What is this ransomware and can I decrypt it?
#1 stevenwill22

Posted 13 July 2016 - 01:30 AM

I opened my work laptop today to find that all my documents and images on specific drives were encrypted; they keep the same name and extension but with .4A5C4 appended at the end.

There were ransom notes in almost every folder on those drives (G and H), in txt, html and bmp form, with the name A301...., which, as explained by the ransom note, is my public key.

A few Google searches told me that this is ransomware, and most links directed me to Tesla ransomware solutions. I followed the manual solutions, such as rebooting into Safe Mode and deleting everything ransom-related. Thankfully it did not infect my documents inside the user folder or the sample pictures; I believe the C drive was safe.

I deleted all ransom-related stuff from the drive, and when it came to decrypting, the Tesla decryptors did not work. I found out that this is not Tesla but another ransomware, since Tesla only uses specific file extensions, not a random string; I found nobody with the same string in the extension.

When I used ID Ransomware, it said that this was CryptXXX 3.0, but it said that was only due to the fact that the extension is 5 hex characters. The file size is almost the same, with an addition of a couple of KB or so, e.g. from 30 to 32 KB or 749 to 756 KB.

 

I don't have the ransom note, but it was almost identical to the samples people post: what happened to my files, RSA-4096 encryption, public key, 3 onion links.

I have some backups, but they are over a year old; a lot has happened since then and I really need those files.

Finally, I tried the Rannoh decryptor from Kaspersky. It says it can identify CryptXXX V3, but it says nothing when I compare two copies of the same file (encrypted and not). This is the report:

09:25:00.0583 0x06f0  Initialize success
09:25:22.0407 0x0aa0  Can't initialize on pair
09:25:22.0408 0x0aa0  Can't init decryptor

I don't have any ransom notes, unfortunately. I restarted but nothing changed, no new ransom notes, and there is absolutely no way I will pay a ransom, so are my files lost forever?


#2 quietman7 (Global Moderator)

Posted 13 July 2016 - 07:52 AM

Any files that are encrypted with CryptXXX 3.x will have the .cryp1, .crypz or a random 5-hexadecimal-character extension (e.g. .AC0D4, .DA3D1, .73E61, .EF538) appended to the end of the encrypted data filename, as explained here.

Kaspersky Lab's RannohDecryptor tool will work for those infected with older variants of CryptXXX. However, Kaspersky's tool will not work on CryptXXX 3.x variants...it will detect but not decrypt.

Trend Micro released a Ransomware File Decryptor for victims of CryptXXX v1/v2/v3* but advises that its decrypter may only do a partial data decryption on CryptXXX 3.0 encrypted files.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer...but it never hurts to try in case the malware did not do what it was supposed to do. It is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.

If that is not a viable option and there is no decryption fix tool, the only other alternative is to back up/save your data as is and wait for a possible breakthrough. What seems like an impossibility at the moment (decryption of your data) may someday have a solution, so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection, including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
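The reply above gives the naming rule for CryptXXX 3.x (one appended extension of .cryp1, .crypz or five hex characters, original name and extension kept), and the first post adds two observations: ransom notes dropped as a txt/html/bmp set sharing one basename, and encrypted files only a few KB larger than the originals. The script below is an added example, not code from the thread or from any tool named in it (ID Ransomware, RannohDecryptor, the Trend Micro decrypter). It walks a directory tree and applies those heuristics, pairing each renamed file with a plaintext copy found beside it or at the same relative path in an old backup so the size delta can be read off. The sample tree it builds (the names A301ABCD, report.docx, photo.jpg and the 30 KB / 32 KB sizes) is constructed data modelled on the posts. A match is a triage signal to take to ID Ransomware, not an identification.

```python
"""Triage scan for files renamed in the CryptXXX 3.x style (added example).

Heuristics assumed here, drawn from the thread rather than from any vendor
tool: an encrypted file keeps its original name and extension and gains one
appended extension of .cryp1, .crypz or exactly five hex characters; ransom
notes are dropped as a txt/html/bmp set sharing one basename per folder.
"""
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

APPENDED_EXT = re.compile(r"^\.(?:cryp1|crypz|[0-9a-f]{5})$", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".bmp"}


def split_encrypted_name(name):
    """Return (original_name, appended_ext) for 'report.docx.4A5C4', else None.

    The five-hex form is accepted only when an inner extension is present, so
    an ordinary file such as 'build.DEADB' is not flagged; .cryp1/.crypz are
    accepted unconditionally.
    """
    p = Path(name)
    if not APPENDED_EXT.match(p.suffix):
        return None
    if p.suffix.lower() not in (".cryp1", ".crypz") and not Path(p.stem).suffix:
        return None
    return p.stem, p.suffix


def scan(root, backup_root=None):
    """Inventory renamed files, note candidates and plaintext/encrypted size pairs.

    A plaintext copy is looked for beside the encrypted file and, if
    backup_root is given, at the same relative path under the backup.
    """
    root = Path(root)
    backup_root = Path(backup_root) if backup_root else None
    encrypted, ext_counter = [], Counter()
    note_groups = defaultdict(set)  # (relative dir, basename) -> suffixes present
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        hit = split_encrypted_name(path.name)
        if hit:
            original, ext = hit
            ext_counter[ext.upper()] += 1
            entry = {"path": rel.as_posix(), "original": original,
                     "encrypted_size": path.stat().st_size, "plain_size": None}
            candidates = [path.with_name(original)]
            if backup_root:
                candidates.append(backup_root / rel.with_name(original))
            for cand in candidates:
                if cand.is_file():
                    entry["plain_size"] = cand.stat().st_size
                    break
            encrypted.append(entry)
        elif path.suffix.lower() in NOTE_SUFFIXES:
            note_groups[(rel.parent, path.stem)].add(path.suffix.lower())
    # A basename present in two or more of txt/html/bmp in one folder is a note candidate.
    notes = sorted((d / stem).as_posix()
                   for (d, stem), sfx in note_groups.items() if len(sfx) >= 2)
    return {"encrypted": encrypted, "extensions": ext_counter, "note_candidates": notes}


def report(result):
    """Render the scan result as plain text."""
    lines = [f"{sum(result['extensions'].values())} renamed files, "
             f"appended extensions: {dict(result['extensions'])}"]
    for e in result["encrypted"]:
        if e["plain_size"] is None:
            lines.append(f"  {e['path']}: {e['encrypted_size']} bytes, no plaintext copy found")
        else:
            delta = e["encrypted_size"] - e["plain_size"]
            lines.append(f"  {e['path']}: {e['plain_size']} -> {e['encrypted_size']} bytes (+{delta})")
    lines.append(f"ransom note candidates: {result['note_candidates']}")
    return "\n".join(lines)


def build_sample(base):
    """Constructed sample tree modelled on the thread: a G: drive and an old backup."""
    base = Path(base)
    docs = base / "G" / "Docs"
    docs.mkdir(parents=True)
    (docs / "report.docx.4A5C4").write_bytes(b"\x00" * 32 * 1024)
    (docs / "photo.jpg.4A5C4").write_bytes(b"\x00" * 756 * 1024)
    (docs / "notes.txt").write_bytes(b"untouched plaintext file")
    for sfx in (".txt", ".html", ".bmp"):
        (docs / ("A301ABCD" + sfx)).write_bytes(b"ransom note placeholder")
    backup = base / "backup" / "G" / "Docs"
    backup.mkdir(parents=True)
    (backup / "report.docx").write_bytes(b"\x00" * 30 * 1024)
    return base / "G", base / "backup" / "G"


def run_on_sample():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = build_sample(tmp)
        return scan(root, backup)


if __name__ == "__main__":
    print(report(run_on_sample()))
```

Run it against a mounted image or a copy of the affected drives rather than the live machine, and pass the old backup as the second argument so the size deltas can be compared with what the poster saw (a couple of KB of growth per file). Before deleting anything, also check whether Shadow Volume Copies survived, as the reply suggests (`vssadmin list shadows` from an elevated prompt), because a file-level scan like this one only inventories the damage; it does not recover data.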