
YYTO Ransomware Help & Support (help_to_decrypt.txt & read_to_txt_file.yyt)


37 replies to this topic

#16 vandavieboy


Posted 12 June 2017 - 09:05 AM

OK.

 

Thanks for the reply.




#17 quietman7

Bleepin' Janitor, Global Moderator

Posted 12 June 2017 - 02:30 PM

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#18 decrypt belgium


Posted 13 June 2017 - 09:54 AM

One of our customers was infected during the weekend, same ransom txt as above - code:


 

We have an original good file and the infected version - if these could help you out let us know where to put it.



#19 quietman7


Posted 13 June 2017 - 01:04 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

#20 decrypt belgium


Posted 14 June 2017 - 06:59 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

 

done now 14-06-2017



#21 quietman7


Posted 14 June 2017 - 07:40 AM

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#22 GUNGEAR


Posted 04 July 2017 - 03:52 AM

One of our computers was infected last week with the same ransomware. The encrypted files' extension was .read_to_txt_file.juuj

 

help.txt:
 

If you don't have a email in TOR network:
 
1) Download and install the browser for the TOR network: https://www.torproject.org/download/download-easy.html
2) Launch browser and go to the link (create email in TOR network): torbox3uiot6wchz.onion
3) Write on email: isabell@torbox3uiot6wchz.onion
4) Wait for a response.
 
 
 
DON'T WRITE FROM NOT TOR EMAIL. MESSAGES WILL NOT BE RECEIVED AND YOU WILL NOT RECEIVE AN UNLOCK KEY.

...

 

I sent the text and encrypted files for this topic.



#23 quietman7


Posted 04 July 2017 - 06:44 AM

If this is a new variant, our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.

#24 vandavieboy


Posted 19 July 2017 - 10:54 AM

Hi.

 

Would you happen to have any update on this, or a solution if possible?

 

Thanks.



#25 Demonslay335

Ransomware Hunter, Security Colleague

Posted 19 July 2017 - 12:23 PM

I'm afraid this ransomware is not decryptable. In the samples I analyzed, it securely generates a 16-byte key per file (for AES, I believe it was) and encrypts those keys with RSA-1024.

 

I have not seen a sample of .juuj, but it would most likely be the same.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#26 vandavieboy


Posted 20 July 2017 - 02:31 AM

Hi, thanks for the reply.

 

Just to clarify, there is no solution to decrypt my files from YYTO Ransomware Help & Support (help_to_decrypt.txt & read_to_txt_file.yyt)?

 

Thanks.



#27 quietman7


Posted 20 July 2017 - 05:38 AM

...Just to clarify, there is no solution to decrypt my files from YYTO Ransomware...

That is correct...there is no known way to decrypt files encrypted by YYTO without paying the ransom. If possible, your best option is to restore from backups.

#28 ICrusaderI


Posted 25 September 2017 - 05:28 PM

Hi there, I have the following big problem:

My friend got this ransomware, I believe a variant of YYTO. The help file displayed at startup says to mail albertkerr94@mail.com, and the encrypted files have m5m5 extensions. The victim server is Windows 2003.

I need help to decrypt the files...

I used Wireshark with a batch file at startup, isolated the server as much as I could, and started to record the traffic. The file in the link has the PCAP extension; could an expert please read it?

 

https://www.justbeamit.com/v7ja5



#29 quietman7


Posted 25 September 2017 - 05:33 PM

As I said in your other topic, if you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#30 Demonslay335


Posted 25 September 2017 - 05:37 PM

Hi there, I have the following big problem:

My friend got this ransomware, I believe a variant of YYTO. The help file displayed at startup says to mail albertkerr94@mail.com, and the encrypted files have m5m5 extensions. The victim server is Windows 2003.

I need help to decrypt the files...

I used Wireshark with a batch file at startup, isolated the server as much as I could, and started to record the traffic. The file in the link has the PCAP extension; could an expert please read it?

 

https://www.justbeamit.com/v7ja5

 

The PCAP would only be useful if you caught the network traffic of the malware as it sent its key to the server. It's been a while since I analyzed this one, so I don't honestly recall if it ever has any network activity. I do know it generates a secure key per run.

 

The link you posted is no longer valid as well.

 

We do have a sample of the malware using that extension, confirmed it is the same ransomware family.


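An added example, not part of any post in this thread and not one of the BleepingComputer tools: a Python script that inventories files carrying the names quoted above (`help_to_decrypt.txt`, `help.txt`, the `read_to_txt_file` marker, and the `yyt`, `juuj` and `m5m5` extensions) and lists the original paths to request from backup. The suffix pattern, in particular matching a bare `.m5m5` suffix, and all function names are assumptions.

```python
import ntpath
import os
import re

# Indicators quoted in this thread. How the marker combines with "m5m5" is an
# assumption: the post only says the encrypted files have "m5m5 extensions".
ENCRYPTED = re.compile(
    r"^(?P<orig>.+?)(?:\.read_to_txt_file)?\.(?P<ext>yyt|juuj|m5m5)$", re.I)
STRONG_NOTES = {"help_to_decrypt.txt"}
WEAK_NOTES = {"help.txt"}  # common name: only counted beside encrypted files


def inventory(paths):
    """Split paths into encrypted files per variant and ransom notes."""
    encrypted, hit_dirs, strong, weak = {}, set(), [], []
    for path in paths:
        folder, name = ntpath.split(path)  # victims here are Windows hosts
        m = ENCRYPTED.match(name)
        if m:
            original = ntpath.join(folder, m["orig"])
            encrypted.setdefault(m["ext"].lower(), []).append((path, original))
            hit_dirs.add(folder.lower())
        elif name.lower() in STRONG_NOTES:
            strong.append(path)
        elif name.lower() in WEAK_NOTES:
            weak.append(path)
    notes = strong + [p for p in weak if ntpath.dirname(p).lower() in hit_dirs]
    return encrypted, notes


def restore_list(encrypted):
    """Original paths to request from backup, sorted and de-duplicated."""
    return sorted({orig for pairs in encrypted.values() for _, orig in pairs})


def scan(root):
    """Inventory a mounted (ideally read-only) copy of the affected volume."""
    return inventory(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


# Constructed sample listing, not taken from any real system.
SAMPLE = [
    r"D:\share\budget.xlsx.read_to_txt_file.juuj",
    r"D:\share\help.txt",
    r"D:\share\plan.docx.read_to_txt_file.yyt",
    r"D:\db\orders.mdb.m5m5",
    r"D:\db\help_to_decrypt.txt",
    r"D:\tools\help.txt",  # unrelated file in a clean folder: not reported
]
```

Calling `scan(root)` on a mounted copy of the affected volume returns the same two structures as `inventory(SAMPLE)`; `restore_list()` then gives the file list to hand to whoever runs the backup restore.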




