PS98

  1. We decided to pay the ransom and received the decryption program which worked for us. In case this is of value to anyone as far as creating a tool for general use, I've attached the decryption file here. I renamed the file from .EXE to .TXT and made a ZIP file out of it. I presume it has both my and the private key built into it. I didn't have to supply any parameters and it says in the ransom note that it won't work on anyone else's machine since each machine encrypted has a different key. It just walks the entire C: drive, decrypting .crypt files as it goes. I don't recommend anyone else use this particular program if they were similarly attacked as it may make any possible future recovery impossible. decryptor.zip
  2. I placed the good file into the same folder as the encrypted one on the affected computer as well as the decryptor but received the same "The decrypter could not determine a valid key..." message. A complete scan for virus/malware came up clean. This is dreadful!
  3. I ran the decryptor on another computer using a file pair I copied from the affected computer. Does that make a difference? I can repeat the procedure on the original computer if necessary. I presume this happened via a Remote Desktop connection using the CARLLA profile (the real user and profile is CARLA.) They must have created this profile by some means (the real user has a strong password) and then logged into it remotely. I looked around in the bad profile and couldn't find any suspicious files. Where would I look for the malware file? Thanks.
  4. Bummer. "The decrypter could not determine a valid key..." Screenshot is attached.
  5. Here you go (attached.) FRST.txt Addition.txt
  6. So it looks like they got me. ID Ransomware gave 4 possibles but none of the decryptors worked. Maybe it's a new variant. Encryption was performed yesterday. I've attached a good/bad file and the ransom note. I hope you can help. Thanks. SETUP.HTM.crypt HOW_OPEN_FILES.html SETUP.HTM