
Apocalypse ( .Encrypted) Ransomware Help Topic - *filename*.How_To_Decrypt.txt


120 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 13 June 2016 - 10:02 AM

A new ransomware called Apocalypse was discovered by Emsisoft that encrypts your data and then requires you to email decryptionservice@mail.ru for ransom instructions. Thankfully, Fabian Wosar of Emsisoft was able to create a decryptor for this ransomware.

 

When files are encrypted they will have the .encrypted extension appended to file names. Furthermore, for each file encrypted a ransom note will be created. For example, if Apocalypse encrypts a file called test.jpg, a test.jpg.encrypted file and a test.jpg.encrypted.How_To_Decrypt.txt file will be created.

 

The ransomware will also create an autorun entry that points to C:\Program Files (x86)\windowsupdate.exe so that the ransomware is started when a user logs into Windows. Once started, it will display a lock screen like the one below. You can reboot into safe mode to bypass the lock screen and run the decryptor.

[Image: lock-screen.png]




#2 Amigo-A (Members)

Posted 13 June 2016 - 10:41 AM

Thanks for the info. Very interesting!
Tell me, please: was the name Apocalypse given by the extortionists, or by Emsisoft?

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 13 June 2016 - 11:37 AM

It's a name given by the malware devs.



#4 Amigo-A (Members)

Posted 13 June 2016 - 12:30 PM

Do you know how much BTC the extortionists want for the decryptor?


Edited by Amigo-A, 13 June 2016 - 12:31 PM.



#5 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 13 June 2016 - 12:40 PM

No, I have not contacted them.



#6 rp-57 (Members)

Posted 13 June 2016 - 01:06 PM


Have a question, should this program that you are talking about be downloaded to our desktop and have it ready in case it is ever needed or just not download it until it is needed? Thanks for reading.



#7 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 13 June 2016 - 01:20 PM

Just download as needed.



#8 rp-57 (Members)

Posted 13 June 2016 - 02:59 PM

Ok

 


Ok thank you.



#9 volk4n (Members)

Posted 13 June 2016 - 04:11 PM

It did not solve my files. I think I'm the same, but different extensions derivatives

my file

https://www.sendspace.com/file/eo5klt

extension encrypted but variant maybe torrentlocker



#10 cybercynic (Members)

Posted 13 June 2016 - 05:35 PM

Upload an encrypted file and the ransom note to ID-Ransomware for an identification of your encryption.

We are drowning in information - and starving for wisdom.


#11 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 13 June 2016 - 05:51 PM


 

Unfortunately, there will be many false-positives with people believing this is their variant, when in fact Crypt0L0cker/TorrentLocker is much more widespread. If you do not have the exact same ransom note as mentioned in the first post (".How_To_Decrypt.txt" for each file encrypted), then you were not hit by Apocalypse. If you upload a ransom note to ID Ransomware (link in my signature), it should be able to guide you to the correct topic.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
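
The note criterion from the posts above (every `.encrypted` file has a matching `<name>.encrypted.How_To_Decrypt.txt` beside it), as an added triage example that is not part of any post in this thread or of any Emsisoft tool. The function name `triage`, the verdict strings and the sample tree are assumptions made for illustration.

```python
import os

EXT = ".encrypted"                      # extension named in the first post
NOTE_SUFFIX = ".How_To_Decrypt.txt"     # per-file note suffix from the first post

def triage(root):
    """Pair every *.encrypted file under root with its per-file ransom note."""
    paired, unpaired, orphan_notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        # Compare lower-cased names: Windows file systems ignore case.
        present = {f.lower() for f in files}
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low.endswith(EXT):
                has_note = low + NOTE_SUFFIX.lower() in present
                (paired if has_note else unpaired).append(full)
            elif low.endswith((EXT + NOTE_SUFFIX).lower()):
                # Note left behind without its encrypted file (cleanup target).
                if low[: -len(NOTE_SUFFIX)] not in present:
                    orphan_notes.append(full)
    if paired and not unpaired:
        verdict = "consistent with Apocalypse"
    elif paired:
        verdict = "mixed: some .encrypted files lack the per-file note"
    elif unpaired:
        verdict = "not Apocalypse by the note criterion"
    else:
        verdict = "no .encrypted files found"
    return {"paired": paired, "unpaired": unpaired,
            "orphan_notes": orphan_notes, "verdict": verdict}

if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        # Constructed sample tree so the script runs without real evidence.
        target = tempfile.mkdtemp()
        for n in ("test.jpg.encrypted", "test.jpg.encrypted.How_To_Decrypt.txt"):
            open(os.path.join(target, n), "w").close()
    result = triage(target)
    print(result["verdict"], len(result["paired"]), len(result["unpaired"]))
```

The verdict is only a first-pass hint based on file names; uploading a ransom note and an encrypted file to ID Ransomware, as advised in the thread, remains the way to confirm the family.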


#12 djorgensen (Members)

Posted 14 June 2016 - 04:42 PM

I have a similar problem, ID Ransomware reports Apocalypse

 

my ransom note looks like this

 

Attention!

All your data was Encrypted!
 
If you wanna get it back contact via email:
 
decryptservice@inbox.ru
Your Personal ID: XXXXXXXX
 
WARNING: If you don't contact next 72 hours, then all DATA will be damaged unrecoverably!!!

Edited by djorgensen, 15 June 2016 - 04:35 AM.


#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 14 June 2016 - 05:08 PM

Unfortunately with ransomware infections, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#14 djorgensen (Members)

Posted 14 June 2016 - 05:11 PM


Wishful thinking I suppose on my part

You'd think they'd get more payouts if people thought they'd get a result. Money down the drain, but if it had worked a lot of money saved!



#15 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 14 June 2016 - 05:15 PM

 

> I have a similar problem, ID Ransomware reports Apocalypse but I cannot decrypt the files
>
> I've paid them their ransom of 2 bitcoins and they have now gone quiet on me.
>
> my ransom note looks like this
>
> Attention!
>
> All your data was Encrypted!
>
> If you wanna get it back contact via email:
>
> decryptservice@inbox.ru
> Your Personal ID: XXXXXXXX
>
> WARNING: If you don't contact next 72 hours, then all DATA will be damaged unrecoverably!!!

 

 

That ransom note is definitely from Apocalypse.

Instead of paying the ransom immediately, I would have contacted Fabian for assistance in this topic. There is always a chance you were hit by a modified variant if they updated it, or some other environmental change caused an issue (I don't know the specifics on how this ransomware was cracked). Try to locate any malicious files; they may be needed if it needs to be analyzed.

 

You can share a few encrypted files here for investigation as well. A third-party service such as SendSpace is sufficient.






