
Crypren Support and Help Topic (.Encrypted and READ_THIS_TO_DECRYPT.html)



#1 Grinler (Lawrence Abrams, Admin)

Posted 14 May 2016 - 12:44 PM

This topic is to provide support and help for the Crypren Ransomware.

When Crypren infects your computer it will encrypt your data and append the .encrypted extension to the encrypted file. This ransomware will target the following file extensions:

txt, jpg, png, xml, doc, docx, xls, xlsx, ppt, pptx, gif, bmp, sql, php, html, cpp, docm, docb, rar, zip, xlm, mp3, mp4, xlsb, xla, xlam, xll, xlw, pdf, pps, pot, accdb, accde, accdt, accdr, cert, swf, mdb, rtf, gzip, tar, css

A decryptor for this infection is available, but requires some more work to make it run properly in Windows. For those who wish to test this on Linux, you can find the decryptor here:

https://github.com/pekeinfo/DecryptCrypren

The ransom note displayed by Crypren is called READ_THIS_TO_DECRYPT.html and looks like the following:

[Image: crypren-ransom-note.png]




#2 inkoalawetrust

Posted 14 May 2016 - 01:41 PM

Why have a Linux version though? The developers of the ransomware would have almost no point to target Linux because (usually) the people who use Linux are smart enough to keep backups of their data and (probably) have already done it because Linux isn't pre-packaged with most computers so it needs to be installed and may cause damage and also the amount of people who use it are WAY less than Windows or Mac users because Windows comes with almost EVERY computer. (If that's what you mean)


Edited by inkoalawetrust, 14 May 2016 - 01:44 PM.


#3 Demonslay335

Posted 14 May 2016 - 02:01 PM

There are some ransomware that have hit Linux before, but that's beside the point here. The decrypter is written in pure C, which normally compiles on Linux easier. Once it is compiled with the correct symbols, it can usually be patched to run on Windows. It may just be what the developer is most comfortable in developing with. As long as it works, someone else can always port it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 inkoalawetrust

Posted 14 May 2016 - 02:18 PM

> There are some ransomware that have hit Linux before, but that's beside the point here. The decrypter is written in pure C, which normally compiles on Linux easier. Once it is compiled with the correct symbols, it can usually be patched to run on Windows. It may just be what the developer is most comfortable in developing with. As long as it works, someone else can always port it.

oh



#5 Demonslay335

Posted 14 May 2016 - 03:41 PM

I am working on a Windows port for this. If anyone is affected by this ransomware, post here, and I can see if it will work with your files. Requires an encrypted .docx file to derive the key to begin with, may be able to adapt for other formats. Otherwise, it would be possible to derive a key from comparing a before and after of a file if a clean copy is obtainable, additional coding required.



#6 blackmaxpayne

Posted 15 May 2016 - 10:49 PM

> I am working on a Windows port for this. If anyone is affected by this ransomware, post here, and I can see if it will work with your files. Requires an encrypted .docx file to derive the key to begin with, may be able to adapt for other formats. Otherwise, it would be possible to derive a key from comparing a before and after of a file if a clean copy is obtainable, additional coding required.

Hey, how are you? I'm new to this and since you've answered this question before, I did exactly what you did here:

http://www.bleepingcomputer.com/forums/t/609661/ccc-rsa-2048-dropped-how-to-recover-opmtxt/

and I've run into a roadblock. Can you help me with this problem ASAP? I have a bunch of music files encrypted, and I'm using a 4 core Win7 and the sample file can be cracked.

  • sample_extension: .ccc
  • sample_bytes: [0x0 - 0x8] 0xDEADBEEF

Edited by blackmaxpayne, 15 May 2016 - 10:51 PM.


#7 al1963

Posted 16 May 2016 - 12:03 AM

@blackmaxpayne.

If you have encrypted files with the extension .ccc, then create your message in this thread:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/
+
If you need help deciphering these files, add one or more encrypted files on sendspace.com and give a link to the files in your message.



#8 quietman7

Posted 16 May 2016 - 05:53 AM

> ...I'm new to this and since you've answered this question before, I did exactly what you did here:
> http://www.bleepingcomputer.com/forums/t/609661/ccc-rsa-2048-dropped-how-to-recover-opmtxt/
> and I've run into a roadblock. Can you help me with this problem ASAP? I have a bunch of music files encrypted, and I'm using a 4 core Win7 and the sample file can be cracked.
>
>   • sample_extension: .ccc
>   • sample_bytes: [0x0 - 0x8] 0xDEADBEEF


This topic is for Crypren Ransomware Support.

 

Support for TeslaCrypt 2.0 (and older versions) is provided in this topic where you can ask questions and seek further assistance.


Support for decryption requests is provided here:


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image]

#9 Jammed_Death

Posted 26 May 2016 - 02:36 PM

Can I use a live Linux to decrypt files on a Windows infected PC?

#10 Demonslay335

Posted 26 May 2016 - 02:39 PM

> Can I use a live Linux to decrypt files on a Windows infected PC?

You should be able to by following the instructions on the Github page to compile and run the program. I haven't had a chance to get my port fully tested and working yet.

 

If you have an encrypted .docx file and need help with getting the key, I can help with that. I do have key extraction working on my beta build.



#11 Jammed_Death

Posted 26 May 2016 - 02:45 PM

It's a customer's computer with .encrypted files on Windows XP. I can't take files from it. I will see if I can work on it; hope we can get a fully working executable soon.

#12 Demonslay335

Posted 26 May 2016 - 03:12 PM

Is the ransom note the exact same filename and contents? There are a few ransomwares that use the ".encrypted" extension, the most common one being Crypt0L0cker (TorrentLocker). Crypren was much less wide-spread to our knowledge.



#13 Jammed_Death

Posted 26 May 2016 - 03:19 PM

Googling, this was the only one with the .encrypted extension.

#14 Demonslay335

Posted 26 May 2016 - 03:56 PM

What ransom note do you have? That's the only way to confirm. You can upload one along with an encrypted file to the service in my signature to confirm.



#15 Jammed_Death

Posted 27 May 2016 - 03:17 AM

You're right... the customer sent me a pic and it is Crypt0L0cker.
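The identification steps discussed in this thread, as an added example that is not code from any poster or from the DecryptCrypren project: a read-only triage that looks for the READ_THIS_TO_DECRYPT.html note and for .encrypted files whose inner extension is on the first post's list, and collects encrypted .docx files because post #5 says key derivation needs one. The function names, result keys and sample filenames are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile

# Indicators as given in the first post of this thread.
NOTE_NAME = "READ_THIS_TO_DECRYPT.html"
MARKER_EXT = ".encrypted"
TARGETED = set(
    "txt jpg png xml doc docx xls xlsx ppt pptx gif bmp sql php html cpp docm "
    "docb rar zip xlm mp3 mp4 xlsb xla xlam xll xlw pdf pps pot accdb accde "
    "accdt accdr cert swf mdb rtf gzip tar css".split()
)

def triage(root):
    """Read-only walk of root; returns Crypren indicator counts and a verdict."""
    notes, docx_samples, targeted, other = [], [], 0, 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower == NOTE_NAME.lower():
                notes.append(path)
            elif lower.endswith(MARKER_EXT):
                # The marker is appended, so the original extension precedes it.
                inner = os.path.splitext(lower[: -len(MARKER_EXT)])[1].lstrip(".")
                if inner in TARGETED:
                    targeted += 1
                    if inner == "docx":  # post #5: key derivation needs a .docx
                        docx_samples.append(path)
                else:
                    other += 1
    if notes and targeted:
        verdict = "consistent with Crypren"
    elif notes or targeted or other:
        # Other families also use .encrypted (post #12), so do not guess.
        verdict = "ambiguous: confirm the ransom note before using any decryptor"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "notes": notes, "targeted_encrypted": targeted,
            "other_encrypted": other, "docx_samples": docx_samples}

def demo(with_note):
    """Triage a constructed sample tree, with or without the Crypren note."""
    with tempfile.TemporaryDirectory() as root:
        names = ["report.docx.encrypted", "song.mp3.encrypted", "notes.txt"]
        for name in names + ([NOTE_NAME] if with_note else []):
            open(os.path.join(root, name), "wb").close()
        return triage(root)

if __name__ == "__main__":
    print(demo(True), demo(False), sep="\n")
```

A "consistent" verdict only means the filenames match the indicators in this thread; the note's contents still need to be compared, as posts #12 and #14 ask.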





