
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


488 replies to this topic

#421 sotojavi (Members, 13 posts)

Posted 06 August 2017 - 02:58 PM

Hi, I'm in the same situation as @AAvis, xxxxxxx.btcware encrypted files. Just to know and maybe help, what kind of files should we look for on the encrypted drives that could be a "working sample of the malware" as @Demonslay335 says, because maybe we have the key on this and we don't know. Thank you.




#422 quietman7, Bleepin' Janitor (Global Moderator, 49,731 posts; Virginia, USA)

Posted 06 August 2017 - 05:22 PM

These are some common folder variable locations where malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
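As an added example (not from the post above or from BleepingComputer), a PowerShell check that walks the folder variables quietman7 lists and reports executables and DLLs written recently, with their SHA-256 hashes, so a candidate sample can be located and preserved for the analysts rather than deleted. The lookback window, the report path and the choice of which trees to recurse are assumptions.

```powershell
# Added example: list recently written .exe/.dll files in the folder locations
# named in the post above, so a possible ransomware sample can be found and kept
# for analysis. Run in an elevated PowerShell on the affected machine.
param(
    [int]$Days = 14,                                                   # assumed lookback; set it to the encryption date
    [string]$Report = "$env:USERPROFILE\Desktop\recent-binaries.csv"   # assumed output path
)

# The folder variables from the post, expanded for this machine.
$locations = @(
    $env:SystemDrive + '\',
    $env:SystemRoot,
    $env:USERPROFILE,
    "$env:USERPROFILE\AppData\Roaming",
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData,
    $env:TEMP,
    "$env:LOCALAPPDATA\Temp"
) | Sort-Object -Unique

$since = (Get-Date).AddDays(-$Days)

$hits = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # Walking all of C:\ or C:\Windows is slow, so those two are checked at the top level only;
    # the profile, AppData, ProgramData and Temp trees are searched recursively.
    $recurse = ($dir -ne "$env:SystemDrive\") -and ($dir -ne $env:SystemRoot)
    # -Force includes hidden and system files, which the post notes Windows hides by default.
    Get-ChildItem -Path (Join-Path $dir '*') -Include *.exe, *.dll -File -Force `
                  -Recurse:$recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

# Newest first; the CSV is what you would attach when submitting a sample for analysis.
$sorted = $hits | Sort-Object LastWriteTime -Descending
$sorted | Export-Csv -NoTypeInformation -Path $Report
$sorted | Format-Table FullName, LastWriteTime, Length, SHA256 -AutoSize
```

Anything this turns up should be copied to removable media or a password-protected archive before any cleanup tool is run, since the post's point is that the original executable may hold the key material needed for decryption.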

#423 AAvis (Members, 15 posts)

Posted 07 August 2017 - 07:54 AM

Version 0.5 btcware without any email address:

When I was originally researching this encryption I was directed to the nomoreransom.org site along with several other sites. This particular extension (.btcware) was very new and those sites had very little information other than to say they 'thought' it was related to the Cryptxxx, Cryptxx or possibly Crypxx virus. A few sites showed the process for decrypting IF you paid the ransom. I did not pay so I cannot confirm the process, but what they said was you would get a decryption code. Once you had that, from a command prompt you would run 'biznet.exe -d (code here)'. So it seems that the encryption program would be the same as the decryption program but with another switch (maybe -e instead of -d?). Like Demonslay said in a previous post, the only common factor between the actual btcware encryption that you have been working on here and the version 0.5 could be the extension! It could very possibly be a completely different virus.

I still have the original computer that the ransomware was run on without any changes made to it. I already sent the biznet.exe to this site. I can re-upload it if that would help. I also found a folder on that machine that had the TOR browser in it and some other files that when opened with notepad seemed to have what looked like RSA keys. I also uploaded that entire folder here.

You folks here are doing a tremendous job! You certainly have helped a lot of people and I sure hope they are grateful. Just in case you haven't heard this enough, Thank You, Thank You, Thank You!

Alan



#424 nasteb93 (Members, 1 post)

Posted 08 August 2017 - 06:03 AM

I've got the .aleta ransomware. Encryption is complete, but when I saw a remote connection to my PC I got the IP address of the criminal. Can it be helpful?



#425 Scryden (Members, 2 posts)

Posted 11 August 2017 - 01:20 PM

Hello Demonslay335,

I've been following this topic for some time now. One of our clients got hit by the .aleta ransomware. Because their previous IT provider failed to put proper backups in place, they decided to pay the 2 BTC ransom.

After that they received the decryptor and a decryption key (a text string in a txt file). I executed the decryptor and they got all their files back.

If you want, I can send the decryptor + key, as well as an encrypted file and the original decrypted file to you if this helps you in your investigation. If you are interested, can I send it to a private address? I do not want to post their files publicly.

Thanks.



#426 Emmanuel_ADC-Soft (Members, 40 posts)

Posted 11 August 2017 - 01:38 PM

@Scryden,

You can send the decryptor and decryption key here.

You can also directly write to Demonslay335 https://www.bleepingcomputer.com/forums/u/726225/demonslay335/

Regards,

Emmanuel



#427 Scryden (Members, 2 posts)

Posted 11 August 2017 - 02:11 PM

Quoting Emmanuel_ADC-Soft (#426):

    @Scryden,

    You can send the decryptor and decryption key here.

    You can also directly write to Demonslay335 https://www.bleepingcomputer.com/forums/u/726225/demonslay335/

    Regards,

    Emmanuel

Thank you Emmanuel.

I just uploaded a zip package with the decryptor + key and an encrypted file + the same decrypted file.

Please let me know if this is of any use or if you require more information. In my upload note I left my e-mail address in case you need to ask me more questions, or you can reach out to me through a private message here.



#428 quietman7, Bleepin' Janitor (Global Moderator, 49,731 posts; Virginia, USA)

Posted 11 August 2017 - 03:17 PM

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#429 spravce (Members, 1 post)

Posted 11 August 2017 - 03:41 PM

Hello, I caught the Gryphon variant on my computer. I have files encrypted only in part on disk C, and I'd like to decipher the files. I've been told that 3 bitcoins are required for decryption. Is there a way to decrypt it?

Thank you



#430 RaymondA (Members, 1 post)

Posted 11 August 2017 - 04:22 PM

Demonslay335

I sent you a message but I'm in need of help. Thanks in advance for all you do, and I look forward to talking to you!



#431 Emmanuel_ADC-Soft (Members, 40 posts)

Posted 12 August 2017 - 08:23 AM

Hello,

I am still looking for a solution to decrypt BTCWare with extension .encrypted files for one of my clients.

I wrote to the ransom note mail address [unlocking.guarantee@aol.com] to get 3 decrypted samples and I got an answer requesting 0.4 bitcoins (1100$) (price based on personal ID and the value of encrypted information!!!!!) and 2 of 3 decrypted files were corrupted !!! Does it mean that even the cyber criminal is not able to decrypt the files !!!

Is it possible to get any valuable information from the corrupted files received ... for brute-forcing with the BTCWareDecrypter of Demonslay335 for example ?

Thank you for any help; it seems that the .encrypted variant of Btcware is not covered by the BTCWareDecrypter even when you can get the private AES key.

Kind regards,

Emmanuel



#432 Demonslay335, Ransomware Hunter (Security Colleague, 3,212 posts; USA)

Posted 12 August 2017 - 11:37 AM

@Emmanuel_ADC-Soft

BTCWareDecrypter v1.1.0.7 supports .encrypted if you have the private AES key from the criminals. There is no way to bruteforce the key for any version after .onyon, that's about when they fixed the keygen to be implausible to guess all keys. Their decrypters tend to be a bit buggy sometimes (the malware itself is even). It's possible the client was hit by multiple variants as well; since there is no way to verify the key is correct (due to the padding bug), it will yield garbage bytes if the key is even one character off. Also, for .encrypted, any files under 10MB will have up to 16B of garbage at the end.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#433 Emmanuel_ADC-Soft (Members, 40 posts)

Posted 12 August 2017 - 01:28 PM

Thank you very much Demonslay335 for your support and the regular improvements of the decryptor.

Ransomware is really disgusting; I strongly hope that a way is found to stop all these cyber-criminals.



#434 sansvirus (Members, 1 post)

Posted 14 August 2017 - 03:13 AM

Hello,
I have a client who has caught the ".aleta" version.
I have a full backup via Veeam of the PC.
So that my client can work, I redid his PC; is there a way to find some of the content?
Cordially



#435 horuscurcino (Members, 4 posts)

Posted 14 August 2017 - 09:49 AM

Caught by this today. Mail sent but no answers from the ransom until now.

Example:

FILENAME.url.id-01234567.[gladius_rectus@aol.com].cezar

Submitted a file to ID Ransomware and it says 4 possible variants:

Dharma (.onion)

sample_bytes: [0xC4020 - 0xC4060] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
custom_rule: Original filename "HDTune.exe" after filemarker

GlobeImposter 2.0

ransomnote_email: Gladius_rectus@aol.com

Cryakl

ransomnote_email: gladius_rectus@aol.com

BTCWare Gryphon

ransomnote_email: gladius_rectus@aol.com

But I can't find any information related to this CEZAR extension.





