Crypmic and Russian EDA2 encryption


  • Please log in to reply
4 replies to this topic

#1 jeffpowell

  • Members
  • 3 posts

Posted 17 October 2016 - 01:09 PM

My computer was recently infected with malware that encrypted all my important documents. They have been encrypted with "crypmic" and "Russian EDA2" encryption. I tried undeleting those files, but I could not find any valid copies using Recuva recovery software; all possible backups were bad/unrecoverable because they must have already been written over. I also tried Shadow Copy, but seeing that I was not making any recovery backups, except for Windows updates, I did not have any useful recovery options that way. I am lost, just hoping someone is able to provide a decryption key. I saw another posting that someone was given a private key to decrypt their files. If I sent/uploaded someone a sample file, could they possibly find a decryption key?

Thanks




#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts

Posted 17 October 2016 - 01:18 PM

We need more information. I assume you uploaded a ransom note to ID Ransomware, and it identified "Russian EDA2" and "CrypMic", is this correct? Both use "README.html" as the ransom note. You will need to upload an encrypted file to ID Ransomware in order to determine which it is - CrypMic is identified by a specific hex pattern in the header of the file, and it is not decryptable.

 

As for "I saw another posting that someone was given a private key to decrypt their files", this is completely case-by-case, and depends on the ransomware, and whether it is decryptable.




#3 jeffpowell
  • Topic Starter

  • Members
  • 3 posts

Posted 22 December 2017 - 02:26 PM

Yes, I did upload an encrypted file to ID Ransomware and it stated on multiple files, some with the EDA2 and some with the CrypMic encryption. About a week prior to noticing, I got the warning that my files were encrypted, but it didn't happen immediately and I didn't notice until about a week later. By that point it was too late. I attempted the Windows recovery option and also Shadow Explorer, but the malware scrubbed those files; it rewrote over the same files multiple times so that the originals were gone. So, I can't use any recovery software to get those files. I am lost without a decryption key.



#4 jeffpowell
  • Topic Starter

  • Members
  • 3 posts

Posted 22 December 2017 - 02:30 PM

I still have the encrypted files and the readme file. Can you help, or can you point me in the direction of someone who can help in decrypting the files?



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,613 posts

Posted 22 December 2017 - 03:41 PM

Quote from jeffpowell: "Yes, I did upload an encrypted file to ID Ransomware and it stated on multiple files, some with the EDA2 and some with the CrypMic encryption..."

You may have been a victim of dual ransomware infections...both EDA2 and CrypMic. Ransomware does not care about the contents of the data or whether your files or drives are already encrypted...it will just encrypt (re-encrypt) them again.

Unfortunately, there is still no known method at this time to decrypt files encrypted by CrypMIC without paying the ransom.