Jump to content


Emsisoft Employee
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by Demonslay335

  1. Likely STOP Djvu, which is not currently decryptable unless you were encrypted by an offline key (in which case ID Ransomware or the STOPDecrypter will tell you so). Please see the first page instructions and FAQ regarding this ransomware on BleepingComputer. https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/
  2. It's Matrix, afraid it is not decryptable. https://www.bleepingcomputer.com/news/security/matrix-ransomware-spreads-to-other-pcs-using-malicious-shortcuts/
  3. If you are unable to provide the decrypter with a valid encrypted/original file pair, then an alternative would be to supply an encrypted Office document. The user @thyrex on the BleepingComputer forums is able to manually derive a key in some cases that is compatible with the Emsisoft decrypter. There's also the possibility of multiple layers of encryption on the files, in which case only manual review will possibly work.
  4. Yes, it is. If you had typed the Bitcoin address or any one of those URLs into ID Ransomware, it would have already identified them even though you don't have the note. The Bitcoin address is unique per campaign, and there's tons of URLs of compromised websites they use, so you can't just go off of matching against the one screenshot in the Emsisoft blog.
  5. I'm afraid if you did not backup the .db file from the infected system (it has the filename of the Bitcoin address usually, and I think its in %TEMP%), then there will be no way to decrypt the data; even the criminals cannot decrypt without it. The ransomware stores the actual encrypted bytes in that file, and overwrites the first 2048 of the original file with utter garbage. When dealing with ransomware, reloading should be the last thing you do until you have had the ransomware properly identified. If in doubt and you absolutely need to wipe the system, it's usually a good idea to make an image of the system before-hand.
  6. I've released a decrypter for this ransomware today. You'll need an encrypted file and it's original, and the ransom note. Should only take a few minutes to get your key. If you have any trouble, feel free to share an encrypted file and your ransom note, and I can get the key for you.
  7. No-one has released a decrypter for the original ".btcware" extension without an email address, but we're still working on it. I still need the files from you that I requested.
  8. Afraid that would be GlobeImposter 2.0, and it is not decryptable. You will have to restore from backups. I believe this family also comes from RDP hacking, so you should make sure the lock that down (use VPN).
  9. I'm afraid the Amnesia2 identification is false-positive due to the email address. It does not match the hex pattern, and is thus not encrypted by Amnesia2 (or Amnesia1 or any other Globe variant). The ransom note pattern is actually GlobeImposter 2.0, you can tell by the ID being hex with spaces. It is not decryptable.
  10. The only chance of free decryption will be if they release the private RSA-1024 key to decrypt your AES key. The attacks we used to bruteforce the key or derive a keystream are no longer applicable since they changed the keygen to be secure, and switched back to using AES (plaintext attack no longer works).
  11. Yes, if you uploaded the encrypted file to ID Ransomware, it will tell you it is Cry36 based on the filemarker. Afraid it cannot be decrypted, you'll have to restore from backups.
  12. The .blocking variant of BTCWare is not decryptable. I'm afraid they moved onto a fully secure key generator with this version, and it will no longer be able to be broken. You can only restore from backups or pay the ransom. Secure your RDP - use strong passwords, block it from WAN, and use VPN. BTW, Amnesia has nothing to do with BTCWare. Two completely separate ransomware families.
  13. Odd... my only guess is a possible race condition causing a bug where it skips the correct password somehow. Was the laptop less cores than the infected system by chance? Oh well, glad it worked for you. You can always acquire the key on the laptop (it gets logged if you didn't keep it), and just load it into the decrypter on the infected system, save you from having to copy everything back and forth.
  14. Great! I was a little worried, for some reason I could not get a key for your case... but if it works for you, that's all that matters.
  15. @TCO Jason @Gusi If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/
  16. @Theamoebson Do you still have some encrypted files, and their originals that we can take a look at? We might be able to help with this ransomware now. We do need a sample of the malware if you can find it.
  17. I was able to get a key using the files you provided. Simply drag the encrypted and original of that clay figure picture onto the decrypter. I was able to then open the resume document for Ed with no trouble.
  18. I've released an updated decrypter with support for a few variants of .theva and .onyon. Please see my release notes over on BleepingComputer for more details. https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4243422 If you have provided me files either here or in private, and I have not PM'd you a key, then I'm afraid the new decrypter might not support your case yet. We are still actively searching for new samples of the malware, and we'd need them in order to help.
  19. @bflmpesseveze I've sent you a PM with your key. Currently working on the other cases, might be able to get some more keys tonight hopefully. Once I have a few more verified to be working to be safe, I'll release an updated decrypter that everyone else can try on their own for those who cannot share files.
  20. This ransomware doesn't rename files past just adding an extension. Some variants have the same filesize before and after because they use RC4; the ones that use AES-192 will pad the encrypted file up to 15 bytes (to round off to 16 byte blocks). FYI I don't work for Emsisoft and have my own separate day job, so I can only work on ransomware cracking in my free time, which is pretty limited lately.
  21. Not currently. The in-dev does for the samples we have, but I have only been able to get a key for one out of 4 victims so far, so it may still be buggy. I plan on releasing it anyways soon to let you try since you cannot provide me files to test with, I have to work out some other bugs first though to ensure it has the best chance. I refer to .theva as v4.
  22. The current decrypter is available here: https://www.bleepingcomputer.com/forums/t/644140/btcware-ransomware-btcware-how-to-fix-hta-read-metxt-support-topic/?p=4231977 It currently supports v1, v2, and v3 of the malware in most cases. Still working on v4 (had success with one case), and a new v1.5 we recently discovered. They've been rapidly changing this one.
  23. @JAN22 Is that the decrypter the criminals gave you after payment? Looks to be for the .cryptobyte variant, which our decrypter already supports. Thanks for sharing though, very odd that their malware is in C++, but the decrypter looks to be Delphi...
  24. That'll work. Actually just realized you attached files in your first post, so I grabbed those. Wasn't able to get a key so far, but still working on it. Hoping to get some more dedicated time to work on it this weekend.
  • Create New...