Ransomware - Decryption tool corrupts most files


4 replies to this topic

#1 netixx (Members, 2 posts)

Posted 13 April 2016 - 07:35 AM

Hi everyone,

 

this is my first post on this site so please forgive me if I violate any "rules" here.

 

We are an IT service company and had to pay ransom for an infected system/server (Windows 10/Server 2012) for one of our clients. Now the problem is that, after further analysis, a bunch of decrypted files are now corrupted or only partially readable. For us it was a new iteration of ransomware and I can't say which type of ransomware it is, but I attached a link to the decryption tool (.exe in a .zip in a .7z) and I hope someone of you guys can identify the ransomware to prevent other victims paying for this crappy and non-functional decryption software.

 

https://drive.google.com/open?id=0B6NQS3L4GSgKMU84YmxrLVBPUlE


Edited by netixx, 13 April 2016 - 07:37 AM.



#2 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, USA)

Posted 13 April 2016 - 08:59 AM

We'll need to identify the ransomware itself before messing with the decrypter, so we know what we are dealing with.

 

You can upload a ransom note and encrypted file to the service in my signature to possibly identify it. We can then try to go from there. If it fails to identify it automatically, I can manually inspect the files if you provide me the SHA1 it gives you.


Edited by Demonslay335, 13 April 2016 - 09:00 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#3 netixx, Topic Starter (Members, 2 posts)

Posted 13 April 2016 - 09:25 AM

> We'll need to identify the ransomware itself before messing with the decrypter, so we know what we are dealing with.
>
> You can upload a ransom note and encrypted file to the service in my signature to possibly identify it. We can then try to go from there. If it fails to identify it automatically, I can manually inspect the files if you provide me the SHA1 it gives you.


Hi! Thank you for your reply. I did as you said and the result of the analysis is that "our" ransomware is either Crypt0L0cker or KeRanger. Since the infected systems are running Windows 7/10 and Server 2012, I think it's safe to say that it's not KeRanger.


Edited by netixx, 13 April 2016 - 09:26 AM.


#4 Slayder (Members, 10 posts)

Posted 13 April 2016 - 12:23 PM

> We'll need to identify the ransomware itself before messing with the decrypter, so we know what we are dealing with.
>
> You can upload a ransom note and encrypted file to the service in my signature to possibly identify it. We can then try to go from there. If it fails to identify it automatically, I can manually inspect the files if you provide me the SHA1 it gives you.

> Hi! Thank you for your reply. I did as you said and the result of the analysis is that "our" ransomware is either Crypt0L0cker or KeRanger. Since the infected systems are running Windows 7/10 and Server 2012, I think it's safe to say that it's not KeRanger.


What are the ransom files left behind called?



#5 quietman7, Bleepin' Janitor (Global Moderator, 51,937 posts, Virginia, USA)

Posted 13 April 2016 - 06:46 PM

Any files that are encrypted with Crypt0L0cker or KeRanger will have the .encrypted extension appended to the end of the affected filename. However, KeRanger is ransomware that infects the Mac OS X operating system, not Windows 7/10 and Server 2012, so your assessment is most likely correct.

A repository of all current knowledge regarding Crypt0L0cker (TorrentLocker) is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

There are ongoing discussions in these topics where you can ask questions and seek further assistance. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
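The thread describes three manual steps: find the files the ransomware renamed (quietman7's post: Crypt0L0cker appends .encrypted) plus the ransom note, hash a sample for an analyst (Demonslay335's post: the SHA1 that ID Ransomware reports), and, the problem netixx actually hit, check whether what the decrypter wrote back is really usable before the encrypted originals are discarded. The script below is an added example written for this page; it is not code from the thread, from ID Ransomware, or from any Crypt0L0cker decrypter. The ransom note filename HOW_TO_RESTORE.txt, the sample file contents, the magic-byte table and the 7.0 bits/byte entropy threshold are all assumptions chosen for the demonstration, not something the thread states.

```python
"""Ransomware triage helper (added example, not from the thread or ID Ransomware).

Finds *.encrypted files and ransom notes, hashes a sample with SHA1, and
sanity-checks decrypter output: a "decrypted" file whose header does not
match its extension, or whose bytes are still near-random, is flagged so it
is not mistaken for a successful recovery."""
from __future__ import annotations

import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".encrypted"  # extension quietman7 says Crypt0L0cker appends

# Expected leading bytes per original extension (assumed table, common types only).
# "compressed" types are high entropy even when intact, so the entropy check
# below is skipped for them and only the header is verified.
MAGIC = {
    ".pdf": (b"%PDF-", False),
    ".docx": (b"PK\x03\x04", True),
    ".xlsx": (b"PK\x03\x04", True),
    ".zip": (b"PK\x03\x04", True),
    ".png": (b"\x89PNG\r\n\x1a\n", True),
    ".jpg": (b"\xff\xd8\xff", True),
}
ENTROPY_LIMIT = 7.0  # bits/byte (assumed); text and uncompressed docs sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of(path: Path) -> str:
    """SHA1 of a sample file, the identifier an analyst would ask for."""
    return sha1_bytes(path.read_bytes())


def find_artifacts(root: Path, note_names: set[str]) -> tuple[list[Path], list[Path]]:
    """Return (encrypted files, ransom notes) found under root."""
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix == ENCRYPTED_EXT:
            encrypted.append(p)
        elif p.name in note_names:
            notes.append(p)
    return sorted(encrypted), sorted(notes)


def check_decrypted(path: Path) -> tuple[bool, str]:
    """Decide whether a decrypter's output looks like a real file of its type."""
    data = path.read_bytes()
    if not data:
        return False, "empty"
    magic, compressed = MAGIC.get(path.suffix.lower(), (None, False))
    if magic is not None and not data.startswith(magic):
        return False, f"bad header, expected {magic!r}"
    if not compressed:
        h = shannon_entropy(data)
        if h > ENTROPY_LIMIT:  # partially decrypted files keep a random-looking tail
            return False, f"entropy {h:.2f} bits/byte looks like leftover ciphertext"
    return True, "ok"


def _noise(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def run_demo() -> dict:
    """Build a constructed sample tree (not real victim data) and run the checks."""
    rng = random.Random(1337)  # deterministic stand-in for ciphertext
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "report.pdf.encrypted").write_bytes(_noise(rng, 4096))
    (root / "HOW_TO_RESTORE.txt").write_text("pay us")  # hypothetical note name
    (root / "good.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    (root / "still_ciphertext.pdf").write_bytes(_noise(rng, 4096))
    (root / "partial.txt").write_bytes(b"quarterly figures\n" * 30 + _noise(rng, 4096))
    encrypted, notes = find_artifacts(root, {"HOW_TO_RESTORE.txt"})
    checks = {name: check_decrypted(root / name)[0]
              for name in ("good.pdf", "still_ciphertext.pdf", "partial.txt")}
    return {
        "encrypted": [p.name for p in encrypted],
        "notes": [p.name for p in notes],
        "sample_sha1": sha1_of(encrypted[0]) if encrypted else None,
        "checks": checks,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it against the decrypter's output directory rather than the temp tree and anything that comes back False is a file to keep the .encrypted original for; the header check catches files the tool never touched, the entropy check catches the "only partially readable" case where the start decrypted but the rest did not.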



