
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


546 replies to this topic

#376 quietman7


Posted 21 July 2017 - 02:45 PM

I replied the first time you asked. See my previous posting.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.


#377 Anton_789


Posted 22 July 2017 - 12:56 AM

Hi, after Xorist ransomware last month(luckily we've fully recovered), now we were hit by Aleta  :smash: . The most important programs were backuped up. But 3 users lost 2 months of documents. 

I uploaded the original and decrypted file here: https://www.sendspace.com/file/6rfroi 

After I read about Aleta,  I don't believe much, that the recovery is possible. 

(Sorry for poor english)



#378 BenGray


Posted 22 July 2017 - 01:29 AM

Quoting Anton_789 (post #377, above):

Hi Anton, I just had to pay; even then I have spent a week repairing files with extra bytes in them.

Aleta hit us through RDP; check you don't have that enabled to the internet.



#379 Anton_789


Posted 22 July 2017 - 01:46 AM

And the key was sent? I think that Aleta hit us through RDP too. There were 3 new accounts (for example: Tlsc6l, PR6xkl). The system (2008 R2) was heavily damaged by Aleta, so I reinstalled the system on a new disk. Our users work through RDP, so I can't disable it.


Edited by Anton_789, 22 July 2017 - 01:52 AM.


#380 BenGray


Posted 22 July 2017 - 01:59 AM

Quoting Anton_789 (post #379, above):

Yes it was, it was very expensive though at 2 Bitcoin. The weakness we had was that an external software company had created an accounts user with the same password and gave it admin rights; not impressed by them at all. You could block RDP to the internet if they are working externally and set up a VPN.

It got our main online backup as well, and our offline has not proved much good as they have lost some of the tapes. There have been 4 written warnings to staff issued so far over behaviour; traced the virus intake to a user, and the others who have lost tapes. Sadly the person who gave the authorisation to create the accounts user no longer works for us. I run the IT from a different country, which makes it even harder; there is a lot of trust involved.

I recommend ESET server Antivirus; that did a good cleanup job, they disabled the other one. All the standard files have been openable; have had a problem with Pegasus Opera files as the decrypt program left a few extra characters.
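The pattern described in the last few posts (RDP reachable from the internet, then a new account with admin rights appearing) leaves a trail in the Windows Security log. The following Python script is an added example for this thread, not a tool from the thread, from BleepingComputer or from any of the posters: it reads Security events exported as JSON lines (that export shape, one flattened event per line, is an assumption; event IDs 4624, 4720 and 4732 and their field names are the standard ones), flags RDP logons (LogonType 10) from addresses outside the ranges you list as internal, and then flags any account creation or group-membership change performed from one of those sessions. The sample events are constructed; the account name Tlsc6l is the one Anton_789 reported above.

```python
"""
Flag RDP sessions reaching a Windows host from outside the internal ranges,
and any account creation or group-membership change done from such a session.
Added example for this thread; not a tool from the thread or BleepingComputer.
Assumes the Security log was exported as JSON lines, one flattened event per line.
"""
import ipaddress
import json
import sys

# Constructed sample events, not real logs from anyone's server. The first three
# mimic the pattern from the thread: an RDP logon from outside, then a new account
# that is immediately made a local administrator. The last two are normal admin work.
SAMPLE_EVENTS = """\
{"TimeCreated": "2017-07-21T23:10:02", "EventID": 4624, "LogonType": 10, "TargetUserName": "accounts", "IpAddress": "203.0.113.45", "TargetLogonId": "0x3a5f1"}
{"TimeCreated": "2017-07-21T23:12:40", "EventID": 4720, "TargetUserName": "Tlsc6l", "SubjectUserName": "accounts", "SubjectLogonId": "0x3a5f1"}
{"TimeCreated": "2017-07-21T23:12:41", "EventID": 4732, "TargetUserName": "Administrators", "MemberName": "Tlsc6l", "SubjectUserName": "accounts", "SubjectLogonId": "0x3a5f1"}
{"TimeCreated": "2017-07-22T09:02:11", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.0.5.21", "TargetLogonId": "0x2bb10"}
{"TimeCreated": "2017-07-22T09:30:00", "EventID": 4720, "TargetUserName": "newhire", "SubjectUserName": "jsmith", "SubjectLogonId": "0x2bb10"}
"""

# Ranges you consider internal: RFC 1918, loopback, link-local and IPv6 ULA.
# Add your VPN pool here so that tunnelled staff do not trigger the rule.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]
RDP_LOGON = 10  # LogonType value for RemoteInteractive (RDP) logons


def is_external(ip_text):
    """True when the source address is outside every INTERNAL_NETWORKS range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # "-" for console logons, or a malformed field
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def _int(event, key):
    """Numeric event fields may be exported as numbers or strings; normalise."""
    try:
        return int(event.get(key))
    except (TypeError, ValueError):
        return None


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of (rule, message) alerts."""
    alerts = []
    # Pass 1: collect RDP sessions that came from outside, keyed by logon ID.
    external_rdp = {}
    for e in events:
        if (_int(e, "EventID") == 4624 and _int(e, "LogonType") == RDP_LOGON
                and is_external(e.get("IpAddress", "-"))):
            external_rdp[e["TargetLogonId"]] = e
            alerts.append(("rdp-from-internet",
                           f"{e['TimeCreated']} {e['TargetUserName']} RDP logon from {e['IpAddress']}"))
    # Pass 2: anything those sessions did that changes who can log on.
    for e in events:
        session = external_rdp.get(e.get("SubjectLogonId"))
        if session is None:
            continue
        if _int(e, "EventID") == 4720:
            alerts.append(("account-created-from-internet-rdp",
                           f"{e['TimeCreated']} {e['SubjectUserName']} created account "
                           f"{e['TargetUserName']} (RDP session from {session['IpAddress']})"))
        elif _int(e, "EventID") == 4732:
            alerts.append(("group-change-from-internet-rdp",
                           f"{e['TimeCreated']} {e['SubjectUserName']} added {e['MemberName']} to "
                           f"{e['TargetUserName']} (RDP session from {session['IpAddress']})"))
    return alerts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_EVENTS
    for rule, message in detect(parse_events(source)):
        print(f"[{rule}] {message}")
```

Run it with the path to a JSON-lines export, or with no arguments to see the constructed sample; adjust INTERNAL_NETWORKS to your own ranges first. The second rule correlates on the logon ID (TargetLogonId of the 4624 event equals SubjectLogonId of the later 4720/4732 events), which ties the account change to the specific session rather than merely to the same username.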



#381 Demonslay335


Posted 22 July 2017 - 11:51 AM

There is no excuse for having RDP open to the world in 2017. It needs to be put behind VPN. If you don't have a firewall that supports VPN tunnels, then it isn't a good enough one to protect your business in the first place.

No antivirus in the world will do squat if someone literally has control of your system. Once they are in, they can just turn off anything like you would.

Unfortunately, the extra bytes are a bug of the malware's encryption routine, not specifically of their decrypter. It's the same padding bug as .master, and there's nothing that can be done in an automated way unless you know each format very well (most don't have specifications for the end of files really). Usually most programs won't care, but some proprietary software might have issues.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
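The "unless you know each format very well" caveat above is the whole difficulty, so here is what a format-aware cleanup looks like. This Python script is an added example for this thread, not the BTCWareDecrypter's code or anything its author published: it trims trailing bytes from a recovered file only when the format has an unambiguous end marker (the PNG IEND chunk, a ZIP end-of-central-directory record that sits right after the central directory, a PDF %%EOF line) and refuses to touch anything else. The sample PNG and ZIP are built inline, and the seven junk bytes appended to them are a constructed stand-in for whatever the encryption bug leaves behind in real files.

```python
"""
Trim trailing bytes left at the end of recovered files, but only for formats
whose end of file is unambiguous. Added example; not the decrypter's code.
"""
import io
import struct
import sys
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_true_length(data):
    """Walk the PNG chunk list; the file ends right after the IEND chunk's CRC."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            return None                  # truncated rather than padded: leave it
        if ctype == b"IEND":
            return end
        pos = end
    return None


def _pdf_true_length(data):
    """A PDF ends at its last %%EOF marker plus that line's ending."""
    if not data.startswith(b"%PDF-"):
        return None
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return None
    end = idx + len(b"%%EOF")
    for eol in (b"\r\n", b"\n", b"\r"):
        if data.startswith(eol, end):
            return end + len(eol)
    return end


def _zip_true_length(data):
    """A ZIP ends with the end-of-central-directory record and its comment."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0 or idx + 22 > len(data):
        return None
    cd_size, cd_offset, comment_len = struct.unpack("<IIH", data[idx + 12:idx + 22])
    if cd_offset + cd_size != idx:       # the record must follow the central directory
        return None
    return idx + 22 + comment_len


DETECTORS = (("png", _png_true_length), ("pdf", _pdf_true_length), ("zip", _zip_true_length))


def trim_trailing_bytes(data):
    """Return (format, trimmed_data, removed_count); format is None when unknown."""
    for name, detector in DETECTORS:
        true_len = detector(data)
        if true_len is not None:
            return name, data[:true_len], len(data) - true_len
    return None, data, 0                 # unknown format: never guess


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 greyscale PNG used as a clean reference."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # filter byte + one pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_zip():
    """Constructed single-entry ZIP used as a clean reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            fmt, cleaned, removed = trim_trailing_bytes(fh.read())
        if fmt is None:
            sys.exit("unknown format; not touching the file")
        with open(sys.argv[2], "wb") as out:
            out.write(cleaned)
        print(f"{fmt}: removed {removed} trailing byte(s)")
    else:
        for name, sample in (("png", build_sample_png()), ("zip", build_sample_zip())):
            fmt, cleaned, removed = trim_trailing_bytes(sample + b"\x07" * 7)
            print(name, fmt, removed, cleaned == sample)
```

Run it with an input path and an output path; without arguments it exercises the constructed samples. Formats with no defined trailer (plain text, CSV, most proprietary database files) deliberately come back as unknown, and a truncated file is also left alone, because a wrong guess at the end of a file is how data gets lost a second time.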


#382 klavdijapivk


Posted 24 July 2017 - 12:46 AM

 

Quoting Demonslay335's earlier reply (which itself quoted Klavdija's first post):

    Hello,

    Is it possible to check/decrypt this file?

    https://www.sendspace.com/file/sigkix

    Thank you, Klavdija

    Have you tried the latest version of BTCWareDecrypter? I need your ransom note in order to try decrypting your file.

    If the decrypter does not work for you, I will need several files of the same original extension to try looking for patterns as I debug.

ID is:

qWhVp1gII6f/m7x8Q3VY8d0Bl0sN+DavTcgtBvZexf1SHuBYhu7bWyPlXYRWYVIKUA6JpuAD+DEaXVD5CGv58MPHGna7zXxsjhEG+9UyFBkrC9ZsWrnMPPtaHOENZkKnlT3+1itNSJiTHG057YgfV0aUSGHyXjYHXscdTXUcL/Y=

Wallet for payment
1NfJkwS2sv4uzFmb7VFgQLyjc1pSF9Gaxw

download link

https://www.sendspace.com/file/a5gqe0

thank you :guitar:



#383 gibreak


Posted 24 July 2017 - 06:58 AM

Hello,

My computer got hit with Aleta.

I tried to run your program; it did not work as it could not do the key.

I uploaded a zip file and it has 3 files:

one good file, one encrypted and the note.

Can you help me solve this problem please?

Thank you.



#384 gibreak


Posted 24 July 2017 - 07:00 AM

your program version 1.1.0.5 could not find 1.1.0.1



#385 Demonslay335


Posted 24 July 2017 - 08:39 AM

 

 

Quoting klavdijapivk (post #382, above):

Your file decrypted fine for me. Simply go to Settings -> Load Key, and paste that ID you just gave me.

 

 

Quoting gibreak (post #383, above):

Please read the topic, we have posted this multiple times. There is no way to recover the key for .aleta without paying the criminals. The keygen they use is secure and the encryption cannot be broken. You can only recover the key using their private RSA key.




#386 klavdijapivk


Posted 25 July 2017 - 07:14 AM

 

 

 

Quoting Demonslay335 (post #385, above):

Thank you! You saved my life :bananas:



#387 jarrod1937


Posted 26 July 2017 - 09:37 AM

We had RDP temporarily open for a third party developer doing some work. Obviously we'll be looking into some new methods for working remotely.

We were attacked by the Aleta variation. I was able to restore an entire drive from a nightly backup that is isolated from the computer, however it has encrypted the files on the computer and the local backups.

I tried using the decryptor but it failed saying my files must have used another RSA key.

 

Key given:

UkJE+CIL5gveXzkR7TJvQRdhgAnCFv03EJJ/+C68On9ZgMfrUVNhoCazL2OnQrExbBFkZfUH5sMyj33aim5dwMHGqqfznSNu9dRcrtUwHln10Aji5/kr/NjBLDAqGzRiIYsIXS+GFWbN5J1zYFwJj6dufnsnshOoLwap4DYKojc=

 

Also, attached is an encrypted file and an unencrypted one restored from a backup:

https://www.sendspace.com/filegroup/vZzKKjBxU3vV8%2FsqmZDPlw



#388 Demonslay335


Posted 26 July 2017 - 10:30 AM

Quoting jarrod1937 (post #387, above):

 

I will say this only one more time*. Aleta is not decryptable with the RSA keys given to me. It is a new RSA key, and the AES key is generated securely, thus the decrypter cannot help you.

 

However, if the server has not been rebooted and the malware is still running, then you may PM me. If the malware has terminated and is no longer encrypting things, then there is 0% chance of me being able to help you.

 

*Sorry if I sound agitated, but I literally receive messages about this every day and I am overwhelmed as it is.




#389 jarrod1937


Posted 26 July 2017 - 11:04 AM

 

Quoting Demonslay335 (post #388, above):

 

Ah, I did stop the process running in the background. I knew maybe I shouldn't as the keys may still be in memory, but I also wanted to limit further damage. So the process has been stopped, but the computer hasn't been rebooted yet.
As for your agitation, I fully understand, so no worries. I'm a developer myself, so I can understand the amount of overwhelming response you're probably getting.

The server doesn't house anything mission critical, but will delay the project a bit. Even though I hate to do it, I sent out an email to see instructions for paying. I just need one file decrypted, the local backup.



#390 jarrod1937


Posted 26 July 2017 - 02:24 PM

After looking around I was able to restore the main project's drive as it was an iSCSI drive backed up by a separate server. At this point I'll bite the bullet and just re-install the base installation and go from there... No bitcoins to the ransomware guys ;-)

For those interested, here is the email I received back from them, their attitude is enough to make you change your mind:

 

Hello. If you want test file send me file without important information.
For this file i can send only screenshot --- removed ---
We can decrypt your data, here is price:
- 2 Bitcoins in 60 hours without any stupid questions and test decryption.
- 4 Bitcoins if you need more than 84 hours to pay us, but less than 100 hours.
- 6 Bitcoins if you need more than 100 hours to pay us. Pay us and send payment's screenshot in attachment.
In this way after you pay we will send you decryptor tool with instructions.
TIME = MONEY.
If you don't believe in our service and you want to see a proof, you can ask about test decryption.
About test decryption: You have to send us 1 crypted file.
Use dropfile . to and Win-Rar to send file for test decryptions.
File have to be less than 10 MB.
We will decrypt and send you your decrypted files back.
Answer us with your decision.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Time limit starts from this email.
Here is our bitcoin wallet:
197atYFfCxmQAW8UPqFUEo16wCsEZVfJdL
Can recommend easy bitcoin exchange service --- removed --- (HOW TO BUY BITCOINS: --- removed ---)
or --- removed ---
or --- removed ---
or --- removed ---
or you can google any service you want.




