AES-NI Ransomware (.aes256, .aes_ni, !!Read This_Important!!.txt) Support Topic


227 replies to this topic

#211 cybercynic

Posted 19 June 2017 - 12:37 PM

You can try a PM to AES_NI with the ID. Tell him you couldn't find the local key anywhere on your computer.


We are drowning in information - and starving for wisdom.



#212 AES__NI

Posted 19 June 2017 - 12:43 PM

Can anyone help with this?  My ID is:

SRSBSVR#20A7A6F6E0E093206F1C52D3454C3A14

 

Server is in original state but I can not find key in ProgramData or any other folders.

download last LEAKS  archive

unzip

find your key

read HOW TO

start decode

Untitled.png


Edited by AES__NI, 19 June 2017 - 12:48 PM.


#213 ejm41

Posted 19 June 2017 - 01:06 PM

Where can I download the newest leaks.zip?  I got the one from post #153 in this thread but it doesn't contain that key.


Edited by ejm41, 19 June 2017 - 01:06 PM.


#214 AES__NI

Posted 19 June 2017 - 01:10 PM

Where can I download the newest leaks.zip?  I got the one from post #153 in this thread but it doesn't contain that key.

 

Post #183, what is it???

 

Posted 11 June 2017 - 10:08 AM

keys        :    https://www.sendspace.com/file/8co1k2

pass        :    dT3FfWkaOKaWGLk

MD5        :    269802A70BEC0D74DA42D74DB7EEDE6F
SHA-256 :    72CD9E37779910B9CCDA99489455FAF0A44EDA823DE1AF2376F5589DE8194E15



#215 cybercynic

Posted 19 June 2017 - 01:18 PM

Post #187 is the latest.




#216 AES__NI

Posted 19 June 2017 - 01:23 PM

People, I released the master key (to decrypt offline keys) and all online keys from Feb.

First see my posts with leaks; if you cannot find your key or are really having a problem, write to me by PM.


Edited by AES__NI, 19 June 2017 - 01:26 PM.


#217 cybercynic

Posted 19 June 2017 - 01:56 PM

Keys have been released: see posts 153, 167, 187. Check those before sending a PM to AES_NI.




#218 al1963

Posted 20 June 2017 - 09:18 PM

Interesting,
Judging by Symantec's message, SOREBRECT uses AES_NI as the encoder?

https://www.symantec.com/security_response/writeup.jsp?docid=2017-061913-4515-99&tabid=2

 

 

----------

Or TrendMicro & Symantec - later ignition, and they called SOREBRECT, what is already known as AES_NI?


Edited by al1963, 20 June 2017 - 09:35 PM.


#219 neco423

Posted 20 June 2017 - 10:09 PM

Hi friends,

 

My name is Neco. I found this page while searching the internet for a solution or any help. Recently I was attacked by a hacker who exploited the RDP protocol to enter my servers. I'm desperate because all my files are inaccessible. The ransomware added the extension decrypr_helper@freemail_hu to all my files and put an HTML file with the title !!! READ THIS - IMPORTANT !!!.hta.

 

 

The hash is

WKS-BYRON#4E6231DEBB047A7991A01B54A9762955

These are the example files: an encrypted file, an unencrypted file, and the hta file.

 

https://ufile.io/bo7yx

 

 

Thanks for any information or help,

 

 

Blessings,

 

NECO



#220 al1963

Posted 20 June 2017 - 10:13 PM

 


These are the example files: an encrypted file, an unencrypted file, and the hta file.

 

https://ufile.io/bo7yx

 

 

Sorry it's gone...

This file has expired and been automatically deleted.



#221 al1963

Posted 20 June 2017 - 10:19 PM

@neco423,

 

Perhaps the ESET utility will help you decrypt your files.

https://download.eset.com/com/eset/tools/decryptors/aesni/latest/esetaesnidecryptor.exe

[2017.06.01 08:27:46.641] - INFO: Supported AES-NI file extensions: .aes256, .aes_ni_0day, .aes_ni, .decrypr_helper@freemail_hu, .~xdata~



#222 neco423

Posted 21 June 2017 - 12:21 AM

Thaaaaaaaaaaaaanks to everyone and special thanks to AES_NI!!!!!

 

The latest tool that AES_NI has posted works for meeeeeeee!!!!! One of the keys was my key file and my files started to be decrypted.

 

AES_NI thank you so much, please write me a pm to give you a special thanks.

 

 

 

@neco423,

 

Perhaps the ESET utility will help you decrypt your files.

https://download.eset.com/com/eset/tools/decryptors/aesni/latest/esetaesnidecryptor.exe

[2017.06.01 08:27:46.641] - INFO: Supported AES-NI file extensions: .aes256, .aes_ni_0day, .aes_ni, .decrypr_helper@freemail_hu, .~xdata~



#223 AES__NI

Posted 21 June 2017 - 05:30 AM

Interesting,
Judging by Symantec's message, SOREBRECT uses AES_NI as the encoder?

https://www.symantec.com/security_response/writeup.jsp?docid=2017-061913-4515-99&tabid=2

 

 

----------

Or TrendMicro & Symantec - later ignition, and they called SOREBRECT, what is already known as AES_NI?

 

Ransom.Sorebrect Discovered: June 19, 2017 Updated: June 20, 2017 8:42:54 AM  

 

It's AES-NI April Edition. It worked 1 week, and already has a decrypt. Symantec is really stupid.

https://twitter.com/hashtag/Sorebrect?src=hash


Edited by AES__NI, 21 June 2017 - 05:50 AM.


#224 AES__NI

Posted 21 June 2017 - 05:41 AM

https://www.virustotal.com/it/file/4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76/analysis/

You will see 2-3 normal companies who really work.

:smash:  :smash:  :smash:  :smash:  :smash:


Edited by AES__NI, 21 June 2017 - 05:49 AM.


#225 BloodDolly (Security Colleague)

Posted 21 June 2017 - 06:01 AM

 

Thaaaaaaaaaaaaanks to everyone and special thanks to AES_NI!!!!!

 

The latest tool that AES_NI has posted works for meeeeeeee!!!!! One of the keys was my key file and my files started to be decrypted.

 

AES_NI thank you so much, please write me a pm to give you a special thanks.

 

 

 

 

 

 

Just keep in mind that you are thanking a cyber terrorist. Without him and his comrades your data would not be encrypted at all in the first place.

I really do not understand this strong occurrence of Stockholm syndrome among ransomware's victims.


Edited by BloodDolly, 21 June 2017 - 06:09 AM.




