
Btcware Ransomware Support Topic (.btcware #_HOW_TO_FIX_!.hta READ ME.txt)


264 replies to this topic

#256 juan110480
  • Members
  • 1 post

Posted 16 June 2017 - 11:43 PM

Hi all, my server was infected by .MASTER ransomware. I was trying to decrypt my server, but the files that I was able to recover can't be opened, or can't be read by the default program (Excel, Word, PDF, etc.). Any idea that could help me?

 

Regards.




#257 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 48,768 posts

Posted 17 June 2017 - 06:19 AM

If the decrypter indicates it could not derive a key or keystream, then it is the AES version of the malware which cannot be decrypted unless you are dealing with the .master variant and did not reboot the server since infection...read Demonslay335's explanation in Post #223.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#258 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 2,995 posts

Posted 17 June 2017 - 12:52 PM

@all

 

After further analysis, I'm afraid .[<email>].master is 100% NOT decryptable, even under certain circumstances of the server not being rebooted that I was attempting. I failed to realize they had changed the random number generator they used in this "branch" to a secure one, I thought it was only later versions (.[<email>].blocking and .[<email>].encrypted). I have separated these variants out on ID Ransomware for more clarification. The only chance of decryption for free will be if the RSA-1024 private key is leaked/seized (then I would be able to decrypt everyone's files for this variant).

 

The decrypter will only attempt deriving a keystream if it thinks you were hit by the rare, old RC4 variant, which would have been a long long time ago. If you were hit anytime recently, then you were most definitely hit by the AES-256 variant with the secure key generator, and I cannot decrypt your files. If the decrypter offers to derive keystream anyways, and it corrupts files that it thinks it decrypts, then you were hit by the AES variant, and I once again, cannot decrypt your files. The current decrypter will check if the files you feed it are the exact same filesize, and if the entire file was encrypted past 10MB. Any further PMs about this information will be ignored; I have repeated it over and over, and am getting flooded by messages still.

 

Lock down your RDP.

 

 

In other news, we are still working on a solution for those with the super old .btcware variant (with no email address in the extension). We've had luck with test cases, just not actual victim files yet, so there's still hope.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
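The two sanity checks the post says the current decrypter performs (identical file size, and whether the file was encrypted past the 10MB mark) and the known-plaintext keystream derivation it only attempts for the old RC4 variant, as an added Python illustration that is not the decrypter's code. It assumes the old variant reused one keystream for every file (which is what makes a derived keystream useful for other files), and its "stream" and "block" ciphers are constructed stand-ins, not real RC4 or AES.

```python
# Added example (not the decrypter's own code). Assumes, as the post implies,
# that the old RC4 variant reused one keystream for every file, so a known
# original/encrypted pair yields a keystream that decrypts other files.
import random

TEN_MB = 10 * 1024 * 1024  # threshold quoted in the post


def same_size(original: bytes, encrypted: bytes) -> bool:
    """First check: an honest pair has identical sizes (no header appended)."""
    return len(original) == len(encrypted)


def fully_encrypted(original: bytes, encrypted: bytes, limit: int = TEN_MB) -> bool:
    """Second check: were bytes past `limit` changed, or only the first part?"""
    if len(original) <= limit:
        return True  # nothing beyond the threshold to compare
    return original[limit:] != encrypted[limit:]


def derive_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known plaintext against a stream cipher: C xor P recovers the keystream."""
    if not same_size(original, encrypted):
        raise ValueError("pair sizes differ; not a plain stream-cipher pair")
    return bytes(p ^ c for p, c in zip(original, encrypted))


def apply_keystream(encrypted: bytes, keystream: bytes) -> bytes:
    """Decrypt as far as the keystream reaches; a longer file stays truncated."""
    return bytes(c ^ k for c, k in zip(encrypted, keystream))


def keystream_is_consistent(pair_a, pair_b) -> bool:
    """A reused stream-cipher keystream agrees across files; AES output does not,
    so 'deriving' one from an AES pair only corrupts other files it is applied to."""
    ks_a, ks_b = derive_keystream(*pair_a), derive_keystream(*pair_b)
    n = min(len(ks_a), len(ks_b))
    return ks_a[:n] == ks_b[:n]


# Constructed stand-ins for the two malware families (not real RC4 or AES).
def constructed_stream_cipher(plaintext: bytes) -> bytes:
    rng = random.Random("victim-key")  # same seed -> same keystream for every file
    return bytes(b ^ rng.randrange(256) for b in plaintext)


def constructed_block_cipher(plaintext: bytes, file_id: int) -> bytes:
    rng = random.Random(f"file-{file_id}")  # per-file randomness, no shared stream
    return bytes(b ^ rng.randrange(256) for b in plaintext)
```

Feeding the derived keystream to a second file and comparing against its known original is the cheapest way to tell the two families apart before touching any real data.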


#259 sotojavi
  • Members
  • 11 posts

Posted 18 June 2017 - 05:14 PM

@Demonslay335

 

I'm one of the super old .btcware variant victims. I'm uploading a couple of pairs of files, one small and one big, so you can test the decrypter. Best of luck.

 

Thank you.



#260 rubens456
  • Members
  • 1 post

Posted 19 June 2017 - 12:17 PM

Hello guys, I got this [stopstorage@qq.com].master ransom on my server. I believe it happened during RDP configuration; for about 1 hour it was allowed to connect with no password. Or maybe they bruteforced the password of some RDP user. I saved my database in a rar file. How could I try to decrypt some files with the decryptor you guys talked about?



#261 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 48,768 posts

Posted 19 June 2017 - 01:31 PM

See Post #258 by Demonslay335.....[<email>].master is 100% NOT decryptable.



#262 richard456
  • Members
  • 2 posts

Posted 19 June 2017 - 05:47 PM

Hi there, my computer was infected by the btcware ransomware variant. All my files are encrypted as .[unlocking.guarantee@aol.com].encrypted. And my computer has not been rebooted or shut down since the infection. Is that decryptable?

encrypted and original file right here:

https://www.sendspace.com/file/zi373c


Edited by richard456, 19 June 2017 - 05:48 PM.


#263 richard456
  • Members
  • 2 posts

Posted 19 June 2017 - 06:40 PM

Hi there, my computer was infected by the btcware ransomware variant. All my files are encrypted as .[unlocking.guarantee@aol.com].encrypted. And my computer has not been rebooted or shut down since the infection. Is that decryptable?

encrypted and original file right here:

https://www.sendspace.com/file/zi373c

Later I located an .exe file which may be the ransomware (I put it on a USB drive and tested it on another server; all the files on the USB drive were encrypted when I double-clicked and ran the .exe file). Not sure if it can help to decrypt my files if I provide the .exe file.



#264 jorge8921
  • Members
  • 1 post

Posted 22 June 2017 - 09:07 AM

I was a victim of btcware .unloking.encrypted; however, this one did not manage to encrypt all the data on my server, the folders named "temp" were not affected. In Documents I found a file that is possibly the cause of the encryption.

 

See Post #258 by Demonslay335.....[<email>].master is 100% NOT decryptable.



#265 rachwalski
  • Members
  • 1 post

Posted 23 June 2017 - 09:35 AM

I was infected too with .master

 

Here is the pair of files if anybody can help me:

https://www.sendspace.com/file/zp7hfs

 

or smaller: https://www.sendspace.com/file/o8z0n7

 

 

Andy

 

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: decrsupports@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.


[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
For test decryption send on our email !#_RESTORE_FILES_#!.inf
and 3 encrypted files from ONE FOLDER


[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
https://localbitcoins.com/buy_bitcoins


[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files


Your ID: 


GB2T9+QNbC82UNwDqX5zaw0ejjra6IgcDPeOnWbW4ViTa+K/ZTx/u7DCTPmkOhs9RABwcimbVkEkEnikxxRRc/azwG5wTyzWPmr+JKKiGzqyq3XBXY7vlR72JaTaJj+UIcS50itbRMEg5OG9tLp79/Se6RcLwaBGdlxyuFnvJsU=

Edited by rachwalski, 23 June 2017 - 10:46 AM.




