BTCWare Gryphon Ransomware (.crypton, .gryphon) Support Topic

Demonslay335 has released a decrypter for this ransomware, it can be found here:
 
https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip
 
If the bruteforcer is unable to find a key with the files you have provided. it will ask if you'd like to decrypt files up to the filesize of the files you provided it. For example, if you provided an encrypted file and its original that were 20MB each, then the decrypter will be able to decrypt files 20MB and smaller. It will skip any files larger than the files you give it.
 
In the example below, I gave it a file pair where each file was 1,270,896 bytes.
 

 
Simply press Yes, then close the dialogue, and select a directory to decrypt. The larger file pair you provide it, the larger of files it will be able to decrypt; don't worry about the bruteforcer taking longer to try, it only grabs 16B from each file for trying to get a key.
 
If you already know the bruteforcer wasn't able to get a key before, you may go straight to this option by starting the bruteforcer, and then press "Cancel". This option will only be available for versions of the malware that this trick will work on (currently .[<email>].btcware, .[<email>].cryptobyte, and .onyon).
 
We're hoping to get a sample of the malware so we can support recovering the actual key but hope this helps people at least decrypt some of their more important files.
 

@all
 
I'm getting overwhelmed with requests of the same questions. Please read my posts, I won't be able to respond to each individual for a while here.
 
If the decrypter tells you it could not derive a key or keystream, then it is the AES version of the malware, and I cannot decrypt your files*.
 
.blocking is different, and is completely secure, no way to decrypt it at all. The only chance is if the RSA private keys are leaked for each variant (there's about 4 or 5 of them total that I'm aware of so far).
.master is also secure and there is currently no way to decrypt it. 
 
As for "...an inexplicable reason my PC was encrypted by BTC Ransomeware..."... they hack RDP. Simple as that. Use stronger passwords for every account that has RDP privileges, put it completely behind a firewall, and use VPN only. And have better backups while you're at it.

Post #223

Good news everyone, the .master variant is now decryptable.
 
https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decrypter-released-for-the-master-variant/
 
The private key that was provided to me will work for .onyon, .[<email>].onyon, .xfile, .[<email>].theva, and .[<email>].master variants. Simply load the ransom note into the decrypter, or paste the "Victim ID" into the prompt for "Settings" -> "Load Key", and it will decrypt the key for your files.
 
Also note the warning in the article about files under 10MB; there may be up to 16 bytes of garbage left at the end of the file due to a bug in the malware's padding scheme. Nothing can really be done other than manually removing those bytes with a hex editor such as HxD if you know the file format well - most common file types will ignore the extra bytes and open the files fine.
 
Note the decrypter will not work for the newer .[<email>].blocking, .[<email>].encrypted, or .[<email>].aleta variants. These use a different RSA-1024 key, and cannot be decrypted at this point for free.

Post #293
 

Aleta is not decryptable with the RSA keys given to me. It is a new RSA key, and the AES key is generated securely, thus the decrypter cannot help you..
 
However, if the server has not been rebooted and the malware is still running, then you may PM me. If the malware has terminated and is no longer encrypting things, then there is 0% chance of me being able to help you.

Post #398

 

 
 
Hello,
 
Well, I guess someone opened the wrong email, but not sure what happened.
 
Every file has been encrypted with extension .btcware. So far I've done this:
 
1. Uploaded a sample to https://id-ransomware.malwarehunterteam.com. Results here:
https://id-ransomware.malwarehunterteam.com/identify.php?case=37402b9692fb97f6ba6cc9f998db8a1d6570d333
 
2. Above result led me to this topic:
http://id-ransomware.blogspot.com.co/2017/01/gog-ransomware.html
 
3. At first (about a week ago), every file on desktop was encrypted. Currently, I've noticed that files are not being encrypted anymore (put a .txt file on desktop and is still there after some restarts).
 
4. I tried to find a topic here with no luck, so I'm starting this one. Any help is appreciated.
 
I have samples from encrypted files and note.
 
Thanks.

Edited by quietman7, 02 April 2021 - 06:53 AM.

Hello david0353!

I think to be able to restore your files. send me a private message for encrypted files.

Thank you guys, I already submitted a sample file and the two notes to https://www.bleepingcomputer.com/submit-malware.php?channel=168

david0353

Edited by Amigo-A, 11 April 2017 - 11:12 AM.

Thank you, David

https://www.bleepingcomputer.com/forums/t/631963/new-ransomware/ 

Identical ransom-note 100%, similar email-address. 

One of my clients is suffering a ransomware infection. I have uploaded a file and the note to the ID ransomware site. Will edit to add more information. I was able to recover what i believe is the virus. Let me know if an expert needs a copy for analysis.

The extension on all files is [no.xm@protonmail.ch].cryptobyte

The note reads as follows.
 

 

All your files have been encrypted
If you want to restore them, write us to the e-mail: no.xm@protonmail.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 10Mb

Attention!
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss

Your ID:

OJtKiIc9ssVEIfoNoxjTYsQZCdTcZcfRK0/lb6xzO1SkqRj88CNHXT5uX1jtwL5fvq1xD1zPBYhU5aU0wOCUxLoAaLwcNcPzNFkjlQE47QSNeluEf9o8Vw4Oh/f1e30ozdHTCtTgpg7YPw0eOUv4c+BpYq2QdIrAYocVxkTl5zo=

 

Edited by diireno, 18 April 2017 - 05:17 PM.

Victims may contact me for help with this ransomware.

Thanks to huge help from mauronz, I've been able to create a decrypter for this ransomware.

https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip

In order to derive your key, you will need an encrypted file and it's original. Go to Settings -> Find Key to load the files, and start the bruteforce. Once it finds a key, close the dialog and the key will be loaded, and ready for decrypting a selected directory.

Currently, the decrypter supports the extensions .[<email>].cryptobyte, .[<email>].cryptowin, .[<email>].theva, .onyon* and .[<email>].btcware. I am actively searching for other extensions of this malware to test against.

*Please see this post for more information about decrypting the .onyon variant: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4244649

The credit for actually cracking this ransomware goes to mauronz, I just helped put it into a prettier package.

Edited by Demonslay335, 21 May 2017 - 10:59 PM.

There is a flaw in the decrypter. It isn't searching out the encrypted files if the top directory is empty. Its not browsing folders.

There are directories like Program Files that it will only scan the files in the top directory and not scan any of the inside folders. I am having to go through each folder one at a time to decrypt everything. I don't mind doing it, but it would be helpful if that was fixed.

Edited by diireno, 03 May 2017 - 05:35 PM.

Stop bruteforce

RSA private key: