AES-NI Ransomware (.aes256, .aes_ni, !!Read This_Important!!.txt) Support Topic



#31 quietman7 (Bleepin' Janitor, Global Moderator, 48,768 posts, Virginia, USA)

Posted 21 December 2016 - 04:32 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is that someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all.

There is never a guarantee that the decryptor provided by the cyber-criminals will work as they claim, and using a faulty or incorrect decryptor may damage or corrupt the files. Keep all this in mind if you are considering paying the ransom, since there is no guarantee decryption will be successful.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#32 Retsiem (Members, 17 posts)

Posted 22 December 2016 - 07:04 PM

They are able to decrypt the data. We paid and received a tool that unlocked our files. They are being scanned now for any oddities. If I can do any more to help with this topic, please let me know. I would love it if no one else had to pay to get their data back. :angry: I feel dirty now.



#33 CrazyGio (Members, 9 posts)

Posted 22 December 2016 - 08:35 PM

It might come to that for us. What Bitcoin merchant did you use? It is such a pain to get Bitcoin, and most sites want a social security number and driver's license ID. We don't want to have to provide that.

#34 CrazyGio (Members, 9 posts)

Posted 23 December 2016 - 06:32 PM

I have received the decryption tool from them. It appears to have worked. Need to test integrity of data, but the decryption tool appears to be legit.

#35 mod123 (Members, 2 posts)

Posted 29 December 2016 - 11:05 AM

Can you send me the tool so I can see what it is and whether it can be altered?

#36 CrazyGio (Members, 9 posts)

Posted 29 December 2016 - 11:32 AM

Well, the way it works, they included a key along with the tool to import so that it can decrypt. My guess is that the key is specific to everyone's encryption situation. I would contact them and see.



#37 mod123 (Members, 2 posts)

Posted 29 December 2016 - 12:01 PM

We've just been told the same thing by the email address in the text. Out of interest, what were you charged (USD)?

#38 CrazyGio (Members, 9 posts)

Posted 29 December 2016 - 12:05 PM

They are watching this thread, FYI.



#39 quietman7 (Bleepin' Janitor, Global Moderator, 48,768 posts, Virginia, USA)

Posted 29 December 2016 - 01:27 PM

> They are watching this thread, FYI.

It wouldn't be the first time...sometimes they even reply.

#40 cryptoinfo (Members, 1 post)

Posted 02 January 2017 - 03:31 PM

Also, someone else has now been hit with this. Where can one get hold of the required Bitcoins easily? It seems the limits on most sites don't allow this to happen.



#41 CrazyGio (Members, 9 posts)

Posted 02 January 2017 - 05:07 PM

I used Paxful, and found that you can deposit cash into a Bitcoin merchants account. They then release the Bitcoin funds into your Paxful account to send to the recipient.

#42 MaciejH (Members, 7 posts)

Posted 23 January 2017 - 11:57 AM

We too have been attacked by this ransomware. Unfortunately, 3 machines were encrypted. Can someone tell me more about decrypting the data? Did you get a decryption key that was dependent on the machine ID that was encrypted? Did you get a couple of keys?



#43 quietman7 (Bleepin' Janitor, Global Moderator, 48,768 posts, Virginia, USA)

Posted 26 January 2017 - 06:03 AM

Unfortunately, I am not aware of a decryption solution for victims of AES256 Ransomware.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

#44 AES-NI (Banned, 40 posts)

Posted 27 January 2017 - 06:28 PM

> Unfortunately, I am not aware of a decryption solution for victims of AES256 Ransomware.
>
> Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Yes, it's true, but the software uses RSA-2048-bit keys; without the private key file, the files cannot be restored.

It generates a private and public RSA key pair and, for every file, a unique AES 256-bit key (ECB mode); after encryption it inserts into the file an RSA signature with the AES key...

The private RSA key is not stored in memory or on the HDD.


Edited by AES-NI, 27 January 2017 - 06:43 PM.
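The hybrid scheme AES-NI describes above (one RSA-2048 key pair, a fresh AES-256 key per file in ECB mode, the wrapped AES key stored in the file, the RSA private key never present on the victim's machine) is modelled below as an added Go example. It is not code from this thread and not the ransomware's own code. The file layout (ciphertext body followed by a 256-byte RSA-OAEP blob), PKCS#7 padding and OAEP as the wrapping primitive are assumptions made here for illustration; the post gives no format details. The example also checks the ECB caveat a practitioner would raise: identical plaintext blocks encrypt to identical ciphertext blocks, so the body leaks structure even though the key itself is unrecoverable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assumed file layout for this toy (not the real AES-NI format):
// [AES-256-ECB body, PKCS#7 padded][RSA-2048 OAEP blob holding the AES key].
const rsaBits, wrappedLen = 2048, 2048 / 8

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs // always 1..bs bytes, so the padding is always removable
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of the block size", len(b))
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid padding")
	}
	return b[:len(b)-n], nil
}

// ecb applies the block cipher to each block on its own: no IV, no chaining (Go has no built-in ECB).
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	bs, out := block.BlockSize(), make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out
}

// EncryptFile is the attacker side: random per-file AES-256 key, ECB body, RSA-wrapped key appended.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(ecb(block, pkcs7Pad(plaintext, aes.BlockSize), false), wrapped...), nil
}

// DecryptFile is the victim side: it works only with the matching RSA private key.
func DecryptFile(priv *rsa.PrivateKey, enc []byte) ([]byte, error) {
	if len(enc) < wrappedLen+aes.BlockSize || (len(enc)-wrappedLen)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed file: %d bytes", len(enc))
	}
	body, wrapped := enc[:len(enc)-wrappedLen], enc[len(enc)-wrappedLen:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong or missing private key: the per-file AES key stays sealed
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(ecb(block, body, true), aes.BlockSize)
}

// EcbBlockRepeats reports whether two ciphertext blocks in the body are identical.
// Under ECB that happens exactly when two plaintext blocks are: the structure leak.
func EcbBlockRepeats(enc []byte) bool {
	body := enc[:len(enc)-wrappedLen]
	seen := make(map[[aes.BlockSize]byte]bool)
	for i := 0; i+aes.BlockSize <= len(body); i += aes.BlockSize {
		var blk [aes.BlockSize]byte
		copy(blk[:], body[i:i+aes.BlockSize])
		if seen[blk] {
			return true
		}
		seen[blk] = true
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)
	plaintext := bytes.Repeat([]byte("0123456789abcdef"), 4) // constructed: repeated blocks
	enc, _ := EncryptFile(&priv.PublicKey, plaintext)
	dec, _ := DecryptFile(priv, enc)
	fmt.Println("round trip ok:", bytes.Equal(dec, plaintext), "| ECB leaks repeats:", EcbBlockRepeats(enc))
}
```

Run with `go run`. The point the post makes follows directly from the structure: everything on the victim's disk is the ECB body plus a blob that only the RSA private key can open, so DecryptFile fails at the unwrap step for any other key, and recovery has to come from backups or shadow copies rather than from attacking AES-256 or RSA-2048. The ECB check is the one weakness visible in the description itself: it does not recover data, but it means the encrypted files still reveal which blocks of the original were equal.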


#45 AES-NI (Banned, 40 posts)

Posted 27 January 2017 - 06:44 PM

Bad news to everyone who was encrypted with this ransomware.

Malware researchers really do not want you to receive your keys and decrypt your files.
That's why they sent abuse reports and blocked our e-mail addresses, so clients are not able to write to us and we are not able to send decryption keys.
Anyway, the BitMessage address is still available: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN

Also, I ask everyone who cannot contact us or is waiting for an answer to PM me on this forum and discuss alternative methods of communication.




