eCh0raix Ransomware - QNAPCrypt/Synology NAS (.encrypt) Support Topic


1210 replies to this topic

#346 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 62,904 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 March 2020 - 03:35 PM

Unfortunately, newer versions (July 19, 2019 and later) are still not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#347 drhenruth

  • Members
  • 3 posts

Posted 07 March 2020 - 02:57 AM

Hello,
 
I wonder how many infected people have complained to the police? 
If the only solution is to have the primary keys of the hackers it would be interesting to know.
I don't know if the police are investigating this hack?


#348 quietman7


Posted 07 March 2020 - 07:23 AM

Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report, released yesterday by the FBI’s Internet Crime Complaint Center (IC3)...FBI urges victims to file official complaints.

FBI: Victims Aren't Reporting Ransomware Attacks
 




#349 vijayrajput

  • Members
  • 2 posts

Posted 17 March 2020 - 08:35 AM

Hi Team, please help me decrypt files with .!Encrypted



#350 SlavekP

  • Members
  • 2 posts

Posted 17 March 2020 - 11:59 AM

I have just decided to check the "order" page - just to see, if the pricing remained unchanged once the BTC is half of its original price.

But the page seems to be dead. Has anyone tried it recently?



#351 vijayrajput


Posted 17 March 2020 - 11:52 PM

any latest tool for recovering data... please help 

 

file ext     .!Encrypted   



#352 Amigo-A

    Security specialist and Ransomware expert

  • Members
  • 3,125 posts
  • Gender:Male
  • Location:Bering Strait

Posted 18 March 2020 - 03:17 AM

Hello vijayrajput

 

Attach several encrypted files and a ransom note here, or send them to me by PM.


My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#353 Amigo-A


Posted 18 March 2020 - 06:09 AM

> file ext .!Encrypted

I found an interesting coincidence of file names and your extension in a neighboring topic

 

!Encrypted.exe

https://www.virustotal.com/gui/file/394ba143556e813fcaea7919b670cf4b3c89680f682bf56c02997ad782c824f2/detection

 

It seems that a rather old encoder is used, but this does not make it safe. 

DrWeb knows it as Trojan.Ransom.690 (the middle of 2014).


Edited by Amigo-A, 18 March 2020 - 06:18 AM.


 


#354 quietman7


Posted 18 March 2020 - 08:31 AM

> any latest tool for recovering data... please help
>
> file ext     .!Encrypted

Are you sure this is eCh0raix Ransomware? How did you identify it?




#355 hodsenplods

  • Members
  • 4 posts

Posted 30 March 2020 - 07:55 AM

> I have just decided to check the "order" page - just to see, if the pricing remained unchanged once the BTC is half of its original price.
>
> But the page seems to be dead. Has anyone tried it recently?

I just tried yesterday and today and I can report the same: page is not reachable. Very bad news actually as I always considered this as a last resort.

 

Best regards

 

hodsenplods


Edited by hodsenplods, 30 March 2020 - 08:00 AM.


#356 doczilla

  • Members
  • 1 posts

Posted 19 April 2020 - 10:45 PM

Had a HDD fail so I went to restore all my kids' photos from my Synology to discover they were encrypted. Looks like from back in August, so the 2nd version. 172 character hash in the readme =(

 

Any updates? Also I found their site to be dead as well, just as a last resort =(



#357 quietman7


Posted 20 April 2020 - 07:02 AM

There are no updates that I am aware of.




#358 ptraid

  • Members
  • 9 posts
  • Gender:Male

Posted 24 May 2020 - 05:26 AM

I have had my files encrypted since yesterday, with the .encrypt extension and the README_FOR_DECRYPT.txt in each folder. It encrypts only document and image files (no video or uncommon file extensions). The ransom note does not contain the key at the end, just this:

----

All your data has been locked(crypted).
How to unlock(decrypt) instruction located in this TOR website: http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion/order/1L1WwajFy1MCSzvPzbi5YabcVWsi7JGwhf
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to

----

I isolated the binaries responsible for this (crp_linux_386 and crp_linux_arm), and there is a log file (screenlog.0) that lists the operation of the ransomware:

----

share/MD0_DATA/Web/crp_linux_arm: /share/MD0_DATA/Web/crp_linux_arm: cannot execute binary file
Init...
BTC addr: 1L1WwajFy1MCSzvPzbi5YabcVWsi7JGwhf
open /share/MD0_DATA/.@centerim/README_FOR_DECRYPT.txt: permission denied
open /share/MD0_DATA/.@mysql/mysql: permission denied
open /share/MD0_DATA/.@mysql/test: permission denied
open /share/MD0_DATA/.@qmonitor: permission denied
...

Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat
(0x831e7d0,0xa099960)
open /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat.encrypt: permission denied
Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/1.tms.dat
(0x831e7d0,0xa099980)
...
Encrypt file: /share/MD0_DATA/corpo.html
Encrypt file: /share/MD0_DATA/enviar.pl
Encrypt file: /share/MD0_DATA/ftp.txt
...
open /share/MD0_DATA/lost+found: permission denied
Encrypt file: /share/MD0_DATA/pass.txt
Encrypt file: /share/MD0_DATA/user.txt
Done!

----

Do you know which variant it is? Or is it a variant or muhstik?

Thanks
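
A log like the screenlog.0 quoted in post #358 can be used to scope the damage before restoring from backup. The following is an added example, not part of the original post or of any tool mentioned in this topic; the function name `triage_screenlog`, the sample log and the reading of the `permission denied` lines are assumptions.

```python
import re

# Constructed sample in the format of the screenlog.0 excerpt quoted above.
SAMPLE_LOG = """\
Init...
open /share/MD0_DATA/.@qmonitor: permission denied
Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat
(0x831e7d0,0xa099960)
open /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat.encrypt: permission denied
Encrypt file: /share/MD0_DATA/corpo.html
Encrypt file: /share/MD0_DATA/pass.txt
open /share/MD0_DATA/lost+found: permission denied
Done!
"""

ENCRYPT_RE = re.compile(r"^Encrypt file: (?P<path>.+)$")
DENIED_RE = re.compile(r"^open (?P<path>.+): permission denied$")


def triage_screenlog(text, suffix=".encrypt"):
    """Sort logged paths into likely-encrypted, write-failed and other-denied.

    Assumption: 'open <file><suffix>: permission denied' after
    'Encrypt file: <file>' means the output could not be created, so the
    original is probably intact. Confirm on disk before relying on it.
    """
    attempted = {}       # dict used as an ordered set, keeps log order
    write_failed = set()
    other_denied = []    # directories or files the process could not open
    completed = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENCRYPT_RE.match(line):
            attempted[m["path"]] = None
        elif m := DENIED_RE.match(line):
            path = m["path"]
            original = path[: -len(suffix)] if path.endswith(suffix) else None
            if original in attempted:
                write_failed.add(original)
            else:
                other_denied.append(path)
        elif line == "Done!":
            completed = True  # absent if the process was interrupted
    return {
        "likely_encrypted": [p for p in attempted if p not in write_failed],
        "write_failed": [p for p in attempted if p in write_failed],
        "other_denied": other_denied,
        "run_completed": completed,
    }
```

Pass the contents of the real screenlog.0 to `triage_screenlog` and check the `write_failed` paths on disk first, since those originals may still be readable.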



#359 pituke

  • Members
  • 2 posts

Posted 24 May 2020 - 05:54 AM

Hello. I am a victim of a hacker attack on QNAP NAS TS-491, all my files are encrypted and all my document and photo files have the extension .encrypt. I tried to use ECh0raixDecoder2, but no success. Can't find the key. I tried a pair of files, encrypted and original, also known header files and a whole encrypted dir. Is there any other way to decrypt my files without payment to the attacker?

 

Thanks for advice.



#360 quietman7


Posted 24 May 2020 - 05:58 AM

Newer versions (July 19, 2019 and later) are not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced...the public RSA key alone that encrypted files is useless for decryption.

