
Waiting (CryTox) Ransomware ([random 9 char].waiting, .wait) Support Topic


47 replies to this topic

#1 hoanganhtruong77


Posted 09 July 2021 - 04:27 AM

Any files that are encrypted with Waiting (CryTox) Ransomware will have a [random 9 char] string followed by the .waiting or .wait extension appended to the end of the encrypted data filename, and the ransomware typically will leave files (ransom notes) named ReadMe.hta or ReadMe.html, as explained here by Amigo-A (Andrew Ivanov). These are some examples.
<filename>.bmp XOTQZLWL5.waiting
<filename>.jpg QQYKLMTP5.waiting
<filename>.jpg NVLTNZOO3.waiting
<filename>.png vqottlor1.wait
<filename>.png raoifjgna.wait
 
 

 

Sorry to bother you guys! Currently I have a virus that encrypts all data with the extension *.waiting. I have archived some old files elsewhere, so I have two identical files (one infected file and the other uninfected). I don't know, do you need them? Please help me get back the new data that I haven't had time to back up recently. Please give me a link so I can upload those 2 files if you need them. Thank you very much!




 


#2 Amigo-A


    Security specialist and Ransomware expert. Volunteer Helper



Posted 09 July 2021 - 05:29 AM

Attach a ransomware note and at least one encrypted file to the message.
 
Archive it into a zip archive.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#3 hoanganhtruong77


Posted 09 July 2021 - 05:37 AM

I have uploaded encrypted files, but the system won't let me upload. Please show me. Thank you!
 
"Error You aren't permitted to upload this kind of file"

Edited by quietman7, 11 July 2021 - 05:22 PM.


#4 Amigo-A


Posted 09 July 2021 - 06:31 AM

Archive files into a zip archive and only then attach to the message. 

 



Edited by Amigo-A, 09 July 2021 - 06:38 AM.


 


#5 hoanganhtruong77


Posted 09 July 2021 - 11:00 PM

I have zipped and uploaded the file that is infected with the virus. The system gives the error "Error You aren't permitted to upload this kind of file". I can't upload it.



#6 Amigo-A


Posted 10 July 2021 - 12:14 AM

through the site

https://dropmefiles.com/


Edited by Amigo-A, 10 July 2021 - 12:15 AM.


 


#7 hoanganhtruong77


Posted 10 July 2021 - 02:37 AM

through the site

https://dropmefiles.com/

Thanks very much!

I sent 2 originals and two encrypted copies to the following link: https://dropmefiles.com/GByak

Thank you very much!



#8 Demonslay335


    Ransomware Hunter



Posted 10 July 2021 - 11:56 AM

Waiting is not decryptable, the crypto is secure...


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 Amigo-A


Posted 10 July 2021 - 02:02 PM

hoanganhtruong77
 
You did not upload the ransom note or screenshot with the message.
 
Looking at the encrypted files that you uploaded, I can see that this is the result of the 'Waiting Ransomware' attack, which we have known since last year.
Demonslay335 has already informed you that 'Waiting' can't be decrypted because the encryption is secure and cannot be cracked.

Edited by Amigo-A, 10 July 2021 - 02:03 PM.


 


#10 quietman7


    Bleepin' Gumshoe



Posted 11 July 2021 - 05:26 PM

Topic title changed to reflect naming convention and direct other victims to this support topic.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#11 marc_vie


Posted 24 November 2022 - 04:25 AM

Hello, I have many important .docx files that have been encrypted by the .waiting ransomware and would like to have them decrypted.  I would appreciate any help in this regard.  Thanks.



#12 quietman7


Posted 24 November 2022 - 07:46 AM

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?

 
Any files that are encrypted with Waiting Ransomware will have the .waiting extension appended to the end of the encrypted data filename, and the ransomware typically will leave files (ransom notes) named !0XXX_DECRYPTION_README.TXT or ReadMe.hta, as explained here by Amigo-A (Andrew Ivanov).
 

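Added example (not part of any post in this topic, and not code from the tools linked in it): the naming convention described in posts #1 and #12 turned into a small inventory script for listing encrypted files and ransom notes. The regular expression, the function names and the sample paths are assumptions of this sketch; the examples in post #1 show a space before the 9-character marker, and accepting a dot as well is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PurePath

# Ransom-note names mentioned in this topic (compared case-insensitively).
NOTE_NAMES = {"readme.hta", "readme.html", "!0xxx_decryption_readme.txt"}

# <original name><separator><9 alphanumeric chars>.waiting | .wait
# Separator: space as shown in post #1; a dot is also accepted (assumption).
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+?)[ .](?P<marker>[A-Za-z0-9]{9})\.(?P<ext>waiting|wait)$"
)

def classify(path):
    """Return ('note', name), ('encrypted', fields) or ('other', name)."""
    name = PurePath(path).name
    if name.lower() in NOTE_NAMES:
        return "note", name
    m = ENCRYPTED_RE.match(name)
    if m:
        return "encrypted", m.groupdict()
    return "other", name

def inventory(paths):
    """Group encrypted files by their 9-character marker; collect notes."""
    by_marker, notes = defaultdict(list), []
    for p in paths:
        kind, info = classify(p)
        if kind == "note":
            notes.append(p)
        elif kind == "encrypted":
            by_marker[info["marker"]].append((p, info["original"]))
    return dict(by_marker), notes

# Constructed sample listing, modelled on the examples in post #1.
SAMPLE = [
    "C:/Users/a/Pictures/holiday.jpg QQYKLMTP5.waiting",
    "C:/Users/a/Pictures/scan.png vqottlor1.wait",
    "C:/Users/a/Documents/report.docx.QQYKLMTP5.waiting",
    "C:/Users/a/Documents/ReadMe.hta",
    "C:/Users/a/Documents/waiting list.txt",  # not encrypted: no marker/ext
]

if __name__ == "__main__":
    markers, notes = inventory(SAMPLE)
    for marker, files in markers.items():
        print(marker, len(files), "file(s)")
    print("ransom notes:", notes)
```

The script only reads names, so it leaves the encrypted files untouched, in line with the advice to save encrypted data as is.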


#13 marc_vie


Posted 24 November 2022 - 08:50 AM

Yes, below is a (typed) copy of the message.  (I could find no option here to attach a screenshot).

 

YOUR FILES ARE ENCRYPTED
 
Your PC security is at risk
All your files were encrypted and important data was copied to our storage
If you do not need your files, then the private key will be deleted within 5 days
If you want to restore files and return important data, start UTOX application, contact the operator and enter YOUR ID NUKQOZWP2
ID of your personal operator 3CCTCCEF369 D6A7A4F6CAD11D1207DE671909962944A7D034282F1F7B54F9D3522E570232A0B
If the Operator did not respond within 24 hours or encountered any problem then send an email to our support johnson_john_26@aol.com
In the header of the letter, indicate your ID and attach 2-3 infected files for the decryption tool
Files should not have important information and should not exceed the size of more than 5 MB
As our guarantees, we will return your files restored
Attention!
• Do not rename encrypted files.
• Do not try to decrypt your data using third party software, it may cause permanent data loss.
• Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.


#14 quietman7


Posted 24 November 2022 - 09:01 AM

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Waiting Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced.
 

If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time. 



#15 quietman7


Posted 24 November 2022 - 09:03 AM

I have merged your topic into the primary support topic for victims of this ransomware.






