SCL Ransomware Decryption Tool Not Working


  • This topic is locked
4 replies to this topic

#1 goodsamaritan

Posted 25 September 2016 - 11:55 AM

Hi there,

 

We got infected with ransomware back in June that changed all of the files to the following:

 

ORIGINALFILENAME.id_98b1fa52ec46f9dc_email_vexa@usa.com.scl

 

After scouring this site and others, we could not find any existing decryption tool and it totally wiped all of our backups - we now have cloud backup going forward to prevent this.

 

We paid the ransom and the criminal sent us the decryption tool which we ran but although it seemed to run for a while, nothing was decrypted.

When we told this to the criminal he said it should work and asked us to send a sample file for him to test on - I sent a generic JPG that comes with Windows and since then he has ignored our emails.

 

At first I thought that he just was playing with us but why would he ask for the sample file then? Just to continue playing with us?

 

If I post the decryption tool he gave us would anyone be able to help us?

 

The customer is a not for profit school that we provide IT support for free as a kindness to them.

Any help would be much appreciated.




#2 Demonslay335

    Ransomware Hunter


  • Security Colleague

Posted 25 September 2016 - 12:25 PM

If you have the original malware that caused this, it would be the most helpful. I believe this is CryptoMix, also known as CryptFile2. You may share a few encrypted files and anything they gave you; we can try to take a look.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#3 goodsamaritan

Posted 25 September 2016 - 01:38 PM

Sorry for the delay - the email went to my junk mail - just whitelisted bleepingcomputer

 

I just submitted the test file - it was originally tulips.jpg which I think comes with Windows.

I also submitted the decryption tool the criminal sent that didn't work as both the original RAR he sent me as well as the EXE that I extracted from the original RAR.

 

Also, just FYI, Grinler posted this about .SCL files back in March - not sure if it's relevant as I guess they can change the extension to whatever they want:

http://www.bleepingcomputer.com/forums/t/609634/zeta-ransomware-support-and-help-topic-zetadrcomscl-help-your-fileshtml/

 

Thanks again



#4 goodsamaritan

Posted 25 September 2016 - 02:01 PM

Also just submitted an unencrypted tulips.jpg from another PC to help you - not sure if it does but figured it doesn't hurt



#5 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 25 September 2016 - 03:48 PM


Any files that are encrypted with CryptoMix Ransomware (CryptFile2) will have an <id number>.<email>_.code or <id number>.<email>_.scl extension appended to the end of the encrypted data filename and leave files (ransom notes) named HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
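For responders inventorying an affected share, the naming scheme described in this thread can be parsed to group encrypted files by victim ID and contact address and to locate ransom notes. This is an added example, not code from any poster or from BleepingComputer; the regular expression is inferred from the single sample name in post #1 and the description in post #5, and the paths in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Shape taken from the sample name in post #1:
#   ORIGINALFILENAME.id_<hex id>_email_<address>.scl
# Post #5 also mentions a .code extension and a "_" before the extension,
# so both are accepted. Treating the id as hex is an assumption.
ENCRYPTED = re.compile(
    r"^(?P<original>.+)\.id_(?P<victim_id>[0-9a-fA-F]+)"
    r"_email_(?P<email>[^\s@]+@[^\s@]+?)_?\.(?P<ext>scl|code)$",
    re.IGNORECASE,
)
# Ransom note names as listed in post #5.
NOTE_NAMES = {"help_your_files.html", "help_your_files.txt"}


def parse_name(path):
    """Return the fields of an encrypted-file name, or None if no match."""
    m = ENCRYPTED.match(PureWindowsPath(path).name)
    if not m:
        return None
    return {
        "original": m["original"],
        "victim_id": m["victim_id"].lower(),
        "email": m["email"].lower(),
        "ext": m["ext"].lower(),
    }


def triage(paths):
    """Sort a file listing into encrypted files, ransom notes and the rest."""
    report = {"encrypted": defaultdict(list), "notes": [], "untouched": []}
    for p in paths:
        fields = parse_name(p)
        if fields:
            report["encrypted"][(fields["victim_id"], fields["email"])].append(p)
        elif PureWindowsPath(p).name.lower() in NOTE_NAMES:
            report["notes"].append(p)
        else:
            report["untouched"].append(p)
    return report


# Constructed listing; only the id/email suffix comes from the thread.
SAMPLE = [
    r"C:\Users\Public\Pictures\tulips.jpg.id_98b1fa52ec46f9dc_email_vexa@usa.com.scl",
    r"C:\Users\Public\Pictures\HELP_YOUR_FILES.TXT",
    r"D:\Share\budget.xlsx.id_98b1fa52ec46f9dc_email_vexa@usa.com_.code",
    r"D:\Share\readme.txt",
]
```

More than one `(victim_id, email)` key in the report would suggest separate infections, which matters because any decryptor or key is tied to a single ID.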



