
DED Cryptor Help & Support Topic ( dedcrypt@sigaint.org / .ded)


21 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 15 June 2016 - 10:11 AM

A new variant of the EDA2 ransomware has been spotted, calling itself DEDCryptor.

 

Files are encrypted with AES-256 using a secure 32-character password unique for each victim, and have the extension ".ded" added.

 

The victim's background is set to the following image after encryption has finished. No ransom note is left behind.

 

[Image: the wallpaper DED Cryptor sets after encryption]

 

The following extensions are targeted:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf

 

Unfortunately, there is no way to decrypt victims' data at this time.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
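An added example for the triage step that post #1 implies but does not show. This is my own Python, not code from the post, from BleepingComputer's tools, or from the malware. It takes file names, strips the ".ded" marker, and counts hits per original extension against the list above, so a responder can see at a glance what was hit and can spot ".ded" files whose original extension is not on the list. The entropy check and its 7.5 bits-per-byte threshold are an assumption of mine that goes beyond the post: a file that was only renamed, or truncated, will not look like AES output. The sample listing is constructed.

```python
"""Inventory files renamed by DED Cryptor (added example, constructed data)."""
import math
import os
from collections import Counter
from pathlib import PurePath

# Extension list from the post above; DED Cryptor appends ".ded" to these.
TARGETED = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".dll", ".lnk", ".pdf",
}
MARKER = ".ded"  # appended to the original name, e.g. report.docx.ded


def original_name(encrypted_name):
    """Return the pre-encryption name, or None if the name lacks the marker."""
    if not encrypted_name.lower().endswith(MARKER):
        return None
    return encrypted_name[:-len(MARKER)]


def classify(encrypted_name):
    """Classify one file name.

    Returns None for names without ".ded", otherwise (original_ext, status):
      'targeted' - the original extension is on the list in the post;
      'unlisted' - a ".ded" file whose original extension is not on that
                   list (a different build, or an unrelated file).
    """
    orig = original_name(encrypted_name)
    if orig is None:
        return None
    ext = PurePath(orig).suffix.lower()
    return ext, ("targeted" if ext in TARGETED else "unlisted")


def shannon_entropy(data):
    """Entropy in bits per byte: ciphertext is close to 8.0, text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    """Heuristic with an assumed threshold: flag a ".ded" file that was renamed
    but not actually encrypted, e.g. an empty or truncated file. Needs at
    least 256 bytes for the estimate to mean anything."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def inventory(names):
    """Summarise file names: hits per original extension, plus the number of
    names that are not ".ded" files at all."""
    summary = {"targeted": Counter(), "unlisted": Counter(), "not_ded": 0}
    for name in names:
        result = classify(name)
        if result is None:
            summary["not_ded"] += 1
            continue
        ext, status = result
        summary[status][ext] += 1
    return summary


def walk_inventory(root):
    """The same summary over a real directory tree (file names only)."""
    return inventory(f for _, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    # Constructed listing for illustration, not data from a real infection.
    sample = ["Q2 report.docx.ded", "backup.sql.ded", "index.php.ded",
              "notes.txt.ded", "photo.jpg", "odd.mp4.ded", "desktop.ini"]
    print(inventory(sample))
```

Run `walk_inventory(r"C:\Users")` on a copy of the affected tree before trying any decrypter; a large "unlisted" bucket means the extension list in the post does not match the build you are looking at, and a ".ded" file that fails `looks_encrypted` is probably recoverable by simply renaming it.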



#2 Amigo-A

Posted 16 June 2016 - 02:37 PM

Ded - in English: grandfather.
Ded Moroz - in English: Santa Claus, or literally: Grandfather Frost.
Only in the photo it is the evil Frost in a cap.

 

I have added a description of DEDCryptor Ransomware in Russian >>


Edited by Amigo-A, 17 June 2016 - 11:47 AM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 andrey1

Posted 17 June 2016 - 03:05 PM

How to decrypt?



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 June 2016 - 03:15 PM

how to decrypt?

 

As stated here and in the article, there is currently no way to decrypt DED Cryptor without paying the ransom.

 

If you are given the password from the criminals though, I can provide a reliable decrypter if you do not wish to trust theirs.




#5 andrey1

Posted 17 June 2016 - 03:25 PM

 

how to decrypt?

 

As stated here and in the article, there is currently no way to decrypt DED Cryptor without paying the ransom.

 

If you are given the password from the criminals though, I can provide a reliable decrypter if you do not wish to trust theirs.

 

I got the password for free. I'm from Russia, and they replied that it was a mistake and that they do not touch Russians. I have the password, but where do I get a decrypter? Maybe the Hidden Tear decrypter?

Edited by andrey1, 17 June 2016 - 03:27 PM.


#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 June 2016 - 03:27 PM

That's a very interesting development...
 
Here's a decrypter you may try on your files. You will have to enter the password and ".ded". Test it on a small directory first.
 
http://www.bleepingcomputer.com/download/hidden-tear-decrypter/



#7 andrey1

Posted 17 June 2016 - 03:29 PM

That's a very interesting development...
 
Here's a decrypter you may try on your files. You will have to enter the password and ".ded". Test it on a small directory first.
 
http://www.bleepingcomputer.com/download/hidden-tear-decrypter/

Thank you. Sorry for my bad English

#8 andrey1

Posted 17 June 2016 - 03:45 PM

This is their decryptor:

[Screenshot of the criminals' decryptor]


#9 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 June 2016 - 03:53 PM

Ya, theirs is derived off the original HiddenTear decrypter as well it looks like. Never know if they injected anything malicious into it. Let me know how my decrypter works for you.




#10 andrey1

Posted 17 June 2016 - 04:06 PM

I inspected the code (ILSpy) and found interesting strings in it:

    // Anti-analysis check. isVirtualMachine() is defined elsewhere in the binary;
    // when a VM is detected the sample only shows a fake "Trojan Scan Error" dialog.
    if (isVirtualMachine() > 0) {
        MessageBox.Show("VM is not supported", "Trojan Scan Error",
            MessageBoxButtons.OKCancel, MessageBoxIcon.Asterisk);
    }

    // Deletes every Volume Shadow Copy so the victim cannot restore files from them.
    ProcessStartInfo psi;
    psi = new ProcessStartInfo("cmd", @"/c vssadmin Delete Shadows  /All /Quiet");
    Process.Start(psi);


Edited by andrey1, 17 June 2016 - 04:45 PM.


#11 Grinler (Lawrence Abrams, Admin)

Posted 17 June 2016 - 04:15 PM

Yeah, I would stay away from that and use Demon's instead. Why use a decryptor that is going to clear your volume shadow copies?

#12 andrey1

Posted 17 June 2016 - 04:18 PM

Yeah, I would stay away from that and use Demon's instead. Why use a decryptor that is going to clear your volume shadow copies?

This is the DED Cryptor file, not the decryptor. The decryptor code matches the original.



#13 Grinler (Lawrence Abrams, Admin)

Posted 17 June 2016 - 04:39 PM

Ahh..yes, all of the EDA2 variants try to clear the shadows.
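Grinler's point that every EDA2 variant clears the shadows, together with the exact command line in the decompiled snippet in post #10, is what a detection rule should key on. The following Python is an added example of mine, not from the thread, from BleepingComputer, or from any product. It scans constructed process-creation records in a hypothetical "time|image|command_line|parent_image" format (a real source would be Sysmon Event ID 1 or Windows event 4688, mapped into that shape). It collapses whitespace before matching, because the decompiled command has a double space before /All, and ignores case. It also matches `wmic shadowcopy delete`, which the thread does not mention, as a generalisation; the parent-process allow-list is an assumption.

```python
"""Detect shadow-copy deletion in process-creation logs (added example)."""
import re
from dataclasses import dataclass

# The decompiled code in post #10 runs:  cmd /c vssadmin Delete Shadows  /All /Quiet
# Whitespace is collapsed before matching (note the double space before /All)
# and case is ignored, since vssadmin accepts any casing.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
# Equivalent command not mentioned in the thread, included as a generalisation.
WMIC_DELETE = re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)

# Assumed allow-list: backup agents under Program Files may legitimately prune
# shadow copies. cmd.exe is deliberately NOT trusted, because the sample itself
# goes through "cmd /c", so a cmd.exe parent tells you nothing.
TRUSTED_PARENT_DIRS = ("c:\\program files\\",)


@dataclass
class Event:
    time: str
    image: str          # executable that was started
    command_line: str
    parent_image: str   # executable that started it


def parse_line(line):
    """Parse one record in the hypothetical 'time|image|command_line|parent' format."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 4:
        return None
    return Event(*parts)


def classify(ev):
    """Return (severity, reason) if the event deletes shadow copies, else None."""
    cmd = " ".join(ev.command_line.split())
    if VSSADMIN_DELETE.search(cmd):
        reason = "vssadmin delete shadows"
    elif WMIC_DELETE.search(cmd):
        reason = "wmic shadowcopy delete"
    else:
        return None
    flags = [f for f in ("/all", "/quiet") if f in cmd.lower()]
    if flags:
        reason += " " + " ".join(flags)
    trusted = ev.parent_image.lower().startswith(TRUSTED_PARENT_DIRS)
    return ("medium" if trusted else "high"), reason


def scan(lines):
    """Run the rule over log lines; returns (time, severity, reason, parent) per hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev.time, verdict[0], verdict[1], ev.parent_image))
    return hits


# Constructed sample, not a real log. Lines 1-2 are the chain from the
# decompiled snippet (dropper -> cmd -> vssadmin); line 3 is benign
# enumeration; line 5 is a backup agent doing its job.
SAMPLE_LOG = """\
2016-06-17T10:01:02|C:\\Windows\\System32\\cmd.exe|cmd /c vssadmin Delete Shadows  /All /Quiet|C:\\Users\\andrey\\Downloads\\ded.exe
2016-06-17T10:01:05|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /All /Quiet|C:\\Windows\\System32\\cmd.exe
2016-06-17T10:02:00|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows|C:\\Windows\\System32\\cmd.exe
2016-06-17T10:03:00|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete|C:\\Users\\andrey\\Downloads\\ded.exe
2016-06-17T10:04:00|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN.EXE Delete Shadows /For=C: /Oldest|C:\\Program Files\\BackupAgent\\agent.exe
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The rule fires twice for the one deletion in the sample (once on the cmd.exe launch, once on vssadmin.exe itself), which is the behaviour you want: either event alone is enough to page someone, and the first one carries the real parent. Alerting on "/All /Quiet" with a user-profile parent is about as close to a zero-false-positive ransomware signal as process logs give you.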



#14 andrey1

Posted 17 June 2016 - 04:45 PM

Ya, theirs is derived off the original HiddenTear decrypter as well it looks like. Never know if they injected anything malicious into it. Let me know how my decrypter works for you.

I wasn't able to check but I think it works.



#15 andrey1

Posted 17 June 2016 - 04:47 PM

Ahh..yes, all of the EDA2 variants try to clear the shadows.

Freaking hackers, they can't find themselves a job and work like everyone else.




