
DXXD Ransomware (dxxd) Help & Support - ReadMe.TxT


99 replies to this topic

#16 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:24 AM

Posted 01 October 2016 - 08:14 AM

It looks like yours has a different key and possibly a different key length. I'll have to play with it a bit to get it right, but it is definitely decryptable.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.




#17 rhvjr

rhvjr

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 02 October 2016 - 07:20 PM

Demon, my private email to your email bounced.



#18 chase303

chase303

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 03 October 2016 - 06:05 AM

@Demonslay335 Hi, I hope you can help.

One of the servers I look after has been compromised and multiple files encrypted with dxxd.

I downloaded your decryptor but it says access is denied. Although it creates a copy of the files with the correct file extension, they still can't be opened.

Any help would be much appreciated.



#19 iceonfire

iceonfire

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 03 October 2016 - 08:15 AM

@Demonslay335 Hi I hope you can help.

One of the servers I look after has been compromised and multiple files encrypted with dxxd.

I downloaded your decryptor but it says access is denied. Although it creates a copy of the files with the correct file extension, they still can't be opened.

Any help would be much appreciated..

 

Mine has the same issues as chase303 above.

Kindly help.

 

W.K



#20 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:24 AM

Posted 03 October 2016 - 08:51 AM

@chase303 @iceonfire

 

That's odd. Are you running it with administrator privileges? You may need to disable your antivirus temporarily; some give a false positive with my tools due to the obfuscation I use to help protect it from the bad guys.




#21 chase303

chase303

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 03 October 2016 - 09:10 AM

Hi, thanks for getting back. Yes to admin account privileges.

And the dxxd "installer" removed the antivirus so it's not that either.

Tried in normal and safe modes.


Edited by chase303, 03 October 2016 - 09:10 AM.


#22 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:24 AM

Posted 03 October 2016 - 09:25 AM

Can you share a few files that were encrypted, preferably ones that you also have a clean copy of for me to compare?




#23 iceonfire

iceonfire

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 03 October 2016 - 10:10 AM

@chase303 @iceonfire

 

That's odd. Are you running it with administrator privileges? You may need to disable your antivirus temporarily; some give a false positive with my tools due to the obfuscation I use to help protect it from the bad guys.

Yeah, it does the same. I don't have antivirus installed.

I have also tried to generate a key using two files, 2 good and two old before the attack. They give a different key. Let me paste it here if you may allow.

86CFFAD5DAB1519F533B36EA7D6AC746E84FEFD878F5C9111F067A17766CD4A7D68ECDFA9FDAB1513661B52D467D6AC7D8A84FED1D1BF5A9E6A0362FA7766CD4FAD48E8D519FDAB136EA533BC7467D6AEDD8A84FA91D1BF53EB563A3E4A67E6A8FFA948E9E517FDF3B36EA5384C8F87831FD98A7B7B9DB0BE92F7B727EC77B64
86CFFAD5DAB1519F533B36EA7D6AC746884FECD878F5C911A6094552766CD4A7D58EADFAF3FA355CBA723B3C477D4AC7D8A84FED1D1BF5A94CC4B727A7766CD4FAD48E8D519FDAB136EA533BC7467D6AEDD8A84FA91D1BF53EB563A3E4A67E6A8DFAD48E9C513FDF3B36EA5306C8BC78B5E2E4A7CBB95F14652FFF73E2C7FF67

 

They don't look identical. The files were in the same folder.

 

Thank you



#24 chase303

chase303

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 03 October 2016 - 01:24 PM

Here's a file before:  https://www.dropbox.com/s/ub3rut77xt655ng/3.08C%20File%20Note%20or%20Telecon.doc?dl=0

and encrypted: https://www.dropbox.com/s/0hnj7vxep0lhpkr/3.08c%20file%20note%20or%20telecon.docdxxd?dl=0

thanks 



#25 chase303

chase303

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 03 October 2016 - 01:29 PM

I have also now discovered that this hasn't only encrypted shared data, but also Windows operating system files and Exchange files, and application files, so programs like Backup Exec don't work (and there's something stopping me reinstalling it), so currently I can't restore anything from tape backups at the moment.

Fortunately we have the majority of the data backed up in the cloud. But this is not the best start to a week I've had...



#26 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:24 AM

Posted 03 October 2016 - 05:03 PM

Do you have a pair of files larger than 1.05MB? The encryption goes for 0x100000 bytes (starting at 0x4), and the key may not repeat, so I need the full block to figure out what has changed.


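Why a clean/encrypted pair larger than 1.05MB matters, as an added example that is not part of the original posts and is not the decryptor's code: a pair only reveals key material for the bytes it covers, and a key length is only confirmed once the recovered stream is seen to repeat. It assumes a byte-wise XOR keystream, which the thread does not state; only the 0x4 offset and 0x100000 length come from the post above, and `constructed_pair` with its keys is made-up sample data.

```python
# Added example, not the decryptor's code. ASSUMPTION: byte-wise XOR keystream.
ENC_START = 0x4       # first encrypted offset, from the post above
ENC_LEN = 0x100000    # encrypted span, from the post above


def diff_stream(clean: bytes, encrypted: bytes) -> bytes:
    """XOR the pair over the encrypted region that both files cover."""
    end = min(len(clean), len(encrypted), ENC_START + ENC_LEN)
    return bytes(c ^ e for c, e in zip(clean[ENC_START:end], encrypted[ENC_START:end]))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] everywhere (KMP prefix table)."""
    n = len(stream)
    if n == 0:
        return 0
    pi, k = [0] * n, 0
    for i in range(1, n):
        while k and stream[i] != stream[k]:
            k = pi[k - 1]
        if stream[i] == stream[k]:
            k += 1
        pi[i] = k
    return n - pi[-1]


def analyse_pair(clean: bytes, encrypted: bytes) -> dict:
    stream = diff_stream(clean, encrypted)
    period = shortest_period(stream)
    return {
        "covered": len(stream),                  # keystream bytes recovered
        "full_block": len(stream) == ENC_LEN,    # needs a pair of >= 0x100004 bytes
        "period": period,
        # A period seen fewer than twice proves nothing about repetition.
        "repeat_confirmed": 0 < period * 2 <= len(stream),
    }


def constructed_pair(key: bytes, size: int):
    """Constructed sample data: a clean buffer and a toy-encrypted copy of it."""
    clean = bytes((i * 7 + 3) % 256 for i in range(size))
    end = min(size, ENC_START + ENC_LEN)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(clean[ENC_START:end]))
    return clean, clean[:ENC_START] + body + clean[end:]


if __name__ == "__main__":
    for key_len in (16, 40):
        pair = constructed_pair(bytes(range(1, key_len + 1)), 64)
        print(key_len, analyse_pair(*pair))
```

With the 64-byte constructed pair, the 16-byte key is seen repeating, while the 40-byte key is only partly covered and cannot be told apart from a key that never repeats.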


#27 iceonfire

iceonfire

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 04 October 2016 - 12:44 AM

@Demonslay335

[-] File: C:\Users\xxxx.KR\Desktop\Utilities\test\desktop.inidxxd skipped, error: Access to the path 'C:\Users\xxxx.KR\Desktop\Utilities\test\desktop.ini' is denied.
[-] File: C:\Users\xxxx.KR\Desktop\Utilities\test\process hacker 2.zipdxxd skipped, error: Access to the path 'C:\Users\xxxx.KR\Desktop\Utilities\test\process hacker 2.zip' is denied.
Successfully decrypted 0 files!
Skipped 2 files
 

This is the error I am getting.

 

Kindly help.

 

W.K.



#28 iceonfire

iceonfire

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 05 October 2016 - 03:35 AM

hello,
Has anyone succeeded in decrypting?

WK

Edited by iceonfire, 05 October 2016 - 03:52 AM.


#29 chase303

chase303

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 05 October 2016 - 03:45 AM

hello,
Has anyone succeeded in decrypting?

WK

@iceonfire Not yet, sadly. I have tried loads of different things and nothing has helped so far.



#30 rhvjr

rhvjr

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 05 October 2016 - 12:05 PM

Backups encrypted as well, what a mess.





