
Waiting (CryTox) Ransomware ([random 9 char].waiting, .wait) Support Topic


47 replies to this topic

#31 test_account12


Posted 08 March 2023 - 07:01 AM

I wanted to know if in this case the hackers actually download the data that is encrypted?

I was reading up about the Cryptox attacks & this looked similar. The cryptox attacks said that they only do 1 of the two: 1. Encrypt Data 2. Download the data. Do you think this would be similar and as they have encrypted the data they wouldn't have downloaded it?





#32 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 08 March 2023 - 07:09 AM

When dealing with ransomware, there is no way to know for sure if the cyber-criminals actually steal any of the data, sensitive information or passwords for further criminal activity. In most cases, rather than the content of your data, the criminals are more interested in obtaining a ransom payment for financial gain. These criminals are in business to make money and make it fast, then move on to the next victim. Although some criminals may threaten to release (publish/leak) information if victims do not pay, uploading someone's data for such nefarious purposes is time consuming and could possibly leave a trail for law enforcement authorities to follow. 
 
Nevertheless, there has been an increasing number of malware developers who are stealing files before encrypting them. If the criminals determine the stolen data is sensitive or very valuable, they demand a higher ransom payment and/or threaten to release (publish/leak) the data if a victim does not pay. According to the BlackBerry Research and Intelligence Team, there has been a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns against large corporate, business and governmental agency networks which have enabled the criminals to demand higher ransom payments and threats to publish stolen data.

Another alarming trend involves the exfiltration of data prior to, or during, the ransomware encryption process, enabling attackers to blackmail victims with the threat of sensitive data leakage should they fail to pay in a timely manner...researchers learned that within this group, all of the targeted users who opted not to pay out subsequently had their data released by the threat actors in some way...

Some criminals incorporate a technique whereby the ransomware gets executed days after initial infiltration which allows them to delay encryption and use the extra time to harvest victims' data. Thereafter, the criminals use the stolen data as additional leverage to make victims pay the ransom under the threat of leaking the stolen information. With these increasing threats to leak and publish stolen data, malware developers are demanding a second ransom not to publish stolen files and actually creating sites to leak stolen data.

Even if victims pay the ransom demands, some attackers are following through on extortion threats after the ransom has been paid.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#33 muugii8us


Posted 11 March 2023 - 07:38 AM

Does somebody have a decrypt tool for Ransomware *.WAIT?



#34 quietman7


Posted 11 March 2023 - 12:13 PM

@ muugii8us

Does your ransom note look like the one posted in this topic?

What is the actual name of the ransom note? 

 

Do your encrypted files have a [random 9 char ID] ending in a number followed by the .wait extension?

<filename>.png.vqottlor1.wait



#35 quietman7


Posted 13 March 2023 - 06:58 AM

@ test_account12, muugii8us

I have merged your postings and related comments into the primary support topic for victims of this ransomware.




#36 abcuser


Posted 05 July 2024 - 01:29 PM

Last week, we were infected by the same type of ransomware. The files are encrypted and end with a 9-character ID followed by the ".wait" extension. For example, abc.png becomes "abc.png raoifjgna.wait". Additionally, it leaves a message called "help.hta". Here is the content of that message:
 

<html><head><meta charset='UTF-8'><title>RECOVERY TOOL</title><HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu='no'>
<script>window.moveTo(50,50);window.resizeTo(screen.width-100,screen.height-100);</script><style type='text/css'>body{background:#000}.b{font:120%;font-weight:bold;color:#fff}.a{background:#f00;border-left:10px}.q{text-align:center;font:200%;font-weight:bold;margin-bottom:20px;color:#fff}</style></head><body><div class='q'>FILES ARE ENCRYPTED</div><div class='b'>All your files were encrypted and important data was copied to our storage</br>If you want to recover files, contact the operator in the TOX application, enter YOUR ID <font color=Lime> raoifjgna</font></br>Add the ID <font color=Blue>BYA3K8ML1Z2W7V9XR5P0Q8NS4T6JD3L7MF1A9G2H0E4U7XK3V1C9T2N5P8W7R0Y4B6M8L1J3D7Q2</font> of your personal operator as a friend so that you can start chatting.</br>If the Operator did not respond within 24 hours or encountered any problem then send an email to our support <font color=Blue>givememony@aol.com</font></br>In the header of the letter, indicate your ID and attach 2-3 infected files to generate a private key and compile the decryptor</br>Files should not have important information and should not exceed the size of more than 5 MB</br>After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages</div></br><div class='a'><div class='q'>Attention</div><ul><div class='b'><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.</br>In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.</li></div></ul></div><script language='VBScript'>
On Error Resume Next
set S=CreateObject("Wscript.shell")
utox=S.ExpandEnvironmentStrings("%windir%\utox.exe")
If not CreateObject("Scripting.FileSystemObject").FileExists(utox) Then
MsgBox "Find and download UTOX.EXE file on the Internet and start..."
End If
S.Run utox & " -p",1
</script></body></html>
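
The naming pattern and the help.hta note described in this topic can be turned into a quick triage check. This is an added example, not part of any post above: `parse_encrypted_name` and `triage` are hypothetical helper names, the file listing and shortened note body are constructed samples modelled on post #36, and accepting either a dot or a space before the ID is an assumption based on the two filename examples in the thread.

```python
import re
from collections import Counter

# Pattern reported in this topic: <original name> + separator + 9-char ID + ".wait"
# (".waiting" per the topic title). Post #34 shows a dot before the ID and
# post #36 shows a space, so both separators are accepted (assumption).
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)[. ](?P<victim_id>[a-z0-9]{9})\.wait(?:ing)?$", re.IGNORECASE)
# The note quoted in post #36 prints the victim ID inside <font color=Lime>.
NOTE_ID_RE = re.compile(r"<font\s+color=Lime>\s*([A-Za-z0-9]{9})\s*</font>", re.IGNORECASE)
NOTE_MARKERS = ("FILES ARE ENCRYPTED", "utox.exe", "HTA:APPLICATION")


def parse_encrypted_name(name):
    """Return (original_name, victim_id) if name fits the reported pattern, else None."""
    m = ENCRYPTED_RE.match(name)
    return (m.group("original"), m.group("victim_id").lower()) if m else None


def triage(filenames, note_text=""):
    """Summarise Waiting-style indicators in a file listing and an optional help.hta body."""
    hits = [p for p in map(parse_encrypted_name, filenames) if p]
    ids = Counter(victim_id for _, victim_id in hits)
    note_match = NOTE_ID_RE.search(note_text)
    note_id = note_match.group(1).lower() if note_match else None
    return {
        "encrypted_count": len(hits),
        "originals": [orig for orig, _ in hits],
        "victim_ids": sorted(ids),
        "note_id": note_id,
        "note_markers": [m for m in NOTE_MARKERS if m.lower() in note_text.lower()],
        # One ID shared by the note and every renamed file is the consistent picture;
        # a 9-letter word before ".wait" can still be a false positive on its own.
        "consistent": bool(hits) and note_id is not None and set(ids) == {note_id},
    }


# Constructed sample listing and a shortened note body modelled on post #36.
SAMPLE_FILES = ["abc.png raoifjgna.wait", "report.docx.raoifjgna.wait",
                "notes.txt", "help.hta", "queue.wait"]
SAMPLE_NOTE = ("<HTA:APPLICATION ICON='msiexec.exe'><div class='q'>FILES ARE ENCRYPTED</div>"
               "enter YOUR ID <font color=Lime> raoifjgna</font>"
               '<script language=\'VBScript\'>utox=S.ExpandEnvironmentStrings("%windir%\\utox.exe")</script>')

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```
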


#37 quietman7


Posted 06 July 2024 - 07:55 AM

There is nothing new to report that I am aware of.




#38 DvorakPietrek


Posted 05 February 2025 - 09:12 AM


Hi. I have a problem with my data (it is encrypted to .wait file type).  Can you help me on this?????? Thanks!!!



#39 quietman7


Posted 05 February 2025 - 09:26 AM

The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible.




#40 DvorakPietrek


Posted 05 February 2025 - 09:51 AM

The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible

how do I get that key??



#41 DvorakPietrek


Posted 05 February 2025 - 09:56 AM

 

The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible

how do I get that key??

 

 



#42 quietman7


Posted 05 February 2025 - 10:05 AM

how do I get that key??

You can't without paying the ransom and obtaining the private encryption keys from those who created the ransomware unless they are leaked or seized & released by authorities.
 
Paying the ransom, negotiating with the ransomware developers or using a data recovery service is not advisable, as I explain in this topic (Post #17), which includes victim experiences. Also read my comments here (Post #2) for more victim experiences and information as to what we know about those who claim they can decrypt data (including scammers, the criminals and data recovery services).




#43 DvorakPietrek


Posted 06 February 2025 - 07:19 AM

Archive files into a zip archive and only then attach to the message. 

 


 



#44 quietman7


Posted 06 February 2025 - 07:41 AM

What is the purpose of the above quoted post by Amigo-A?




#45 DvorakPietrek


Posted 06 February 2025 - 09:00 AM

What is the purpose of the above quoted post by Amigo-A?

The purpose?  Because my data is in danger. I own it but can't use it because it is encrypted.





