
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


488 replies to this topic

#481 mobileking

mobileking

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 04 October 2017 - 09:17 AM

[goldwave@india.com]-id-xxxxxxxx.nuclear] Successfully decrypted an encrypted file of more than 20Mb:
1. First select an encrypted file of about 15Mb, to be used as an intermediary.
2. From the large file that needs to be decrypted (such as 90Mb), copy the first 10Mb (A00000) to the intermediary file, then use the decryption key (I used btcw.exe) to decrypt the intermediary file.
3. Copy the decrypted intermediary file's 10Mb (A00000) to the same position in the original large encrypted file, and delete the base64 encrypted key at the end of the file.
4. Change to the correct file name and it will be completed.
 
My large test file is an Access .mdb; it works fine for me!!!



#482 jan0708

jan0708

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:34 PM

Posted 09 October 2017 - 02:28 AM

Hi,

I was infected with virus + my files have been encrypted :

Filename.[payday@cryptmaster.info]-id-1CE0.payday

 

In file:

!! RETURN FILES !!.txt

is this message:

all your files have been encrypted want return files?  write on email: payday@cryptmaster.info
but this email address doesn't exist :-/

 

Can anyone please help me decrypt my files?

 

I'm ready to pay something

Thanks


Edited by jan0708, 09 October 2017 - 02:30 AM.


#483 payday_lock

payday_lock

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:34 PM

Posted 09 October 2017 - 12:02 PM

Hi,

I was infected with virus + my files have been encrypted :

Filename.[payday@cryptmaster.info]-id-1CE0.payday

 

In file:

!! RETURN FILES !!.txt

is this message:

all your files have been encrypted want return files?  write on email: payday@cryptmaster.info
but this email address doesn't exist :-/

 

Can anyone please help me decrypt my files?

 

I'm ready to pay something

Thanks

Mail payday@cryptmaster.info was blocked. To contact us, write to payday@cock.lu



#484 silverart

silverart

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 13 October 2017 - 05:30 AM

Hi, help me please!

I have a variant of the Gryphon ransomware on our server.

 

============================== GRYPHON RANSOMWARE ==============================
 
Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - "GRYPHON DECRYPTER"
Using another tools could corrupt your files, in case of using third party 
software we dont give guarantees that full recovery is possible so use it on 
your own risk.
 
If you want to restore files, write us to the e-mail: bagmet@india.com
In subject line write "encryption" and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
 
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
 
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: markevich@gmx.com
 
Your personal identification number:
 
SZOz2ervG2K5XrVT73iQ7U4X4DhgUQkQBP0I24IOevANhpSEU11/DhmKitz93saN0Ogv6epkkFPwKIhI
5jIAaxGXqfVWTbYa7FD3twEK6fdLXw1olsgfcEjLp2MSTAvIVNQ3ECmIYdfFGZwcmvrCERXCHwerD24BlY0crZUV740=
 
============================== GRYPHON RANSOMWARE ==============================
 
 
Here is a key I gained from criminals: 4028F077CA58194028F0760739C94028F04028F0774414204028F07608A7104028F0688B7DB
But I can't decrypt my files with this key.
 
I have encrypted and original file pairs here: https://www.sendspace.com/file/qico2w
Encrypted files are .gryphon. Please help me if it is possible...

Edited by silverart, 13 October 2017 - 06:21 AM.


#485 al1963

al1963

  • Members
  • 824 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 13 October 2017 - 06:11 AM

@silverart,

 

Add several encrypted files with the .gryphon extension to an archive, upload the archive to http://sendspace.com
and give us a link to the archive in your message.



#486 silverart

silverart

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 13 October 2017 - 06:21 AM

https://www.sendspace.com/file/qico2w



#487 al1963

al1963

  • Members
  • 824 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 13 October 2017 - 06:32 AM

I checked the decryption in btcwaredecrypter

https://www.bleepingcomputer.com/download/btcwaredecrypter/

 

[+] Loaded key: 4028F077CA58194028F0760739C94028F04028F0774414204028F07608A7104028F0688B7DB
Selected directory: G:\DATA\shifr\encode_files\BTCware\griphon\10\Kalimba

Starting decryption...
[+] File: G:\DATA\shifr\encode_files\BTCware\griphon\10\Kalimba\Kalimba.mp3 decrypted!
[+] File: G:\DATA\shifr\encode_files\BTCware\griphon\10\Kalimba\Koala.jpg decrypted!

Decrypted 2 files!

 

 

-----------

However, the decoding seems to be incorrect.

Write to Demonslay335; maybe he will find a solution for you.


Edited by al1963, 13 October 2017 - 06:50 AM.


#488 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,209 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:34 PM

Posted 13 October 2017 - 08:40 AM

For that version, the decrypter has no way to tell if the decryption was actually successful. I tried a few different things and none yield proper files. I can only guess either the criminals gave the wrong key, or the files were hit by the bug that destroys data. More commonly that bug will overwrite the file with 0s, but sometimes it may overwrite garbage instead.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
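
A post-decryption sanity check for the situation described in the post above, where the decrypter reports "decrypted!" but cannot tell whether the output is valid. This is an added example, not part of the original thread or of BTCWareDecrypter; the signature table, the 7.0 entropy cut-off and the function names are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Well-known leading signatures; a heuristic table, extend it for your data.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"],
}
HIGH_ENTROPY = 7.0  # bits per byte; assumed cut-off for "looks like ciphertext"

def entropy(data):
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name, head):
    """Judge the leading bytes of a file the decrypter reported as decrypted."""
    if not head:
        return "empty"
    if head.count(0) == len(head):
        return "zero-filled"                  # the overwrite-with-0s outcome
    sigs = MAGIC.get(os.path.splitext(name)[1].lower())
    if sigs is None:
        return "unknown-type"                 # no signature to compare against
    # Signature is checked first: valid JPG/MP3 data is itself high entropy.
    if any(head.startswith(s) for s in sigs):
        return "ok"
    if entropy(head) >= HIGH_ENTROPY:
        return "bad-signature-high-entropy"   # wrong key or garbage overwrite
    return "bad-signature"

def check_file(path, n=4096):
    """Classify a file on disk from its first n bytes."""
    with open(path, "rb") as fh:
        return classify(path, fh.read(n))
```

Run `check_file` over a copy of the decrypter's output directory and keep the encrypted originals until every file of a known type reports `ok`.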


#489 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,728 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:34 PM

Posted 14 October 2017 - 05:36 PM

...I was infected with virus + my files have been encrypted :
Filename.[payday@cryptmaster.info]-id-1CE0.payday
 
In file:
!! RETURN FILES !!.txt
is this message:
all your files have been encrypted want return files?  write on email: payday@cryptmaster.info
but this email address doesn't exist :-/
 
Can anyone please help me decrypt my files?...

Any files that are encrypted with the Payday Ransomware BTCWare variant will have the [<email>]-id-[id].payday extension appended to the end of the encrypted data filename and leave files (ransom notes) named !! RETURN FILES !!.txt. With this version, when a file is encrypted, the ransomware will modify the filename and then append the .payday extension to the encrypted file's name (i.e. test.jpg.[Checkzip@india.com]-id-CE4.payday) as explained here. This variant is not decryptable. If possible, your best option is to restore from backups or wait for a possible solution at a later time.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
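
A triage helper for the filename pattern described in the post above, `<original name>.[<email>]-id-<id>.<variant>`, which splits each name into its fields and groups affected files for an incident report. This is an added example, not part of the original thread; the function names are hypothetical and the sample listing is constructed, with its first two names following examples quoted in the thread.

```python
import re
from collections import defaultdict

# Pattern quoted in the thread: <original name>.[<email>]-id-<id>.<variant>
NAME_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"-id-(?P<victim_id>[0-9A-Za-z]+)\.(?P<variant>[0-9A-Za-z]+)$"
)

def parse_name(filename):
    """Return the fields of a BTCWare-style encrypted filename, or None."""
    m = NAME_RE.match(filename)
    return m.groupdict() if m else None

def inventory(filenames):
    """Group affected files by (variant, email, victim id)."""
    groups = defaultdict(list)
    unmatched = []          # ransom notes and files that were not renamed
    for name in filenames:
        fields = parse_name(name)
        if fields is None:
            unmatched.append(name)
        else:
            key = (fields["variant"], fields["email"], fields["victim_id"])
            groups[key].append(fields["original"])
    return dict(groups), unmatched

# Constructed listing for illustration.
SAMPLE = [
    "test.jpg.[Checkzip@india.com]-id-CE4.payday",
    "Filename.[payday@cryptmaster.info]-id-1CE0.payday",
    "report.final.docx.[payday@cryptmaster.info]-id-1CE0.payday",
    "!! RETURN FILES !!.txt",
    "notes.txt",
]

if __name__ == "__main__":
    groups, unmatched = inventory(SAMPLE)
    for key, files in groups.items():
        print(key, files)
    print("not matching:", unmatched)
```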



