desuCrypt Ransomware Support Topic (DEUSCRYPT & Insane)


24 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 22 January 2018 - 12:45 PM

This is the support topic for the desuCrypt ransomware. This ransomware currently has two variants, which append either the DEUSCRYPT or Insane extension to encrypted file names.

Depending on the variant, the ransom notes will be named How_decrypt_files.txt or note.txt.

deuscrypt-ransom-note.jpg


#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 23 January 2018 - 07:44 AM

Michael Gillespie (Demonslay335) has released a decryption tool for victims of this infection...see Decrypting the Insane & Deuscrypt variant.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 alwayssomewhere


Posted 24 January 2018 - 12:08 PM

Hello guys,

 

thank you for your effort first. I really appreciate your fast work! You are doing really well so far!

 

I am trying to use the second version of this decrypter but I experience a problem. When I try to decrypt a file larger than 10 MB (for example a 20 MB .gdb file), the decrypted file is about 10 MB.

Second example: if I try to decrypt a .txt file which is about 15 MB, the decrypted version is about 10 MB again. Is this done on purpose? It would be really great if you fix this glitch (if it is a glitch).

 

Thanks in advance!



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 24 January 2018 - 12:13 PM

Oops, that may be a bug. Could you send me some sample encrypted large files via PM so I can confirm my patch will fix it? I'll need an encrypted file and its original to derive the key as well (any size is fine).


Edited by Demonslay335, 24 January 2018 - 12:13 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 chellooo20


Posted 05 February 2018 - 02:57 PM

Hello,

 

tried your tool on some files encrypted by deuscrypt and had no luck finding the decryption key.

 

Any news on that front?



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 05 February 2018 - 03:20 PM

@chellooo20

 

You'll need to send me the filepair you are using, and if possible, the malware executable that encrypted the files. You can use a third-party sharing site and PM me a link.




#7 lmlmic1


Posted 14 February 2018 - 04:53 AM

Hi Demonslay335,

It does not work for me, I will PM you the filepair.


#8 Purelaise


Posted 15 February 2018 - 04:54 PM

Hi there, I have a few files that are 16-25 MB in size but this can't seem to decrypt them despite having the key. Are you able to adjust the file size anywhere?

 

Many thanks for the awesome work  :bananas:



#9 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 15 February 2018 - 05:05 PM

I've fixed some bugs with the decrypter today relating to larger files, please re-download and make sure you are running at least v1.2.0.5.




#10 Purelaise


Posted 15 February 2018 - 05:21 PM

> I've fixed some bugs with the decrypter today relating to larger files, please re-download and make sure you are running at least v1.2.0.5.

 

People will sing your name in folk songs 300 years from now. Many thanks. That has saved me an almighty headache. 



#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 15 February 2018 - 05:26 PM

> People will sing your name in folk songs 300 years from now...

They are already doing that now....Ransomware Hero to Receive FBI Award

#12 Purelaise


Posted 15 February 2018 - 05:32 PM

 

> > People will sing your name in folk songs 300 years from now...
>
> They are already doing that now....Ransomware Hero to Receive FBI Award

That is amazing and well deserved. I will say however; cash rewards are temporary, folk songs are eternal!  :guitar:  



#13 ykc


Posted 15 February 2018 - 10:08 PM

Demonslay335, you are amazing! Thank you very much for the awesome work. Your effort in fighting crime makes you a hero.

 

By the way, the recent Tornado ransomware will alter a few characters of long filenames (> ~23 characters). Probably it's the criminal's program bug.



#14 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 February 2018 - 09:45 AM

@ykc

 

mauronz also gets credit for doing all the analysis on this particular ransomware family. :)

 

And I didn't get any cash for my award, lol.

 

Thanks for the heads-up on long filenames. I had not tested that, and it can actually be a problem. This malware creates the IV based on the last 16 bytes of the filepath (before the extension is added). So if a file has a shorter name and is moved, the IV I generate will be wrong, making the first 16 bytes of the file wrong; the rest of the file would still be fine. This would also be a problem if it renames a file or something. I'll do some testing to see if it is making the IV before or after in the case of it messing with filenames (if after, then we're fine).


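The IV behaviour described in post #14, as an added example that is not part of the original thread or the decrypter's code. It assumes CBC chaining (which matches "first 16 bytes wrong, rest fine"), uses a small hash-based Feistel cipher as a stand-in because the thread does not name the real cipher, and assumes the path is taken as UTF-8 bytes, zero-padded when shorter than 16; the key, file body and paths are constructed.

```python
import hashlib

BLOCK = 16  # block and IV size in bytes, as in the post

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (not the malware's real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(dec_block(key, ct[i:i + BLOCK]), prev)  # only block 0 uses the IV
        prev = ct[i:i + BLOCK]
    return out

def iv_from_path(path):
    # Assumption: UTF-8 bytes of the path, left-padded with zeros if under 16 bytes.
    return path.encode("utf-8")[-BLOCK:].rjust(BLOCK, b"\0")

KEY = b"constructed-demo-key"   # constructed
PLAINTEXT = bytes(range(64))    # constructed 4-block file body

def damaged_blocks(orig_path, current_path):
    """Encrypt under the original path's IV, decrypt under the current path's IV."""
    ct = cbc_encrypt(KEY, iv_from_path(orig_path), PLAINTEXT)
    pt = cbc_decrypt(KEY, iv_from_path(current_path), ct)
    return [i // BLOCK for i in range(0, len(pt), BLOCK)
            if pt[i:i + BLOCK] != PLAINTEXT[i:i + BLOCK]]
```

Calling `damaged_blocks(r"C:\Users\demo\a.txt", r"D:\recovered\a.txt")` reports only block 0 as damaged, because the short name lets directory bytes into the IV; a file name longer than 16 bytes gives the same IV wherever the file sits, so nothing is damaged after a move.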


#15 lmlmic1


Posted 16 February 2018 - 11:11 AM

To mauronz and other contributors, thank you!!!



