Demonslay335

It's Matrix, afraid it is not decryptable. https://www.bleepingcomputer.com/news/security/matrix-ransomware-spreads-to-other-pcs-using-malicious-shortcuts/

If you are unable to provide the decrypter with a valid encrypted/original file pair, then an alternative would be to supply an encrypted Office document. The user @thyrex on the BleepingComputer forums is able to manually derive a key in some cases that is compatible with the Emsisoft decrypter. There's also the possibility of multiple layers of encryption on the files, in which case only manual review will possibly work.

Yes, it is. If you had typed the Bitcoin address or any one of those URLs into ID Ransomware, it would have already identified them even though you don't have the note. The Bitcoin address is unique per campaign, and there's tons of URLs of compromised websites they use, so you can't just go off of matching against the one screenshot in the Emsisoft blog.

If you still have that stub.exe still, we'd be interested in it.

I'm afraid if you did not backup the .db file from the infected system (it has the filename of the Bitcoin address usually, and I think its in %TEMP%), then there will be no way to decrypt the data; even the criminals cannot decrypt without it. The ransomware stores the actual encrypted bytes in that file, and overwrites the first 2048 of the original file with utter garbage. When dealing with ransomware, reloading should be the last thing you do until you have had the ransomware properly identified. If in doubt and you absolutely need to wipe the system, it's usually a good idea to make an image of the system before-hand.

I've released a decrypter for this ransomware today. You'll need an encrypted file and it's original, and the ransom note. Should only take a few minutes to get your key. If you have any trouble, feel free to share an encrypted file and your ransom note, and I can get the key for you.

No-one has released a decrypter for the original ".btcware" extension without an email address, but we're still working on it. I still need the files from you that I requested.

Afraid that would be GlobeImposter 2.0, and it is not decryptable. You will have to restore from backups. I believe this family also comes from RDP hacking, so you should make sure the lock that down (use VPN).

I'm afraid the Amnesia2 identification is false-positive due to the email address. It does not match the hex pattern, and is thus not encrypted by Amnesia2 (or Amnesia1 or any other Globe variant). The ransom note pattern is actually GlobeImposter 2.0, you can tell by the ID being hex with spaces. It is not decryptable.

The only chance of free decryption will be if they release the private RSA-1024 key to decrypt your AES key. The attacks we used to bruteforce the key or derive a keystream are no longer applicable since they changed the keygen to be secure, and switched back to using AES (plaintext attack no longer works).

Yes, if you uploaded the encrypted file to ID Ransomware, it will tell you it is Cry36 based on the filemarker. Afraid it cannot be decrypted, you'll have to restore from backups.

The .blocking variant of BTCWare is not decryptable. I'm afraid they moved onto a fully secure key generator with this version, and it will no longer be able to be broken. You can only restore from backups or pay the ransom. Secure your RDP - use strong passwords, block it from WAN, and use VPN. BTW, Amnesia has nothing to do with BTCWare. Two completely separate ransomware families.

Odd... my only guess is a possible race condition causing a bug where it skips the correct password somehow. Was the laptop less cores than the infected system by chance? Oh well, glad it worked for you. You can always acquire the key on the laptop (it gets logged if you didn't keep it), and just load it into the decrypter on the infected system, save you from having to copy everything back and forth.

Great! I was a little worried, for some reason I could not get a key for your case... but if it works for you, that's all that matters.

@TCO Jason @Gusi If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/