Hi Friends, I have a customer infected with a new variant of ransomware. I guess it is Al-Namrood in a new version; I'm not sure because it doesn't use the same methodology, but I guess it is this ransomware because I ran the decryption tool from Emsisoft (decrypt Al-Namrood) and the file was decrypted, but the decrypted file only shows garbage code. I know this happened because the ID used is not the right key to decrypt.
http://www.imagebam.com/image/a96704541035844
The ID used in the Options section is BD9BD769, which is the default when you open the tool....
After I checked the decrypted txt file, it only shows garbage code...., but I know this is because it is not the right key.
http://www.imagebam.com/image/87a670541035845
After this, I opened the encrypted files with a hexadecimal editor and all the encrypted files show the same code at the end of the file... as you can see in the next image.....
http://www.imagebam.com/image/9fa846541035846
and the message to recover the files is something like this....
http://www.imagebam.com/image/4092d2541035847
I've tried to upload all the images here in the post, but they were deleted...or I don't know how to do it... : )
I changed the original name of the message and the last 6 digits of the original ID to send the message, only for security reasons... : )
I've tried to obtain a code from the registry keys and deleted files, but at this moment I haven't found another key or .dll file which can indicate to me what the right ID key is to decrypt these files.... I checked the whole disk with a recovery program, but none of these encrypted files were deleted; they were only overwritten....
I hope someone here can help me to know more about this ransomware... I've tried other decryption tools but I haven't had success. In fact, I have one original xml file and the same file encrypted to make tests.
I've tried other decryption tools but I haven't had success.
I've uploaded 3 files, 2 encrypted with this ransomware and one original at this link...
https://1drv.ms/f/s!AoQCd6aS2Nkbd64naA5ITCE6kVs
If someone wants to help me make tests, you can download them from here...
Regards...
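Two checks a responder can run on samples like these, as an added example (not the poster's code and not the Emsisoft tool): extract the byte footer shared by every encrypted file so other encrypted files on the disk can be enumerated, and judge a decryption attempt by entropy instead of eyeballing "garbage" output. The footer and file contents below are constructed; the real footer must come from the customer's own files.

```python
import math
from pathlib import Path
from typing import Iterable, List


def common_suffix(blobs: Iterable[bytes]) -> bytes:
    """Longest byte sequence found at the END of every blob.
    Many ransomware families append a per-victim footer (ID, wrapped key,
    marker) to each file; several samples are enough to recover it."""
    blobs = list(blobs)
    if not blobs:
        return b""
    shortest = min(len(b) for b in blobs)
    n = 0
    while n < shortest and all(b[-1 - n] == blobs[0][-1 - n] for b in blobs):
        n += 1
    return blobs[0][len(blobs[0]) - n:] if n else b""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_like_plaintext(data: bytes, max_entropy: float = 7.0) -> bool:
    """A decryption attempt with the right key yields text/XML (low entropy);
    a wrong key yields ciphertext-like output close to 8 bits/byte."""
    return shannon_entropy(data) < max_entropy


def find_files_with_footer(root: Path, footer: bytes) -> List[Path]:
    """Walk `root` and return every file whose last bytes equal `footer`."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                fh.seek(max(0, path.stat().st_size - len(footer)))
                if fh.read() == footer:
                    hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed samples standing in for the customer's encrypted files.
    footer = common_suffix([b"alpha" + b"CONSTRUCTED-FOOTER", b"bravo" + b"CONSTRUCTED-FOOTER"])
    print(f"shared footer: {footer!r}")
    print("decrypted with wrong key looks like plaintext:", looks_like_plaintext(bytes(range(256))))
```

Point `find_files_with_footer` at a copy of the affected volume once the footer is known from two or three confirmed samples.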