted the only weird files that MBAM found. HitmanPro didn't find anything other than some tracking cookies. I'm not sure but that kmservice malware might be related to this user running pirated windows and office, but since I found it I uploaded it.

Edit2: Uploaded an unencrypted file and its crypted version. Filename: Ransom.7z


Edited by tlorences, 31 March 2016 - 07:26 PM.


#15 capuchapopo
  • Members
  • 1 posts

Posted 05 April 2016 - 02:49 PM

Hi, I'm Luis, from Spain. A virus, the CryptoWall malware (Help_Your_Files ransomware), got into my computer and has encrypted or locked lots of files, mainly lots of family photos and photos of my daughter that I will not be able to recover. I read in a forum that you could help me if I send some files that cannot be opened. I'd appreciate it a lot, and my wife is very upset. Thank you. I hope you tell me something and you can help me. How can I send you the files? If you tell me your mail I'll send the documents there... My email is *removed*

 

Hello. I'm Luis, from Spain. A virus, a CryptoWall malware (Help_Your_Files ransomware), got into my computer and has encrypted or locked a large number of files, mainly a large number of family photos and photos of my daughter that I won't be able to recover. I read in a forum that you could help me if I send you some of the files that I can't open. I would be very grateful, and even more so my wife, who is very upset. Thank you. I hope you tell me something and can help me. How can I send you the files? If you tell me your email I'll send you the documents that way...


Edited by xXToffeeXx, 07 April 2016 - 06:54 AM.




