Emsisoft Employee
Everything posted by Demonslay335

  1. Oops, I had a bug with renaming files based on the new extension. Sorry, can you try downloading again for v1.0.0.3?
  2. @Amigo-A All variants of ChernoLocker do not leave a ransom note. It is a Python compiled script that just displays a message box when done, and opens a URL in the browser.

     # decrypt the embedded Fernet token to obtain the URL that is opened afterwards
     url = f.decrypt('gAAAAABd5uHecSzXalJbhS48cQlhKynkcDotLAv8c3TD0jBkUvDQb-Z5snS7XgONHXqiNd5Czd94vCQix280kyHSjNnAwzgl66vYj_-YyTtPnNxTN3YjP-tZdQtd1bqe1WyRwrD-2m0xvruurd37CbHVSf2cTy-yCDCTN-MadttLITlVisEFMcKstpwHOUi-KV6YZ-7MmWcz2aaB1WmgSDNs_SN2buoKTg==')
     # url = 'https://platinumdatasolutionsltd.co.ke/wp-content/uploads/2018/11/landing-screenshot-img-9-768.jpg'
     webbrowser.open_new_tab(url)
     # the message box below is the only "note" the victim ever sees
     win32ui.MessageBox("All Your Files have now been encrypted with the strongest encryption\nYou need to purchase the encryption key otherwise\nyou won't recover your files\nRead the Browser tab on ways to recover your files\nMake Sure you dont loose this Email as you it will be loosing it will be fatal \nWrite it in a notepad and keep it safe \nEmail: [email protected]", 'YOUR FILES HAVE BEEN ENCRYPTED')

     @Raúl Try re-downloading the decryptor for v1.0.0.2 now. I've added support for your variant.
  3. @georgevacilica There's no confirmation on whether Nemty 2.5 can be decrypted yet. They may very well have fixed their flaws and made it secure.
  4. In addition to having the latest .NET Framework per the instructions and FAQ, we have also released an update to the decryptor that may fix this as of v1.0.0.2.
  5. ID Ransomware is very accurate on determining between Maoloa vs GlobeImposter 2.0 in most cases; they both have very unique ways of representing the victim's ID in the ransom note and in the encrypted file. In several cases, however, victims have been uploading an encrypted file from GlobeImposter 2.0 with a ransom note from Maoloa, or vice versa; this means they were hit by both. This can confuse the results, and there's not much I can do about that. Doesn't matter. Many ransomware (especially Maoloa and GlobeImposter 2.0) use dozens upon dozens of extensions; they are sold as a kit for criminals to distribute on their own, so they can specify whatever extension they want (among other things like the ransom note). If you give us the URL after submitting the files to ID Ransomware, it gives us a hash we can use to look up your files on the backend and confirm.
  6. It's more that they are simply overwhelmed by victim requests; they admitted such when I offered to help since I had analyzed the ransomware and know how to break it mathematically. They told me they were working with NoMoreRansom for more resources. I did not invest any more time into it so as to not overlap work. @Didi, can you supply me with an encrypted file and its original? I have a method of easily breaking the key for one file if given the original, but it takes quite a while. The key is shared among all files, but the hard part (aka CPU/time intensive part) is actually breaking the IV for every other file - that's the part I haven't fully implemented. Due to Nemty's botched crypto, the IV per file matters much more than it usually would with AES. Never mind, I just realized you have reached out to me with another handle before. I'll have to take another look at your case.
  7. When you pay, the criminal gives you a decryptor and your personal key. So yes, they don't require internet access because they give you a key you have to input into the program. We call them "online" and "offline" keys based on how they are used with the malware. The FAQ clearly states this, but I will re-summarize it for you...

     Online Key: The malware talked to their server at the time you were infected, and their server generated a key unique to you. Only the criminals have your key.

     Offline Key: The malware failed to talk to their server, and resorted to an "offline" key that is embedded in the binary. Everyone who has a file encrypted and has the corresponding ID (also embedded in the malware) will have the same key for those files.

     The NEW variants (aka yours) all use RSA encryption, so these keys are not breakable. Due to different circumstances, many times some files are encrypted with the Online key, and others with the Offline key; the malware constantly reaches out to its command server, so if even one of those times fails, then that "run" of the malware encrypts with the Offline key. We sometimes are able to acquire the Offline keys after one victim has paid, and it can help others recover some files, but the Online keys remain unique and do not help anyone else.

     Our decryptor requires internet access because we store all the keys and keystreams we acquire on our server. This allows us to manage it without having to push a decryptor update every time we get a new key, and for ease of the user in not having to input anything additional to the program. Please READ THE FAQ, this is all explained in there. Only the criminals have the Online keys; they are impossible to break. If you really want to "name a price" and throw money at the problem, feel free to invest in the quantum computing industry; we're still decades away from even attempting to use quantum computers for breaking RSA-2048.
  8. If you have a valid file pair that is too large for the submission portal to accept, you will need to upload them to a third-party sharing site and provide them to us to add to the server manually.
  9. This company deceives its customers and pretends they have a magic method of decrypting everything, when they are clearly just paying the ransom. It is one of many who do this with absolutely no transparency to the customer. https://www.itwire.com/security/aust-firm-promises-data-decryption-after-dharma-ransomware-attack.html https://www.itwire.com/security/aust-firm-offering-ransomware-recovery-at-second-domain-as-well.html And a bit of a more NSFW tirade I went on recently about them: https://twitter.com/demonslay335/status/1194662643904241671
  10. The groups behind Phobos actually compromise your system via RDP or other remote software you had open... no antivirus on the planet can protect you if someone had full control of the server.
  11. With it being New Djvu, your files will only be decryptable for free if they were encrypted by the offline key once we acquire it. If the decryptor reports your files have the ID ZioGB1sCYacbrJajtnJKEUKt6xYM3QPgwAPNAwt1, then they were encrypted by the offline key, and thus possibly decryptable in the future. Otherwise, it is an online key, and there is nothing we will be able to do to help since only the criminals have your online key(s).
  12. We have not acquired any new keys since the release of the decryptor. The criminals stopped using that server by the time we got the keys, and have been infecting users from another server.
  13. The ".Snc" variant is not supported by the decrypter, but we are currently working on it. Can't guarantee it will be decryptable at this point; they made some changes as expected.
  14. @broniusr I've fixed that now. Please try re-downloading for v1.0.0.1.
  15. @broniusr The decryptor has been updated, please try downloading it again. If you run it from the same directory as before, it should pick up the key file from the previous session, and you won't have to re-bruteforce it. Thanks for reporting the bug.
  16. You were encrypted more recently than we have keys for, that's why you get that message. Nothing we can do at the present time.
  17. @broniusr You are correct, the malware encrypts up to 0x27100 bytes of the file, and I forgot to test bait files smaller than that limit. I'll post here once the decryptor has been updated to factor for that bug in the malware. Every version of this malware family has had at least one such bug relating to the crypto, so annoying...
  18. Not yet, but decryption of 3.0 is coming soon. The idiot who coded it has an annoying bug that corrupts many files that we have to overcome.
  19. Please upload this file to VirusTotal and provide a link here. C:\Users\dasba\AppData\Local\a8402009-cadb-4977-b8d8-209fe362c63a\2.exe
  20. Yep, as I suspected. The files are corrupted. What's going on is the MP3 format is likely a little bit tolerant of some data loss. GlobeImposter 2.0 does not encrypt the whole file, only like the first few MB I believe. If you were to simply remove the ".DOCM" extension from the file, you would get the exact same result. GetCrypt Ransomware uses a random 4-character uppercase extension, so that's the only reason the decrypter is fooled into "accepting" your file pair. Due to the way I am breaking that ransomware, the tool also cannot actually verify whether the decryption was successful, it just has to blindly throw the crypto at the file.
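     As an added example (not from the post author or from Emsisoft's tools), a small Python triage helper for the file-pair behaviour described in posts 17 and 20: it reports whether only a leading region of a file was changed, flags originals smaller than the 0x27100 byte limit (the bait-file case), and performs the header-magic sanity check a decryptor can fall back on when no original exists, which is why a merely renamed MP3 can fool a tool. The test data is constructed, and a byte-wise XOR stands in for real cipher output.

```python
"""Constructed triage helpers for ransomware file pairs (example code, not Emsisoft tooling)."""

ENCRYPT_LIMIT = 0x27100  # per-file byte limit quoted in post 17; assumed for the constructed data

# Minimal magic-number table for the header check (assumption: a few common formats only).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".docx": [b"PK\x03\x04"],
    ".pdf": [b"%PDF"],
}


def changed_span(original: bytes, encrypted: bytes):
    """Return (start, end) of the region that differs from the original, or None if identical.

    Cipher output can coincidentally equal the plaintext byte (1/256 chance), so the
    boundaries are approximate; that is good enough for triage.
    """
    n = min(len(original), len(encrypted))
    start = next((i for i in range(n) if original[i] != encrypted[i]), None)
    if start is None:
        return None
    end = next(i for i in range(n - 1, -1, -1) if original[i] != encrypted[i]) + 1
    return start, end


def classify_pair(original: bytes, encrypted: bytes, limit: int = ENCRYPT_LIMIT) -> dict:
    """Describe how an encrypted file relates to its original: prefix-only, whole file, or untouched."""
    span = changed_span(original, encrypted)
    info = {
        "original_size": len(original),
        "appended_bytes": max(len(encrypted) - len(original), 0),  # footer / victim ID
        "below_limit": len(original) < limit,
        "span": span,
    }
    if span is None:
        info["verdict"] = "unchanged"          # renamed only: nothing to decrypt (post 20)
    elif info["below_limit"]:
        info["verdict"] = "fully-encrypted"    # small file, everything sits inside the limit (post 17)
    elif span[1] <= limit:
        info["verdict"] = "prefix-encrypted"   # only the first `limit` bytes were replaced
    else:
        info["verdict"] = "beyond-limit"       # does not match the expected pattern; check the sample
    return info


def header_ok(data: bytes, ext: str) -> bool:
    """Heuristic a decryptor can use without an original: does the header match the file type?"""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), []))


def demo() -> dict:
    """Constructed pair: a large file with only the first ENCRYPT_LIMIT bytes 'encrypted' plus a footer."""
    original = bytes(i & 0xFF for i in range(ENCRYPT_LIMIT + 4096))
    fake_cipher = bytes(b ^ 0x5A for b in original[:ENCRYPT_LIMIT])  # toy stand-in for AES output
    return classify_pair(original, fake_cipher + original[ENCRYPT_LIMIT:] + b"ID-FOOTER")
```

     The `below_limit` branch is the case post 17 describes: a bait file smaller than the limit is changed end to end, so a decryptor that assumes a fixed-size prefix must treat it differently.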
  21. Mind sharing some of these encrypted MP3s that are supposedly "decrypted"? I have an idea as to what is going on, and it's not actually decryption...
  22. If you can find a file "bginfo.png" on the system in the same folder as the executable, there might be a chance. Otherwise, so far it does not look like it can be decrypted without that file at the current time.
  23. We will really need the executable or commands used to encrypt the files in order to analyze it any more. By the way, the file pair you provided is not the same file before/after the encryption. The encrypted file's filename decodes to "rollup.png". It's just simple base64 encoding on the name.
  24. No, the malware would re-encrypt them...
  25. Do NOT do that. Your files will just get re-encrypted with the offline key, which STOPDecrypter already has. So it's just a complete waste of time and won't accomplish anything but possibly causing more damage to your system.