Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


bruticus0 last won the day on May 30 2017

bruticus0 had the most liked content!

Community Reputation

3 Neutral

About bruticus0

  • Rank
    Active Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. I'm really not sure how to know if it's still going. If you go to the thread I mentioned though, you can look for the tcp/firewall settings that were changed on some users. You can also see the register for the bitcoin miner it installed. Emsisoft had a free Emergency Kit here . It has a command line utility that can be run from DOS. You can usually get into DOS from Recovery Mode menus before startup. F8 works most times...but systems are different when it comes to that stuff. I used Easus Data recovery to get some files off my C, then just reformatted mine. Not really good en
  2. If your backup was made after you were infected...then ya, i guess it would include the ransomware. And I guess it depends on how the ransomware got in the first place. If your file pairs have 36 bytes difference in size, then you prolly have Cry36 or similar. Least that's what us victims are calling it. We're here. But ransomware ID says ours is Cry9, even though it isn't. Doesn't mention 128. Either way, I haven't heard that decryptor working for anyone that has our variation types. So I there's nothing to do for it at the moment. If you can get your files back from a ba
  3. You gotta do what you gotta do. One thing I forgot to mention is ransomware is a crime. You can file a complaint in US at the IC3 here . For Europe here .
  4. @nicksoti You have the same thing we all have looks like. You'll notice there's probably 36 bytes difference between your file pairs. That's the same version of Cry most of us have. There's no decryptor for it yet. If there are any major updates, it'll get posted here. But be calm. You can't fix anything or do any good paniced. So unfortunately, it's just as bad as you thought it was. There is no fix to get your files back besides paying the terrorists or perhaps a forensic data recovery company. While Emsisoft is taking a look at this variation, it doesn't mean they will actua
  5. Nvmind. Cybereason makes some hidden folders on all your drives. ^.^ Really wish I'd known that an hour or so ago. Anyway, all OK.
  6. You're gonna have to give us more to work with than that. The amnesia decrytor seems to work for everyone that's tried it. So let's start from square one. What's your encrypted file extension? Did you go to the RansomID website here and make sure what kind of ransomware you have. Upload a file pair. A "File Pair" is an unencrypted file, and the same file after it has been encrypted. If your Microsoft Excel is encrypted, download the same version of Excel from the internet and use that.
  7. Didn't you already have a method for recovering image files? Or was that for fully encoded jpeg? Meant to PM you about that actually if it's viable. If you still have the method, mind sending the instructions to me in PM? I'd appreciate it. And it's good we just have partially encrypted them. I"d be more worried about any possible solution if they were.
  8. This isn't Dharma. Dharma uses [[email protected]].onion. You've got same thing we all have here . Read up and wait for any updates
  9. I think mclaughb is the only one mentioned having the actual attack file. Unless ganymede has any ideas, just have to PM mclaughb and see if he's still around. Sorry ;P
  10. Normal users can't download your files, so I can't try it myself. But if Sarah got it work, there should be a way for you to get it to work to. You're prolly really excited I know, but be patient. They're really busy so it may take her a while to get back to you. In the meantime, I would just use the picture file you provided and try again. I guess make sure you're using the decryptor here . The "detailed usage guide" says the files need to be at least 4kB of so. You shouldn't have to do anything special with your system config. Though, if you wanted to, you could run Windows Pocke
  11. I can't d/l links since I'm just a user. So I don't know your file's extensions. The updated decryptor is for these files extensions: .01, .02, [email protected]_2017, .amnesia, .CRYPTOBOSS, .[[email protected]].SON, .[[email protected]].LOCKED The detailed usage of the Amnesia Decryptor is here . The thread for Amnesia at bleepingcomputer is here, where it looks like most everyone has gotten their files back. Looks like those with the .02 extension might have to be renamed to .amnesia to get it to work. But that was before the decryptor update. You need to use an original f
  12. I'm not sue about either of your problems. For the ransom notes, there is still something there calling up the ransom notes, so I would think your system still has something there from the attack. Demonslayer has made a Ransom Note Cleaner program you can find here . But even if the cleaner works, there will still be something running trying to call up the ransom note....it just won't be there. As for the other, the attack installed a bitcoin miner on a lot of our systems also. It's possible it could have installed other things. If it's a service, you could try tracking down it
  13. I'm nowhere near qualified enough to know if that has the significance I think it does, but I'm sure master keys are always a good thing. Thanks for posting with whatever information you have, we appreciate it Ah, ok. Seems that in the past, when Dharma group were done using a variant of their ransomware, there would be a "leak" of master keys. The master keys released this time around were for the .wallet extensions that people have been having trouble with. The new Dharma variant is {[email protected]}.onion type. I don't know what relation, if any, the new Dharma v
  14. I'm not sure the System Restore would help you or not. System Restore doesn't affect your personal files, which are the important ones encrypted. The ransomware here doesn't affect windows or Program Files folders usually. What would help before you try a System Restore, might be to right click your files and go to 'Previous Versions". See if anything is there that could "rollback" the encryption. You can usually undo a System Restore. And if you're using any recovery tools like EaseUS or Necuva, you could try them before and after a System Restore and see if they're giving you anyth
  • Create New...