
Possible new ransomware


15 replies to this topic

#1 knei


Posted 10 May 2017 - 01:09 PM

Hello, first sorry for my English. I am affected by ransomware and I have my files with extension .decripted
 
The problem is that I do not have the exe. Can I send only one affected file and the other original so that you tell me if you can decrypt it?
 
I've popped the tool but it tells me that it does not find the key, so I'm afraid it might be affected by the zip variant
 
Thank you




#2 quietman7

  • Global Moderator

Posted 10 May 2017 - 03:39 PM

> ...I am affected by ransomware and I have my files with extension .decripted


I am not familiar with the .decripted extension...is that the correct spelling?

Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 knei


Posted 10 May 2017 - 04:45 PM

 


 

 

I'm sorry, I did not put the extension well. The correct one is .crypted
 
I uploaded the files to Ransomware ID and identified it as Nemucod
 
Thank you very much for the help


#4 quietman7


Posted 10 May 2017 - 04:49 PM

You're welcome and good luck.

#5 knei


Posted 12 May 2017 - 06:43 AM


 

Is there no way then to decrypt the files?



#6 quietman7


Posted 12 May 2017 - 06:46 AM

Fabian Wosar released a decryptor for Nemucod and newer variants of the infection but you need to use a pair of files with the same file size...see here.

#7 knei


Posted 12 May 2017 - 08:46 AM


 

 

 

Thanks again for the help. These steps I have tried but although I have two files exactly the same, the files are from a program I use, so I know they would have to be the same.
 
 
I get the following error from the program:
 
The decrypter could not determine a valid key for your system. Please drag and drop an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 4096 bytes long
 
The files I have occupy 276 kbytes
 
I'm already desperate and I do not know what to do
 
What else can I try to do to recover my files?
 
Thank you very much

Edited by knei, 12 May 2017 - 08:48 AM.


#8 quietman7


Posted 12 May 2017 - 08:52 AM


Can you share the file pair(s) you are using for our crypto malware experts to take a look at?...submit here.

#9 knei


Posted 12 May 2017 - 09:38 AM


 

I already sent the two files in a rar file
 
The name of the rar is: Encrypted and original file.rar
 
Again thank you very much for the help !!!!!!!


#10 Demonslay335

  • Security Colleague

Posted 12 May 2017 - 09:42 AM

 


 

 

It's not Nemucod. You're in the same boat as MisterBA, the files are not the same size and are padded. I do not know what ransomware it would be. Do you have a ransom note? That's the only way of identifying properly. We'll still need the malware itself to analyze.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
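
The size checks discussed in posts #6 to #10, as an added example that is not part of the original thread and not the decrypter's own code: it verifies that an original/encrypted pair has equal sizes and meets the 4096-byte minimum quoted in post #7, and flags growth that looks like block padding. The function names, the padding heuristic and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

MIN_PAIR_SIZE = 4096  # minimum from the decrypter error quoted in post #7

def triage_pair(original_path, encrypted_path, min_size=MIN_PAIR_SIZE):
    """Check a file pair; returns dict with usable, delta and notes."""
    orig_size = os.path.getsize(original_path)
    enc_size = os.path.getsize(encrypted_path)
    delta = enc_size - orig_size
    notes = []
    if min(orig_size, enc_size) < min_size:
        notes.append(f"file shorter than {min_size} bytes")
    if delta != 0:
        notes.append(f"sizes differ by {delta:+d} bytes")
        # Heuristic (assumption, not from the thread): a block cipher with
        # PKCS#7-style padding grows a file by 1..block bytes and leaves the
        # result block-aligned.
        for block in (16, 8):
            if 0 < delta <= block and enc_size % block == 0:
                notes.append(f"growth matches padding to {block}-byte blocks")
                break
        else:
            notes.append("growth does not look like plain block padding")
    return {"usable": not notes, "delta": delta, "notes": notes}

def _write(directory, name, size):
    """Create a constructed sample file of the given size."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"\x00" * size)
    return path

def demo():
    """Run the check on constructed sample files (not the poster's files)."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = _write(tmp, "report.dat", 276 * 1024 - 5)
        same = _write(tmp, "report.dat.crypted", 276 * 1024 - 5)
        padded = _write(tmp, "report2.dat.crypted", 276 * 1024)
        small = _write(tmp, "tiny.dat", 100)
        return (triage_pair(plain, same), triage_pair(plain, padded),
                triage_pair(small, small))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A pair reported as not usable will be rejected by a decrypter that needs same-size files, so the size delta and padding note are worth including when submitting samples for identification.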


#11 knei


Posted 12 May 2017 - 10:50 AM

 

 


 

 

 

Delete all the files, so I will try to recover them and upload the rescue file.
 
I remember it was an html link.
 
Thank you very much


#12 knei


Posted 14 May 2017 - 03:50 AM

Hello!!!! 

 

Finally I found the folder containing the information where I sent the ransomware to pay.

I hope it works for you. I have climbed it in the same direction as you told me before. The file is called How_Decrypt_My_Files.zip

 

Thanks, again!!!


Edited by knei, 14 May 2017 - 03:51 AM.


#13 Demonslay335


Posted 14 May 2017 - 10:43 AM

@knei

 

That definitely looks new. Haven't the time to dig further, but we'll definitely need the malware itself to analyze.

 

Could you start a new topic? It definitely isn't going to be Nemucod.




#14 quietman7


Posted 14 May 2017 - 06:19 PM

No need to start a new topic. I merged all related postings into this new topic to avoid confusion in the Nemucod one.

#15 knei


Posted 16 May 2017 - 04:56 PM

thanks for everything!!!!!





