Customer system - infected and lost all files to CRYPT


This topic is locked
3 replies to this topic

#1 cornerstone

  • Members
  • 19 posts
  • Gender:Male
  • Location:Appleton - WI - USA

Posted 14 June 2016 - 06:13 AM

Hi - I have a client's system here that has been infected with one of the ransom viruses. I have tried all three of the Kaspersky decryption engines but to no avail in decrypting the client's files. I am short on time at the moment and will provide more information later, but my first two questions are:

1 - Can the files be placed onto a USB drive and stored until there is a decryption tool available, or do they need to stay on the client's computer to be decrypted?

2 - I'd be more than happy to have any of the team members of Bleeping look at this thing over the Internet and see what they can glean from it.

Todd.


Cornerstone


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 June 2016 - 06:41 AM

Any files that are encrypted with CryptXXX Ransomware will have the .crypt extension appended to the end of the affected filename and leave files (ransom notes) named de_crypt_readme.txt, de_crypt_readme.html, de_crypt_readme.bmp, de_crypt_readme.png. CryptXXX 2.x/3.x variants will leave unique Personal ID files using random 12 hexadecimal characters with names like <id-number>.html, <id-number>.txt, <id-number>.bmp (i.e. S45CC72F3463.txt, !4AD604B8AE89.txt), !Recovery_<id-number>.html, !Recovery_<id-number>.txt, !Recovery_<id-number>.bmp (i.e. !Recovery_4582C8FAEB15.txt).

Any files that are encrypted with CryptXXX 3.x / UltraDeCrypter / UltraCrypter will have the .cryp1 or .crypz extension appended to the end of the affected filename. More information about CryptXXX Version 3.100 is provided in this article.

Any files that are encrypted with Chimera Ransomware will have a .crypt extension appended to the end of each filename, and it leaves files (ransom notes) named YOUR_FILES_ARE_ENCRYPTED.HTML.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cornerstone

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Male
  • Location:Appleton - WI - USA

Posted 14 June 2016 - 10:12 PM

Thanks for taking time out to help - I DO appreciate it. However, I ran ID Ransomware and the result is a bit confusing. I saved the results to a Word document and would attach it, but I do not see how to do that here, so here is a copy/paste. What I hope for is someone to give me some idea of what I am looking at here - this almost appears as if the system was hit with more than one ransomware program - right???

 

ID Ransomware

Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.

4 Results

CryptXXX 3.0

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: !Recovery_0BCB1C7B915C.html
  • sample_extension: .crypt

CryptXXX

This ransomware is decryptable!

Identified by

  • sample_extension: .crypt

Chimera

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_extension: .crypt

CryptXXX 2.0

This ransomware is decryptable!

Identified by

  • sample_extension: .crypt

© Copyright 2016 MalwareHunterTeam. All rights reserved.

App v1.2.6, Updated 06/14/2016


Cornerstone
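A worked triage helper, added here as an example and not code from the thread, from ID Ransomware or from BleepingComputer. It applies the indicators quietman7 listed in reply #2 (the .crypt / .cryp1 / .crypz extensions and the de_crypt_readme.*, !Recovery_<id-number>.*, <id-number>.* and YOUR_FILES_ARE_ENCRYPTED.HTML note names) to a directory listing, and it reproduces what the ID Ransomware output in reply #3 shows: a bare .crypt sample is consistent with four families, and only the ransom-note name narrows the set. The family labels reuse the names ID Ransomware printed above; the indicator-to-family mapping, the optional leading "!" on the bare <id-number> note, and the sample filenames are assumptions of mine, not a vendor signature set.

```python
"""Infer candidate ransomware families from filenames alone, using the
extension and ransom-note indicators from the reply above."""
import os
import re
from collections import Counter

# Indicators transcribed from quietman7's reply. Mapping each indicator to a
# family name is my reading of that reply (labels follow ID Ransomware's output).
EXTENSION_HINTS = {
    ".crypt": {"CryptXXX", "CryptXXX 2.0", "CryptXXX 3.0", "Chimera"},
    ".cryp1": {"CryptXXX 3.x / UltraCrypter"},
    ".crypz": {"CryptXXX 3.x / UltraCrypter"},
}

# Ransom-note filename patterns (case-insensitive). Treating the leading "!"
# on the bare <id-number> note as optional is an assumption.
HEX12 = r"[0-9A-F]{12}"
NOTE_PATTERNS = [
    (re.compile(r"^de_crypt_readme\.(txt|html|bmp|png)$", re.I), {"CryptXXX"}),
    (re.compile(rf"^!Recovery_{HEX12}\.(html|txt|bmp)$", re.I),
     {"CryptXXX 2.0", "CryptXXX 3.0"}),
    (re.compile(rf"^!?{HEX12}\.(html|txt|bmp)$", re.I),
     {"CryptXXX 2.0", "CryptXXX 3.0"}),
    (re.compile(r"^YOUR_FILES_ARE_ENCRYPTED\.HTML$", re.I), {"Chimera"}),
]


def classify(filenames):
    """Return which families the observed bare filenames are consistent with.

    Extension evidence is weak because ".crypt" is shared by four families;
    a recognised ransom-note name is used to narrow that set.
    """
    ext_counts = Counter()
    ext_families = set()
    notes = []
    note_families = set()

    for name in filenames:
        ext = os.path.splitext(name)[1].lower()
        if ext in EXTENSION_HINTS:
            ext_counts[ext] += 1
            ext_families |= EXTENSION_HINTS[ext]
        for pattern, families in NOTE_PATTERNS:
            if pattern.match(name):
                notes.append(name)
                note_families |= families
                break

    if ext_families and note_families:
        # Keep what both kinds of evidence agree on; if they contradict each
        # other, report the union so the contradiction is visible, not hidden.
        candidates = (ext_families & note_families) or (ext_families | note_families)
    else:
        candidates = ext_families | note_families

    return {
        "encrypted_extensions": dict(ext_counts),
        "ransom_notes": notes,
        "candidates": sorted(candidates),
    }


def scan_directory(root):
    """Walk `root` (e.g. a mounted copy of the victim's drive) and classify it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return classify(names)


# Constructed sample listing mirroring what the topic starter reported:
# ".crypt" files plus a "!Recovery_<id>" note (the id is the one in reply #3).
SAMPLE_LISTING = [
    "Quarterly report.xlsx.crypt",
    "family photo.jpg.crypt",
    "!Recovery_0BCB1C7B915C.html",
    "!Recovery_0BCB1C7B915C.txt",
    "desktop.ini",
]

if __name__ == "__main__":
    for key, value in classify(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the sample listing the extension alone admits CryptXXX, CryptXXX 2.0, CryptXXX 3.0 and Chimera, and the !Recovery_ note cuts that to CryptXXX 2.0 / 3.0; nothing in the reply distinguishes 2.x from 3.x by note name, so the helper deliberately stops there rather than guess. Filenames are the weakest evidence available, so treat the result as a hint for what to submit to ID Ransomware, not as a final identification.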

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 June 2016 - 06:46 AM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Note: Various victims of CryptXXX reported they paid the ransom but the cyber criminals did not provide a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Keep this in mind if you are considering paying the ransom, since there is no guarantee decryption will be successful.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
