
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


488 replies to this topic

#16 diireno

diireno

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:50 PM

Posted 03 May 2017 - 05:59 PM

 

Stop bruteforce

RSA private key:

decrypt your id with this private key
format decrypted ID:
MEDIA-AESPASSWORD-DATE

 

 

 

I am sorry I do not understand.




#17 mauronz

mauronz

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 04 May 2017 - 02:57 AM

 


 

 

I'll try it later. Where did you get that private key?



#18 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,210 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:50 PM

Posted 04 May 2017 - 08:55 AM

@diireno

 

Did you try running the decrypter as Administrator? I bet it is lacking permissions for those directories.

 

@checker123

 

Indeed, how did you get the RSA-1024 private key? Are you associated with the malware development? Thanks for it anyway; I will incorporate it soon, and I have verified its legitimacy with a few of the variants.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#19 darkmoon

darkmoon

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 04 May 2017 - 08:34 PM

Hello, all files on our servers are encrypted with the .cryptowin extension.

The decrypter says:

[+] Loaded 1 private RSA keys

[+] Found key file, attempting to decrypt...

Unable to decrypt AES key, encrypted by another RSA key

I tried using BruteForcer, but: >Key not found

 

Please help

 

Note:

 

All your files have been encrypted due to a security problem with your PC.

If you want to restore them, write us to the e-mail: sql772@aol.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
 
FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 10Mb
 
How to obtain Bitcoins
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
 
Attention!
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 3 days - your key has been deleted and you cant decrypt your files
 
Your ID: 
 
Ua/cOPUoTL/5yw05gXIHTptqB+XSHPJEJpADikBN4G1WQGQgOvdMFH3vZsAaUE7Z2dhJf+ECI0KFZBpMwL96mY8JK+zwUkj+46+u21C0xlhgJGBRmBlSOdaqFcy9zD1TLr5S5aXTEyweS42PHRmkbr5HBUYI4P7Fu9awmgg9PRQ=
 


#20 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,210 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:50 PM

Posted 04 May 2017 - 09:02 PM

@darkmoon

 

Sorry, the RSA key isn't actually fully implemented yet. You'll need to use the bruteforcer on an encrypted file and its original. If you have trouble with it, feel free to PM the file pair to me.




#21 blacknas

blacknas

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:50 AM

Posted 05 May 2017 - 02:27 AM

@Ransomware Hunter

 

Hello! 

I'm new to this. We were hit by this ransomware, but every file pair I try gives me the message "Please select the encrypted file and its original. They must be the exact same size".
I tried running as an administrator, and I'm also pretty certain that the files are the right pair.

Any suggestions will be more than welcome!

Thanks in advance!



#22 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,728 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 PM

Posted 05 May 2017 - 05:52 AM

Can you share the file pair(s) you are using for our crypto malware experts to take a look at?...submit here.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#23 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,210 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:50 PM

Posted 05 May 2017 - 09:48 AM

@blacknas

 

I take it you were hit by the .cryptowin variant. Please make sure you are using BTCWareDecrypter v1.0.1.0+, I removed that restriction since the newest variant uses AES-192, and thus pads the file. You can simply redownload the same link. If you still cannot get it to run, zip up the file pair(s) you are using and submit to the link quietman7 supplied and I can take a look.


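Demonslay335's point about the padded variant, illustrated with an added example that is not code from BTCWareDecrypter or from anyone in this thread: in a padded block-cipher mode the encrypted file is always longer than the original (the AES block stays 16 bytes whichever key length, 128, 192 or 256, is used), so an "exact same size" rule rejects every legitimate file pair from such a variant. The snippet assumes PKCS#7 padding on 16-byte blocks purely as an illustration (the thread only says the variant pads the file), uses constructed sample sizes, and shows the more tolerant pair check a recovery tool can apply before attempting a known-plaintext key search.

```python
"""Why an exact-size check on (original, encrypted) file pairs breaks once a
variant pads the file, and what a tolerant sanity check looks like.

Added illustration for this thread, not the decrypter's own code. PKCS#7
padding is assumed only as a generic example of how padding changes
ciphertext length; the sample inputs below are constructed.
"""

BLOCK_SIZE = 16  # AES block size in bytes, the same for AES-128/192/256


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append PKCS#7 padding. The result is a whole number of blocks and is
    always longer than the input: an already aligned input gains a full block."""
    pad_len = block_size - (len(data) % block_size)
    return data + bytes([pad_len]) * pad_len


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding, refusing malformed input rather than truncating silently."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    pad_len = data[-1]
    if pad_len < 1 or pad_len > block_size or data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("invalid padding")
    return data[:-pad_len]


def padded_length(plain_len: int, block_size: int = BLOCK_SIZE) -> int:
    """Ciphertext length a padded block mode produces for a plain_len-byte plaintext."""
    return (plain_len // block_size + 1) * block_size


def classify_file_pair(original_len: int, encrypted_len: int,
                       block_size: int = BLOCK_SIZE) -> str:
    """Decide whether an (original, encrypted) pair is plausible for a key check.

    "unpadded": identical sizes (a mode without padding).
    "padded":   encrypted size is the original rounded up to the next block,
                exactly the case an exact-size rule wrongly rejects.
    "mismatch": neither, so the two files are probably not the same document.
    """
    if encrypted_len == original_len:
        return "unpadded"
    if encrypted_len == padded_length(original_len, block_size):
        return "padded"
    return "mismatch"


def demo() -> dict:
    """Constructed 100-byte 'document': a padded mode grows it to 112 bytes."""
    sample = b"A" * 100
    padded = pkcs7_pad(sample)
    if pkcs7_unpad(padded) != sample:
        raise RuntimeError("pad/unpad round trip failed")
    return {
        "padded_len": len(padded),                        # 112
        "exact_size_rule_accepts": len(padded) == len(sample),   # False: old rule rejects it
        "tolerant_rule": classify_file_pair(len(sample), len(padded)),  # "padded"
        "aligned_input_grows_to": len(pkcs7_pad(b"B" * 32)),     # 48
    }


if __name__ == "__main__":
    print(demo())
```

The classification only rules out obviously mismatched pairs; it cannot tell whether a variant also appends a footer, so a tool that knows the variant's file layout should account for that length as well before discarding a pair.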


#24 blacknas

blacknas

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:50 AM

Posted 09 May 2017 - 04:51 AM

@quietman7 and @Demonslay335

I just submitted the pair you requested.

 

The decrypter wasn't able to find a key with bruteforce.

I hope the pair will help!

For more pairs of different kinds of files, feel free to contact me.

 

Cheers!


Edited by blacknas, 09 May 2017 - 04:57 AM.


#25 bflmpesseveze

bflmpesseveze

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 09 May 2017 - 09:07 AM

Hello, I was linked here from the ID Ransomware site, but I have my doubts. Our customer has been infected, maybe by BTCware, but the difference is that his files are named filename.jpg.[sql772@aol.com].theva. Also there is #_README_#.inf instead of #_HOW_TO_FIX_!.hta READ ME.txt. Your decrypter didn't find the key with brute force. Can I PM you encrypted and decrypted files?


Greets Martin V



#26 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,728 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 PM

Posted 09 May 2017 - 01:59 PM


Did you submit both encrypted files and ransom notes together? Doing that provides a more positive match and helps to avoid false detections.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#27 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,210 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:50 PM

Posted 09 May 2017 - 02:41 PM

We have a sample of .theva now, it is indeed BTCWare. It is currently being analyzed, I've verified my updated decrypter doesn't handle it as of now.




#28 bflmpesseveze

bflmpesseveze

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 10 May 2017 - 01:02 AM

Ok then, I will wait :)



#29 cykelkalle

cykelkalle

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 10 May 2017 - 07:20 AM

Is this normal?

 

IG85TYH.png



#30 bflmpesseveze

bflmpesseveze

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 10 May 2017 - 08:05 AM

Yes it is :) it will go back to 0% and then it will end :)





