rtyrtyrty extension


15 replies to this topic

#1 superjoe95


Posted 17 June 2016 - 06:41 AM

Hi Everyone,

 

My system has ransomware and all files have been encrypted and have the extension .rtyrtyrty. The text file spread throughout my system is READ TO DECRYPTIONS_.txt with the following message:

 
All your data files are crypted.
To decrypt files and gain access to them,
please send 0.5 Bitcoin to address
1G3uZtTUN8J3Wd9iQxft6Xej8BWh5EBHhz
 
and email to xg9739517395nb@163.com proof
(screen or TransID) of your payment.
 
After receiving the money, I will send you
your password and decrypt instruction via email.
 
I've had BitDefender 2016 on my system for months now and somehow it was removed when this all took place. I believe I have managed to dig up a pre-encrypted file and its encrypted counterpart, as it looks like that is what is needed. Thank you in advance.
 



#2 Demonslay335

Ransomware Hunter

Posted 17 June 2016 - 09:01 AM

You may submit any suspicious or malicious files, ransom note, and your encrypted/clean pair here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Based on the email address, I was able to dig up a possible sample, but haven't analyzed it yet to see if it matches.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Demonslay335

Ransomware Hunter

Posted 17 June 2016 - 09:04 AM

Can you try Fabian's Xorist decrypter with your file pair? I have suspicions it may be a variant based on the similar sample's analysis.

 

https://decrypter.emsisoft.com/xorist

 

*Edit: I actually have the name of that ransom note defined on ID Ransomware for Xorist already - I'm 99% sure now you are dealing with Xorist. :)


Edited by Demonslay335, 17 June 2016 - 09:07 AM.



#4 superjoe95


Posted 17 June 2016 - 02:31 PM

> You may submit any suspicious or malicious files, ransom note, and your encrypted/clean pair here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168
>
> Based on the email address, I was able to dig up a possible sample, but haven't analyzed it yet to see if it matches.

I have submitted an encrypted file. 



#5 superjoe95


Posted 17 June 2016 - 02:37 PM

> Can you try Fabian's Xorist decrypter with your file pair? I have suspicions it may be a variant based on the similar sample's analysis.
>
> https://decrypter.emsisoft.com/xorist
>
> *Edit: I actually have the name of that ransom note defined on ID Ransomware for Xorist already - I'm 99% sure now you are dealing with Xorist. :)

Yes, I came across this when I searched the ransom note, that it might be Xorist. I did download the decrypter and it took me a few tries to get it to start doing anything. At first it kept giving me an error message right out of the gate stating the file could not be decrypted, and then after trying it a 4th time it started doing something, but after it reached 100% it said it would not be able to decrypt the file. I'm not sure how exact the encrypted and non-encrypted files have to be, but I can't find any non-encrypted files on my system that have an encrypted counterpart. I did retrieve a Word file from an email I sent Sunday night and used that as the unencrypted counterpart to the original saved on my desktop.



#6 Demonslay335

Ransomware Hunter

Posted 17 June 2016 - 02:43 PM

It has to be the exact same file before and after to retrieve a key. Any chance your Sample Pictures were hit? You can easily obtain the originals here: http://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip

 

If the decrypter doesn't work for you, we may need a sample of the malware to analyze for any changes.




#7 superjoe95


Posted 17 June 2016 - 08:25 PM

> It has to be the exact same file before and after to retrieve a key. Any chance your Sample Pictures were hit? You can easily obtain the originals here: http://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip
>
> If the decrypter doesn't work for you, we may need a sample of the malware to analyze for any changes.

Yes they were. I'll download these and try and report back. 

 

I have submitted an encrypted file for analysis. 



#8 superjoe95


Posted 18 June 2016 - 05:20 PM

Ok so using the Sample pictures generated a code for me to use. It decrypted most of the files but I still see some random files that are still encrypted. The decrypter tool looks like it just skipped over them if I look at the log. It doesn't say "decrypted" or any sort of error message indicating it couldn't decrypt the file.

 

Also how do I go about removing all the ransom letter .txt files left all over my system? 



#9 Demonslay335

Ransomware Hunter

Posted 18 June 2016 - 05:24 PM

You can use the RansomNoteCleaner in my signature. Select Xorist, and it should find them.



#10 superjoe95


Posted 18 June 2016 - 06:03 PM

Thanks, I'll be sure to check that out.

 

Any advice for some of the files left encrypted? 



#11 Demonslay335

Ransomware Hunter

Posted 18 June 2016 - 06:39 PM

I'm not as familiar with the inner workings of how Xorist variants work, but you can zip up several and submit them for analysis. Also include one of the clean pairs you used to decrypt the rest so we can test that.

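A small inventory sweep in the spirit of CryptoSearch and RansomNoteCleaner, added here as an example and not code from either tool or from anyone in this thread: it walks a directory, lists files carrying the .rtyrtyrty extension, flags ransom notes by the file name and opening line quoted in the first post, and reports clean/encrypted candidate pairs sitting side by side, which is exactly what Demonslay335 says the decrypter needs to recover a key. The function names, the sample tree and its byte contents are constructed for the example.

```python
import os
import tempfile

ENCRYPTED_EXT = ".rtyrtyrty"                       # extension reported in this thread
NOTE_NAME = "READ TO DECRYPTIONS_.txt"             # ransom note file name from the first post
NOTE_MARKER = b"All your data files are crypted."  # opening line of the note text

def is_ransom_note(path):
    """Match a note by its known file name, or by its opening line if it was renamed."""
    if os.path.basename(path) == NOTE_NAME:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(256).lstrip().startswith(NOTE_MARKER)
    except OSError:  # unreadable file: skip it rather than abort the sweep
        return False

def scan(root):
    """Inventory ransom notes, encrypted files and clean/encrypted candidate pairs under root."""
    notes, encrypted, pairs = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                original = name[: -len(ENCRYPTED_EXT)]
                # a clean copy beside its encrypted twin is the pair the decrypter needs to recover the key
                if original in files:
                    pairs.append((os.path.join(dirpath, original), full))
            elif is_ransom_note(full):
                notes.append(full)
    return {"notes": notes, "encrypted": encrypted, "pairs": pairs}

def demo():
    """Build a constructed sample tree in a temp dir, scan it and return (encrypted, pairs, notes) counts."""
    root = tempfile.mkdtemp()
    for rel, data in {  # constructed placeholder content, not real encrypted data
        "Documents/report.docx" + ENCRYPTED_EXT: b"\x17\x9a junk",  # encrypted, no clean twin left
        "Pictures/Koala.jpg" + ENCRYPTED_EXT: b"\x00\x11 junk",     # encrypted sample picture
        "Pictures/Koala.jpg": b"\xff\xd8\xff clean",                # its clean original, restored from a download
        "Pictures/" + NOTE_NAME: NOTE_MARKER + b"\nTo decrypt files and gain access to them,",
        "Documents/renamed.txt": b"  " + NOTE_MARKER + b" ...",      # same note text under another name
    }.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    result = scan(root)
    return len(result["encrypted"]), len(result["pairs"]), len(result["notes"])
```

The notes list is what a cleanup step would act on; moving them to a quarantine folder rather than deleting keeps one copy for analysis.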


#12 ramms001


Posted 01 July 2016 - 01:34 AM

I am also affected by the same ransomware. I downloaded the Xorist decrypter from the link https://decrypter.emsisoft.com/xorist. But I am not able to get it started, it just gives me a "No key found" error. Please help me to get this to work.



#13 ramms001


Posted 01 July 2016 - 02:03 AM

I have just submitted the affected and the original file on the link http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Computers in Office-I.pdf.rtyrtyrty is the affected file and Chapter 1.pdf is the original file.
My Email id is ramms001@gmail.com


#14 Fabian Wosar

Authorized Emsisoft Representative

Posted 01 July 2016 - 07:33 AM

Tested it with the files you provided. It worked just fine. Are you sure you selected both the encrypted and unencrypted version of your file and dragged them both onto the decrypter at the same time?
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#15 ramms001


Posted 02 July 2016 - 02:34 AM

My bad, I was doing it all wrong. I have got the key now.


Edited by ramms001, 02 July 2016 - 03:15 AM.
