Any decypriton tools for this one?
Any help is much appreicated
Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
infected with Variant: nomoneynohoney.xtbl, Any decypriton tools for this one?
Started by
Shonuf888
, Oct 27 2016 11:31 AM
2 replies to this topic
#1
Shonuf888
-
- Members
- 1 posts
- OFFLINE
- Local time:09:46 AM
Back to top
#2
Demonslay335
-
- Security Colleague
- 3,591 posts
- OFFLINE
Ransomware Hunter
- Gender:Male
- Location:USA
- Local time:07:46 AM
Posted 27 October 2016 - 04:04 PM
Have you used ID Ransomware to identify the ransomware? Troldesh/Shade uses similar formats. It is best to upload a ransom note as well as the encrypted file for it to identify by. There are a few other variants going around using the .xtbl extension, but ID Ransomware will pick them up based on known email addresses or patterns with the filenames.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
#3
quietman7
-
- Global Moderator
- 52,095 posts
- ONLINE
Bleepin' Janitor
- Gender:Male
- Location:Virginia, USA
- Local time:08:46 AM
Posted 27 October 2016 - 04:35 PM
Any files that are encrypted by newer variants of Troldesh/Shade Ransomware are completely renamed with the format Base64(AES_encrypt(original file name) but still have the .xtbl or .ytbl extension appended to the end of the filename (i.e. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl. Troldesh (Shade) leaves files (ransom notes) named README1.txt, READEME2...README10.txt and How to decrypt your files.txt.
Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.CrySiS or .<id-number>.<email>.xtbl extension appended to the end of the encrypted data filename (i.e. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl) and leave files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt.
Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.CrySiS or .<id-number>.<email>.xtbl extension appended to the end of the encrypted data filename (i.e. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl) and leave files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
