
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


445 replies to this topic

#256 juan110480 (Members, 1 posts)

Posted 16 June 2017 - 11:43 PM

Hi all, my server was infected by .MASTER ransomware. I was trying to decrypt my server, but the files that I was able to recover can be opened but can't be read by the default program (Excel, Word, PDF, etc.). Any idea that could help me?

 

Regards.




#257 quietman7, Bleepin' Janitor (Global Moderator, 49,312 posts, Virginia, USA)

Posted 17 June 2017 - 06:19 AM

If the decrypter indicates it could not derive a key or keystream, then it is the AES version of the malware which cannot be decrypted unless you are dealing with the .master variant and did not reboot the server since infection...read Demonslay335's explanation in Post #223.
.
.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#258 Demonslay335, Ransomware Hunter (Security Colleague, 3,147 posts, USA)

Posted 17 June 2017 - 12:52 PM

@all

 

After further analysis, I'm afraid .[<email>].master is 100% NOT decryptable, even under certain circumstances of the server not being rebooted that I was attempting. I failed to realize they had changed the random number generator they used in this "branch" to a secure one, I thought it was only later versions (.[<email>].blocking and .[<email>].encrypted). I have separated these variants out on ID Ransomware for more clarification. The only chance of decryption for free will be if the RSA-1024 private key is leaked/seized (then I would be able to decrypt everyone's files for this variant).

 

The decrypter will only attempt deriving a keystream if it thinks you were hit by the rare, old RC4 variant, which would have been a long, long time ago. If you were hit anytime recently, then you were most definitely hit by the AES-256 variant with the secure key generator, and I cannot decrypt your files. If the decrypter offers to derive a keystream anyway, and it corrupts files that it thinks it decrypts, then you were hit by the AES variant, and I, once again, cannot decrypt your files. The current decrypter will check if the files you feed it are the exact same file size, and if the entire file was encrypted past 10MB. Any further PMs about this information will be ignored; I have repeated it over and over, and am still getting flooded by messages.

 

Lock down your RDP.

 

 

In other news, we are still working on a solution for those with the super old .btcware variant (with no email address in the extension). We've had luck with test cases, just not actual victim files yet, so there's still hope.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
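The keystream derivation described in the post above, and the reason it fails against the AES variant, can be shown with a small worked example. The Python below is an added illustration written for this editorial pass; it is not the BTCWareDecrypter's code and does not model BTCWare's real file format. It assumes two toy ransomware "variants": an old one that XORs every file with RC4 under a single hard-coded key (`TOY_SHARED_RC4_KEY`), and a new one that draws a fresh 256-bit key per file from a CSPRNG. SHA-256 in counter mode stands in for AES-CTR because the Python standard library has no AES; the property that matters here (an unrecoverable per-file key) is the same. The sample files, the magic-byte table and all function names are constructed for the demo.

```python
import hashlib
import secrets

TOY_SHARED_RC4_KEY = b"toy-shared-key"  # assumption: the old variant reused one key

# Constructed header table used to judge whether a "decrypted" result is plausible.
KNOWN_MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/docx/xlsx", b"\xff\xd8\xff": "jpeg"}


def rc4_keystream(key, n):
    """Textbook RC4 KSA + PRGA; returns n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ctr_keystream(key, n):
    """SHA-256 in counter mode (stand-in for AES-CTR); returns n keystream bytes."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def old_variant_encrypt(data):
    """Toy old variant: one shared key, so every file sees the same keystream."""
    return xor(data, rc4_keystream(TOY_SHARED_RC4_KEY, len(data)))


def new_variant_encrypt(data):
    """Toy new variant: per-file CSPRNG key that is never kept on the victim."""
    return xor(data, ctr_keystream(secrets.token_bytes(32), len(data)))


def derive_keystream(original, encrypted):
    """Known-plaintext recovery: keystream = P XOR C. A stream cipher never
    changes the length, so mismatched sizes mean the pair is unusable."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file sizes differ")
    return xor(original, encrypted)


def encrypted_length(original, encrypted):
    """Offset just past the last changed byte: whole file vs. leading chunk only.
    A recovered keystream is valid over this range and no further."""
    for idx in range(len(original) - 1, -1, -1):
        if original[idx] != encrypted[idx]:
            return idx + 1
    return 0


def decrypt_with_keystream(encrypted, keystream):
    """Apply a recovered keystream; it must cover the whole encrypted file."""
    if len(keystream) < len(encrypted):
        raise ValueError("keystream too short for this file")
    return xor(encrypted, keystream)


def plausible_plaintext(data):
    """Matched file type if the output starts with a known header, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def demo():
    """Constructed victim scenario: one original/encrypted pair, plus a second
    encrypted file of the same type whose original is lost."""
    pair_plain = b"%PDF-1.4\n" + b"known document bytes " * 40
    target_plain = b"%PDF-1.4\n" + b"lost document bytes " * 30  # shorter than the pair

    # Old variant: the keystream recovered from the pair also decrypts the other file.
    ks = derive_keystream(pair_plain, old_variant_encrypt(pair_plain))
    old_result = decrypt_with_keystream(old_variant_encrypt(target_plain), ks)

    # New variant: the pair still yields *a* keystream, but it belongs to that one
    # file only; applying it elsewhere produces corrupted output.
    ks_bad = derive_keystream(pair_plain, new_variant_encrypt(pair_plain))
    new_result = decrypt_with_keystream(new_variant_encrypt(target_plain), ks_bad)

    try:  # size pre-check: a padded/expanded ciphertext is not a stream-cipher pair
        derive_keystream(pair_plain, pair_plain + b"\x00" * 16)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True

    return {
        "old_variant_recovered": old_result == target_plain,
        "old_variant_type": plausible_plaintext(old_result),
        "new_variant_recovered": new_result == target_plain,
        "new_variant_type": plausible_plaintext(new_result),
        "mismatched_pair_rejected": mismatch_rejected,
    }
```

Calling `demo()` shows the keystream recovered from the pair decrypting a second old-variant file, while the same procedure against the per-file-key variant yields bytes with no recognisable header, which is the "corrupted" output the post describes. The size check and `encrypted_length` mirror the two pre-checks mentioned above; `encrypted_length` is only approximate, since a keystream byte of zero leaves the corresponding plaintext byte unchanged.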


#259 sotojavi (Members, 12 posts)

Posted 18 June 2017 - 05:14 PM

@Demonslay335

 

I'm one of the super old .btcware variant victims. I'm uploading a couple of pairs of files, one small and one big, so you can test the decrypter. Best of luck.

 

Thank you.



#260 rubens456 (Members, 1 posts)

Posted 19 June 2017 - 12:17 PM

Hello guys, I got this [stopstorage@qq.com].master ransomware on my server. I believe it happened during RDP configuration; for about 1 hour it was allowed to connect with no password. Or maybe they brute-forced the password of some RDP user. I saved my database in a rar file; how could I try to decrypt some files with the decryptor you guys talked about?



#261 quietman7, Bleepin' Janitor (Global Moderator, 49,312 posts, Virginia, USA)

Posted 19 June 2017 - 01:31 PM

See Post #258 by Demonslay335.....[<email>].master is 100% NOT decryptable.



#262 richard456 (Members, 2 posts)

Posted 19 June 2017 - 05:47 PM

Hi there, my computer was infected with a BTCWare ransomware variant. All my files are encrypted with the .[unlocking.guarantee@aol.com].encrypted extension. And my computer has not been rebooted or shut down since the infection. Is that decryptable?

encrypted and original file right here:

https://www.sendspace.com/file/zi373c


Edited by richard456, 19 June 2017 - 05:48 PM.


#263 richard456 (Members, 2 posts)

Posted 19 June 2017 - 06:40 PM

Hi there, my computer was infected with a BTCWare ransomware variant. All my files are encrypted with the .[unlocking.guarantee@aol.com].encrypted extension. And my computer has not been rebooted or shut down since the infection. Is that decryptable?

encrypted and original file right here:

https://www.sendspace.com/file/zi373c

Later I located an .exe file which may be the ransomware (I put it onto a USB drive and tested it on another server; the files on the USB drive were all encrypted when I double-clicked and ran the .exe file). Not sure if it can help to decrypt my files if I provide the .exe file.



#264 jorge8921 (Members, 2 posts)

Posted 22 June 2017 - 09:07 AM

I was a victim of BTCWare .unloking.encrypted; however, this one did not manage to encrypt all the data on my server: the folders named "temp" were not affected. In Documents I found a file that is possibly the cause of the encryption.

 

See Post #258 by Demonslay335.....[<email>].master is 100% NOT decryptable.



#265 rachwalski (Members, 2 posts)

Posted 23 June 2017 - 09:35 AM

I was infected too with .master

 

Here is the pair of files if anybody can help me:

https://www.sendspace.com/file/zp7hfs

 

or smaller: https://www.sendspace.com/file/o8z0n7

 

 

Andy

 

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: decrsupports@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.


[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
For test decryption send on our email !#_RESTORE_FILES_#!.inf
and 3 encrypted files from ONE FOLDER


[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
https://localbitcoins.com/buy_bitcoins


[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files


Your ID: 


GB2T9+QNbC82UNwDqX5zaw0ejjra6IgcDPeOnWbW4ViTa+K/ZTx/u7DCTPmkOhs9RABwcimbVkEkEnikxxRRc/azwG5wTyzWPmr+JKKiGzqyq3XBXY7vlR72JaTaJj+UIcS50itbRMEg5OG9tLp79/Se6RcLwaBGdlxyuFnvJsU=

Edited by rachwalski, 23 June 2017 - 10:46 AM.


#266 thisman105 (Members, 8 posts)

Posted 25 June 2017 - 08:31 AM

I have one of the .onyon variants and I have decrypted most of the .onyon files using the brute force method, but there are lots of files that have been renamed and they're not .onyon files. They have names like "6g000000000U0lrs5x1SGb6f7kDFEsp5IEgo6sz9cmti-lqQVF3530.[mdpst@india.com].com" (.com extension).

 

What can I do about those files? There are thousands of them all over the drive.

 

Thanks

 

 

 

 

6M0000000036D2wR16-UCaenIddmWC4rng-EVMHUW3jRwW2CF0jpnM.[mdpst@india.com].com

a0000000000i8VaRznhysgvcQ3R43+s+Pnp+k8mi455i6ptRyo7+oC8ynDCQBZF13FtzUekaysM.[mdpst@india.com].com

bg000000003OLhB+GuhIZMN0bhLJgvqCYanNxbywF-RHLa6Ej5cymjguzhiaukgMwLcUtFFvLbM.[mdpst@india.com].com

bw0000000023HpwKCN3XM1W1f9dSoMB67k4cZG8L6D-nwFgNYpeFsvlMF2zJ+B4qRSv1YYznZXc.[mdpst@india.com].com

eM000000002vGEe9jFtNCf6k+D1hBIaLp1I9iBXYkZfJk5ESaxusMWOVBi6Sc4OAx8PErymvomc-ihvA7Hc9dHdyKZkahMUy.[mdpst@india.com].com

ew000000003PGRGETOlNN9GpJFAvnLEy2xIZtXS11FdJTZnrf2eGqynhA530OoLEZ4HbMxauJOcODBbpysYHgGLAegTvp5H0.[mdpst@india.com].com


Edited by thisman105, 25 June 2017 - 08:37 AM.


#267 Demonslay335, Ransomware Hunter (Security Colleague, 3,147 posts, USA)

Posted 25 June 2017 - 09:45 AM

@thisman105

 

That's going to be some other ransomware. BTCWare does not rename the base of the filename; unless it's a new variant I haven't seen before. Are they actually encrypted too, or just renamed?

 

Have you uploaded one of those files to ID Ransomware for identification? It looks like it could be a variant of Globe/Amnesia, which IDR will pick up on by file marker if so.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#268 Xwioch (Members, 2 posts)

Posted 26 June 2017 - 02:29 AM

Hi all,

First, sorry for my English, I'm not really good with it and this is my first post on this forum.

I'm writing here asking for your help. I have read a few posts on this topic looking for a solution to my issue.

I have a customer that was infected a few days ago by a cryptolocker that has the .[westbleep@india.com].master extension.

I tried your BTCWare decrypter but it didn't work. So I have read that .master is not 100% decryptable.

If you could check whether it is possible to decrypt my files, that would be nice.

Here are some files with the original and the encrypted version from our backup --> https://www.sendspace.com/file/wdd3wj

(we have backups only for some files, not for the entire server; for this reason I need to decrypt them)

Here I also uploaded in a .zip archive the .exe files that encrypted everything on the server --> https://www.sendspace.com/file/q4ppcj

I don't know if it can help you, but I saw that someone else uploaded it so I did too.

Thanks for the help; even if you can't find a solution, I appreciate it anyway.

Have a nice day



#269 marmai (Members, 1 posts)

Posted 27 June 2017 - 08:10 AM

Good day,

Our computer and the NAS were encrypted by BTC Ransomware ([Email].master). I have already tried to decrypt the data with BTCWareDecrypter.

Can someone give me a tip on what I could still try? Unfortunately, my external hard disk on which I made the backup was encrypted too.

Here is a link to some original and encrypted files.

And the link to the file !#_RESTORE_FILES_#!.inf:

Thanks a lot for the help

Edited by marmai, 27 June 2017 - 08:12 AM.


#270 quietman7, Bleepin' Janitor (Global Moderator, 49,312 posts, Virginia, USA)

Posted 27 June 2017 - 03:37 PM

As noted previously, see Post #258 by Demonslay335.....[<email>].master is 100% NOT decryptable.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...however, it never hurts to try.

If that is not a viable option and if there is no free decryption tool, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.



