
CryptConsole (unCrypte@outlook.com_) Support Topic - How decrypt files.hta


46 replies to this topic

#1 Fedor

Fedor

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 26 January 2017 - 05:31 AM

I will be releasing an updated decrypter for CryptConsole2 soon.

 

Victims who are affected by CryptConsole2 (has email "something_ne@india.com", unsure of other emails), please contact Demonslay335 for help. He will be able to help decrypt your files.

 

 

 

There is a decrypter for this ransomware, which calls itself "CryptConsole". It does not encrypt the file contents but does encrypt the filenames.
 
 
https://download.bleepingcomputer.com/demonslay335/CryptConsoleDecrypter.zip
 
Password is false-positive.
 
Note: If the decrypter cannot rename your files, we will need a sample of the malware and/or the ransom note in order to add support for it. The malware is usually called "sv.exe". Please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168 (leave an email address, otherwise we cannot contact you to help).
 
 
 
I am referencing: SHA1: a393aa0f8ba8709107f0726909b0a4babf956b4f
 
The encrypted files look like this. Example: unCrypte@outlook.com_91CFABE91D02B572FFD6EBFABCFC123D86DBCEAB5B33902D229477A5020C40A188EE08194D0301838C914FD6CF94DD48
 
Ransom note: How decrypt files.hta
 
 
Your files are encrypted!

Your personal ID
764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35



Discovered a serious vulnerability in your network security.

No data was stolen and no one will be able to do it while they are encrypted.
For you we have automatic decryptor and instructions for remediation.
How to get the automatic decryptor:
1) Pay 0,25 BTC

 
Buy BTC on one of these sites:

bitcoin adress for pay:

1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm
Send 0,25 BTC

 

2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document).


3) You will receive automatic decryptor and all files will be restored


* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc...


Attention!

  • No Payment = No decryption
  • You really get the decryptor after payment
  • Do not attempt to remove the program or run the anti-virus tools
  • Attempts to self-decrypting files will result in the loss of your data
  • Decoders other users are not compatible with your data, because each user's unique encryption key 

Please help identify and cure it.


Edited by xXToffeeXx, 04 March 2017 - 10:37 AM.



#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:36 AM

Posted 26 January 2017 - 02:26 PM

Please upload some files here. I believe that they may not be encrypted at all (just the file name is), and we are looking into this, so please don't pay the criminals yet.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:36 AM

Posted 26 January 2017 - 05:28 PM

I have created a decrypter for this ransomware, which calls itself "CryptConsole". It does not encrypt the file contents, but does encrypt the filenames.

 


 

https://download.bleepingcomputer.com/demonslay335/CryptConsoleDecrypter.zip

 

Password is false-positive.

 

Note: If the decrypter cannot rename your files, I will need a sample of the malware and/or the ransom note in order to add support for it. The malware is usually called "sv.exe".


Edited by Demonslay335, 30 January 2017 - 11:51 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Fedor

Fedor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 27 January 2017 - 12:01 AM

As it turned out, the malware does not encrypt the files. Pictures are opening, and documents in .doc and .docx format too. The problem was with the Excel documents: it cannot recognize which are .xls and which are .xlsx.
But in any case, renaming thousands of documents would not be possible. The "CryptConsole" decrypter did it in a few minutes. All files are restored. Thank you so much for your help in solving this problem.
P.S. Even Emsisoft could not find a suitable decrypter.
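
Because this ransomware renames files without encrypting their contents, as the posts above report, the original type of a renamed file (including .xls versus .xlsx) can still be read from its leading bytes. The following Python sketch is an added example, not part of any post and not the decrypter's code; the function names, the magic-byte table and the sample files are constructed for illustration.

```python
import io
import re
import zipfile

# Name pattern reported in this thread: <contact e-mail>_<uppercase hex string>
RENAMED = re.compile(r"^(?P<email>[^@\s]+@[^_\s]+)_(?P<hex>(?:[0-9A-F]{2})+)$")
# Leading bytes of common formats (general file-format facts, not from the thread)
MAGIC = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2 (legacy .doc/.xls/.ppt)"),
]

def parse_name(name):
    """Return (email, byte length of the hex part) for a renamed file, else None."""
    m = RENAMED.match(name)
    return (m.group("email"), len(m.group("hex")) // 2) if m else None

def sniff_type(data):
    """Guess the original type from content, which the ransomware left untouched."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if data.startswith(b"PK\x03\x04"):  # ZIP container: look inside for OOXML parts
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip (unreadable)"
        if "xl/workbook.xml" in names:
            return "xlsx"
        if "word/document.xml" in names:
            return "docx"
        return "zip"
    return "unknown"

def triage(files):  # files maps name -> content bytes; one row per renamed file
    return [(*parse_name(n), sniff_type(d)) for n, d in files.items() if parse_name(n)]

def _zip_with(member):  # constructed sample: a minimal ZIP holding one member
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, "<x/>")
    return buf.getvalue()

SAMPLE = {  # constructed input: names and contents are made up for this example
    "unCrypte@outlook.com_" + "AB" * 32: _zip_with("xl/workbook.xml"),
    "decipher_ne@india.com_" + "CD" * 16: b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(8),
    "notes.txt": b"plain file that was not renamed",
}
```

Calling `triage(SAMPLE)` returns one row per renamed file with the contact e-mail, the decoded length of the hex part, and the sniffed type; files that do not match the naming pattern are ignored.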


#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:36 AM

Posted 27 January 2017 - 04:55 AM

As it turned out, the malware does not encrypt the files. Pictures are opening, and documents in .doc and .docx format too. The problem was with the Excel documents: it cannot recognize which are .xls and which are .xlsx.
But in any case, renaming thousands of documents would not be possible. The "CryptConsole" decrypter did it in a few minutes. All files are restored. Thank you so much for your help in solving this problem.
P.S. Even Emsisoft could not find a suitable decrypter.

Glad we could help :)

 

Turned out it was a new ransomware, so a decrypter had to be made especially for it. Emsisoft are usually involved with ransomware, but sometimes just behind the scenes :wink:
 
xXToffeeXx~


Edited by xXToffeeXx, 27 January 2017 - 04:55 AM.



#6 Fedor

Fedor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 27 January 2017 - 05:01 AM

Yes, I was just lucky! Newbies caught! :)



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,915 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:36 AM

Posted 27 January 2017 - 07:02 AM

...P.S. Even Emsisoft could not find a suitable decrypter.

We all work together and share information in forums like this and via social media like Twitter, Facebook.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 Amigo-A

Amigo-A

  • Members
  • 220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:36 PM

Posted 27 January 2017 - 12:27 PM

We all work together and share information in forums like this and via social media like Twitter, Facebook. 

 

 

Gold words! 



Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#9 thyrex

thyrex

  • Members
  • 471 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belarus
  • Local time:01:36 PM

Posted 27 January 2017 - 03:19 PM

https://www.sendspace.com/file/9b2onw

 

I have got 

Starting decryption...
[-] File: D:\Documents\CryptConsoleDecrypter\unCrypte@outlook.com_23A45BA59F5D8821B9D6893FA000ED17FAB54AE113EA6AA53935F4B9A173D0B4 skipped
 
Successfully decrypted 0 files!
Skipped 1 files

 

 


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:36 AM

Posted 27 January 2017 - 03:21 PM

 

https://www.sendspace.com/file/9b2onw

 

I have got 

Starting decryption...
[-] File: D:\Documents\CryptConsoleDecrypter\unCrypte@outlook.com_23A45BA59F5D8821B9D6893FA000ED17FAB54AE113EA6AA53935F4B9A173D0B4 skipped
 
Successfully decrypted 0 files!
Skipped 1 files

 

 

 

 

I'm doing a retrohunt for more samples.

 

Do you have the ransom note for that infection?




#11 thyrex

thyrex

  • Members
  • 471 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belarus
  • Local time:01:36 PM

Posted 27 January 2017 - 04:38 PM

User could continue only tomorrow




#12 steveg82

steveg82

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 30 January 2017 - 06:25 AM

Hi, we received a new release of this ransom, it renames all the files with this standard:

 

decipher_ne@india.com_<ID>

 

The decrypter doesn't work on these files

 

Let me know if you need some files to test!



#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:36 AM

Posted 30 January 2017 - 10:41 AM

Hi, we received a new release of this ransom, it renames all the files with this standard:

 

decipher_ne@india.com_<ID>

 

The decrypter doesn't work on these files

 

Let me know if you need some files to test!

 

Do you have your ransom note? If you have a sample of the malware as well, that would be very helpful. Please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168 (leave an email address, otherwise we cannot contact you to help).


Edited by xXToffeeXx, 31 January 2017 - 07:34 AM.



#14 vicu

vicu

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:36 PM

Posted 31 January 2017 - 02:14 AM

There are two files - ciphered and the original. There is no requirement about repayment.
I apply samples.
Please, help to decipher.

 

original name - !!!_ЧИТАТЬ_ПЕРЕД_ЗАПУСКОМ_!!!.txt

 

ciphered - unCrypte@outlook.com_A41725E2EC13FB847C846B93A6AD87B25ABF36EE0B8D3CAD6731B70E43586F5C7EA3341E98B133F149DC469BC33BDE2AA92CEF2F002E3CC3D5391C4DFD13280E

 

Please, help to decipher.



#15 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:36 AM

Posted 31 January 2017 - 06:19 AM

There are two files - ciphered and the original. There is no requirement about repayment.
I apply samples.
Please, help to decipher.

 

original name - !!!_ЧИТАТЬ_ПЕРЕД_ЗАПУСКОМ_!!!.txt

 

ciphered - unCrypte@outlook.com_A41725E2EC13FB847C846B93A6AD87B25ABF36EE0B8D3CAD6731B70E43586F5C7EA3341E98B133F149DC469BC33BDE2AA92CEF2F002E3CC3D5391C4DFD13280E

 

Please, help to decipher.

Do you have your ransom note? If you have a sample of the malware as well, that would be very helpful. Please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168 (leave an email address, otherwise we cannot contact you to help)

 

xXToffeeXx~


Edited by xXToffeeXx, 31 January 2017 - 07:34 AM.
