CrypMIC (CryptXXX imposter) Support and Help Topic


415 replies to this topic

#1 cengizalcan
  • Members
  • 5 posts

Posted 01 August 2016 - 03:12 AM

Hello THYREX,

Today I got infected by the CrypMic ransomware. Can you help me decrypt my files?

Sample Files: https://www.sendspace.com/file/qsr3p3
 
 
 
 

@Artifice

http://factordb.com/index.php?id=1100000000852053788

Here's your PrivateKeyFile: 7E87A98094CC9D532570F1B018F7562879122A38F65CB4B64E2E8F0046BC43F7
Try it to decrypt all files.

PrivateKeyBC (C135) I will start only tomorrow and it takes 3-4 days




#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 August 2016 - 03:44 PM

CrypMIC mimics CryptXXX in terms of entry point, ransom notes (README.TXT, README.HTML, README.BMP) and payment sites, but it does not append an extension to encrypted files. CrypMic (like TeslaCrypt v4.0) is identified by unique hex patterns in the file header despite having no file extension. Unfortunately, I am not aware of any way to decrypt CrypMIC encrypted data without paying the ransom.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cengizalcan
  • Topic Starter
  • Members
  • 5 posts

Posted 02 August 2016 - 02:44 AM

CrypMIC mimics CryptXXX in terms of entry point, ransom notes (README.TXT, README.HTML, README.BMP) and payment sites but it does not append an extension to encrypted files. CrypMic (like TeslaCrypt v4.0) is identified by unique hex patterns in the file header despite having no file extension.

Unfortunately, I am not aware of any way to decrypt CrypMIC encrypted data without paying the ransom.

 
 
I'm sure the BleepingComputer team will find a solution for this virus. I just found my backup files. But I will check every day how to solve this virus.

Thanks a lot dear quietman7.. :)

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 August 2016 - 03:33 AM

You're welcome.

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#5 Chano3000
  • Members
  • 5 posts

Posted 02 August 2016 - 10:15 AM

My files have been encrypted. I need help in decrypting them.

 

Thanks



#6 Chano3000
  • Members
  • 5 posts

Posted 02 August 2016 - 11:31 AM

Can someone help me with these encrypted files.

 

https://www.sendspace.com/file/pr7urx

 

Thanks.



#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 August 2016 - 12:46 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

#8 JonathanAnon
  • Members
  • 9 posts

Posted 03 August 2016 - 06:28 AM

I have a customer with this as well. No backup, and all of their images, Word docs and Excel sheets are encrypted. Tried going to the website to pay for the encryption key, but it doesn't accept the ID that was left in the readme.txt ransom note. I've tried dozens of times, but it just seems to reload the page. Ransom note reads as follows:

 

 

-------------------------------------------------------------------------------------------------------------------------------------------

NOT YOUR LANGUAGE? USE https://translate.google.com
 
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
 
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
 
 
Your personal ID: F7C03F06:4A59AFCA:A956B39E:91BC2766     
 
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
 
 
If for some reasons the addresses are not availablweropie, follow these steps:
 
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - Video instruction: https://www.youtube.com/ watch?v=NQrUZdsw2hA
3 - After a successful installation, run the browser
4 - Type in the address bar: http://ccjlwb22w6c22p2k.onion
5 - Follow the instructions on the site
 
--------------------------------------------------------------------------------------------------------------------------------------------

 

Also tried using the Ransomware Decryptor from Kaspersky, but it does not work either. It just brings an error in the logs saying that it cannot initialize the decrypter. https://noransom.kaspersky.com/ Seems like it hasn't been updated to take account of the new version of the software.


Edited by JonathanAnon, 03 August 2016 - 06:30 AM.


#9 Croplop
  • Members
  • 1 posts

Posted 03 August 2016 - 07:13 AM

Hi JonathanAnon, I'm sorry, but the software "Kaspersky RansomWare Decryptor" does not solve anything.

I also have been infected and am looking for a solution.


Edited by Croplop, 03 August 2016 - 07:13 AM.


#10 Chano3000
  • Members
  • 5 posts

Posted 03 August 2016 - 07:42 AM

See Quietman7 comment above. I've been hit with the same virus. If you find out anything let us know.



#11 avilaccs80
  • Members
  • 4 posts

Posted 03 August 2016 - 11:21 AM

I got hit with the same virus and decided to pay the ransom. Now the transaction says rejected. I am 100% sure that the transaction is correct, but now I don't know what else to do. There is no way to send a message to understand the reason for the rejection.

Has anyone had this same issue? Did someone manage to solve it?



#12 ruskata
  • Members
  • 11 posts

Posted 03 August 2016 - 06:04 PM

I've been hit 3-4 weeks ago (actually when I found this place and registered) with CryptMIC. Still waiting for a decryptor...

To the newly arrived: don't pay the ransom. Most of the people I've heard of who paid got the decryptor, which doesn't work at all.

There are new updates from Trend Micro. Perhaps this one will be covered in the next update?



#13 Marylain
  • Members
  • 13 posts

Posted 04 August 2016 - 04:19 AM

I think I got infected by this ransomware.

Strange thing is that I was already infected before. 
I noticed all the files already encrypted were skipped. I also noticed some other files were not infected at all (large, uncompressed video files).

 

BTW, I checked the ransom note and the layout is the very same.

Of course, I haven't paid. I would rather lose all my files than pay some criminals.



#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 August 2016 - 06:54 AM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation.

#15 shawpie
  • Members
  • 10 posts
  • Gender:Male

Posted 04 August 2016 - 02:20 PM

Good afternoon,

 

Early this morning, I was handed a Win7 machine that has the "CrypMIC" ransomware virus.  I did use the ID Ransomware tool.

 

Using a hex editor, all the files that were encrypted have the same beginning 32 bits.

1b 2d 24 0f 12 df 4d 23 12 df 4d 23 12 df 4d 23
12 df 4d 23 f4 2d 24 0f f4 2d 24 0f f4 2d 24 0f

 

In fact, this web page has the same identical information:

http://www.broadanalysis.com/2016/08/03/neutrino-exploit-kit-via-eitest-85-93-0-12-delivers-crypmic-ransomware/

 

I have zipped up some files that have the readme.htm and bmp files, an XML, PDF.  

Also there are 2 files that I found in the "C:\Program Data\Microsoft\Crypto\RSA\Machine Keys" folder.

https://www.dropbox.com/s/t4bwxagvvelgokm/shawpie_crypmic.zip?dl=0

 

 

 

Sincerely

shawn
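Since this thread identifies CrypMIC files by that fixed header rather than by an extension, here is an added triage script (not code from any of the posts) that walks a directory and flags files whose first 32 bytes match the sequence shawpie listed; the sample tree it builds for the stand-alone run is constructed.

```python
"""Triage helper: flag files whose first 32 bytes match the CrypMIC header
pattern reported in this thread. Added example, not from the original posts."""
import tempfile
from pathlib import Path

# The 32-byte header quoted in post #15 (same bytes as in the BroadAnalysis
# write-up it links): one leading dword, then "12 df 4d 23" four times,
# then "f4 2d 24 0f" three times. The check compares the whole sequence.
CRYPMIC_HEADER = (
    bytes.fromhex("1b2d240f")
    + bytes.fromhex("12df4d23") * 4
    + bytes.fromhex("f42d240f") * 3
)


def header_matches(data: bytes) -> bool:
    """True only if data starts with the full 32-byte header; shorter input
    (a truncated or tiny file) never matches."""
    return data[:32] == CRYPMIC_HEADER


def scan_dir(root: str) -> list:
    """Return sorted paths under root whose header matches. Only the first
    32 bytes of each file are read, so large files cost nothing extra."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(32)
        except OSError:
            continue  # locked or unreadable: skip it rather than abort the triage
        if header_matches(head):
            hits.append(str(path))
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree: one file carrying the header, one plain file,
    one holding only half the header, and a ransom note. Returns the matching
    names relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xlsx").write_bytes(CRYPMIC_HEADER + b"\x00" * 64)
        (root / "notes.txt").write_bytes(b"plain text, not encrypted\n")
        (root / "half.bin").write_bytes(CRYPMIC_HEADER[:16])
        (root / "README.TXT").write_bytes(b"NOT YOUR LANGUAGE? USE https://translate.google.com\n")
        return [Path(p).relative_to(root).as_posix() for p in scan_dir(tmp)]


if __name__ == "__main__":
    print(demo())  # ['docs/budget.xlsx']
```

Point `scan_dir` at a mounted copy of the affected volume to get a list of encrypted files for a restore-from-backup comparison without opening each one in a hex editor.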





