Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


584 replies to this topic

#511 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 25 November 2017 - 11:13 AM

@kos05

It is impossible to bruteforce or recover the keys for the .payday variant without paying the criminals as stated before. If you do receive a key after paying, you can use it with my (safer and more user-friendly) decrypter.

@kutlus

PM me a few encrypted files and your ransom note, and I'll see if I can help next week.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.




#512 ngolanh

Posted 25 November 2017 - 09:05 PM

Dear Demonslay335,

https://www.mediafire.com/file/767hbr8spm5p8bc/Encryption%20Files.rar

I'm Mr Lanh, I live in Vietnam. I also got infected with .Payday in early October. I also contacted them by email; they initially demanded 2 BTC, and after several exchanges they said min $1200, but actually I do not believe they will send back the decoder, so I decided not to pay them.
I am sending you infected files and note files; please see if you can help me.
If you have any information, please send me help by email: sharemail.vb@gmail.com
Thank you very much!

Edited by ngolanh, 26 November 2017 - 10:55 AM.


#513 kutlus

Posted 25 November 2017 - 11:32 PM

 

> > Is there any solution for .nuclear decryption. black.world@tuta.io...
>
> Demonslay335 has advised the .nuclear (and .gryphon) variants have a serious bug that irreversibly destroys some files. If an encrypted file has nothing but 0x00 bytes at the beginning, then the file is lost forever and even the criminals cannot recover it...see Post #449.

I have more than 10000 files to be checked; what do you suggest?

> If an encrypted file has nothing but 0x00 bytes at the beginning, then the file is lost forever

What is the rate? Can anyone say if it is more or less than 50%?

I may find original and encrypted files for comparison or brute force; does it have any value to try to check?
I know everyone has their own idea, but should I forget them

or wait, let's say, 3-4 months more for a hopeful recovery solution for .nuclear files?

Thx
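
Added example, not part of any post in this thread: a read-only triage script for the check quoted in post #513, sorting a large set of encrypted files into those whose beginning is nothing but 0x00 bytes and those still worth keeping for possible decryption. The `.nuclear` filename suffix and the 4096-byte definition of "the beginning" are assumptions made here, and all function names are illustrative.

```python
import os
import sys

HEAD_BYTES = 4096   # assumption: how much of the file start counts as "the beginning"
SUFFIX = ".nuclear"  # assumption: encrypted files end with the variant's extension


def head_is_zeroed(path, head_bytes=HEAD_BYTES):
    """True if the file is non-empty and its first head_bytes are all 0x00."""
    with open(path, "rb") as fh:  # read-only: evidence files are never modified
        head = fh.read(head_bytes)
    return len(head) > 0 and head.count(0) == len(head)


def triage(root, suffix=SUFFIX, head_bytes=HEAD_BYTES):
    """Walk root and sort encrypted files into zeroed / candidate / unreadable."""
    report = {"zeroed": [], "candidate": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(suffix):
                continue  # skip ransom notes and untouched files
            path = os.path.join(dirpath, name)
            try:
                bucket = "zeroed" if head_is_zeroed(path, head_bytes) else "candidate"
            except OSError:
                bucket = "unreadable"  # locked or permission-denied: check by hand
            report[bucket].append(path)
    return report


def zeroed_ratio(report):
    """Fraction of readable encrypted files whose beginning is all 0x00."""
    checked = len(report["zeroed"]) + len(report["candidate"])
    return len(report["zeroed"]) / checked if checked else 0.0


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
    print(f"zeroed share of readable files: {zeroed_ratio(result):.1%}")
    for path in result["zeroed"]:
        print("ZEROED", path)
```

Run it against a copy or a read-only mount of the affected volume; the "candidate" bucket only means the zero-byte symptom is absent, not that the file is known to be recoverable.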



#514 Emmanuel_ADC-Soft

Posted 26 November 2017 - 04:49 AM

@kutlus,

Can you please share 3-4 doc, xls, pdf encrypted files, the !! RETURN FILES !!.txt file and any suspicious or trojan files?

Kind regards, Emmanuel



#515 kutlus

Posted 26 November 2017 - 11:09 AM

I will send examples in 2-3 days, since a company was trying to solve this issue and did not succeed...

#516 kos05

Posted 27 November 2017 - 11:27 PM

> @kos05
>
> It is impossible to bruteforce or recover the keys for the .payday variant without paying the criminals as stated before. If you do receive a key after paying, you can use it with my (safer and more user-friendly) decrypter.
>
> @kutlus
>
> PM me a few encrypted files and your ransom note, and I'll see if I can help next week.

Hello!
How do you forward files?



#517 Emmanuel_ADC-Soft

Posted 28 November 2017 - 05:23 AM

Hello,

You can use https://wetransfer.com/ for example. There are a lot of other websites and software like Dropbox, Google Drive, etc.

Emmanuel



#518 kos05

Posted 28 November 2017 - 09:13 PM

> Hello,
>
> You can use https://wetransfer.com/ for example. There are a lot of other websites and software like Dropbox, Google Drive, etc.
>
> Emmanuel

I have the body of the "payday" virus, and more additional files that booted with it. Can this help decipher?



#519 Emmanuel_ADC-Soft

Posted 29 November 2017 - 04:27 AM

Hello,

Not sure, but we have to check it to be sure. Can you zip this and share the files here?

Kind regards, Emmanuel



#520 kos05

Posted 29 November 2017 - 04:30 AM

> Hello,
>
> Not sure, but we have to check it to be sure. Can you zip this and share the files here?
>
> Kind regards, Emmanuel

Hello!

Now I'll try to add the files to the archive and send it to you.



#521 kos05

Posted 29 November 2017 - 04:37 AM

 

> > Hello,
> >
> > Not sure, but we have to check it to be sure. Can you zip this and share the files here?
> >
> > Kind regards, Emmanuel
>
> Hello!
>
> Now I'll try to add the files to the archive and send it to you.

The archive with virus files is available at: https://drive.google.com/file/d/1UVkcaLD9cTeXo6_72Yt2wZnISWEi5cDO/view?usp=sharing Password: 1111

We really hope for your help.



#522 Emmanuel_ADC-Soft

Posted 29 November 2017 - 04:45 AM

Hello kos05,

Can you also share 3 encrypted files (.doc, zip, pdf), not too small, and the !#_RESTORE_FILES_#!.inf (ransom note file)?

Kind regards, Emmanuel


Edited by Emmanuel_ADC-Soft, 29 November 2017 - 04:54 AM.


#523 kos05

Posted 29 November 2017 - 04:53 AM

> Hello kos05,
>
> Can you also share 3 encrypted files (.doc, zip, pdf), not too small, and the !#_RESTORE_FILES_#!.inf (ransom note file)?
>
> Kind regards, Emmanuel

https://drive.google.com/open?id=1XPHkLZL1y0VVcpmqcG6zormXI1DP7-gY



#524 kos05

kos05

Posted 29 November 2017 - 05:09 AM

If there is a need, then I can provide 2 files (one encrypted, and one original)

https://drive.google.com/open?id=1qJK0x60Ti5wEc5X4nDK58Cm-gS8tkgTH



#525 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

Posted 29 November 2017 - 05:26 AM

Ok kos05, I'll come back to you as soon as possible.

Emmanuel





