Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


bruticus0 last won the day on May 30 2017

bruticus0 had the most liked content!


3 Neutral

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. I'm really not sure how to know if it's still going. If you go to the thread I mentioned though, you can look for the tcp/firewall settings that were changed on some users. You can also see the register for the bitcoin miner it installed. Emsisoft had a free Emergency Kit here . It has a command line utility that can be run from DOS. You can usually get into DOS from Recovery Mode menus before startup. F8 works most times...but systems are different when it comes to that stuff. I used Easus Data recovery to get some files off my C, then just reformatted mine. Not really good enough to go around plugging up holes after they made swiss cheese out of it.
  2. If your backup was made after you were infected...then ya, i guess it would include the ransomware. And I guess it depends on how the ransomware got in the first place. If your file pairs have 36 bytes difference in size, then you prolly have Cry36 or similar. Least that's what us victims are calling it. We're here. But ransomware ID says ours is Cry9, even though it isn't. Doesn't mention 128. Either way, I haven't heard that decryptor working for anyone that has our variation types. So I there's nothing to do for it at the moment. If you can get your files back from a backup, I think you should. If you can't restore from a backup image, wipe the drive and do a new OS install. Cause there's a lotta holes that they open up in tcp/firewall settings. Not to mention the bitcoin miner they install.
  3. You gotta do what you gotta do. One thing I forgot to mention is ransomware is a crime. You can file a complaint in US at the IC3 here . For Europe here .
  4. @nicksoti You have the same thing we all have looks like. You'll notice there's probably 36 bytes difference between your file pairs. That's the same version of Cry most of us have. There's no decryptor for it yet. If there are any major updates, it'll get posted here. But be calm. You can't fix anything or do any good paniced. So unfortunately, it's just as bad as you thought it was. There is no fix to get your files back besides paying the terrorists or perhaps a forensic data recovery company. While Emsisoft is taking a look at this variation, it doesn't mean they will actually be able to come up with a decryptor. There's no timelines or guarantees here. First thing is first though. Disconnect the attached drives and try to get your C drive working again. Emsisoft makes a portable malware scanner here . It has a command line utility, so you can run it in DOS mode from the Windows Recovery options if you have to. Try running it and getting anything it finds quarantined. It helps to have the malware quarantined, that way it can be uploaded to help with decryption tool. Although I think Emsisoft has the malware, it won't hurt to have another copy of it. This version of malware usually installs a bitcoin miner on your machine too. If you look on page 2 here , you'll see mention where the registry values for the miner are. Now, this thing usually deletes all your Shadow Copies and Restore Points. You can try Restore Point to get back your program folders, but it won't do any good for your personal files on C. There's something called Shadow Explorer that might find some files. Also, if you right click files and go to "Previous Versions" tab, you may be able to find something. This thing works by copying a file, encrypting it, then deleting the original. So it's nasty that way. Now, while we can't get all your files back, there are some files we can do some stuff with. .ISO files, .zip files, they can both be renamed and "hopefully" be accessed and used. Also, thankfully, matwachich has made a wonderful little tool that you might have a great need of. You can follow and download his JPEG recovery tool from the link he posted above on this page. It's a bit of hassle since it restores many files and you have to pick out the right one, but it's well worth it if there's no other way to recover the picture. You'll also see other posts about the malware making holes in the firewall, tcp settings and so on. On my machine, I restored my C drive, recovered some files from it using EaseUS Data Recovery, and did a fresh install of Windows OS to get my C drive back functioning again. You can use tools like EaseUS Data Recovery, which might find lost files on different hard drives. There's a quick scan and deep scan. Be sure to wait until deep scan is finished. There is also a Recuvium program I think it's called that does similar. So, get your C drive working. If you can, archive all encrypted files away from your computer. Just pack them up neatly and keep them somewhere. It may be a long time, if ever, we can get a working decryptor for our files. So it's best to get them archived and out of the way so you can go back to semi-normal operation. Then check back here for any updates. It's about all you can do. Now, if you start over again with a fresh install, you need to do it right this time. Get a paid anti-malware. Emsisoft's is on sale and easy to use btw. And they're the only ones trying to make decrypters. Other ones you see only do it when the keys are public. Bitdefender has an anti ransomware with it., but aggravatingly, it likes to lock down most any file it deems bad. Which is most of my PS3 programs. There's a couple of free anti ransomware programs you can get. One is Cybereason. They donated the anti ransomware part of their large business anti malware programs for the common folk to use. I think it was pretty nice of'em. The other is Malwarebytes Anti Malware. Next, you'll want some backup. As you know now, you need an offline backup. Using either the cloud or an offline disk. Macrium is backup program that's kinda expensive, but has some cloud options and also has a scheduler. Even if you're using the free version, it's still really useful. With the free version, you can make two things. You can make a compressed backup image of your whole drive. AND, more importantly, you can make a rescue USB/Disk that has Windows Portable Edition on it with Macrium preloaded. So if your hard drive fully fails, you can load up the USB with Windows PE and Macrium, point it to the backup image wherever it may be and it will restore it for you. So you can save the backup image to any cloud or filesharing service and download it to usb whenever you need it. You'll also want to install all important updates from microsoft to keep protected from OS vulnerabilities. Also, some have reported these guys also got in via Remote Desktop. If you don't use Remote Desktop, it's best just to disable it and Remote Assistance. No reason to leave a vulnerability open. OK finally done with my rant. Good Luck.
