Crypt0 Ransomware (_crypt0) - HELP_DECRYPT.TXT

2 replies to this topic

#1 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,391 posts
  • Gender:Male
  • Location:USA
  • Local time:05:44 PM

Posted 12 September 2016 - 10:20 PM

A new variant of the Detox Ransomware kit, dubbed "Crypt0" based on the extension it uses and its project name, was discovered by MalwareHunterTeam.


This ransomware encrypts files using AES, and adds "_crypt0" before the extension of the file; for example, "picture.jpg" would become "picture_crypt0.jpg". It also leaves the ransom note "HELP_DECRYPT.TXT" in every folder, asking the victim to contact the criminals at the email address fndimaf@gmail.com. Due to a bug in the ransomware, ransom notes may also appear with the same filename several times, such as "HELP_DECRYPT.TXTHELP_DECRYPT.TXT", shown below.





Good news is this one is decryptable, and I have released a decrypter for it. Simply select the affected directory, and click "Decrypt". :)




Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.



Edited by Demonslay335, 17 January 2017 - 06:49 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
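Added example, not part of the original post and not the released decrypter: a read-only triage scan that lists files carrying the "_crypt0" marker before their extension, the name each had before encryption, and ransom notes including the repeated-filename form described above. The function names, the sample tree and the handling of files without an extension are assumptions made for illustration.

```python
import os
import re
import tempfile

MARKER = "_crypt0"  # marker the post says is added before the file extension
# Ransom note name, possibly repeated back-to-back (the bug described in the post).
# Case-insensitive matching is an assumption, chosen because Windows filenames are.
NOTE_RE = re.compile(r"^(?:HELP_DECRYPT\.TXT)+$", re.IGNORECASE)

def original_name(filename):
    """Return the pre-encryption name if the marker sits right before the extension, else None."""
    stem, ext = os.path.splitext(filename)
    if stem.endswith(MARKER) and len(stem) > len(MARKER):
        return stem[:-len(MARKER)] + ext
    return None

def scan(root):
    """Walk root without modifying it; return ({encrypted path: original name}, [note paths])."""
    encrypted, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_RE.match(name):
                notes.append(path)
                continue
            orig = original_name(name)
            if orig is not None:
                encrypted[path] = orig
    return encrypted, sorted(notes)

def demo():
    """Scan a constructed sample tree (empty files, made up for this example)."""
    samples = ("picture_crypt0.jpg", "notes.txt", "HELP_DECRYPT.TXT",
               os.path.join("docs", "report_crypt0.docx"),
               os.path.join("docs", "HELP_DECRYPT.TXTHELP_DECRYPT.TXT"))
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel in samples:
            open(os.path.join(root, rel), "wb").close()
        encrypted, notes = scan(root)
        return (sorted(os.path.relpath(p, root) for p in encrypted),
                sorted(encrypted.values()),
                sorted(os.path.relpath(p, root) for p in notes))

if __name__ == "__main__":
    print(demo())
```
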




#2 Amigo-A


  • Members
  • 348 posts
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:44 AM

Posted 13 September 2016 - 04:56 AM

Demonslay335, perfect!

Before we had even met it, you had already deciphered it!



My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Affected by an encryptor? Report it to me here.

#3 Karolenas


  • Members
  • 1 posts
  • Local time:01:44 AM

Posted 15 September 2016 - 02:45 AM

Well done!
