Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Recovery of files...


  • This topic is locked This topic is locked
6 replies to this topic

#1 walmslan

walmslan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 11 February 2017 - 12:57 PM

Hi, 

 

Hopefully someone can assist.

 

In short, my father-in-law's PC was infected, and despite attempts last year, he was unable to recover the files - i'd specifically told him not to pay the ransom, and as such the PC was wiped, but not before we copied his data from it. I have these files, and that's all.

 

They dont seem to have the extensions changes, (as reported by various sites i have looked at),  but clearly when you open one of the files, its encrypted by the looks of things. There are lots of README files in various formats including BMP, HTML and TXT. They all say the following:

 

------------------

NOT YOUR LANGUAGE? USE https://translate.google.com
 
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
 
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
 
 
Your personal ID: 9E87300A:489A53D7:1A854ABC:E390B9E2     
 
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
 
 
If for some reasons the addresses are not availablweropie, follow these steps:
 
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - Video instruction:
3 - After a successful installation, run the browser
4 - Type in the address bar: http://ccjlwb22w6c22p2k.onion
5 - Follow the instructions on the site
---------------------------
 
There are a range of PDFs and Office format (Excel) files in the main we are keen to recover.
 
Any ideas on how / if they can be?
 
best
Andrew


BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,589 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:39 AM

Posted 11 February 2017 - 01:00 PM

You'll need to upload a ransom note and encrypted file to ID Ransomware in order to confirm what ransomware it was. From the wording in the note, I am suspecting it was CrypMic, which is not decryptable; ID Ransomware will be able to detect a certain hex pattern to confirm if it is indeed CrypMic.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 walmslan

walmslan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 11 February 2017 - 02:07 PM

Thanks for the speedy response.

 

 

Here is  a link to the ransom note https://1drv.ms/t/s!AljArQ787HSXm-RaiL29IPDIyo5fZA - it's a text file. And link to an example PDF file https://1drv.ms/f/s!AljArQ787HSXm-Rco1gwrgCR_XqgCg that is undreadable.

 

PS. I'd updload directly into this post, but was unable to seen an option.

 

Best

Andrew



#4 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 11 February 2017 - 03:08 PM

Looks to be:

CryptXXX 3.0

 

The good news is that if it is CryptXXX then it is decryptable with Rannoh Decryptor. How did he get infected? CyptXXX was distributed using exploit kits. Usually they have .crypt attatched :/

 

http://media.kaspersky.com/utilities/VirusUtilities/RU/rannohdecryptor.exe

 

I'll try to decrypt the file provided.

 

Bye



#5 blankiq

blankiq

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 11 February 2017 - 03:10 PM

c/


Edited by blankiq, 11 February 2017 - 03:14 PM.


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,589 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:39 AM

Posted 11 February 2017 - 06:38 PM

It's CrypMic, the hex pattern matches. CryptXXX 3.0 always used an extension.

 

ID Ransomware would have given you this result if you had followed my instructions to upload an encrypted file. It will also give you a link to the support topic with more information.

 

http://www.bleepingcomputer.com/forums/t/621865/crypmic-cryptxxx-imposter-support-and-help-topic/

 

nxkpgTs.png


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,057 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:39 AM

Posted 11 February 2017 - 06:43 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.When or if a solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users