

Ransom note with the name - HOW TO DECRYPT FILES.txt


#1 prasaddlv

  • Members
  • 10 posts

Posted 06 June 2017 - 03:28 AM

Our system is infected with some ransomware and most files are encrypted.

It shows the ransom note with the name "HOW TO DECRYPT FILES.txt" with the following content:

 

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.

Encrtyption was produced using unique KEY generated for this computer.

To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
Payment have to be made in maxim 24 hours
To retrieve the private key, you need to pay 3 BITCOINS

Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK

After you've sent the payment send us an email to : fast_decrypt_and_protect@tutanota.com with subject : ERROR-ID-63100778(3BITCOINS)
If you are  not familiar with bitcoin you can buy it from here :

SITE : www.localbitcoin.com

After we confirm the payment , we send the private key so you can decrypt your system.

 

 

Please suggest if the files on our machine can be decrypted.

 

#2 AndreiH

  • Members
  • 2 posts

Posted 06 June 2017 - 04:00 AM

Hi,

 

Exactly the same thing happened to my server this morning. Identical message, same email address and error id.

I started from here: https://www.nomoreransom.org/crypto-sheriff.php

but no luck yet.

 

Any help greatly appreciated.



#3 royp

  • Members
  • 3 posts

Posted 06 June 2017 - 04:58 AM

Yup, we've been infected too.

 

I've managed to kill the server in the middle of the thing running and as a result have got some totally encrypted files, the usual ransom note and still some files prior to encryption.

If anyone knows what type this is, I'm hoping that with an original and an encrypted file there might be a tool that can decrypt.

 

I certainly don't want to chuck them any bitcoins as I always have my doubts of any fix arriving back from them.



#4 trnavy

  • Members
  • 1 posts

Posted 06 June 2017 - 05:19 AM

Same here.

 

I am trying the https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

 

If this works I will let you know.



#5 roigres

  • Members
  • 1 posts

Posted 06 June 2017 - 05:45 AM

Hello Everyone, 

 

Same here with 2 Win 2008 servers, without any user interaction.

 

Looking here they say it's like Xorist Ransom:

 

https://id-ransomware.malwarehunterteam.com/identify.php?case=0c11aa70ffce7f0d46dc809388966d88f8d7bd90

 

So I downloaded the Xorist decryptor from here: https://www.bleepingcomputer.com/news/security/emsisoft-releases-decryptors-for-the-xorist-and-777-ransomware/

And using an original file and an encrypted file we obtained the decryption key, and all the files are being decrypted right now.

 

Hope to help.



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 June 2017 - 05:47 AM

HOW TO DECRYPT FILES.txt is the name of the ransom note for Xorist Ransomware.

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, the malware file itself, any obvious extensions appended to the encrypted files, and information related to any email addresses used by the cyber-criminals to request payment.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 royp

  • Members
  • 3 posts

Posted 06 June 2017 - 05:49 AM

Right, hopefully some good news to some people, for me it is Xorist ransomware.

Mine are currently decrypting, but the Trend Ransomware detector (above) seems to work, though it did need 1 original file as well as 1 encrypted file.



#8 oguzhan34

  • Members
  • 6 posts

Posted 06 June 2017 - 07:05 AM

I have the same problem, our server is infected with that encryption. I don't have backups. Please someone help me



#9 royp

  • Members
  • 3 posts

Posted 06 June 2017 - 07:30 AM

I have the same problem, our server is infected with that encryption. I don't have backups. Please someone help me

Are all your files encrypted? If you managed to get to the server before it finished and power it down you should be able to find some directories which have both encrypted and normal files.

All you need is one un-encrypted file for the Trend Micro decryptor to work. Failing that, has someone got a file on their PC which is also the same as an encrypted one on the server?

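The recovery step the thread keeps coming back to is a known-plaintext attack on the victim's own data: one original file and its encrypted copy are enough to derive the key, which then decrypts everything else. The following is an added teaching model of that step, written for this page and not code from Emsisoft, Trend Micro or the Xorist sample itself; it assumes a simple repeating-key XOR cipher (Xorist's real scheme is not reproduced here), and all file contents are constructed.

```python
"""Known-plaintext key recovery for a repeating-key XOR cipher.

Simplified model of the recovery step the thread describes: one original
file plus its encrypted copy yields the key, which then unlocks the rest.
Teaching model only; this is not Xorist's actual cipher or any vendor tool.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt `data` with a repeating `key` (XOR is symmetric)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(plaintext: bytes, ciphertext: bytes, max_len: int = 64) -> bytes:
    """Derive the shortest repeating key consistent with one file pair.

    plaintext XOR ciphertext gives the keystream; the key is the shortest
    prefix whose repetition reproduces the whole stream. Files of different
    length cannot be a valid pair for this cipher, so that is rejected.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("original and encrypted file must be the same length")
    stream = xor_bytes(plaintext, ciphertext)  # keystream = p ^ c
    for n in range(1, min(max_len, len(stream)) + 1):
        candidate = stream[:n]
        # If `candidate` is the key, XORing it back over the stream yields zeros.
        if xor_bytes(stream, candidate) == bytes(len(stream)):
            return candidate
    raise ValueError("no repeating key of length <= max_len explains this pair")


def recover_and_decrypt(known_plain: bytes, known_cipher: bytes,
                        other_cipher: bytes) -> bytes:
    """Use one known pair to decrypt a different file from the same machine."""
    return xor_bytes(other_cipher, recover_key(known_plain, known_cipher))


if __name__ == "__main__":
    # Constructed sample data: a secret key and two "files" from one victim.
    secret_key = b"K3y!"
    original = b"Quarterly report: revenue up 4%, costs flat.\n"
    encrypted = xor_bytes(original, secret_key)
    other_encrypted = xor_bytes(b"Second document, never seen in clear.", secret_key)
    print(recover_key(original, encrypted))
    print(recover_and_decrypt(original, encrypted, other_encrypted))
```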


#10 AndreiH

  • Members
  • 2 posts

Posted 06 June 2017 - 07:45 AM

XoristDecryptor from Kaspersky didn't work for me. After a 2 hour wait for the Emsisoft Xorist decryptor to brute force the key I'm now in the process of restoring my files to their original state. Thank you all, info found here was very helpful!



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 June 2017 - 08:06 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff