GandCrab Ransomware Help & Support Topic (.GDCB, .CRAB & CRAB-DECRYPT.txt)


207 replies to this topic

#16 Amigo-A

Amigo-A

  • Members
  • 452 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:05:37 PM

Posted 07 February 2018 - 08:07 AM

Just found something interesting at "%appdata%/Microsoft/Crypto". There are two maps; RSA and Keys with both one dll file in the subfolder, could these possibly be my decryption keys?

 

 

It is necessary that Grinler and Demonslay335 look at these files.


Edited by Amigo-A, 07 February 2018 - 08:07 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.



#17 jvw199

jvw199

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rotterdam, The Netherlands
  • Local time:01:37 PM

Posted 07 February 2018 - 08:17 AM

 

Just found something interesting at "%appdata%/Microsoft/Crypto". There are two maps; RSA and Keys with both one dll file in the subfolder, could these possibly be my decryption keys?

 

 

It is necessary that Grinler and Demonslay335 look at these files.

 

Sure, how and where can I provide them with the files? Also, something else necessary (like the id)?



#18 Amigo-A

Amigo-A

  • Members
  • 452 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:05:37 PM

Posted 07 February 2018 - 09:49 AM

according to post #6 by quietman7

more details from him.



#19 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:37 AM

Posted 07 February 2018 - 10:56 AM

Yes...samples of encrypted files, ransom notes, any related files or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#20 im_paul

im_paul

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 10 February 2018 - 12:41 PM

Hello! 
I want to share my history. I got caught by these guys through spam, they encrypted my work PC (I'm an insurance agent) with ALL important files and even encrypted my backups, I reread a lot of information about GandCrab and tried different ways to decrypt my files, but nothing helped me, so I decided to buy a decryptor from them. After I paid $ 2000 (for some reason, the price of my PC was higher than described in web), they gave me a decryptor software, that very quickly decrypted my files and not one of the files was not damaged.
 
Therefore, I advise everyone who has important files damaged not to wait for free methods, but to use their program.


#21 jvw199

jvw199

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rotterdam, The Netherlands
  • Local time:01:37 PM

Posted 10 February 2018 - 12:47 PM

Hello! 
I want to share my history. I got caught by these guys through spam, they encrypted my work PC (I'm an insurance agent) with ALL important files and even encrypted my backups, I reread a lot of information about GandCrab and tried different ways to decrypt my files, but nothing helped me, so I decided to buy a decryptor from them. After I paid $ 2000 (for some reason, the price of my PC was higher than described in web), they gave me a decryptor software, that very quickly decrypted my files and not one of the files was not damaged.
 
Therefore, I advise everyone who has important files damaged not to wait for free methods, but to use their program.


Can you please share this decrypter with Demonslay335? (See post #19) I'm a university student, so don't have the money for it but I really like my files back.

#22 im_paul

im_paul

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 10 February 2018 - 01:08 PM

 

Hello! 
I want to share my history. I got caught by these guys through spam, they encrypted my work PC (I'm an insurance agent) with ALL important files and even encrypted my backups, I reread a lot of information about GandCrab and tried different ways to decrypt my files, but nothing helped me, so I decided to buy a decryptor from them. After I paid $ 2000 (for some reason, the price of my PC was higher than described in web), they gave me a decryptor software, that very quickly decrypted my files and not one of the files was not damaged.
 
Therefore, I advise everyone who has important files damaged not to wait for free methods, but to use their program.


Can you please share this decrypter with Demonslay335? (See post #19) I'm a university student, so don't have the money for it but I really like my files back.

 

Yes, no problem, but I think it is not help for you, because in decryptor my key. Download here : https://www.sendspace.com/file/zhri5w



#23 jvw199

jvw199

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rotterdam, The Netherlands
  • Local time:01:37 PM

Posted 10 February 2018 - 01:17 PM


Hello! 
I want to share my history. I got caught by these guys through spam, they encrypted my work PC (I'm an insurance agent) with ALL important files and even encrypted my backups, I reread a lot of information about GandCrab and tried different ways to decrypt my files, but nothing helped me, so I decided to buy a decryptor from them. After I paid $ 2000 (for some reason, the price of my PC was higher than described in web), they gave me a decryptor software, that very quickly decrypted my files and not one of the files was not damaged.
 
