
Serpent Ransomware Help & Support Topic (.Serpent & HOW_TO_DECRYPT_YOUR_FILES_)


8 replies to this topic

#1 Grinler

Lawrence Abrams, Admin

Posted 09 February 2017 - 03:42 PM

A new ransomware was discovered by ProofPoint called Serpent Ransomware that appends the .serpent extension to encrypted files. This ransomware will also drop ransom notes called HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html and HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt throughout a victim's computer.

This topic can be used to discuss this ransomware and receive support on it.


#2 Anoniem

Members

Posted 22 February 2017 - 11:00 AM

My mother has this problem. She opened a spam mail, then it asked to restart the computer, and now everything is encrypted with the extension .serpent.

Is there a tool to decrypt the files? Or will there be a tool created and do we need to wait for it?

How can we delete the virus?

Will deleting the virus cause damage to the files?

 

If you need more information, please ask it.



#3 quietman7

Bleepin' Janitor, Global Moderator

Posted 22 February 2017 - 05:20 PM

Sorry to hear about this infection your Mom is dealing with.

 

I am not aware of a decryption tool for this infection. If one were available, Grinler would have mentioned that in the write-up above. We have no way of knowing when or if a decryption tool ever will be created. When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

 

In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

 

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus. Disinfection will not help with decryption of any files affected by the ransomware.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.
 


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
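
An added example (not part of the original posts and not a BleepingComputer tool): a read-only inventory of the Serpent artifacts named in this topic, so the encrypted files and ransom notes can be preserved with hashes as advised above. The function names and the character set assumed for the three random characters in the note name are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the first post: the .serpent extension and the
# HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html/.txt ransom notes.
# Assumption: the three random characters are letters or digits.
NOTE_RE = re.compile(r"^HOW_TO_DECRYPT_YOUR_FILES_[A-Za-z0-9]{3}\.(html|txt)$", re.I)

def classify(filename):
    """Return 'ransom_note', 'encrypted', or None for a bare file name."""
    if NOTE_RE.match(filename):
        return "ransom_note"
    if filename.lower().endswith(".serpent"):
        return "encrypted"
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large encrypted files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Walk root without modifying it; list each artifact with size and hash."""
    manifest = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(folder, name)
            try:
                entry = {"path": path, "kind": kind,
                         "size": os.path.getsize(path), "sha256": sha256_file(path)}
            except OSError as exc:  # locked or unreadable file: record it, keep going
                entry = {"path": path, "kind": kind, "error": str(exc)}
            manifest.append(entry)
    return manifest

def demo():
    """Constructed sample tree (not real victim data) to exercise the scan."""
    names = ("report.docx.serpent", "HOW_TO_DECRYPT_YOUR_FILES_a1B.html", "notes.txt")
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(b"constructed sample")
        return [(os.path.basename(e["path"]), e["kind"]) for e in build_manifest(root)]
```

Run `build_manifest` against a mounted copy or image of the affected drive rather than the live system, and store the resulting list alongside the backup.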

#4 Anoniem

Members

Posted 23 February 2017 - 06:18 AM

Thank you for the information.

 

I read somewhere that if you have a copy of a file before the infection you can unravel the secret code to decrypt all your files. Is this true?



#5 quietman7

Bleepin' Janitor, Global Moderator

Posted 23 February 2017 - 07:49 AM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto malware ransomware use some form of encryption algorithms, most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

#6 marcpoppe

Members

Posted 11 April 2017 - 10:31 AM

I am also infected by this virus.

Is it possible to decrypt for free?



#7 quietman7

Bleepin' Janitor, Global Moderator

Posted 11 April 2017 - 12:48 PM

Unfortunately, there is no known way (free solution) to decrypt files encrypted by Serpent that I am aware of without paying the ransom.

#8 marcpoppe

Members

Posted 12 April 2017 - 02:21 AM

Hi quietman7,

Thanks. I have decided to pay 0.5 bitcoin ransom to get the decrypting password.

Got my files back now.



#9 quietman7

Bleepin' Janitor, Global Moderator

Posted 12 April 2017 - 05:24 AM

Glad to hear you were successful.



