
UltraCrypter / CryptXXX / UltraDeCrypter Ransomware Help Topic ( .crypt .cryp1 )


1670 replies to this topic

#1036 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 10 July 2016 - 11:06 AM

To victims of the variant that does not change the extension and left "README.HTML" or "!README.HTML":

Can you verify something with your encrypted files? I think I may have found a way to at least identify encrypted files.

Please open a few encrypted files in a hex editor, and look for the following 32 bytes at the very beginning of the file (shown in hex, UTF-8, and ANSI below). You may use an online hex viewer such as this: http://www.onlinehexeditor.com.

F4 2D 24 0F 12 DF 4D 23 12 DF 4D 23 12 DF 4D 23    ô-$..ßM#.ßM#.ßM#    .-$...M#..M#..M#
12 DF 4D 23 F4 2D 24 0F F4 2D 24 0F F4 2D 24 0F    .ßM#ô-$.ô-$.ô-$.    ..M#.-$..-$..-$.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
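Added example (not code from the thread, from ID Ransomware or from any other tool named here): a small Python triage scanner that checks whether files begin with the 32-byte marker quoted in the post above. The marker bytes are taken from the post; the sample files the demo builds are constructed.

```python
import os
import tempfile
from pathlib import Path

# 32-byte marker quoted in the post above for the CryptXXX variant that keeps
# the original file extension; the bytes are the post's, the scanner is added here.
CRYPTXXX_HEADER = bytes.fromhex(
    "F42D240F12DF4D2312DF4D2312DF4D23"
    "12DF4D23F42D240FF42D240FF42D240F"
)


def has_cryptxxx_header(data: bytes) -> bool:
    """True only if the data starts with the full 32-byte marker."""
    return len(data) >= 32 and data[:32] == CRYPTXXX_HEADER


def scan_tree(root: str) -> list[str]:
    """Walk root and return the paths of files whose first 32 bytes match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(32)  # only the header is needed, so large files stay cheap
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            if has_cryptxxx_header(head):
                hits.append(path)
    return hits


def demo() -> list[str]:
    """Build a constructed sample tree (one marked file, one plain PNG) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        marked = Path(tmp) / "holiday.jpg"      # constructed: carries the marker
        marked.write_bytes(CRYPTXXX_HEADER + b"\x00" * 64)
        clean = Path(tmp) / "logo.png"          # constructed: ordinary PNG signature
        clean.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        return sorted(os.path.basename(p) for p in scan_tree(tmp))


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A match only says the file carries this header; it does not recover anything, so use the list to size the damage and to decide which files to keep for a possible future decrypter.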



#1037 cybercynic (Members)
Posted 10 July 2016 - 12:41 PM

I took the two files that Dimo70 provided - the hex values are the same for the first 32 bytes in each and are the same as in your post.


We are drowning in information - and starving for wisdom.


#1038 Jack-et (Members)
Posted 10 July 2016 - 06:32 PM

Guys of the "no extension change", are you sure it's not TeslaCrypt V4 or BadBlock? I was reading the Trend Micro page... http://esupport.trendmicro.com/solution/en-US/1114221.aspx

If it's not, try to add .crypz and use the Trend Micro tool, like lightangel said.


Edited by Jack-et, 10 July 2016 - 06:33 PM.


#1039 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 10 July 2016 - 06:36 PM

Jack-et wrote:
Guys of the "no extension change", are you sure it's not TeslaCrypt V4 or BadBlock? I was reading the Trend Micro page... http://esupport.trendmicro.com/solution/en-US/1114221.aspx
If it's not, try to add .crypz and use the Trend Micro tool, like lightangel said.

ID Ransomware will pick up on either of those based on hex patterns. Most had cases that IDR was unable to identify (until now possibly). TeslaCrypt is also 100% dead, and BadBlock had an obvious ransom screen that set it apart.



#1040 Jack-et (Members)
Posted 10 July 2016 - 06:40 PM

...anyway...

Kaspersky, I am disappoint! <_< Beaten by Trend Micro (good job guys)

...anyway...

I figure that the companies of the world don't collaborate, for the money, but they really should!


Edited by Jack-et, 10 July 2016 - 06:45 PM.


#1041 Marylain (Members)
Posted 11 July 2016 - 08:55 AM

@Demonslay335

Here are 3 screenshots of 3 different images encrypted by CryptXXX (Microsoft Decryptor or whatsoever):

https://www.imageupload.co.uk/image/cwIF

I can provide a lot more, and I can also provide the same file unencrypted if it can help you.

Plus, the Trend Micro tools do not work... at least, not with the "no change of the extension type".

Please let me know if you need other files/references.

I wanna fight with you! XD



#1042 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 11 July 2016 - 11:13 AM

Marylain wrote:
@Demonslay335
Here are 3 screenshots of 3 different images encrypted by CryptXXX (Microsoft Decryptor or whatsoever):
https://www.imageupload.co.uk/image/cwIF
I can provide a lot more, and I can also provide the same file unencrypted if it can help you.
Plus, the Trend Micro tools do not work... at least, not with the "no change of the extension type".
Please let me know if you need other files/references.
I wanna fight with you! XD

So far it looks like we can definitely identify encrypted files with that pattern then. I've added a definition to ID Ransomware. Even if I cannot help with decryption, I can at least help with identifying and guiding victims to the right information. :)




#1043 Taty2016 (Members)
Posted 11 July 2016 - 03:00 PM

Hi,
I want to pay the ransom!!!
I would like to pay the ransom to obtain my files' key to decrypt.
But when I access Tor and check with my ID, my sample file is still encrypted with status "WAITING ...".
What happens in this case?
Have they not seen the sent file?
Or
Can they not decrypt my file?
My files were encrypted with the cryp1 extension on 31/05/2016.
ID: 68F0D99F1937
Thanks,

Does anyone have news about decrypting files with the .cryp1 extension?



#1044 quietman7 (Bleepin' Janitor, Global Moderator)
Posted 11 July 2016 - 05:31 PM

Kaspersky's tool will not work on CryptXXX 3.x variants... it will detect but not decrypt... see CryptXXX updated to version 3.0, Decryptors no longer Work.

Trend Micro released a Ransomware File Decryptor for victims of CryptXXX v1/v2/v3* but advises that its decrypter may only do a partial data decryption on CryptXXX 3.0 encrypted files.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#1045 chemac (Members)
Posted 12 July 2016 - 04:51 AM

Hello, my name is Javier, I'm Spanish.

I lost all the information; my external hard drive has been encoded.

My son opened an email from the company Endesa.

Encoded files 8A983.

I send the wetransfer link with some files.

https://we.tl/ZfeKYkBdN0

Thanks

Re-edit:

With the Trend Micro ransomware program, it detects infected files but does not decrypt any files.


Edited by chemac, 12 July 2016 - 06:37 AM.


#1046 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)
Posted 12 July 2016 - 12:26 PM

Hi,

I encountered the latest variant of CryptXXX 3.0 which did not change the extensions of the files. I cleaned the infected system (a photo studio with a lot of encrypted multimedia files). Unfortunately I didn't have the time to collect the dropped files, but the ransomware comes with Necurs, and it looks like the Necurs botnet is back again. Anyway, I ran RakhniDecryptor and the Trend Micro Ransomware File Decryptor Tool without success. The system was running Windows XP, so ShadowExplorer was useless there as well. Recuva didn't find any files... and then I ran another file recovery tool which was able to restore most of the files. I don't want to mention the name of the program here in public, to safeguard the tool from malware writers. You can ask me via PM for the name if you want to give it a try. Be aware that the program is shareware (there are promotions from time to time) and I don't work for them, so I don't have any reason to promote it. I tested it on a real system and was pleased with the results. Also, I used it to recover photos only, since they were the more important files for the studio.

Regards,

Georgi


Edited by B-boy/StyLe/, 12 July 2016 - 12:28 PM.



#1047 cybercynic (Members)
Posted 12 July 2016 - 12:47 PM

@ all:

The current Trend Micro decrypter doesn't appear to work at all on CryptXXX with the random 5 digit file extension or the latest version which doesn't change the file name at all.



#1048 tpapple (Members)
Posted 13 July 2016 - 05:30 AM

Microsoft decryptor!!!!! is non-working decryption!!

Don't pay the liar!!!!!!!!!!!



#1049 tpapple (Members)
Posted 13 July 2016 - 05:32 AM

THE LIAR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Q - Question: How can I decrypt my files after the payment?

Answer: After the successful payment, you can download Microsoft decryptor on your personal page. We guarantee that all your files will be successfully decoded.



#1050 Tomygun (Members)
Posted 13 July 2016 - 06:30 AM

My English is very bad and I try to write English.

I have the latest variant of CryptXXX 3.0 with the extension ".crypz". I do not pay for decryption.

And now the strange part.

I was infected on 10/06/2016. Today I went to the pay page and see my decrypt code. Some days ago I sent a trial picture to decrypt, but without success. Perhaps they are confused. Do try it.

My code works. :bananas:





