
Crypt38 Ransomware Help & Support Topic (.crypt38 / regist3030@yandex.ru)


  • Please log in to reply
2 replies to this topic

#1 Demonslay335
Posted 17 June 2016 - 05:28 PM

Fortinet recently released an article analyzing a new ransomware that goes by the name Crypt38.
 
This ransomware encrypts files using AES, and appends the extension ".crypt38". The victim is left with a screen locker that demands a payment of 1000 Rubles, or ~$15 USD. The victim is asked to email a code to regist3030@yandex.ru.
 
Below is an image of this ransom screen, which is completely in Russian.
 
(Image: http://www.bleepstatic.com/images/news/ransomware/week-in-ransomware/6-17-16/BRM1[1].png)
 
The ransomware will manually enumerate over drive letters in the following order. It is rather slow at encrypting and decrypting the system partly due to this.
 

C:\, D:\, E:\, Z:\, Y:\, X:\, W:\, V:\, F:\, G:\, H:\, I:\, J:\, K:\, U:\, T:\, S:\, R:\, Q:\, L:\, M:\, N:\, O:\, P:\, A:\, B:\

 
The following file extensions are targeted.
 

.txt, .pdf, .html, .rtf, .dwg, .cdw, .max, .psd, .3dm, .3ds, .dxf, .ps, .ai, .svg, .indd, .cpp, .pas, .php, .cs, .py, .java, .class, .fla, .pl, .sh, .jpg, .jpeg, .jps, .bmp, .tiff, .avi, .mov, .mp4, .amr, .aac, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .accdb, .odt, .odp, .odx, .ibooks, .xlp, .db, .dbf, .mdf, .sdf, .mdb, .sql, .rar, .7z, .zip, .vcf, .cer, .csr, .torrent, .otl, .report, .key, .csv, .xml

 
Paths with the following terms are skipped.
 

Windows, msocache, Program Files, Program Files (x86)

 
The good news is that victims of this ransomware can recover their files. If the program is still running, you may use my keygen to generate the unlock code. It will search for the request.bin the ransomware uses to store the victim ID; if it is not present, you may manually enter the victim ID. Once the code is generated, simply enter it into the malware to start decrypting the files.
 
I highly recommend backing up your .crypt38 files before letting it decrypt; in one instance of my testing, the decryption did fail (despite accepting and acknowledging the correct key) and corrupted files.
 
The keygen may be downloaded here: http://www.bleepingcomputer.com/download/crypt38decrypter/ 
If anyone has been hit by this ransomware, and has closed/deleted the malware, decryption is still possible. Simply back up the .crypt38 files and the %APPDATA%\request.bin file, and post here; I can write a proper decrypter if it is needed.

Edited by Grinler, 28 July 2016 - 09:56 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
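Since the advice above is to back up every .crypt38 file and the request.bin victim-ID file before letting anything decrypt, here is an added triage script (not the keygen or decrypter from this thread) that collects both for a given drive root and %APPDATA% directory. It assumes encrypted files keep their original name with .crypt38 appended, checks both request.bin locations mentioned in the thread, and runs against a constructed sample tree rather than a real infected system.

```python
import os
import shutil
import tempfile

ENC_EXT = ".crypt38"  # extension the ransomware appends to each encrypted file
# directory names the thread says the ransomware skips; nothing to collect there
SKIP_TERMS = {"Windows", "msocache", "Program Files", "Program Files (x86)"}
# both request.bin locations given in the thread, relative to %APPDATA% (assumed)
REQUEST_BIN_RELPATHS = ("request.bin", os.path.join("Microsoft", "Windows", "request.bin"))

def find_encrypted(root):
    """Sorted paths of *.crypt38 files under root, pruning the skipped directories."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_TERMS]  # prune in place
        found += [os.path.join(dirpath, n) for n in filenames if n.lower().endswith(ENC_EXT)]
    return sorted(found)

def find_request_bin(appdata):
    """First existing request.bin candidate under appdata, or None if none was written."""
    candidates = (os.path.join(appdata, rel) for rel in REQUEST_BIN_RELPATHS)
    return next((p for p in candidates if os.path.isfile(p)), None)

def backup_for_decrypter(root, appdata, dest):
    """Copy encrypted files (keeping relative layout) plus request.bin into dest."""
    copied = []
    for src in find_encrypted(root):
        target = os.path.join(dest, "files", os.path.relpath(src, root))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(src, target)
        copied.append(target)
    req = find_request_bin(appdata)
    if req is not None:
        shutil.copy2(req, os.path.join(dest, "request.bin"))
    return {"files": copied, "request_bin": req}

def run_demo():
    """Build a constructed sample tree in a temp dir and run the backup over it."""
    base = tempfile.mkdtemp()
    root, appdata, dest = (os.path.join(base, d) for d in ("drive", "appdata", "backup"))
    samples = {  # constructed sample files, not real victim data
        os.path.join(root, "Docs", "report.docx" + ENC_EXT): b"\x00ciphertext",
        os.path.join(root, "Docs", "notes.txt"): b"untouched plaintext",
        os.path.join(root, "Windows", "x.dll" + ENC_EXT): b"in a skipped directory",
        os.path.join(appdata, "Microsoft", "Windows", "request.bin"): b"victim-id",
    }
    for path, data in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return backup_for_decrypter(root, appdata, dest)
```

On a real machine, call backup_for_decrypter with the drive root, the expanded %APPDATA% path and an external destination; the returned dict lists what was copied so you can confirm request.bin was actually found before removing the malware.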

#2 Demonslay335
Posted 17 June 2016 - 10:22 PM

I have turned the keygen into a full decrypter. Victims may safely kill the lsass.exe process and remove the virus; just save the request.bin located at %APPDATA%\Microsoft\Windows, and load it into the decrypter.

 

Available at the same link: https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip


#3 Amigo-A
Posted 18 June 2016 - 04:06 AM

Demonslay335
Excellent! Well done!
 
I also added a description in Russian to my blog and a link to this topic for help with decrypting.

Digest about Crypto-Ransomwares (in Russian) + Google Translate

Anti-Ransomware Project (in Russian) + Google Translate and links
