Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


584 replies to this topic

#466 mobileking


Posted 03 October 2017 - 01:47 AM

My friend's Windows 7 server PC was attacked on 25 Sep 2017 by [67/341] Searching for CryLocker notes... 37 found!
He paid half the ransom and got the key program "btcw.exe". I tried to use it to decrypt the encrypted files, several times, but did NOT succeed. The file names look like "ABC.xlsx.[goldwave@india.com]-id-xxxxxxxx.nuclear".
I found some hints when recovering the big files (17648Kb):
1. btcw.exe crashes while the decrypt process is running.
2. The original encrypted file is modified into another NEW encrypted file with the same name and size but a different checksum, "ABC.xlsx.[goldwave@india.com]-id-xxxxxxxx.nuclear".
3. Running btcw.exe once again also crashes while the decrypt process is running, but this second run, on the NEW "ABC.xlsx.[goldwave@india.com]-id-xxxxxxxx.nuclear", SUCCESSFULLY decrypts it to the NORMAL file "ABC.xlsx".
4. The test also succeeds when changing the encrypted file's name or path, or copying it to another PC.

I'm a newcomer; please tell me how to upload the above files and the key for your new BTCWareDecrypter tool development.




#467 quietman7


Posted 03 October 2017 - 05:34 AM

You can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#468 Demonslay335


Posted 03 October 2017 - 06:43 AM

@mobileking

Have you tried their key with my BTCWareDecrypter? It already can decrypt .nuclear if you have the key.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#469 mobileking


Posted 03 October 2017 - 08:05 AM

@mobileking

Have you tried their key with my BTCWareDecrypter? It already can decrypt .nuclear if you have the key.

The key is correct, but it only decrypts files not larger than about 20Mb. When I try btcw.exe to decrypt the big encrypted files, the result is only a zero-bit-size file. I think the big file is only encrypted at the beginning, with some checksum added at the end.



#470 mobileking


Posted 03 October 2017 - 08:12 AM

@mobileking

Have you tried their key with my BTCWareDecrypter? It already can decrypt .nuclear if you have the key.

By the way, when BTCWareDecrypter decrypts xlsx files there are some errors for sizes above about 3Mb in my case; trying a double decrypt with btcw.exe is all fine.



#471 Demonslay335


Posted 03 October 2017 - 08:42 AM

The base64 at the end of the file is not a checksum, it's the encrypted key.

 

The large MDB .nuclear file you sent isn't encrypted (atempwinlead.mdb). There may be a bug with my decrypter when it thinks a file is encrypted, but it isn't; I can look into fixing that. Their malware is so buggy, perhaps it failed to encrypt the file in the first place. .nuclear encrypts only up to 0xA00000 bytes; it only encrypts less if the file is smaller.

 

When you say you "use the btcw.exe try double decrytpt is all fine", do you mean you run their decrypter twice and it works? Do you think there are two layers of encryption on the files?

 

BTW RansomNoteCleaner is not for identifying what ransomware you have. The files it found were a false positive. It's simply for post-cleanup when you know what ransomware hit the system. There's much more that goes on behind the scenes on ID Ransomware to produce as accurate of a result as possible, and I can't really translate that into a desktop program (it would be double the work).


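The two facts in the post above (only the first 0xA00000 bytes are touched, and a file carrying the .nuclear name may never have been encrypted) can be turned into a quick triage check before handing files to any decrypter. The following is an added example, not code from this thread or from BTCWareDecrypter: it parses the filename pattern quoted in the thread and measures the byte entropy of the region the malware would have encrypted, so a low-entropy head flags a file that was probably never encrypted. The sample data is constructed, the 7.5-bit threshold is an assumption, and the check is inconclusive for formats that are already compressed (xlsx, zip, jpg), whose plaintext is high-entropy anyway.

```python
import hashlib
import math
import re
from collections import Counter

# From the thread: .nuclear encrypts at most the first 0xA00000 bytes (10 MiB).
ENCRYPT_LIMIT = 0xA00000

# Filename pattern quoted in the thread: "<original>.[<email>]-id-<victim id>.nuclear"
NAME_RE = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]-id-(?P<victim_id>[^.]+)\.nuclear$")


def parse_nuclear_name(filename):
    """Split a .nuclear filename into its parts; None if the name does not match."""
    m = NAME_RE.match(filename)
    return m.groupdict() if m else None


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0); ciphertext sits very close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(filename, blob, threshold=7.5):
    """Judge only the region the malware would have encrypted (first ENCRYPT_LIMIT bytes).
    A head below the (assumed) threshold suggests the file was never encrypted despite its
    name. Caveat: already-compressed formats (xlsx, zip, jpg) are high-entropy in the clear."""
    head, tail = blob[:ENCRYPT_LIMIT], blob[ENCRYPT_LIMIT:]
    head_entropy = shannon_entropy(head)
    return {
        "name": parse_nuclear_name(filename),
        "size": len(blob),
        "head_entropy": round(head_entropy, 2),
        # Bytes past the limit should still read as plaintext if the thread's limit holds.
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
        "looks_encrypted": head_entropy >= threshold,
    }


def demo():
    """Triage two constructed samples (not files from the thread); returns (encrypted, plain)."""
    # Deterministic pseudo-random bytes stand in for ciphertext; CSV-like text for an untouched file.
    ciphertext = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    plaintext = b"Sheet1,Quarter,Revenue\r\n" * 2048
    return (triage("ABC.xlsx.[goldwave@india.com]-id-xxxxxxxx.nuclear", ciphertext),
            triage("atempwinlead.mdb.[goldwave@india.com]-id-xxxxxxxx.nuclear", plaintext))


if __name__ == "__main__":
    for report in demo():
        print(report)
```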


#472 mobileking


Posted 03 October 2017 - 09:13 AM

Double decrypt: when the key program crashes and does not delete the encrypted file; steps mentioned in my post #466.

...

When you say you "use the btcw.exe try double decrytpt is all fine", do you mean you run their decrypter twice and it works? Do you think there are two layers of encryption on the files?

 

BTW RansomNoteCleaner is not for identifying what ransomware you have. The files it found were a false-positive. It's simply for post-cleanup when you know what ransomware hit the system. There's much more that goes on behind the scenes on ID Ransomware to produce as accurate of a result as possible, and I can't really translate that into a desktop program (it would be double the work).



#473 mobileking


Posted 03 October 2017 - 09:27 AM

Can BTCWareDecrypter lift the size limit for the fake encrypted big files? I have some big .mdb files of about 30mb to 600mb!

The base64 at the end of the file is not a checksum, it's the encrypted key.

 

The large MDB .nuclear file you sent isn't encrypted (atempwinlead.mdb). There may be a bug with my decrypter when it thinks a file is encrypted, but it isn't; I can look into fixing that. Their malware is so buggy, perhaps it failed to encrypt the file in the first place. .nuclear encrypts only up to 0xA00000 bytes; it only encrypts less if the file is smaller.

...



#474 Amigo-A


Posted 03 October 2017 - 01:31 PM

mobileking

Michael Gillespie discovered that the developers of this variant messed up on the encryption of files greater than 10MB in file size and will not be able to decrypt them. It was also discovered that this same behavior was seen with other files of random sizes. Therefore, it is advised that you do not pay the ransom, as there is a good chance many of your files will not be able to be decrypted.

From the article:

https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#475 mgiammarco


Posted 03 October 2017 - 03:29 PM

A customer of mine got the goldwave@india.com.nuclear variant. I have the server still on, not rebooted. What can I do?



#476 khk10


Posted 03 October 2017 - 11:55 PM

https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/

Has anyone tried this?

If so, any luck?



#477 mobileking


Posted 04 October 2017 - 04:50 AM

Very sorry, my assumption is wrong. I verified that only 10Mb of any file is encrypted and there is no second encryption; the btcw.exe key program has a bug.

 

I made a hypothesis: Btcware encryption and decryption is done once per 10Mb, up to twice, so only files smaller than 20Mb are completely encrypted; if the original file is over 20Mb, only the first 10Mb of the file is encrypted. When the btcw.exe key program runs, it decrypts 10Mb each time, up to two decryptions; when the file is more than 20Mb, btcw.exe gives up decryption. On the ABC.. file I uploaded yesterday I did a double decryption test to prove it: cut off the first 10Mb and compare the second halves of the two different encrypted files; the checksums and the comparison are exactly the same.


Edited by mobileking, 04 October 2017 - 08:18 AM.


#478 al1963


Posted 04 October 2017 - 05:58 AM

To build our tool, we used leaked private keys that can decrypt almost all versions of the malware (v1, v2 and v3), as well as the .master extension in version 4 of the malware.

 


 

I checked on .theva, .onyon, .cryptowin, .master; all the test files were decrypted.


Edited by al1963, 04 October 2017 - 06:01 AM.


#479 quietman7


Posted 04 October 2017 - 06:01 AM

https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/

Has anyone tried this?

If so, any luck?

The tool only works on older variants of BTCWare: .btcware, .cryptobyte, .onyon, .xfile, .cryptowin, .theva, .master

It does not work on the AES-256 versions, which use a different RSA-1024 key and are not decryptable unless you have the private AES key from the criminals.

#480 Amigo-A


Posted 04 October 2017 - 09:15 AM

The table has an error.

The extension .blocking is an old version, which was back in June.
Its ransom note was called !#_RESTORE_FILES_#!.inf

Edited by Amigo-A, 04 October 2017 - 09:33 AM.
