
Vortex (.aes) Ransomware Help & Support - ODZSZYFRUJ-DANE.txt


59 replies to this topic

#46 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:09 PM

Posted 29 December 2017 - 08:06 AM

Please read Post #29.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



#47 SNF123

SNF123

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 30 December 2017 - 11:45 AM

Hi.

 

I do not have a folder C:\ProgramData\Keyboard. Is there another location?



#48 quietman7


Posted 30 December 2017 - 02:37 PM

That is the only location I am aware of.

Keep in mind that Demonslay335 advised he cannot assist victims infected after May 2017 even if they have the log file.

#49 meghanb

meghanb

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:09 PM

Posted 05 January 2018 - 03:48 PM

@Demonslay335 / @quietman7 have there been any breakthroughs with the newer versions of this Ransomware? My computer was attacked on Christmas Eve, have removed and restored computer but will be losing a year and a half worth of work because the shadow copies were destroyed before the virus was located. Is there a software program that I can download to try to unlock files?

Thanks!


Edited by meghanb, 05 January 2018 - 04:06 PM.


#50 quietman7


Posted 05 January 2018 - 05:31 PM


Unfortunately, there is still no known method to decrypt files encrypted by newer variants of Vortex without paying the ransom...the cyber-criminals moved to using their own C2 servers months ago and Demonslay335's previous fix no longer works. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

#51 rgvcomputerguys

rgvcomputerguys

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 24 January 2018 - 08:31 PM

Any update on this ransomware?



#52 quietman7


Posted 25 January 2018 - 07:49 AM

No updates that I am aware of.



#53 baonguyen84

baonguyen84

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:09 PM

Posted 25 January 2018 - 10:33 PM

I also got hit by this..

They left Instruction.txt on every directory with the below message in English.

 

Hi, All your files are encrypted. I can only help you, my mail: - Your personal number (send it to me): dexp@cock.li



#54 quietman7


Posted 26 January 2018 - 06:20 AM

Instruction.txt is not a typical ransom note for Vortex. Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

#55 Amigo-A

Amigo-A

  • Members
  • 532 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:09 AM

Posted 26 January 2018 - 12:11 PM

Instruction.txt in English.

 

Hi, All your files are encrypted. I can only help you, my mail: - Your personal number (send it to me): dexp@cock.li

 

Probably, this RSA2048Pro > Pulpy, Rozlok 

Topic here


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#56 baonguyen84


Posted 26 January 2018 - 12:21 PM

 

Instruction.txt in English.

 

Hi, All your files are encrypted. I can only help you, my mail: - Your personal number (send it to me): dexp@cock.li

 

Probably, this RSA2048Pro > Pulpy, Rozlok 

Topic here

 

Thanks buddy, you hit it right on the head. I'll move my post onto the one you linked.



#57 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,513 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:09 PM

Posted 16 April 2018 - 12:20 PM

Good news for anyone infected by this ransomware, there is now a possibility that CERT Polska may be able to decrypt your files. They seem to have caught the criminals and seized the keys. :)

 

https://twitter.com/CERT_Polska/status/985875516191399937

 

If they give you a key using their online tool, you can also use it with my decrypter by entering it in Settings -> Set Password.

 

https://download.bleepingcomputer.com/demonslay335/VortexDecrypter.zip


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#58 tuslijspam

tuslijspam

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 17 May 2018 - 02:51 PM

Hello guys,

My %SystemDrive%\ProgramData\Keyboard\ is empty, however I have a raw disk image from 1 day after everything has been encrypted. The image also does not have any files in this folder, however I am hoping that maybe the log file has not yet been overwritten and that it can still be found using a tool such as Disk Investigator. Do you know what is the encoding of these files (ASCII, UTF-8, something else)? What HEX value should I search for to find "Hasło=" with the encoding used for these files?
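
Added example, not part of the post above and not code from any tool mentioned in this topic: it computes the byte patterns for "Hasło=" under several candidate encodings and scans a raw disk image for them in chunks. The list of encodings is an assumption, since the topic does not say which encoding the log file uses.

```python
import sys

MARKER = "Hasło="  # the string named in the post above
# Assumption: the log's encoding is unknown, so try common Windows/Polish candidates.
CANDIDATES = ["utf-8", "utf-16-le", "utf-16-be", "cp1250", "iso8859_2", "cp852"]


def marker_patterns(marker=MARKER, encodings=CANDIDATES):
    """Map each distinct byte pattern to the encodings that produce it."""
    patterns = {}
    for enc in encodings:
        patterns.setdefault(marker.encode(enc), []).append(enc)
    return patterns


def scan_image(path, chunk_size=1 << 20, context=32):
    """Return [(offset, encodings, bytes_after_marker)] for every hit in a raw image."""
    patterns = marker_patterns()
    overlap = max(len(p) for p in patterns) - 1  # lets hits straddle chunk edges
    found, base, tail = [], 0, b""
    with open(path, "rb") as img:
        while chunk := img.read(chunk_size):
            buf = tail + chunk
            start = base - len(tail)  # absolute offset of buf[0]
            for pat in patterns:
                pos = buf.find(pat)
                while pos != -1:
                    # A hit lying wholly inside the old tail was reported earlier.
                    if pos + len(pat) > len(tail):
                        found.append((start + pos, pat))
                    pos = buf.find(pat, pos + 1)
            tail = buf[-overlap:]
            base += len(chunk)
        hits = []
        for off, pat in sorted(found):
            img.seek(off + len(pat))  # re-read so context is never cut by a chunk edge
            hits.append((off, patterns[pat], img.read(context)))
    return hits


if __name__ == "__main__":
    for pat, names in marker_patterns().items():
        print(pat.hex(" "), "/".join(names))  # hex values to search for
    for off, names, after in (scan_image(sys.argv[1]) if len(sys.argv) > 1 else []):
        print(f"0x{off:x} {'/'.join(names)} {after!r}")
```

Run without arguments it prints only the hex patterns; given the path to an image (opened read-only) it also lists each hit's offset and the bytes that follow the marker.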



#59 Demonslay335


Posted 17 May 2018 - 04:14 PM

@tuslijspam

 

Have you tried uploading an encrypted file to CERT.PL's website? They don't need the contents of the Keyboard directory to determine if they have your key. That was an old method I used to crack keys in previous versions of the malware.




#60 tuslijspam


Posted 18 May 2018 - 01:14 AM

@Demonslay335

Yes, unfortunately no luck, they don't have the keys yet. The files were encrypted in Feb of 2017 and I'm not sure which version of the ransomware that was.





