Assistance with identifying and decrypting ransomware

8 replies to this topic

#1 gavimobile

  • Members
  • 5 posts

Posted 29 March 2017 - 04:31 AM

Hi All,

I have a case of ransomware, and I could really use your assistance in identifying and decrypting it. After going to ID Ransomware, I received the following results.

Edit: looks like a mod took out an important link which shows the ID Ransomware results. Here it is again, hope it won't get removed:

https://www.sendspace.com/file/hmjucm

I've downloaded the Xorist decrypt tool; however, I receive errors when dragging the encrypted and original version of a specific file over the Xorist decrypt tool exe. The error message says "the decrypter could not determine a valid key for your system...". I've tested with the following files.

Included are 2 sets of pairs which I used to try to test the decryption, and the READ THIS .txt file from the encryptor.

https://www.sendspace.com/filegroup/qXl9qnPKCWi3braeRWLwk2UFVJF1fm7CLQHhTmo84GU

EDIT: since the decryptors won't work, and since it looks like DXXD but has .lock files instead, I am unsure if I successfully identified the correct ransomware, and this could possibly be the cause of why I am unable to decrypt.

Please ask for any other details I may not have included. Thanks in advance.

 

Mod edit

Link Deactivated

NickAu


Edited by gavimobile, 29 March 2017 - 05:41 AM.
Mod edit



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 March 2017 - 05:46 AM

Emsisoft Decrypter for Xorist

To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.


How to use the Emsisoft Decrypter for Xorist

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 March 2017 - 05:54 AM

You edited your post while I was replying so disregard the above.

Both AES and Brazilian Ransomware add a .lock extension.

Can you share the files you used? They can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#4 gavimobile
  • Topic Starter
  • Members
  • 5 posts

Posted 29 March 2017 - 06:14 AM

You edited your post while I was replying so disregard the above.

Both AES and Brazilian Ransomware add a .lock extension.

Samples of any encrypted files, ransom notes or suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Thanks for your response. I cannot upload more than 1 file at a time, so I did 2 different uploads:
1. the readme file
2. a sample (larger than 1MB) of a file which was encrypted



#5 gavimobile
  • Topic Starter
  • Members
  • 5 posts

Posted 29 March 2017 - 09:57 AM

Have I provided enough information to receive assistance from the forum? What else can I provide to get answers? Can we confirm which ransomware I have from the information provided?



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 March 2017 - 05:00 PM

Please be patient until one of our crypto malware experts has a chance to review the information you provided. BleepingComputer is inundated with support requests and assistance may take some time. Staff members & Security Colleagues are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. New and more devious file encrypting ransomware is released almost daily. It takes time for our volunteers to investigate, analyze and test decryption techniques before we can try to help members like yourself. Doing that means that our experts sacrifice speed of response for a quality response.

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#7 gavimobile
  • Topic Starter
  • Members
  • 5 posts

Posted 29 March 2017 - 05:27 PM

Please be patient until one of our crypto malware experts has a chance to review the information you provided. BleepingComputer is inundated with support requests and assistance may take some time. Staff members & Security Colleagues are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. New and more devious file encrypting ransomware is released almost daily. It takes time for our volunteers to investigate, analyze and test decryption techniques before we can try to help members like yourself. Doing that means that our experts sacrifice speed of response for a quality response.

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.


I completely understand; however, maybe someone could please answer just 1 question:

1. He is threatening that he put a timer on the decryption code. Can he actually do something like this, or is this a bluff?

Edited by gavimobile, 29 March 2017 - 05:34 PM.


#8 gavimobile
  • Topic Starter
  • Members
  • 5 posts

Posted 29 March 2017 - 11:37 PM

Please be patient until one of our crypto malware experts has a chance to review the information you provided. BleepingComputer is inundated with support requests and assistance may take some time. Staff members & Security Colleagues are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. New and more devious file encrypting ransomware is released almost daily. It takes time for our volunteers to investigate, analyze and test decryption techniques before we can try to help members like yourself. Doing that means that our experts sacrifice speed of response for a quality response.

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

I saw in my email that you responded, but I don't see your post. Did you remove it?



#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 March 2017 - 05:42 AM

My previous reply was the last one I made.
