
CryptON Ransomware Support & Help Topic (<id-number>_x3m, _locked, _r9oj)


414 replies to this topic

#31 gmaniakbg

  • Members
  • 9 posts

Posted 25 February 2017 - 04:00 PM

Went after file servers - Administrative credentials were used. Uploaded to bleeping computer and virus total a while back.

 

https://www.virustotal.com/en/file/adab7527fb7d86fd311b5abdbe00ec4268d188b69b01cded89712fd9f5f907de/analysis/1488054837/




#32 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,209 posts
  • Gender:Male
  • Location:USA

Posted 25 February 2017 - 08:14 PM

> Went after file servers - Administrative credentials were used. Uploaded to bleeping computer and virus total a while back.
>
> https://www.virustotal.com/en/file/adab7527fb7d86fd311b5abdbe00ec4268d188b69b01cded89712fd9f5f907de/analysis/1488054837/

 

Thanks for the submission. What you submitted is CryptON, so it seems it must be related to this one that we dubbed X3M. What extension did it add to your files? The sample did not encrypt anything on our sandboxes, but I can tell from the strings it is CryptON.

 

https://twitter.com/JakubKroustek/status/829353444632825856


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#33 gmaniakbg

  • Members
  • 9 posts

Posted 26 February 2017 - 05:05 AM

Hello,

 

I have uploaded a file to bleeping containing an encrypted file and the original "processmonitor" archive, ransomware note and a process trace of the execution of the file. It seems to contact host.ru; I will get a pcap shortly.


Edited by gmaniakbg, 26 February 2017 - 11:49 AM.


#34 NemesisRansomware

  • Members
  • 10 posts

Posted 26 February 2017 - 07:11 PM

> Went after file servers - Administrative credentials were used. Uploaded to bleeping computer and virus total a while back.
>
> https://www.virustotal.com/en/file/adab7527fb7d86fd311b5abdbe00ec4268d188b69b01cded89712fd9f5f907de/analysis/1488054837/

> memurl:"Pattern match: http://izoblock.ru/wp-includes/js/jquery/ui/main/g5nx9.php"
404 .i. =)
 


> Hello,
>
> I have uploaded a file to bleeping containing an encrypted file and the original "processmonitor" archive, ransomware note and a process trace of the execution of the file. It seems to contact host.ru; I will get a pcap shortly.

In decoding the files, it will not help you.

 

// Thank you for your help in the development of our product. :thumbup2:


Edited by NemesisRansomware, 26 February 2017 - 07:14 PM.


#35 Guest_AES-NI_*

  • Guests

Posted 28 February 2017 - 07:13 AM

nemesis dev - it's script kiddie.

school boy not know what is TOR, use white hosting.  :busy:  :busy:  :busy:  :busy:  :bowdown:  :bowdown:  :bowdown:  :bowdown:  :bowdown:



#36 Babana

  • Members
  • 4 posts

Posted 28 February 2017 - 02:13 PM

Same problem here. Got everything encrypted on the server. File extensions .r9oj

 

I really need to decrypt my files



#37 NemesisRansomware

  • Members
  • 10 posts

Posted 28 February 2017 - 02:26 PM

> Same problem here. Got everything encrypted on the server. File extensions .r9oj
>
> I really need to decrypt my files

 

 r9oj - this is my extension. Please your personal ID.


Edited by NemesisRansomware, 28 February 2017 - 03:08 PM.


#38 Babana

  • Members
  • 4 posts

Posted 28 February 2017 - 03:37 PM

 

> > Same problem here. Got everything encrypted on the server. File extensions .r9oj
> >
> > I really need to decrypt my files
>
> r9oj - this is my extension. Please your personal ID.

 

 

Hah, you can not even imagine what I prepared for you :))))) :* :* . I think you forget to well secure yourself when you were accessing my server via RDP.

Btw, we are already developing a decryptor for your childish encryption...

 

P.S. I prepared everything for you, so you will pay much more than you are asking for decryption. Are you really so stupid to believe someone will pay you for it?

I will pay triple to catch you ;).

 

Arrivederci bleep...



#39 NemesisRansomware

  • Members
  • 10 posts

Posted 28 February 2017 - 04:12 PM

Flag in hand, drum around his neck. :lmao:

Anyway, in the end you'll pay me.


Edited by NemesisRansomware, 28 February 2017 - 04:14 PM.


#40 Babana

  • Members
  • 4 posts

Posted 28 February 2017 - 04:16 PM

> Flag in hand, drum around his neck. :lmao:
>
> Anyway, in the end you'll pay me.

 

jjSia8V.gif

 

:devil:  :devil:  :devil:



#41 Guest_AES-NI_*

  • Guests

Posted 28 February 2017 - 04:46 PM

like - if u love trolling Russians school boy programmers))))



#42 Guest_AES-NI_*

  • Guests

Posted 01 March 2017 - 04:44 AM

https://twitter.com/PolarToffee/status/836691431460851719

 

:hysterical:  :hysterical:  :hysterical:  :hysterical:  :hysterical:



#43 Rastien

  • Members
  • 5 posts

Posted 06 March 2017 - 07:39 AM

Just a heads up we've managed to de-crypt our files using the method suggested on this page :)

 

https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/


Edited by Rastien, 06 March 2017 - 07:40 AM.


#44 victimone

  • Members
  • 5 posts

Posted 07 March 2017 - 03:25 AM

> Just a heads up we've managed to de-crypt our files using the method suggested on this page :)
>
> https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/

Are you sure that it is about x3m ransomware? 



#45 JPKirk

  • Members
  • 7 posts

Posted 07 March 2017 - 03:48 PM

A client of mine recently got hit with this.  The "ID Ransomware" website identified it as "Crypton".  The html file reads:

 

"Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «Nemesis decryptor»

To obtain decryptor, please contact me by email: nemesis-decryptor@india.com

**************************************** OR **************************************** Write me in online service: https://bitmsg.me
Address: BM-2cVcW2PHuo8HsWtmoY3oFPcU76bqJdDhBJ

Your personal identification ID: id-2683376296"
 
If this post is missing any information, please let me know.
 
Thank you for your time!

 





