RSA 4209 Converted every file to Crypt


  • This topic is locked
4 replies to this topic

#1 BAS36109

BAS36109

  • Members
  • 1 posts

Posted 22 May 2016 - 07:14 PM

Good evening, everyone,

 

I'm a nervous wreck because my work laptop (I work for a small not-for-profit organization) has just been infected with the RSA 4209 virus as of this afternoon.  Not only can I not access a single file, but my personal SD card with my honeymoon photos was impacted as well because it was loaded in the computer because I recently uploaded a few photos from a work-related event. 

 

Is there any hope for me to recover my files?  The $1500 ransom is simply out of the question.  My employer doesn't have it, and neither do I.

 

Any suggestions and reassurance would be appreciated. 

 

BAS

 

 




 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,479 posts

Posted 22 May 2016 - 07:25 PM

You will need to provide more details for assistance. What is the file name of the ransom note?

If your files had ".crypt" appended, you were most likely hit by CryptXXX. You can try the Kaspersky tool, but it may not decrypt the very newest variant.

You can upload an encrypted file and ransom note to the service in the signature to confirm.

You can find more details about CryptXXX in the support topic.
http://www.bleepingcomputer.com/forums/t/609690/cryptxxx-ransomware-support-and-help-topic-crypt-ext-de-crypt-readmehtml

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts

Posted 23 May 2016 - 06:43 PM

CryptXXX Ransomware will leave files (ransom notes) named de_crypt_readme.txt, de_crypt_readme.html, de_crypt_readme.bmp, de_crypt_readme.png. Newer CryptXXX 2.0+ variants have been reported to leave unique Personal ID files using random 12 hexadecimal characters with names like !Recovery_<id-number>.html, !Recovery_<id-number>.txt, !Recovery_<id-number>.bmp (i.e. !Recovery_4582C8FAEB15).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click (donation button image)
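
The file names given in the replies above (the ".crypt" appended extension, the de_crypt_readme.* notes and the !Recovery_<12 hex characters>.* notes) can be turned into a triage check over a file listing. This is an added example, not code from any poster or from BleepingComputer; the function names and the sample listing are constructed for illustration, and accepting lower-case hex in the ID is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Name patterns taken from the posts above; everything else here is illustrative.
NOTE_V1 = re.compile(r"de_crypt_readme\.(txt|html|bmp|png)", re.I)
NOTE_V2 = re.compile(r"!Recovery_([0-9A-F]{12})\.(html|txt|bmp)", re.I)
EXT = ".crypt"

def classify(name):
    """Return (kind, detail) for one file name, or None when nothing matches."""
    if NOTE_V1.fullmatch(name):
        return "note-v1", None
    m = NOTE_V2.fullmatch(name)
    if m:
        return "note-v2", m.group(1).upper()       # detail = Personal ID
    if name.lower().endswith(EXT) and len(name) > len(EXT):
        return "encrypted", name[:-len(EXT)]       # detail = original file name
    return None

def triage(paths):
    """Count indicator types per directory and collect the Personal IDs seen."""
    dirs, ids = {}, set()
    for p in paths:
        path = PureWindowsPath(p)
        hit = classify(path.name)
        if hit is None:
            continue
        kind, detail = hit
        counts = dirs.setdefault(str(path.parent), {})
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "note-v2":
            ids.add(detail)
    return {"dirs": dirs, "ids": sorted(ids)}

SAMPLE = [  # constructed listing, not taken from a real machine
    r"C:\Users\demo\Documents\budget.xlsx.crypt",
    r"C:\Users\demo\Documents\de_crypt_readme.txt",
    r"C:\Users\demo\Documents\minutes.docx",
    r"E:\DCIM\IMG_0001.JPG.crypt",
    r"E:\DCIM\IMG_0002.JPG.crypt",
    r"E:\DCIM\!Recovery_4582C8FAEB15.html",
    r"E:\DCIM\!Recovery_4582C8FAEB1.txt",   # only 11 hex characters: ignored
]

if __name__ == "__main__":
    for folder, counts in triage(SAMPLE)["dirs"].items():
        print(folder, counts)
```

A directory that holds both note styles, or more than one Personal ID, is worth flagging separately because it suggests more than one infection.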

#4 AndyStewart

AndyStewart

  • Members
  • 6 posts

Posted 22 July 2016 - 10:03 AM

Hello everyone.

 

I would like to improve the current decryptors. But for this I would need to know more about the virus.

 

Could you please let me know what the CryptXXX 2.0+ file structure is?

 

From the other users in the forum I imagine that the files are composed of:

 

Encrypted data with RC4 + footer containing (260 or 280 bytes).

 

Does anybody know if this RC4 is equal to ARC4? Is it compressed with the MS Crypto API, or do they use another algorithm?

 

Are the contents of the file compressed before or after the encryption?



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts

Posted 22 July 2016 - 02:43 PM


A repository of all current knowledge regarding CryptXXX is provided by Grinler (aka Lawrence Abrams), in this topic: CryptXXX Ransomware Help, Information Guide and FAQ.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



