Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


decrypting files with .[volcano666@cock.li].volcano

  • Please log in to reply
4 replies to this topic

#1 lucky2704


  • Members
  • 1 posts
  • Local time:02:30 AM

Posted 03 April 2018 - 03:21 AM

Dear everyone!
Please help me to fix this ransomware and give me a tool decrypt ransomware files

BC AdBot (Login to Remove)


#2 Amigo-A


  • Members
  • 609 posts
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:30 AM

Posted 03 April 2018 - 04:12 AM

Presumably, this refers to the encryptor InsaneCrypt Ransomware.
Extension: .volcano
Composite extension: .[volcano666@tutanota.de].volcano
Email-1: volcano666@tutanota.de
Email-2: volcano666@cock.li
Ransom-note: key.txt
Contents of note:
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: volcano666@tutanota.de.You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.In case of no answer in 48 hours write us to theese e-mails: volcano666@cock.li
[redacted 512 hex]



But we do not have confirmation in the form of exe files this version of encoder.
Try find them until you reinstalled of the system.
These are possible paths of their location in Windows. 
AppData is a hidden directory. You must first enable display of hidden files.
Only DO NOT CLICK THESE FILES to see what is it !!! 
The collected files must be submitted to specialists.
Use a special form for sending malware on the BleepingComputer.
%APPDATA% - Application Data files
➤ Windows Vista/7/8:
Disk:\Users\User_Name\AppData\Local\ =>
Disk:\Users\User_Name\AppData\Roaming\ =>
➤ Windows NT/2000/XP: 
Disk:\Documents and Settings\User_Name\Application Data\ =>
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\ =>
%TEMP% - Temporary files
%WinDir%\Temp\ =>
Disk:\Windows\Temp\ =>
Disk:\Users\User_Name\AppData\Local\Temp\ =>
Disk:\Users\User_Name\AppData\LocalLow\Temp\ =>
%WinDir% - Windows files
Disk:\Windows\ =>
Disk:\Windows\system32\ =>
Program files
Disk:\Program Files\ =>
Disk:\Program Files (x86)\ =>
Disk:\ProgramData\ =>
Disk:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ =>
Users files
Disk:\Users\User_Name\Desktop\ =>
Disk:\Users\User_Name\Documents\  =>
Disk:\Users\User_Name\Documents\Downloads\ =>
Disk:\Users\User_Name\Downloads\ =>
Recycler files
Temporary Internet Files of Internet Explorer: 
➤ Windows Vista/7/8:
Disk:\Users\User_Name\Local\Microsoft\Windows\Temporary Internet Files\
Disk:\Users\User_Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
Disk:\Users\User_Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<random_name>\ (a-z, 0-9)
➤ Windows NT/2000/XP: 
Disk:\Documents and Settings\User_Name\Local Settings\Temporary Internet Files\ 
Temporary Internet Files of Google Chrome и Chromium:
➤ Windows 8, 7 или Vista
Google Chrome: 
Disk:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\
Disk:\Users\User_Name\AppData\Local\Chromium\User Data\Default\
➤ Windows XP:
Google Chrome: 
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\User Data\Default\
Disk:\Documents and Settings\User_Name\Local Settings\Application Data\Chromium\User Data\Default\
Temporary Internet Files of Opera:
➤ Windows 8, 7:
Disk:\Users\User_Name\AppData\Local\Opera Software\Opera Stable\
Disk:\Users\User_Name\Roaming\Opera Software\Opera Stable\
Temporary Internet Files of Firefox:
➤ Windows 8, 7:
Temporary Internet Files of Microsoft Edge

Edited by Amigo-A, 04 April 2018 - 02:18 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:30 PM

Posted 03 April 2018 - 07:38 AM

Related to Hunt: extension ".[volcano666@tutanota.de].volcano", note "key.txt"

Uploading both encrypted files and ransom notes together at ID Ransomware provides a more positive match and helps to avoid false detections. Any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Amigo-A


  • Members
  • 609 posts
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:30 AM

Posted 03 April 2018 - 11:30 AM

Yes, there is still my tweet-comment with the data, like here in the post, and the picture with  color markers. This was added on 12 March. 
These markers indicate the relationship of errors in the text, which are transferred from the template, in which the text does not change, but changes emails.



Edited by Amigo-A, 03 April 2018 - 11:32 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 

#5 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:01:30 PM

Posted 03 April 2018 - 03:13 PM

We will need the malware executable in order to confirm it is 100% InsaneCrypt, but in the meantime, please PM me an encrypted file and its original and I can do some testing.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users