
Where can I get the actual decrypt tool used by Cryptowall 3.0?


  • This topic is locked
7 replies to this topic

#1 GrdLock

  • Members
  • 5 posts

Posted 03 August 2018 - 04:46 PM

A few years ago we were hit with what I believe is CryptoWall 3.0. It has a HELP_DECRYPT file; I ran it through a scanner and it said it was either CryptoWall 3.0 or Crypt0. Tried a Crypt0 decrypter and it didn't work.

Back then we paid the ransom, decrypted our files. Now three years later it's surfaced there was a whole folder that got missed and we didn't decrypt it. So the problem is that I still have the private and public keys provided to us when we paid the ransom, however I no longer have the actual .exe file that does the decryption.

Is there either 1) a place I can download that exe file so I can run it with the key files I have to get these files decrypted, or 2) some utility/command/etc. I can run that would decrypt the files manually using this private and public key?





#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 August 2018 - 05:39 PM


Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Any files that are encrypted with Crypt0 Ransomware will have the _crypt0 extension appended to the end of the encrypted data filename and leave files (ransom notes) named HELP_DECRYPT.TXT, HELP_DECRYPT.TXTHELP_DECRYPT.TXT.

CryptoWall 3.0, like previous versions, does not append an obvious extension to the end of encrypted filenames. CryptoWall 3.0 will leave files (ransom notes) named HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, and HELP_DECRYPT.PNG.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
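
The filename indicators described in the reply above, applied to a file listing as an added example (not code from the thread or from ID Ransomware): it groups paths by folder and reports which family the ransom-note names and the `_crypt0` suffix point to. The sample paths, the function name and the verdict strings are constructed for illustration, and a verdict is only a candidate until samples are confirmed.

```python
# Added example (not from the thread): triage a file listing using only the
# indicators quoted in post #2. All paths below are constructed sample data.
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAMES = {"HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG"}
CRYPT0_SUFFIX = "_crypt0"


def classify_folders(paths):
    """Map each folder holding a ransom note to the family its files suggest."""
    folders = defaultdict(lambda: {"notes": set(), "data": []})
    for raw in paths:
        p = PureWindowsPath(raw)  # parses Windows paths on any host OS
        bucket = folders[str(p.parent)]
        if p.name.upper() in NOTE_NAMES:
            bucket["notes"].add(p.name.upper())
        else:
            bucket["data"].append(p.name)

    verdicts = {}
    for folder, seen in folders.items():
        if not seen["notes"]:
            continue  # no ransom note in this folder: nothing to report
        if any(n.lower().endswith(CRYPT0_SUFFIX) for n in seen["data"]):
            verdicts[folder] = "Crypt0"
        elif seen["data"]:
            # Note present, files present, no appended extension.
            verdicts[folder] = "CryptoWall 3.0 candidate"
        else:
            # The note name alone matches both families.
            verdicts[folder] = "undetermined (note only)"
    return verdicts


SAMPLE_LISTING = [  # constructed
    r"D:\share\finance\HELP_DECRYPT.TXT",
    r"D:\share\finance\HELP_DECRYPT.HTML",
    r"D:\share\finance\budget.xlsx",
    r"D:\share\scans\HELP_DECRYPT.TXT",
    r"D:\share\scans\invoice.pdf_crypt0",
    r"D:\share\empty\HELP_DECRYPT.TXT",
    r"D:\share\clean\readme.txt",
]

if __name__ == "__main__":
    for folder, verdict in sorted(classify_folders(SAMPLE_LISTING).items()):
        print(f"{folder}: {verdict}")
```
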

#3 GrdLock


Posted 04 August 2018 - 08:39 AM

Yes, I ran it through that site, and that's the site that came back as Crypt0 or CryptoWall 3.0. And since the files do not have an extension appended, I'm positive it's CryptoWall 3.0.

Surely there must be some website or person that has a copy of the decrypter .exe file that comes along with paying the ransom of this one. If I could get that I'd be able to decrypt these remaining files since I still have the key files we got when we paid the ransom.

Please note... I'm not looking for a decrypt tool provided by a company to decrypt the ransomware - I know that doesn't exist for CryptoWall 3.0. I'm looking for the actual .exe file that gets sent to you from the creator of the ransomware after you pay the ransom, since I can use that with the key files I have to decrypt the data.


Edited by GrdLock, 04 August 2018 - 12:49 PM.


#4 GrdLock


Posted 04 August 2018 - 03:56 PM

[Attached image: decrypter-thmb.jpg]

This is what the decrypter looks like, file name is "decrypt.exe". This is the one I need the copy of.



#5 quietman7


Posted 04 August 2018 - 09:02 PM

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private randomly generated RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

#6 GrdLock


Posted 05 August 2018 - 09:17 AM

This is not the case with CryptoWall 3.0's decrypter. With CryptoWall 3.0 they provide a unique KEY file, along with a standardized decrypt.exe file. The EXE decrypts based on the key file. This is actually the case with a number of ransomware varieties.


Edited by GrdLock, 05 August 2018 - 09:19 AM.


#7 GrdLock


Posted 05 August 2018 - 10:25 AM

Update: Someone sent me the decrypt.exe file I needed, and it worked like a charm; files are decrypted.



#8 quietman7


Posted 05 August 2018 - 03:22 PM

Glad to hear you were successful.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff