
AiraCrop (NMoreira) Ransomware Support Topic (.airacropencrypted!, .maktub)


182 replies to this topic

#1 ramalho51

  • Members
  • 1 posts

Posted 14 October 2016 - 12:36 PM

Dear friends, earlier this month my server was infected with a variant of ransomware that encrypts files with the extension .airacropencrypted!.
I have submitted the file to the ID Ransomware site, but its type was not detected.
Can anybody help me?
 
Thank you very much!


#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,243 posts
  • Gender:Male
  • Location:USA

Posted 14 October 2016 - 12:37 PM

Do you have a ransom note? I've seen the extension before, but don't remember if I ever looked deeper into it.

 

If I remember right, it might be a CrySiS variant, which would be picked up by ID Ransomware if you upload the ransom note.


Edited by Demonslay335, 14 October 2016 - 12:39 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,243 posts
  • Gender:Male
  • Location:USA

Posted 25 October 2016 - 03:43 PM

I'm starting to wonder if the CrySiS detection might be a false-positive. I saw a victim's note actually has Tor links, and I believe CrySiS usually communicates with only email.

 

Do you have the malware itself or know how your server got infected? Was it an RDP breach? We'd need the malware to analyze whether it can be cracked.




#4 al1963

  • Members
  • 839 posts

Posted 25 October 2016 - 08:59 PM

@Demonslay335,

here is the information from a single user.

 

an example of an encrypted file:

https://cloud.mail.ru/public/Mhhg/2iTRvVgVt

 

How to decrypt your files:

Encrypted Files!

All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.

Making it impossible to recover the files without the correct private key.

If you are interested in getting is key, and retrieve your files

visit one of the link and enter your key;

https://6kaqkavhpu5dln6x.onion.to/

https://6kaqkavhpu5dln6x.onion.link/

https://mvy3kbqc4adhosdy.onion.to/

https://mvy3kbqc4adhosdy.onion.link/

Alternative link:

http://6kaqkavhpu5dln6x.onion

http://mvy3kbqc4adhosdy.onion

To access the alternate link is mandatory to use the TOR browser available on the link

https://www.torproject.org/download/download

Key:

D0809D7FF155EDB518345504C73B507C7A57E23B60D17DEE9F54C27D7143B3B7

 


Edited by al1963, 25 October 2016 - 09:02 PM.


#5 bee700

  • Members
  • 22 posts
  • Gender:Female

Posted 04 November 2016 - 04:50 PM

Hello, I don't know if I am allowed to do this but I too have the same exact problem so I will be following the thread very attentively to see if it can help me or if I need to post a new thread. Is that OK? and thanks

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 November 2016 - 04:55 PM

Rather than start a new topic, you can continue in this one.

I believe we still need a sample of the malware itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are some common folder variable locations malicious executables and .dlls hide:
%SystemDrive%\ (C:\)
%SystemRoot%\ (C:\Windows, %WinDir%\)
%Temp%\
%AllUserProfile%\
%UserProfile%\
%AppData%\
%LocalAppData%\
%ProgramData%\
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,243 posts
  • Gender:Male
  • Location:USA

Posted 29 November 2016 - 02:41 PM

Victims of this ransomware, as well as the one using the extension ".maktub", may use Fabian's decrypter here: https://decrypter.emsisoft.com/nmoreira




#8 al1963

  • Members
  • 839 posts

Posted 30 November 2016 - 12:59 AM

@Demonslay335,

 

In connection with this, a question: is the key reconstruction performed for each file,

or only once, after which the found key is used to decrypt the other files without reconstructing it again?

 

Starting decryption ...

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar
Status: Successfully decrypted!

 



#9 bee700

  • Members
  • 22 posts
  • Gender:Female

Posted 30 November 2016 - 04:49 PM

Rather than start a new topic, you can continue in this one.

I believe we still need a sample of the malware itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are some common folder variable locations malicious executables and .dlls hide:
%SystemDrive%\ (C:\)
%SystemRoot%\ (C:\Windows, %WinDir%\)
%Temp%\
%AllUserProfile%\
%UserProfile%\
%AppData%\
%LocalAppData%\
%ProgramData%\

 

Hi sorry for the delay in reaction. I will see if I can do that. But thank you for being there. The work you do is invaluable.



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2016 - 05:05 PM

No problem...you can now try Fabian's decrypter in the link provided by Demonslay335 in Post #7.

Before attempting decryption, it is recommended to back up the original encrypted files first and perform a test decryption on sample copies of the encrypted files first in case something goes awry.

#11 bee700

  • Members
  • 22 posts
  • Gender:Female

Posted 30 November 2016 - 06:19 PM

No problem...you can now try Fabian's decrypter in the link provided by Demonslay335 in Post #7.

Before attempting decryption, it is recommended to back up the original encrypted files first and perform a test decryption on sample copies of the encrypted files first in case something goes awry.

Yes, exactly, but if need be I will come back to you, and if not, it's always a pleasure to come to this site; over the years, I don't know how many times it has been a resource of info and solutions.

Thank you again



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2016 - 06:34 PM

You're welcome. We appreciate your thoughtful comments about the Bleeping Computer community and taking the time to express your sentiments.

#13 al1963

  • Members
  • 839 posts

Posted 30 November 2016 - 08:39 PM

The decoder seems to work.

 

 

Starting decryption ...

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\04-2016_подр_6606087 (1).txt.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Could not guess key. Most likely the original file format is not supported.

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx
Status: Successfully decrypted!

Finished!
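The log above answers the question from post #8: the decrypter reconstructs a key for some files and reuses it for later ones, and the one failure is a .txt file, matching the message that the original file format is not supported. The following is an added Python example, not part of this thread or of the Emsisoft tool; it parses a constructed, shortened copy of that log and tallies outcomes by original extension and by key source, so an operator running the decrypter over a large tree can see which formats it could not guess a key for.

```python
from collections import Counter

# Constructed sample: a shortened copy of the decrypter log posted in this thread.
SAMPLE_LOG = r"""Starting decryption ...
Encrypted file: E:\deshifr\01\1\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\01\1\Бух.rar
Status: Successfully decrypted!

Encrypted file: E:\deshifr\01\2\backup.zip.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\01\2\backup.zip
Status: Successfully decrypted!

Encrypted file: E:\deshifr\01\4\notes.txt.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Could not guess key. Most likely the original file format is not supported.

Finished!
"""

EXT = ".__AiraCropEncrypted!"  # extension appended by this ransomware family

def parse_log(text):
    """One dict per 'Encrypted file:' entry: original extension, key source, success."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Encrypted file: "):
            path = line[len("Encrypted file: "):]
            orig = path[:-len(EXT)] if path.endswith(EXT) else path
            name = orig.rsplit("\\", 1)[-1]          # strip the directory part
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            cur = {"path": path, "ext": ext, "key": None, "ok": False}
            entries.append(cur)
        elif cur and line.startswith("Decryption: Trying to reconstruct"):
            cur["key"] = "reconstructed"             # fresh key guess for this file
        elif cur and line.startswith("Decryption: Successfully recovered"):
            cur["key"] = "reused"                    # derived from an earlier file's key
        elif cur and line.startswith("Status: Successfully decrypted"):
            cur["ok"] = True                         # absent after "Could not guess key"
    return entries

def summarize(entries):
    """Tally (extension, ok) and (key source, ok) pairs to show which formats failed."""
    by_ext = Counter((e["ext"], e["ok"]) for e in entries)
    by_key = Counter((e["key"], e["ok"]) for e in entries)
    return by_ext, by_key
```

Files whose extension shows up only with a failed outcome are the ones to set aside and report, since the tool's key guess depends on recognising the original format.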

 



#14 imediaOne

  • Members
  • 5 posts

Posted 05 December 2016 - 08:53 AM

Hello everybody,

We now have the AiraCrop Ransomware on the system.

 

All files are encrypted with the extension .__AiraCropEncrypted!.

We have also tried the software at https://decrypter.emsisoft.com/nmoreira, but we do not get a decoded file.

 

Our payment request is also different in content and has the extension .html instead of .txt.

 

We have uploaded an encrypted file.

 

Can anybody help me?

Link:

http://xup.in/dl,15273915
and

http://xup.in/dl,21132066



#15 Norma22

  • Members
  • 3 posts

Posted 05 December 2016 - 10:38 AM

Hi guys, I tried the NMoreira decrypter on my encrypted files, without success.
 
The tool seems frozen...
 
Starting decryption ...
 
Encrypted file: C:\Users\ILARIA\Downloads\aira\impegno preventivo.docx.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...

 
I tried four times and waited for hours: same result.

Can you help me?




