I found the executable, would that be of value?
Jump to content
Posted 02 November 2017 - 10:24 AM
Not really, I already have dozens of samples.
The current variant is spread via RDP and malicious emails to my knowledge.
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 02 November 2017 - 10:34 AM
Had to have been an email then, as we have explicitly denied external rdp, unless one of the client's computers has a RAT. As always, you guys are the best.
Posted 04 November 2017 - 11:59 AM
Dear All !
Posted 04 November 2017 - 07:57 PM
Posted 04 November 2017 - 08:24 PM
I am in the same boat. I did try the decrypter created by bitdefender. Actually they have a 2 step process. The first process was to identify the version. When I ran that it was identified as btcware v1 and said it found the personal ID within the ransom note. When I ran the second part that is supposed to decrypt the file I got an 'initialization failed' message. When I looked at the log file it said it could not find the personal ID. I remember that Demonslay did mention that what we have is not really btcware v1. He called it version .5. I'm still holding on to the machine that got hacked into along with all server files that were encrypted in hopes of some day recovering them...
Hi @Demonslay, just to remember I´m one of the people hit by .BTCWARE, no email on extension. It seems that the attacks had been mutating to other versions and complexity encryptions, and I need to know if you´re still working on my version, or you consider it´s not possible to decrypt.
I´m not an IT expert, and wondered if there are 3rd party tools that can be used to try to decrypt, one you consider with a chance to succeded.
Thank you very much.
Posted 04 November 2017 - 08:35 PM
Posted 07 November 2017 - 07:32 AM
ransomware payday lock how unlock?
Edited by burek, 07 November 2017 - 07:33 AM.
Posted 07 November 2017 - 08:03 AM
According to Demonslay335...the .payday variant is not decryptable.
Posted 25 November 2017 - 05:37 AM
Today and on our server, through RDP, the virus has got. He encrypted all the files, including the programs and added to them the extension "[email@example.com] -id-3F18.payday"
Is there currently a program capable of decrypting files?
Posted 25 November 2017 - 06:15 AM
no program can decrypt the .payday variant for the moment but we are working on it.
Can you share some encrypted files (.doc, zip, pdf), the !#_RESTORE_FILES_#!.inf ransom note file and the trojan if you find it.
Thx, kind regards,
Posted 25 November 2017 - 08:25 AM
.payday is based on the latest AES-256 version of the BTCWare Ransomware family which uses a different RSA-1024 key and is not decryptable unless you have the private AES key from the criminals after paying the ransom. There is no way to bruteforce the key for this variant.
...Is there currently a program capable of decrypting files?
Posted 25 November 2017 - 08:57 AM
Posted 25 November 2017 - 09:05 AM
Posted 25 November 2017 - 09:26 AM
Demonslay335 has advised the .nuclear (and .gryphon) variants have a serious bug that irreversibly destroys some files. If an encrypted file has nothing but 0x00 bytes at the beginning, then the file is lost forever and even the criminals cannot recover it...see Post #449.
Is there any solution for .nuclear decryption. firstname.lastname@example.org...
0 members, 0 guests, 0 anonymous users