Therefore, I advise everyone who has important files damaged not to wait for free methods, but to use their program.

Can you please share this decrypter with Demonslay335? (See post #19) I'm a university student, so don't have the money for it but I really like my files back.

Yes, no problem, but I think it is not help for you, because in decryptor my key. Download here : https://www.sendspace.com/file/zhri5w

Nice and thank you very much!👍 I really think this will help hugely, since the decryption can now be reverse-engineered (also to make sure no virus is present) and the only thing left to do is find a way to retrieve the key from the system. Btw, did you scan the decrypter with a virus scanner? Since it would suck if it gave you the ransom again.

Edited by jvw199, 10 February 2018 - 01:19 PM.


#24 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:37 AM

Posted 10 February 2018 - 01:23 PM

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

However, if a victim receives a working decrypter, they can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information to exploit by analyzing it further.

#25 im_paul

im_paul

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 10 February 2018 - 02:38 PM

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

However, if a victim receives a working decrypter, they can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information to exploit by analyzing it further.

Sorry, but I don't have encrypted files, because decryptor decrypted my all encrypted files.

jvw199, please don't worry it is clean file. I was check it.



#26 randomuser85

randomuser85

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:37 PM

Posted 11 February 2018 - 05:28 PM

Hi Guys, Stumbled upon this thread while searching for more info on said virus. My machine is in the process of having the files encrypted - I have shut down the computer for now so I can image my drives (I can see quite a lot of my data has not yet been encrypted). I was reading about the possibility of sniffing the encryption key using Wireshark on some ransomware and was wondering if this is likely possible with this variant or is it likely too late as the process is already part through? Also is there anything else I could do at this stage either to recover the files or at least gather some information to post here to assist your research into the virus?

As for how I got it I am not at all sure - I accessed the computer this morning and when I returned I noticed it running awfully slow then noticed the text document showing up in the directories. I have installed Filezilla server (not client which I have read has a malware version floating around) and it definitely came from the Filezilla site. From the time changes on the files I would say the infection started encrypting files around 4-5 hours after the PC was last accessed (it's a home server and stays on 24/7).

 

Thanks in advance



#27 johanbosman

johanbosman

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 13 February 2018 - 08:46 AM

My client also got infected and decided that he will risk the $800 for his files, we did get the decryptor with the unique code and the decryption is working. I uploaded some files with the decryptor that I just copied from the desktop, hope this can help someone to crack these mofo's. Not sure how to link the upload here? Any help on the matter will be good.



#28 jvw199

jvw199

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rotterdam, The Netherlands
  • Local time:01:37 PM

Posted 13 February 2018 - 08:55 AM

My client also got infected and decided that he will risk the $800 for his files, we did get the decryptor with the unique code and the decryption is working. I uploaded some files with the decryptor that I just copied from the desktop, hope this can help someone to crack these mofo's. Not sure how to link the upload here? Any help on the matter will be good.


I suggest putting the original and encrypted file(s), the decryptor and key in one zip file and upload it to the link below (I really think this is very useful, since you still have everything):

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

However, if a victim receives a working decrypter, they can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information to exploit by analyzing it further.



#29 edi_bru1

edi_bru1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 14 February 2018 - 08:49 AM

Hello guys, sorry for my English. Our server was attacked by this ransomware, and encrypted all important files, when I try free decryption tools (third-party soft) I broken my files, but when I pay 5000$ for decryptor on Gandcrab page they helped me fix my broken files. 
 
About price: I ask why they give me high price, they answered because we are not home PC, we are big company and have big server.


#30 jvw199

jvw199

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rotterdam, The Netherlands
  • Local time:01:37 PM

Posted 14 February 2018 - 09:07 AM

 

 

Hello guys, sorry for my English. Our server was attacked by this ransomware, and encrypted all important files, when I try free decryption tools (third-party soft) I broken my files, but when I pay 5000$ for decryptor on Gandcrab page they helped me fix my broken files. 
 
About price: I ask why they give me high price, they answered because we are not home PC, we are big company and have big server.
 
 

Can you maybe provide: some encrypted and decrypted file(s) (which are not confidential to your company), the decryptor and key in a zip file to the link given by post #24?

 

This way someone can check it out and probably create a decryptor for all


Edited by jvw199, 14 February 2018 - 09:07 AM.




