Cryakl Ransomware Help & Support Topic


59 replies to this topic

#1 jason-anderson

jason-anderson

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 14 November 2016 - 04:30 PM

Hi,
 
We found ransomware on our server on 11/11/2016.
 
ID Ransomware site determined it to be Cryakl.
 
I used the Kaspersky RannohDecryptor Version 1.9.3.0 but it is not working.
 
Here is the report from RannohDecryptor:
 
16:23:34.0816 0x23b84  Trojan-Ransom.Win32.Rannoh decryptor tool 1.9.3.0 Sep 27 2016 19:40:47
16:23:35.0776 0x23b84  ============================================================
16:23:35.0776 0x23b84  Current date / time: 2016/11/14 16:23:35.0776
16:23:35.0776 0x23b84  SystemInfo:
16:23:35.0776 0x23b84  
16:23:35.0776 0x23b84  OS Version: 6.0.6002 ServicePack: 2.0
16:23:35.0776 0x23b84  Product type: Domain controller
16:23:35.0776 0x23b84  ComputerName: AMTISRV
16:23:35.0777 0x23b84  UserName: administrator
16:23:35.0777 0x23b84  Windows directory: C:\Windows
16:23:35.0777 0x23b84  System windows directory: C:\Windows
16:23:35.0777 0x23b84  Running under WOW64
16:23:35.0777 0x23b84  Processor architecture: Intel x64
16:23:35.0777 0x23b84  Number of processors: 8
16:23:35.0777 0x23b84  Page size: 0x1000
16:23:35.0777 0x23b84  Boot type: Normal boot
16:23:35.0777 0x23b84  ============================================================
16:23:35.0781 0x23b84  Initialize success
16:23:59.0787 0x22b8c  Can't initialize on pair
16:23:59.0787 0x22b8c  Can't init decryptor
 
The file sizes of the encrypted file and original file are different even though I know they are the same file.
 
The ransom note is in a file named README.txt.  The text says: "to decrypt files write to this mail abu.khan@india.com"
 
Here is an example of the encrypted file names:
"email-abu.khan@india.com.ver-CL 1.3.1.0.vis.id-abu@@@@@AC6C-9A47.randomname-SOIBASLDVNFXQIASLCUMFXPHZSKCUM.IZR.mcu"
 
Is there anything I can do to decrypt the files?  Should I be using an alternative decryption tool?
 
Thank you for your support.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,915 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:07 PM

Posted 14 November 2016 - 07:50 PM

If solution did not help
If RannohDecryptor did not succeed in file decryption, download and launch the XoristDecryptor or RectorDecryptor tool.

Kaspersky RannohDecryptor How to Guide


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 jason-anderson


Posted 14 November 2016 - 08:02 PM

I tried both of those decryptors before posting to the forum and they did not decrypt.

#4 quietman7


Posted 14 November 2016 - 08:13 PM

Since the decryptor tool is specific to Kaspersky, you may want to report the results and ask at Kaspersky Labs Support Forum.

#5 jason-anderson


Posted 15 November 2016 - 09:50 AM

I also reported to Kaspersky Labs Support.

 

Is there an alternative to Kaspersky for this specific ransomware?

 

Has anyone reported similar encryption issues to the file naming in my original post?

Thanks.



#6 quietman7


Posted 15 November 2016 - 11:24 AM

There is no alternative fix tool that I am aware of.

Someone must have reported this infection to ID Ransomware since the service was able to identify it but I would not know who that was.

#7 ricoleon

ricoleon

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 21 February 2017 - 07:24 PM

 
Help me please, my file is being attacked by ransomware, the file name is changing to:
 
email-mserbinov@aol.com.ver-CL 1.3.1.0.id-@@@@@9078-A19A.randomname-CDEFNNOPPQQRSTTUUVVWXYYYZAABCC.DDE
 
 
I have tried all the decrypt tools on AVG, Kaspersky, Avast, still no hope
 
 
Thanks before


#8 quietman7


Posted 21 February 2017 - 07:42 PM

I am not aware of any new information for this infection.

#9 ricoleon


Posted 21 February 2017 - 07:57 PM

oh my god :(



#10 quietman7


Posted 21 February 2017 - 08:15 PM

In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#11 ricoleon


Posted 21 February 2017 - 08:31 PM

ok thanks for the info



#12 quietman7


Posted 21 February 2017 - 08:35 PM

You're welcome.

#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:07 PM

Posted 07 March 2017 - 05:32 PM

I derived most of my information on Cryakl from Checkpoint's analysis. It is mostly prevalent with Russian victims.

 

http://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/

 

The Kaspersky decrypter can only handle certain variants of it; that is why ID Ransomware will display decryption as "Possible".


Edited by Demonslay335, 07 March 2017 - 05:32 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#14 Xtance

Xtance

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 22 March 2017 - 08:52 PM

Ok, my server got infected with this ransomware too!!  It is a new breed!!

 

I believe it is caused by a backdoor trojan and malware.

 

 

The Infection:

email-drakosha_new@aol.com.ver-CL 1.3.1.0.id-@@@@@E62C-0FC6.randomname-KLMNOOPQRRSTUUVWWXYZZAABCDEEFF.GHI

 

According to ID Ransomware: Cryakl

 

 

PLEASE, can anybody fix it?  I have tried all the decryptors from Kaspersky and it doesn't work! Keeps asking for the original files.....T_T
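
Added example, not part of any post in this thread and not code from any of the tools mentioned: a read-only inventory script that recognises the file-name pattern seen in the three names posted above (posts #1, #7 and #14) and records size and SHA-256 for each match, so the encrypted files that post #10 advises keeping can be preserved and later verified. The regular expression and its field names are assumptions inferred from those three names only.

```python
import hashlib
import re
from pathlib import Path

# Pattern inferred only from the three file names posted in this thread;
# other variants may differ. Group names are this example's own labels.
NAME_RE = re.compile(
    r"^email-(?P<contact>[^@\s]+@[A-Za-z0-9.-]+?)"   # address embedded in the name
    r"\.ver-(?P<version>CL [\d.]+?)"                 # e.g. "CL 1.3.1.0"
    r"(?:\.(?P<extra>[a-z]+))?"                      # ".vis" appears in one name only
    r"\.id-(?P<id_value>[^.]*@@@@@[0-9A-F]{4}-[0-9A-F]{4})"
    r"\.randomname-(?P<random>[A-Z]+)"
    r"\.(?P<ext>[A-Za-z.]+)$"
)

def parse_name(name):
    """Return the fields of a matching file name as a dict, or None."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Walk root read-only and return one row per file whose name matches."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        fields = parse_name(path.name) if path.is_file() else None
        if fields:
            fields.update(path=str(path), size=path.stat().st_size,
                          sha256=sha256_file(path))
            rows.append(fields)
    return rows

if __name__ == "__main__":
    import csv
    import sys
    rows = build_manifest(sys.argv[1] if len(sys.argv) > 1 else ".")
    cols = ["path", "size", "sha256", "contact", "version", "extra",
            "id_value", "random", "ext"]
    out = csv.DictWriter(sys.stdout, fieldnames=cols)
    out.writeheader()
    out.writerows(rows)
```

Run it against a mounted copy of the drive image rather than the live server, and store the CSV it prints alongside the image.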



#15 thyrex

thyrex

  • Members
  • 471 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belarus
  • Local time:06:07 AM

Posted 23 March 2017 - 12:02 PM

No way to decrypt the latest versions of Cryakl

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016




