Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


546 replies to this topic

#31 cykelkalle (Members)

Posted 10 May 2017 - 08:06 AM

Right now trying a different file with the same extension; the last file ran for approx. 3 hours.


Yes it is :) it will go back to 0% and then it will end :)

 

Ah thank you :)




#32 cykelkalle (Members)

Posted 10 May 2017 - 08:34 AM

Guys, this saved a ton of work for me. 

 

Great tool. Thank you so much.



#33 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 10 May 2017 - 09:30 AM

Currently working on fixing that bug. It should hit 0% and stop, but it rolls over to negative due to an optimization I added (and didn't factor for with the multi-threading). Will be fixed in the next release, which will support v3 (.cryptowin) and v4 (.theva) of the malware.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#34 sotojavi (Members)

Posted 13 May 2017 - 06:30 PM

Hi, just to check: I'm having trouble with .btcware ransomware, and the Decrypter is not finding the key; I tried 2 pairs of files on different computers. Is your comment about .cryptowin related, in that the tool does not support that version yet? Thank you!!



#35 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 13 May 2017 - 06:35 PM

The current decrypter only supports the extensions .[<email>].cryptobyte and .[<email>].btcware.

Demonslay335 is working on a fix for the .cryptowin and .theva variants... please be patient.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#36 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 13 May 2017 - 06:42 PM

@sotojavi

 

If you can share an encrypted file and its original, I can test it with the new decrypter. I may be close to getting this to work with the newest variants; I just had an idea today.




#37 sotojavi (Members)

Posted 13 May 2017 - 06:43 PM

Sorry, I think I was not clear. The extension the files have is "filename.doc.btcware" where the original file was "filename.doc", so I wondered if the decryptor was useful for these or whether it's another version that I need. Thanks.


Edited by sotojavi, 13 May 2017 - 06:50 PM.


#38 sotojavi (Members)

Posted 13 May 2017 - 06:44 PM

Sure, I have my computer infected; almost all my files were encrypted.


Edited by sotojavi, 13 May 2017 - 07:52 PM.


#39 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 13 May 2017 - 06:49 PM

Ah. I haven't been able to get ahold of a working sample that uses just ".btcware" as the extension. Any chance you have the malware?

 

If you could share the files anyways, we can test them. We've made some optimizations to the bruteforcer recently that might help.




#40 sotojavi (Members)

Posted 13 May 2017 - 06:52 PM

Already uploaded files


Edited by sotojavi, 13 May 2017 - 07:46 PM.


#41 AAvis (Members)

Posted 14 May 2017 - 07:13 AM

I have the same problem as sotojavi. I uploaded a file. I found a directory on the machine that got infected that has the 'decryptor' they tell you to use once you pay the ransom. That machine has been taken off the network and not 'fixed' yet. Once it was rebooted it stopped encrypting any new files. I found what seem to be several 'keys' but I'm not sure. I can upload them if you think that might help.

 

I'm not sure if I can find a file pair...



#42 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 14 May 2017 - 10:25 AM

> I have the same problem as sotojavi. I uploaded a file. I found a directory on the machine that got infected that has the 'decryptor' they tell you to use once you pay the ransom. That machine has been taken off the network and not 'fixed' yet. Once it was rebooted it stopped encrypting any new files. I found what seem to be several 'keys' but I'm not sure. I can upload them if you think that might help.
>
> I'm not sure if I can find a file pair...

 

We need an encrypted file and its original. Also, we're going to need the malware itself for the .btcware extension. The malware typically copies itself to %APPDATA% with a random name. You can also upload that potential decrypter, we can see if the encryption routine itself is the same or not to v1.


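The reply above says the malware typically drops a randomly named copy of itself under %APPDATA%. The following PowerShell is an added triage helper, not a BleepingComputer tool or anything posted in this thread: it lists recently created or modified executables under the current user's %APPDATA% and %LOCALAPPDATA% trees with size, Authenticode status and SHA-256, so an unsigned, oddly named binary stands out and can be preserved for analysis rather than overlooked. The 30-day window and the output CSV path are assumptions.

```powershell
# Added triage helper (assumption: the affected user profile is the one running it).
# Enumerates executables under %APPDATA% and %LOCALAPPDATA%, newest first, with
# signature status and SHA-256, so a randomly named dropped binary can be spotted.
$roots = @($env:APPDATA, $env:LOCALAPPDATA)
$since = (Get-Date).AddDays(-30)   # assumption: infection happened within the last 30 days

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Path      = $_.FullName
            }
        }
}

# Show everything, newest first; unsigned files directly under Roaming or Local
# with random-looking names are the candidates to archive (do not run them).
$hits | Sort-Object Created -Descending | Format-Table -AutoSize

# Keep a record of the unsigned candidates for whoever analyses the sample.
$hits | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\appdata_triage.csv" -NoTypeInformation
```

Copy any candidate into a password-protected archive before submitting it; the hash in the CSV lets the analyst confirm they received the same file.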


#43 sotojavi (Members)

Posted 14 May 2017 - 12:47 PM

I've uploaded both files, original and encrypted. The appdata folder is history. I had two drives, one with windows, the other with data. The one I kept is the data one, I think no malware software remains on it.

#44 AAvis (Members)

Posted 15 May 2017 - 08:55 AM

I uploaded biznet.exe and biznet.exe.btcware along with the .hta file and the .inf file that display on the desktop. In the %appdata% folder I have just the 3 normal folders, local, locallow and roaming. Couldn't find anything in them that looked 'odd'. Any other suggestions? I did find a folder called binar that contained a zip folder with tor.exe in it along with encrypted dll files and some non-encrypted files.



#45 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 May 2017 - 08:53 AM

There is another variant using the extension ".onyon" - we will be able to decrypt this variant soon as well.

