
YYTO Ransomware Help & Support (help_to_decrypt.txt & read_to_txt_file.yyt)


37 replies to this topic

#1 hucha

hucha

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 29 May 2017 - 04:56 AM

Help guys, my files are encrypted by this RW .YYTO extension,
There was no ransomware screen, just a note

'help_to_decrypt.txt'

 

If you don't have a email in TOR network:
 
1) Download and install the browser for the TOR network: https://www.torproject.org/download/download-easy.html
2) Launch browser and go to the link (create email in TOR network): torbox3uiot6wchz.onion
3) Write on email: cutterswish@torbox3uiot6wchz.onion
4) Wait for a response.
 
DON'T WRITE FROM NOT TOR EMAIL. MESSAGES WILL NOT BE RECEIVED AND YOU WILL NOT RECEIVE AN UNLOCK KEY.
Your personal key:
 
'
I have no idea what kind of RW this is. It is not recognizable by https://id-ransomware.malwarehunterteam.com
Please help, I am a student, I have no money.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,920 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:16 PM

Posted 29 May 2017 - 05:05 AM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,245 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:16 PM

Posted 29 May 2017 - 01:12 PM

I don't believe the note looks familiar, could be something new. I don't remember any other families using Tor email exclusively like the note says.

 

I have created a rule on ID Ransomware to point victims here.

 

We will need the malware itself to analyze. Do you know how you got infected? If you find the malware, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Demonslay335


Posted 29 May 2017 - 06:19 PM

We've secured a sample of the malware thanks to xXToffeeXx, will be working on analyzing it soon.




#5 hucha


Posted 30 May 2017 - 12:59 AM

Ok, guys,

hoping for some good news.

Thanks in advance!



#6 vandavieboy

vandavieboy

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:16 PM

Posted 30 May 2017 - 01:51 AM

Great guys. Fingers crossed for some good news. Thanks again.



#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,269 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:16 PM

Posted 30 May 2017 - 09:42 AM

For those infected, any idea how this got on your system? Any strange emails received or installed any software recently?

If you do not want to disclose publicly, feel free to PM me.

#8 vandavieboy


Posted 30 May 2017 - 10:04 AM

No new software installed; however, we have had a few strange emails received asking for money to be paid (no account details offered though). The emails were sent from what looks like legitimate contacts and even showed the profile pics; however, when expanding the address it shows as a completely different email address. Hope this kind of helps.



#9 Grinler


Posted 30 May 2017 - 10:07 AM

Any attachments in these emails?

#10 vandavieboy


Posted 30 May 2017 - 10:09 AM

No attachments at all.



#11 Grinler


Posted 30 May 2017 - 10:20 AM

Ok thx

#12 vandavieboy


Posted 30 May 2017 - 10:25 AM

No probs, as I say, really hope it helps, fingers crossed.



#13 aivanov

aivanov

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 06 June 2017 - 04:24 AM

Hi,

 

I also got hit two days ago. Windows Server 2003 R2 also. It was a Sunday, so no user interaction. I do find failed remote login attempts, and I found the user that was hit - it is possible that the password was very weak so this is how the RM was run.

 

I can't find any trace of it running any more, though. Nothing in startup, no strange exe running, nothing.

 

I created a new txt file a couple of hours ago and it's still okay.

 

I'm sorry I cannot be of any more help, I don't find any trace of the exe.



#14 vandavieboy


Posted 12 June 2017 - 05:00 AM

Hi.

 

Any update on a possible solution to decrypt the files?

 

 

Thanks.



#15 Demonslay335


Posted 12 June 2017 - 09:04 AM

We're still analyzing this one.

