CrypMIC (CryptXXX imposter) Support and Help Topic


427 replies to this topic

#16 Chano3000

  • Members
  • 5 posts

Posted 04 August 2016 - 02:54 PM

Has anyone had any luck with the decryption?




#17 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 August 2016 - 03:25 PM

Unfortunately, I am not aware of any way to decrypt CrypMIC encrypted data without paying the ransom.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#18 billyng7900

  • Members
  • 1 post

Posted 04 August 2016 - 08:58 PM

Hi everyone. Just want to share some information.

 

One of my clients got hit by this virus. When the virus attempted to encrypt the share drive's files, the process was terminated by the client.

We attempted to follow the instructions written in the ransom note, but the website cannot recognize the personal ID (maybe the process was terminated before the key was uploaded to their server).

Also, DON'T PAY to decrypt. You can get the reason in the comment part of this page: http://www.bleepingcomputer.com/news/security/new-cryptxxx-changes-name-to-microsoft-decryptor/ Someone had already paid but couldn't decrypt his files.



#19 JonathanAnon

  • Members
  • 9 posts

Posted 05 August 2016 - 02:03 AM

Good afternoon,

 

Early this morning, I was handed a Win7 machine that has the "CrypMIC" ransomware virus. I did use the ID Ransomware tool.

Using a hex editor, all the files that were encrypted have the same beginning 32 bits.

1b 2d 24 0f 12 df 4d 23 12 df 4d 23 12 df 4d 23
12 df 4d 23 f4 2d 24 0f f4 2d 24 0f f4 2d 24 0f

Hi Shawn, I have a similar 32 BYTE (or 256 bit) value at the start of my encrypted files. It is a different number to the number you have above, but the number I have is the same across all encrypted documents. I will look into it further later this evening.
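The shared-header observation in the post above can be turned into a triage sweep. The Python script below is an added example and not code from the thread: it reads the first 32 bytes of every file under a directory, groups files by that prefix, and reports the prefix shared by the most files, so touched and untouched files can be separated without opening each one in a hex editor. The directory layout, file names and file bodies it builds in build_sample_tree() are constructed for the demonstration; the 32-byte value is the one quoted in the post. Nothing here decrypts anything.

```python
"""Triage a suspected CrypMIC hit by grouping files on their first 32 bytes.

Added example, not from the BleepingComputer thread. The sample tree and file
contents are constructed here; the header value is the one quoted in the post.
"""
import os
import tempfile
from collections import defaultdict

HEADER_LEN = 32  # the post compared the leading 32 bytes of each file

# The 32-byte value quoted in the post above, used only to build sample files.
SAMPLE_HEADER = bytes.fromhex(
    "1b2d240f12df4d2312df4d2312df4d23"
    "12df4d23f42d240ff42d240ff42d240f"
)


def read_prefix(path, length=HEADER_LEN):
    """Return the first `length` bytes of a file (fewer if the file is smaller)."""
    with open(path, "rb") as fh:
        return fh.read(length)


def group_by_prefix(root, length=HEADER_LEN):
    """Walk `root` and map each distinct prefix to the files that start with it."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                groups[read_prefix(path, length)].append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return groups


def dominant_prefix(groups, length=HEADER_LEN):
    """Return (prefix, sorted paths) for the full-length prefix shared by most files.

    Prefixes shorter than `length` come from files too small to compare and are
    ignored, so a pile of tiny files cannot masquerade as the common header.
    """
    full = {k: v for k, v in groups.items() if len(k) == length}
    if not full:
        return b"", []
    prefix = max(full, key=lambda k: len(full[k]))
    return prefix, sorted(full[prefix])


def build_sample_tree(root):
    """Write constructed files: three carrying SAMPLE_HEADER, two that do not."""
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    for name in ("report.docx", "budget.xlsx", "photo.jpg"):
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(SAMPLE_HEADER + os.urandom(64))  # same header, different body
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"This file was not touched by the ransomware.\n" * 3)
    with open(os.path.join(root, "tiny.bin"), "wb") as fh:
        fh.write(b"\x01\x02\x03")  # shorter than HEADER_LEN, must be ignored


def demo():
    """Build the constructed tree, sweep it and return (prefix, file names)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        prefix, paths = dominant_prefix(group_by_prefix(root))
        return prefix, [os.path.basename(p) for p in paths]


if __name__ == "__main__":
    prefix, names = demo()
    print("shared prefix:", prefix.hex())
    print("files carrying it:", ", ".join(names))
```

Point group_by_prefix() at a user profile or a mapped share to get the real picture. A shared prefix can also reflect a common file format (many files of one type start with the same magic bytes), so compare the dominant prefix against the file types present before treating every match as encrypted.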



#20 JonathanAnon

  • Members
  • 9 posts

Posted 05 August 2016 - 11:46 AM

Just wondering, does anybody know exactly what they clicked on to cause the infection?

(I'm just trying to warn my other customers what to look out for.)



#21 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 August 2016 - 11:58 AM

Section :step2: in this topic explains the most common methods by which Crypto malware and other forms of ransomware are typically delivered and spread.

Have them read that.

#22 pockybum522

  • Members
  • 3 posts

Posted 05 August 2016 - 02:16 PM

I had a client get hit by what has been identified by https://id-ransomware.malwarehunterteam.com/identify.php as CrypMIC. I have submitted encrypted file samples, unencrypted/encrypted versions of the same file, and the ransom notices that appeared in every folder. Hope this helps.



#23 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 August 2016 - 02:25 PM

Samples of any suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will help our crypto experts analyze and investigate.

These are some common locations malicious executables hide:
%SystemDrive% (C:\)\<random>.exe
%SystemRoot% (C:\Windows)\<random>.exe
%Temp%\<random>.exe
%AppData%\<random>.exe
%LocalAppData%\<random>.exe
%ProgramData%\<random>.exe
%WinDir%\<random>.exe
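To check the locations quietman7 lists without opening each folder by hand, the Python script below is an added example, not code from the thread or from BleepingComputer: it expands the %...% variables, lists the executables sitting directly in each folder, and records size, modification time and SHA-256 so the hashes can be looked up or submitted together with the file. The folder tree and file contents built in demo() are constructed, and the environment mapping it passes stands in for the real Windows variables; on a real machine, call sweep() with no arguments and it reads os.environ. It runs nothing and deletes nothing.

```python
"""List executables sitting directly in the folders named in the post above.

Added example, not from the BleepingComputer thread. The directory tree and
file contents in demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile
import time

# The locations from the post, as environment-variable templates. %SystemRoot%
# and %WinDir% normally point at the same folder; the sweep de-duplicates them.
SUSPECT_LOCATIONS = [
    "%SystemDrive%",
    "%SystemRoot%",
    "%Temp%",
    "%AppData%",
    "%LocalAppData%",
    "%ProgramData%",
    "%WinDir%",
]


def expand(template, env):
    """Expand %NAME% tokens from `env`, case-insensitively like cmd.exe."""
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(match):
        return lookup.get(match.group(1).lower(), match.group(0))

    path = re.sub(r"%([^%]+)%", repl, template)
    if path.endswith(":"):
        path += os.sep  # "C:" alone means that drive's cwd; "C:\" is the root
    return os.path.normcase(os.path.normpath(path))


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(locations=SUSPECT_LOCATIONS, env=None):
    """Return one record per top-level .exe found in the expanded locations."""
    env = os.environ if env is None else env
    findings, seen = [], set()
    for template in locations:
        folder = expand(template, env)
        if folder in seen or not os.path.isdir(folder):
            continue  # unexpanded, missing, or already covered by another alias
        seen.add(folder)
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not name.lower().endswith(".exe") or not os.path.isfile(path):
                continue
            st = os.stat(path)
            findings.append({
                "path": path,
                "size": st.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S",
                                          time.localtime(st.st_mtime)),
                "sha256": sha256_of(path),
            })
    return findings


def demo():
    """Sweep a constructed directory tree that stands in for the Windows folders."""
    with tempfile.TemporaryDirectory() as root:
        temp, appdata, windir = (os.path.join(root, d)
                                 for d in ("Temp", "AppData", "Windows"))
        for d in (temp, appdata, windir):
            os.makedirs(d)
        with open(os.path.join(temp, "unknown_dropper.exe"), "wb") as fh:
            fh.write(b"abc")  # constructed content with a well-known SHA-256
        with open(os.path.join(windir, "system_tool.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 30)  # constructed 32-byte stand-in
        with open(os.path.join(appdata, "settings.ini"), "wb") as fh:
            fh.write(b"[config]\n")  # not an executable, must be ignored
        env = {"SystemDrive": root, "SystemRoot": windir, "WinDir": windir,
               "Temp": temp, "AppData": appdata, "LocalAppData": appdata,
               "ProgramData": os.path.join(root, "missing")}
        return sweep(env=env)


if __name__ == "__main__":
    for rec in demo():
        print(rec["sha256"], rec["size"], rec["modified"], rec["path"])
```

Recently modified files in %Temp% or %AppData% whose hashes are unknown to reputation services are the ones worth submitting with a link to the topic; files in %SystemRoot% are mostly legitimate, so compare their hashes before reacting.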

#24 foduck

  • Members
  • 16 posts
  • Gender:Male

Posted 07 August 2016 - 11:14 PM

Hi

My PC got the virus again and, after checking on the website, I'm infected with CrypMic. What can I do as the next step? :(



#25 cybercynic

  • Members
  • 557 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 08 August 2016 - 01:23 AM

See post #17 - still applies.

We are drowning in information - and starving for wisdom.


#26 love24you

  • Members
  • 30 posts

Posted 09 August 2016 - 10:31 AM

I have evidence that CRYPXXX and CRYPMIC are made by the same group.



#27 Third-Eye

  • Members
  • 4 posts

Posted 10 August 2016 - 11:58 AM

Joining those unfortunate enough to have been hit by this mess. I am uploading a .zip file containing what I believe to be the culprit .dll of this incident, along with some sample encrypted files and copies of the ransom messages that were dropped as well. Hopefully this provides some help to those who may be looking at the possibility of finding a way to decrypt what's been lost. In our particular case, we lost all files on one client and tens of thousands of files on one server it had a drive mapped to.

All I can offer is three words of advice... backup, backup, backup...

And to all those working here thanklessly to help out us unknowns... Thank You! for many years of service to the computing community.

Edit: Also interesting to note that, as I am still maintaining the infected client in its current condition for educational purposes, no scan has been able to detect this .dll as malicious. It has been scanned with up-to-date Malwarebytes Anti-Malware, Hitman Pro and Symantec Endpoint Protection, and none of these applications have detected it at all...


Edited by Third-Eye, 10 August 2016 - 01:57 PM.


#28 matejh

  • Members
  • 24 posts

Posted 11 August 2016 - 01:59 AM

Joining those unfortunate enough to have been hit by this mess. I am uploading a .zip file containing what I believe to be the culprit .dll of this incident, along with some sample encrypted files and copies of the ransom messages that were dropped as well. Hopefully this provides some help to those who may be looking at the possibility of finding a way to decrypt what's been lost. In our particular case, we lost all files on one client and tens of thousands of files on one server it had a drive mapped to.

All I can offer is three words of advice... backup, backup, backup...

And to all those working here thanklessly to help out us unknowns... Thank You! for many years of service to the computing community.

Edit: Also interesting to note that, as I am still maintaining the infected client in its current condition for educational purposes, no scan has been able to detect this .dll as malicious. It has been scanned with up-to-date Malwarebytes Anti-Malware, Hitman Pro and Symantec Endpoint Protection, and none of these applications have detected it at all...

In which folder did you find this dll?



#29 ziozioporcozio

  • Members
  • 9 posts

Posted 11 August 2016 - 02:45 AM

Hi guys, can you tell me if this infection may continue to infect after the attack, or can I remove it from the PC and at least know that it does not infect other files?

Edit. Two things I've noticed:

1. I do not know if it's important, but I have two Adobe Illustrator files in an infected folder that were not infected.

2. Analyzing the desktop and the affected folders, this virus seems to hit large folders (minimum 2 GB) with subfolders. Of course, that is just my impression.


Edited by ziozioporcozio, 11 August 2016 - 03:34 AM.


#30 matejh

  • Members
  • 24 posts

Posted 11 August 2016 - 03:44 AM

Hi guys, can you tell me if this infection may continue to infect after the attack, or can I remove it from the PC and at least know that it does not infect other files?

That would also interest me. Or should I format the drive and carefully copy back the files?





