Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


584 replies to this topic

#556 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2017 - 08:21 AM

...all of my files look like that
 
 Hulu.url.id-02102C04.[gettkey@qq.com].java

You are dealing with Dharma Ransomware, not Btcware Ransomware.

Any files that are encrypted with Dharma (CrySiS) Ransomware will have an id-<8 random hexadecimal characters>.[<email>] followed by the .dharma, .wallet, .zzzzz, .onion, .cesar, .arena, .cobra or .java extension appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[bitcoin143@india.com].dharma, .id-480EB957.[legionfromheaven@india.com].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[amagnus@india.com].zzzzz, .id-01234567.[gladius_rectus@aol.com].cesar, .id-BCBEF350.[chivas@aolonline.top].arena, .id-BCBEF350.[cranbery@colorendgrace.com].cobra, .id-406B4F5A.[black.mirror@qq.com].java).

Unfortunately, there is no known method to decrypt files encrypted by the .java variant of Dharma (CrySiS) without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#557 joelbendix

  • Members
  • 1 posts

Posted 29 December 2017 - 10:09 AM

Hello everybody,

 

My server has been infected by the F88.Wallet virus.

According to ID_Ransomware this virus is identified by:

  • sample_extension: .[<email>]-id-<id>.wallet
  • ransomnote_email: decrypt@btcbtcbtc.top

On the files they left an email address: decrypt@btcbtcbtc.top

I know I shouldn't, but I have paid the ransom; they sent me an .exe program but it doesn't work.

So my advice to you all is DO NOT PAY THEM, they will not give you a solution.

I would appreciate it if someone could help me find a solution.

 

Regards,

 

Joel



#558 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2017 - 11:25 AM

The .wallet variant is based on the latest AES-256 version of the BTCWare Ransomware family which uses a different RSA-1024 key and is not decryptable unless you get the private AES key from the criminals. There is no way to bruteforce the key for this variant.

If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

#559 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,590 posts
  • Gender:Male
  • Location:USA

Posted 29 December 2017 - 11:54 AM

@joelbendix

 

Try the key they gave you with my BTCWareDecrypter.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#560 vanessa_conrad

  • Members
  • 2 posts

Posted 10 January 2018 - 02:38 PM

Hi everyone!
A few days ago most files and databases in our company network were encrypted by letafi@qq.com or backupmail@cock.li.
They are asking 0.4 BTC.
Did someone pay them before?
Maybe someone can help us?
 



#561 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 January 2018 - 04:05 PM


Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom since there is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.

#562 vanessa_conrad

  • Members
  • 2 posts

Posted 11 January 2018 - 12:14 PM

We paid and received keys.
The decryption tool is working.
Hope the police will catch them.



#563 jeraxx

  • Members
  • 2 posts

Posted 15 January 2018 - 04:59 AM

Hi all,

 

I've been infected by BTCWare Payday Ransomware.

 

Ransom note:

 

! How Decrypt Files.txt

Hello! 
All your files have been encrypted 
Want resore your files? Write on e-mail - shadowzone@cock.li or shadowzone@india.com
 
 
Encrypted file:
 
test.txt.[shadowzone@cock.li or shadowzone@india.com]-id-17980.wallet
 
I've tried a lot of decryption tools, no success...
 
Please help!!!!
If someone needs files to try, please ask me.
 
BR
Juanjo


#564 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2018 - 08:06 AM

Newer variants of BTCWare (.blocking, .encrypted, .aleta, .crypton/.gryphon, .nuclear, .wyvern, .payday, .shadow and .wallet) are AES-256 versions of the malware which use a different RSA-1024 key and are not decryptable unless you pay the ransom and get the private AES key from the criminals. There is no way to bruteforce the key for any of these versions. Read Demonslay335's comments in Post #293 and Post #432.

If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.
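The two filename layouts described in this thread differ in the order of the id and e-mail fields: quietman7's Dharma pattern in post #556 is <original>.id-<8 hex>.[<email>].<ext>, while the BTCWare pattern reported by ID Ransomware in post #557 and seen in post #563 is <original>.[<email>]-id-<id>.<ext>. That ordering is what tells the two families apart even when both append .wallet. The Python below is an added example written for this edit, not code from the thread or from any of the tools mentioned in it. It classifies a list of encrypted filenames by those two patterns and collects the ids and contact e-mails per family, which is the information you need before checking the ransom note against ID Ransomware. The extension lists are the ones named in posts #556 and #564 and are assumed to be complete; the sample filenames are taken from posts #556 and #563 except where marked as constructed.

```python
import re

# Extensions named for each family in this thread (posts #556 and #564).
# Assumed complete for this example; extend them as new variants appear.
DHARMA_EXTS = {"dharma", "wallet", "zzzzz", "onion", "cesar", "arena", "cobra", "java"}
BTCWARE_EXTS = {"blocking", "encrypted", "aleta", "crypton", "gryphon", "nuclear",
                "wyvern", "payday", "shadow", "wallet"}

# Dharma/CrySiS layout: <original>.id-<8 hex chars>.[<email>].<ext>
DHARMA_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z]+)$"
)
# BTCWare layout: <original>.[<email>]-id-<id>.<ext>  (e-mail first, then id)
BTCWARE_RE = re.compile(
    r"^(?P<orig>.+?)\.\[(?P<email>[^\]]+)\]-id-(?P<id>[0-9A-Za-z]+)\.(?P<ext>[A-Za-z]+)$"
)


def _emails(field):
    # Post #563 shows two addresses inside one bracket: "[a@x or b@y]".
    return [e.strip() for e in field.split(" or ") if e.strip()]


def classify(filename):
    """Return a dict with family, original name, id and e-mails, or None if no pattern matches."""
    m = DHARMA_RE.match(filename)
    if m and m["ext"].lower() in DHARMA_EXTS:
        return {"family": "Dharma/CrySiS", "original": m["orig"], "id": m["id"],
                "emails": _emails(m["email"]), "ext": m["ext"].lower()}
    m = BTCWARE_RE.match(filename)
    if m and m["ext"].lower() in BTCWARE_EXTS:
        return {"family": "BTCWare", "original": m["orig"], "id": m["id"],
                "emails": _emails(m["email"]), "ext": m["ext"].lower()}
    return None


def summarize(filenames):
    """Group filenames by family and collect the ids and e-mails seen for each."""
    out = {}
    for name in filenames:
        r = classify(name)
        key = r["family"] if r else "unrecognised"
        entry = out.setdefault(key, {"count": 0, "ids": set(), "emails": set()})
        entry["count"] += 1
        if r:
            entry["ids"].add(r["id"])
            entry["emails"].update(r["emails"])
    return out


# Sample input: filenames quoted in posts #556 and #563, plus constructed ones.
SAMPLE = [
    "Hulu.url.id-02102C04.[gettkey@qq.com].java",                             # post #556
    "test.txt.[shadowzone@cock.li or shadowzone@india.com]-id-17980.wallet",  # post #563
    "report.docx.id-480EB957.[legionfromheaven@india.com].wallet",            # constructed, Dharma .wallet
    "invoice.pdf.[decrypt@btcbtcbtc.top]-id-17980.wallet",                    # constructed, BTCWare .wallet
    "notes.txt",                                                              # constructed, not encrypted
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, "->", classify(name))
    for family, info in summarize(SAMPLE).items():
        print(family, info["count"], sorted(info["ids"]), sorted(info["emails"]))
```

Run it over a directory listing (for example the output of a recursive dir or find) rather than over a handful of names; a mix of families in one listing, or ids that differ between hosts, is worth knowing before you contact anyone, because each id usually maps to a separate key.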

#565 crazyjk

  • Members
  • 2 posts

Posted 18 January 2018 - 08:37 AM

Hey guys, one of my clients has been encrypted. Currently in talks about getting the data back, but there are no current backups so we will need to pay.

Any idea why he would want payment and me to wait 10 hours to receive decryption?

I am infected with the Payday BTCWare and all files have a .wallet extension.



#566 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 January 2018 - 08:58 AM

Maybe he has no intention of decrypting the data.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom since there is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.

#567 crazyjk

  • Members
  • 2 posts

Posted 18 January 2018 - 10:08 AM

I was aware of that but took the risk.. I had also sent him 2 files which I have not received back decrypted. He now says he will refund the money (bitcoin).

#568 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 January 2018 - 11:01 AM

Refunding the money would be a first as far as I am aware of. Good luck.



#569 abakothanasis

  • Members
  • 9 posts

Posted 23 January 2018 - 11:06 PM

After my surprise that even with two licensed software products (Eset Security & Malwarebytes) installed, I was still unable to be protected from Globeimposter 2, I am now looking to find out if there could be any other software solution which could possibly have done a better job in identifying the threat beforehand.

Please do suggest if you can - even through PM.

PS. ESET's only response to my problem: please make an in-depth scan and then restore your files from backup.

MALWAREBYTES' response was a bit better: they tried to identify the ransomware and suggest whether there could be a decryptor (however their software didn't identify the ransomware even after I was hit and destroyed).

 

thank you anyway for all your help in this forum



#570 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,076 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 January 2018 - 06:21 AM

The best defensive strategy to protect yourself from malware infection is a comprehensive approach to include prevention and routinely backing up your data. Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

For more suggestions to protect yourself from malware, see my comments (Post #2) in this topic...it includes a list of prevention tools.



