
CryptON Ransomware Support & Help Topic (<id-number>_x3m, _locked, _r9oj)


297 replies to this topic

#286 route66por

  • Members
  • 4 posts

Posted 19 June 2017 - 01:49 AM

I've got a reply today from Kaspersky Lab Technical Support. I have the .830s7 extension on all my files.

 

"The files have been encrypted by Trojan-Ransom.Win32.Cryptoff.
Unfortunately, currently we cannot decrypt files encrypted by this malware variant. If we manage to decrypt them in the future, we will notify you."

 

 





#287 bboyblank

  • Members
  • 7 posts

Posted 19 June 2017 - 03:10 AM

Has anyone used HiddenTear bruteforcer with success?



#288 alessandrosam

  • Members
  • 5 posts

Posted 19 June 2017 - 08:09 AM

I still keep hoping someone will post some correction, but the only alternative will be to make the payment, 4BTC




#289 robinnnn

  • Members
  • 10 posts

Posted 19 June 2017 - 12:50 PM

I've got a reply today from Kaspersky Lab Technical Support. I have the .830s7 extension on all my files.

 

"The files have been encrypted by Trojan-Ransom.Win32.Cryptoff.
Unfortunately, currently we cannot decrypt files encrypted by this malware variant. If we manage to decrypt them in the future, we will notify you."

 

 

Hmmm, I submitted a file sample with an _[m.reptile@aol.com].47kv5 extension 2 days later, getting curious now about the results... hopefully they will be able to decrypt this Cryptoff variant one day... did your files have the same size?



#290 Ruben-e

  • Members
  • 10 posts

Posted 20 June 2017 - 12:36 AM

I've got a reply today from Kaspersky Lab Technical Support. I have the .830s7 extension on all my files.

 

"The files have been encrypted by Trojan-Ransom.Win32.Cryptoff.
Unfortunately, currently we cannot decrypt files encrypted by this malware variant. If we manage to decrypt them in the future, we will notify you."

 

 

I received the same email from Kaspersky on my support ticket. A week later (last week) I received the download link for the working decryptor. Just hang in there.



#291 LeandroMachado

  • Members
  • 22 posts

Posted 23 June 2017 - 02:58 PM

 

I've got a reply today from Kaspersky Lab Technical Support. I have the .830s7 extension on all my files.

 

"The files have been encrypted by Trojan-Ransom.Win32.Cryptoff.
Unfortunately, currently we cannot decrypt files encrypted by this malware variant. If we manage to decrypt them in the future, we will notify you."

 

 

I received the same email from Kaspersky on my support ticket. A week later (last week) I received the download link for the working decryptor. Just hang in there.

 

Please, share the file.



#292 Deltark7

  • Members
  • 4 posts

Posted 23 June 2017 - 03:07 PM

Hi guys, I'm helping a victim of a ransomware attack.
All his data has been encrypted. Access was gained through an open 3389/RDP port.
Password has been found by brute force.
Everything, including backups, has been encrypted.
The extension of the files is:     FILENAME.id-1234567890_[mk.stryker@aol.com].i05fp   ID has been replaced by 1234567890 for privacy reasons.

Encrypted files are 36 bits larger than the original ones!

I tried to upload the ransom note here, but was unsuccessful.

Cracking the key of this 'bastard' would be great, but first of all, I'd like to know if this ransomware is already known to other people.
Together we might achieve more, also tracking the bastards down. Because they leave interesting trails!!

 

If you're a victim or want to help, pls reply to this post.



#293 Deltark7

  • Members
  • 4 posts

Posted 23 June 2017 - 03:24 PM

I tried these decryptors so far: RakhniDecryptor, decrypt_Cry128 by Emsisoft  ==> no luck.

 

Any suggestions?



#294 flash1979

  • Members
  • 3 posts

Posted 23 June 2017 - 04:43 PM

Hi.

I also got hit from this CryptON / Cry36 variant today from RDP. The file size of original and encrypted is the same though. The files are renamed to filename.id-xxxxxxxxxxxxxx_[mk.cyrax@aol.com].b1m74 so it has extension b1m74.

ID Ransomware identifies this as 2 types, as Cry36 and Dharma (Wallet). Dharma only comes from the email that is listed on the filename, I guess.

I tried all decryptors in this long thread but none works. I hope someone comes up with a decryptor solution at some point... :/

 

I can upload original and encrypted files if someone thinks it can help.



#295 flash1979

  • Members
  • 3 posts

Posted 23 June 2017 - 05:08 PM

Hey Deltark, from your other post:

 

If you've got access to the infected PC, can you do the following:

Please check in the Windows log files the logs for the originating IP addresses used for the RDP connection.
In the logs: Computer Management / Logs Applications & Services / Microsoft / Windows / TerminalServices-RemoteConnectionManager / Operational
Here you'll find all connecting IPs.

I checked the IPs and this is what I got: first from 23.247.155.3 (Atlanta, Georgia, USA) when they started the encryption, and then later today, after encryption, from 91.200.12.77 (Ukraine).
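A PowerShell version of the log check Deltark describes, added here as an example and not something posted in the thread. It reads the same Operational log through Get-WinEvent and pulls the source address out of Event ID 1149, the entry written for each successfully authenticated incoming RDP session; the export path under C:\IR is an assumption.

```powershell
# Log the post points to. Event ID 1149 ("User authentication succeeded") is written for
# every incoming RDP session and carries user, domain and the client's source address.
$LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Preserve a copy of the log first (output path is an assumption).
$Export = 'C:\IR\TS-RCM-Operational.evtx'
New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null
wevtutil epl $LogName $Export

$connections = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1149 } -ErrorAction Stop |
    ForEach-Object {
        # The body sits under UserData/EventXML: Param1 = user, Param2 = domain, Param3 = source IP.
        $data = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $data.Param1
            Domain   = $data.Param2
            SourceIP = $data.Param3
        }
    }

# Full timeline, oldest first, so the first unfamiliar address stands out next to the
# time the files were renamed.
$connections | Sort-Object Time | Format-Table -AutoSize

# One row per source address: how often it logged in, when, and as which accounts.
$connections | Group-Object SourceIP | ForEach-Object {
    $seen = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        SourceIP  = $_.Name
        Logins    = $_.Count
        FirstSeen = $seen[0]
        LastSeen  = $seen[-1]
        Users     = (@($_.Group.User | Sort-Object -Unique)) -join ', '
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

Run it from an elevated prompt on the affected host; the Security log's 4624 events with logon type 10 record the same sessions and are worth pulling as a cross-check.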



#296 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,768 posts
  • Location:Virginia, USA

Posted 23 June 2017 - 06:09 PM

...I also got hit from this CryptON / Cry36 variant today from RDP. The file size of original and encrypted is the same though. The files are renamed to filename.id-xxxxxxxxxxxxxx_[mk.cyrax@aol.com].b1m74 so it has extension b1m74.
ID Ransomware identifies this as 2 types, as Cry36 and Dharma (Wallet). Dharma only comes from the email that is listed on the filename, I guess...

Any files that are encrypted with Cry9, Cry36 will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
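An added PowerShell inventory scan for the naming scheme quietman7 describes; it is example code, not from the thread. Because the sample extensions in this thread (830s7, 47kv5, i05fp, b1m74) include letters beyond a-f, the pattern accepts any five lower-case letters or digits; the scan root and the C:\IR output folder are assumptions.

```powershell
# Name layout quoted above: <original name>.id-<digits>_[<email>].<5 characters>.
# Sample extensions in this thread (830s7, 47kv5, i05fp, b1m74) are not all hex, so the
# last group accepts any five lower-case letters/digits.
$Root     = 'D:\'                          # assumed: affected volume or share
$OutDir   = 'C:\IR'                        # assumed: where the inventory is written
$NoteName = '### DECRYPT MY FILES ###.txt' # ransom note name given in the post
$Pattern  = '^(?<original>.+)\.id-(?<id>\d+)_\[(?<email>[^\]]+)\]\.(?<ext>[0-9a-z]{5})$'

$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $Pattern) {
            [pscustomobject]@{
                Path     = $_.FullName
                Original = $Matches['original']
                VictimId = $Matches['id']
                Email    = $Matches['email']
                Ext      = $Matches['ext']
                Bytes    = $_.Length
                Modified = $_.LastWriteTime
            }
        }
    })
$notes = @(Get-ChildItem -Path $Root -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue)

"{0} encrypted files and {1} ransom notes under {2}" -f $encrypted.Count, $notes.Count, $Root

# One campaign normally leaves a single (email, ext) pair; several pairs mean more than one run.
$encrypted | Group-Object Email, Ext |
    Select-Object @{ n = 'Email, Ext'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Write window from file timestamps, to line up against the RDP login timeline.
$when = @($encrypted.Modified | Sort-Object)
if ($when.Count -gt 0) { "first write: {0}   last write: {1}" -f $when[0], $when[-1] }

# Inventory with original names recovered, for a sample submission or for restoring from backup.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$encrypted | Export-Csv -Path (Join-Path $OutDir 'encrypted-files.csv') -NoTypeInformation
```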

#297 flash1979

  • Members
  • 3 posts

Posted 23 June 2017 - 06:15 PM

I'd say this one must be the latest variant because the file sizes of the original and encrypted files are the same, unlike Cry36 or Cry128 where the sizes were different. I uploaded both files here at the BleepingComputer website, if that will help.



#298 robinnnn

  • Members
  • 10 posts

Posted Yesterday, 01:26 AM

I'd say this one must be the latest variant because the file sizes of the original and encrypted files are the same, unlike Cry36 or Cry128 where the sizes were different. I uploaded both files here at the BleepingComputer website, if that will help.

You might try sending them to 'newvirus@kaspersky.com' so they can analyse the files; they are working on new versions of RakhniDecryptor. I have the same variant, no change in file size, only a different 5 characters at the end, but I have seen two people already who have the exact same extension and no change in file size as well.





