
Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)


584 replies to this topic

#571 Maxwell_Asin (Members, 24 posts)

Posted 24 January 2018 - 12:53 PM

Sorry if I'm asking again..

I'm not sure if this is Dharma or BTC.

 



#572 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Gender: Male, Location: USA)

Posted 24 January 2018 - 01:35 PM

It's BTCWare; ID Ransomware would tell you so. Not decryptable since it's the PayDay variant, unless you happened to dump the RAM while the malware was running.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#573 Maxwell_Asin (Members, 24 posts)

Posted 25 January 2018 - 09:07 AM

I have checked with ID Ransomware before, but it gave two results: BTCWare and Dharma.
Thanks anyway.. This variant also encrypts exe files.



#574 quietman7, Bleepin' Janitor (Global Moderator, 51,885 posts, Gender: Male, Location: Virginia, USA)

Posted 25 January 2018 - 11:58 AM

If you did not upload a ransom note as well, ID Ransomware would hit on the extension.

.id-<8 random hexadecimal characters>.[<email>].wallet (i.e. .id-480EB957.[legionfromheaven@india.com].wallet) = Dharma (CrySiS)
.[<email>]-id-<4 random hexadecimal characters>.wallet (i.e. .[amagnus@india.com]-id-37DC.wallet) = BTCWare AES-256
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
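The two filename patterns quietman7 lists above (plus the .java Dharma extension that comes up later in this thread) are easy to turn into a triage script for a file server listing. The following is an added example in Go, not a tool from this thread or from ID Ransomware; the character class used for the e-mail part (anything without brackets or whitespace around an "@") and the sample filenames are assumptions/constructed input.

```go
package main

import (
	"fmt"
	"regexp"
)

// Extension patterns from quietman7's post, expressed as regular expressions.
// The e-mail class [^\]\s]+@[^\]\s]+ is an assumption: no brackets or whitespace around an "@".
var (
	// .id-<8 hex>.[<email>].wallet -> Dharma (CrySiS); .java is the Dharma extension seen in post #575/#576
	dharmaRe = regexp.MustCompile(`\.id-[0-9A-Fa-f]{8}\.\[[^\]\s]+@[^\]\s]+\]\.(wallet|java)$`)
	// .[<email>]-id-<4 hex>.wallet -> BTCWare AES-256
	btcwareRe = regexp.MustCompile(`\.\[[^\]\s]+@[^\]\s]+\]-id-[0-9A-Fa-f]{4}\.wallet$`)
)

// Classify returns the family the filename alone suggests, or "unknown".
// It is only a hint: ID Ransomware also looks at the ransom note for a reason.
func Classify(name string) string {
	switch {
	case dharmaRe.MatchString(name):
		return "Dharma (CrySiS)"
	case btcwareRe.MatchString(name):
		return "BTCWare"
	default:
		return "unknown"
	}
}

// Triage counts filenames per family, e.g. over a directory listing pulled from a share.
func Triage(names []string) map[string]int {
	counts := make(map[string]int)
	for _, n := range names {
		counts[Classify(n)]++
	}
	return counts
}

func main() {
	// Constructed sample listing: quietman7's two examples, the .java name from post #575, one clean file.
	sample := []string{
		"photo.jpg.id-480EB957.[legionfromheaven@india.com].wallet",
		"budget.xlsx.[amagnus@india.com]-id-37DC.wallet",
		"20170905_093736.jpg.id-A466430D.[decodingfiles@airmail.cc].java",
		"notes.txt",
	}
	for _, n := range sample {
		fmt.Printf("%-70s %s\n", n, Classify(n))
	}
	fmt.Println(Triage(sample))
}
```

Run it over a recursive listing of a suspect share to see which family (if any) the extensions point to before uploading a note and a sample to ID Ransomware; a mixed result like the one Maxwell_Asin got is exactly the case where the ransom note, not the extension, settles it.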

#575 gmotyw (Members, 2 posts)

Posted 05 February 2018 - 05:51 AM

Good morning,
Have you encountered such an extension and encoded files?
 
 
 
 
file name hack:
20170905_093736.jpg.id-A466430D.[decodingfiles@airmail.cc].java
 
 
edit://
I found the key in the files
 
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
 
can it be extended?
 
I mean, the hacker sent me a program that found the keys, but decryption costs 0.3 BTC
 
gz
 
Michal Amg

Edited by gmotyw, 05 February 2018 - 07:15 AM.


#576 quietman7, Bleepin' Janitor (Global Moderator, 51,885 posts, Gender: Male, Location: Virginia, USA)

Posted 05 February 2018 - 08:02 AM

Any files that are encrypted with the .java extension appended to the end of the encrypted data filename are Dharma (CrySiS) Ransomware, not Btcware. Unfortunately, there is no known method to decrypt files without paying the ransom.

#577 gmotyw (Members, 2 posts)

Posted 05 February 2018 - 08:07 AM

I understand, and there is no way to decipher anything from this code?

 

gz

Michal Amg



#578 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Gender: Male, Location: USA)

Posted 05 February 2018 - 12:58 PM

I understand, and there is no way to decipher anything from this code?

 

gz

Michal Amg

 

It's the encrypted key; can't do anything with it without the private RSA key to decrypt it.




#579 tuches (Members, 1 post)

Posted 06 February 2018 - 05:09 PM

hi 

I also got infected with ransomware, is it this variant?

 

https://drive.google.com/open?id=136z8Dnau6C_V96r8f6lExzzLK5TMznrL

 

Thanks

 

 



#580 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Gender: Male, Location: USA)

Posted 06 February 2018 - 05:32 PM

hi 

I also got infected with ransomware, is it this variant ?

 

https://drive.google.com/open?id=136z8Dnau6C_V96r8f6lExzzLK5TMznrL

 

Thanks

 

 

 

It's BTCWare, yes. Can only decrypt with the criminal's RSA key, or if you dumped RAM while the process was still running.




#581 NiteSite (Members, 2 posts)

Posted 17 February 2018 - 08:41 PM

I created a separate post because I did not think it fit this topic and this is the link to it:

 

https://www.bleepingcomputer.com/forums/t/670141/btcware-payday-using-a-wallet-extension/#entry4440553

 

As you can see I checked the file and it is BTCware with a .wallet extension. The text file only has a message and email to send a request to. I thought the text file was supposed to have a key to send as well? 

 

I do have files that are encrypted and that are originals (unencrypted) if that can help at all (as in a backup of the original file before it was encrypted)

 

Now I also shut the PC down I think in the middle of the unit encrypting files, but I did not know how to (or that I should) dump from memory to get the key from plain text. By shut down, I do mean that I pulled the plug on the unit.

 

Checking some network shares, not everything was 100% encrypted. So it seems like it was still running. Is there anything I can do? If I powered up the machine would I still find the file? Should I remove the HDD and mount it to see if the files are available?

 

Thank you in advance for any help at all! I also apologize for mis-posting before.



#582 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Gender: Male, Location: USA)

Posted 18 February 2018 - 12:26 PM

@NiteSite

 

Sometimes the encrypted key is not in the ransom note. It is appended to the end of every encrypted file anyway.

 

It's too late to dump RAM like I was mentioning in the reply to your topic. It's something you would have had to consciously do while the malware was still running. Once the malware has been killed (or the PC), then the key is lost forever without the criminal's private RSA keys.




#583 tommyhelfiger (Members, 1 post)

Posted 02 April 2018 - 05:12 AM

Help me please with decryption. (Here is a file for example: http://dropmefiles.com/xpRRa) Our files were encrypted by mail@gryphon.bz. They told us they can do a free decryption, and sent this:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

 

What do we need to do with these keys?



#584 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Gender: Male, Location: USA)

Posted 02 April 2018 - 12:42 PM

@tommyhelfiger

 

I've replied to your PM. I have to decrypt your AES key using that RSA key, then you'll be able to decrypt all of your files.


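Demonslay335's replies in #582 and #584 describe the recovery path: the per-victim AES key is RSA-encrypted and appended to the end of every encrypted file, and only the criminal's private RSA key (the PEM block tommyhelfiger was handed) can unwrap it, after which the files themselves can be decrypted. The following is an added example in Go, written for this page; it is not BTCWare's real file format and not Demonslay335's decrypter. It assumes a simple layout (nonce || AES-256-GCM ciphertext || RSA-OAEP-wrapped key, with the wrapped key occupying exactly one RSA block at the tail) and builds its own constructed sample file, so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed layout (not BTCWare's real format):
//   blob = nonce || AES-256-GCM(plaintext) || RSA-OAEP-SHA256(aesKey)
// The wrapped key is exactly pub.Size() bytes, so it can be split off the tail.

// BuildSample constructs a test fixture in the assumed layout: a fresh AES-256 key
// encrypts the plaintext and the key is wrapped with the (criminal's) RSA public key.
func BuildSample(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext+tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(body, wrapped...), nil
}

// RecoverAESKey takes the last RSA block off the blob and unwraps it with the private key.
// With any other private key OAEP decryption fails, which is the point Demonslay335 makes:
// the appended key is useless without the matching private RSA key.
func RecoverAESKey(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.PublicKey.Size()
	if len(blob) < n {
		return nil, errors.New("blob shorter than one RSA block")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[len(blob)-n:], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong RSA key?): %w", err)
	}
	return key, nil
}

// RecoverFile unwraps the AES key and decrypts the body in front of it.
func RecoverFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	key, err := RecoverAESKey(priv, blob)
	if err != nil {
		return nil, err
	}
	body := blob[:len(blob)-priv.PublicKey.Size()]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(body) < gcm.NonceSize() {
		return nil, errors.New("body shorter than nonce")
	}
	nonce, ct := body[:gcm.NonceSize()], body[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // authenticated: a wrong key cannot yield garbage silently
}

func main() {
	criminal, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key from the PEM block
	blob, _ := BuildSample(&criminal.PublicKey, []byte("constructed sample document"))
	pt, err := RecoverFile(criminal, blob)
	fmt.Printf("with the right key: %q, err=%v\n", pt, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = RecoverFile(other, blob)
	fmt.Println("with another key:", err)
}
```

The shape matters more than the primitives: a real decrypter has to know the family's exact trailer layout (where the wrapped key sits, its length, and which AES mode and key size the body uses), which is why the thread repeatedly points people to ID Ransomware and a sample file rather than to generic tools.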


#585 sotojavi (Members, 16 posts)

Posted 08 April 2018 - 08:21 PM

Hi, any news for .btcware encryption, plain, no email? It's been about a year since the infection, and no solution found; the tools I've found are useless for this type. Is it very different from the other variants already decrypted? Thank you.



