Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Request for Help .master encrypted files

  • This topic is locked This topic is locked
3 replies to this topic

#1 mstraczynski


  • Members
  • 1 posts
  • Local time:12:37 PM

Posted 28 June 2017 - 10:47 AM

Request for Help
4th of june our clinic has been encrypted by .master extension.
these files contain medical records of our patients including oncology.
We were trying to decrypt those files several times,but unsuccesful till now.
We would like to kindly ask for help us with this issue, that files contain necessary medical records for futher treatment hopeless patients.
Our IT volunteer gave up.
I enclose encrypted and orginal file.
Thank you!

Edited by quietman7, 28 June 2017 - 02:56 PM.

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA
  • Local time:04:37 AM

Posted 28 June 2017 - 11:01 AM

There's already a support topic, and I've already explained why the .master strain of BTCWare cannot be decrypted for free. Your only options are to restore from backups (which under HIPPA compliance you should have had proper backups and not had RDP open to the world), or pay the ransom (not recommended).






After further analysis, I'm afraid .[<email>].master is 100% NOT decryptable, even under certain circumstances of the server not being rebooted that I was attempting. I failed to realize they had changed the random number generator they used in this "branch" to a secure one, I thought it was only later versions (.[<email>].blocking and .[<email>].encrypted). I have separated these variants out on ID Ransomware for more clarification. The only chance of decryption for free will be if the RSA-1024 private key is leaked/seized (then I would be able to decrypt everyone's files for this variant).


The decrypter will only attempt deriving a keystream if it thinks you were hit by the rare, old RC4 variant, which would have been a long long time ago. If you were hit anytime recently, then you were most definitely hit by the AES-256 variant with the secure key generator, and I cannot decrypt your files. If the decrypter offers to derive keystream anyways, and it corrupts files that it thinks it decrypts, then you were hit by the AES variant, and I once again, cannot decrypt your files. The current decrypter will check if the files you feed it are the exact same filesize, and if the entire file was encrypted past 10MB. Any further PMs about this information will be ignored; I have repeated it over and over, and am getting flooded by messages still.


Lock down your RDP.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 Moritz30


  • Members
  • 69 posts
  • Gender:Male
  • Local time:12:37 PM

Posted 28 June 2017 - 11:03 AM


[...] or pay the ransom (not recommended). [...]



I think paying the ransom might be a good idea in this case if there are no backups (even though I wouldn't recommend it usually either).

Edited by Moritz30, 28 June 2017 - 11:03 AM.

White Hat, Security Researcher, Modder, CEO at and founder of @DragonTeamMC, @OmniDragonBot and CryptID. Real name is Matthias Merkel.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:37 AM

Posted 28 June 2017 - 02:55 PM

Yes...most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money or threatened to expose data unless additional payment was made. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Anyway, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion noted by Demonslay335...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users