  5. Nvmind. Cybereason makes some hidden folders on all your drives. ^.^ Really wish I'd known that an hour or so ago. Anyway, all OK.
  6. You're gonna have to give us more to work with than that. The amnesia decrytor seems to work for everyone that's tried it. So let's start from square one. What's your encrypted file extension? Did you go to the RansomID website here and make sure what kind of ransomware you have. Upload a file pair. A "File Pair" is an unencrypted file, and the same file after it has been encrypted. If your Microsoft Excel is encrypted, download the same version of Excel from the internet and use that.
  7. Didn't you already have a method for recovering image files? Or was that for fully encoded jpeg? Meant to PM you about that actually if it's viable. If you still have the method, mind sending the instructions to me in PM? I'd appreciate it. And it's good we just have partially encrypted them. I"d be more worried about any possible solution if they were.
  8. This isn't Dharma. Dharma uses [[email protected]].onion. You've got same thing we all have here . Read up and wait for any updates
  9. I think mclaughb is the only one mentioned having the actual attack file. Unless ganymede has any ideas, just have to PM mclaughb and see if he's still around. Sorry ;P
  10. Normal users can't download your files, so I can't try it myself. But if Sarah got it work, there should be a way for you to get it to work to. You're prolly really excited I know, but be patient. They're really busy so it may take her a while to get back to you. In the meantime, I would just use the picture file you provided and try again. I guess make sure you're using the decryptor here . The "detailed usage guide" says the files need to be at least 4kB of so. You shouldn't have to do anything special with your system config. Though, if you wanted to, you could run Windows Pocket Edition from a usb stick and run the decryptor from there. Only if you think your computer is blocking the decryptor for some reason. But first, I would right click the Nemucod Decryptor....go to properties and check the "Run as Administrator" box just in case your system is blocking it from running. There's also a discussion on this at bleepingcomputer here . From the info there, if your files are the same size, the decryptor should work. But if there is a big difference in file sizes, it might be a new "7zip" variant of Nemucod that is not currently decryptable. You might want to post there too and let them take a look at your files. Good Luck.
  11. I can't d/l links since I'm just a user. So I don't know your file's extensions. The updated decryptor is for these files extensions: .01, .02, [email protected]_2017, .amnesia, .CRYPTOBOSS, .[[email protected]].SON, .[[email protected]].LOCKED The detailed usage of the Amnesia Decryptor is here . The thread for Amnesia at bleepingcomputer is here, where it looks like most everyone has gotten their files back. Looks like those with the .02 extension might have to be renamed to .amnesia to get it to work. But that was before the decryptor update. You need to use an original file and it's encrypted counterpart to get the key for your system. If excel is encrypted, download the same version and use that as your file pair. Program Readmes, PNGs, and favorites rarely change even across versions. The original doesn't have to come from your own system, just has to be the very same file unencrypted.
  12. I'm not sue about either of your problems. For the ransom notes, there is still something there calling up the ransom notes, so I would think your system still has something there from the attack. Demonslayer has made a Ransom Note Cleaner program you can find here . But even if the cleaner works, there will still be something running trying to call up the ransom note....it just won't be there. As for the other, the attack installed a bitcoin miner on a lot of our systems also. It's possible it could have installed other things. If it's a service, you could try tracking down its location through task manager. Running the Emsisoft Emergency Kit, or doing scans with the regular Anti Malware might help. The Emergency Kit has a command line function to it. So you can reboot into "Recovery Mode", bring up the dOS prompt, and run it from usb if you have to. I formatted and started all over again on mine, just to be safe. Just backup any important encrypted files somewhere so you can access them later if you need to. If someone punches a bunch of holes in your brick wall, it's better to just start again and build a better, stronger wall.
  13. I'm nowhere near qualified enough to know if that has the significance I think it does, but I'm sure master keys are always a good thing. Thanks for posting with whatever information you have, we appreciate it Ah, ok. Seems that in the past, when Dharma group were done using a variant of their ransomware, there would be a "leak" of master keys. The master keys released this time around were for the .wallet extensions that people have been having trouble with. The new Dharma variant is {[email protected]}.onion type. I don't know what relation, if any, the new Dharma variant has with our Cry9 variant. But Avast and Kapersky have both released decryptors for the .wallet ransomwares now. So that's good news.
  14. I'm not sure the System Restore would help you or not. System Restore doesn't affect your personal files, which are the important ones encrypted. The ransomware here doesn't affect windows or Program Files folders usually. What would help before you try a System Restore, might be to right click your files and go to 'Previous Versions". See if anything is there that could "rollback" the encryption. You can usually undo a System Restore. And if you're using any recovery tools like EaseUS or Necuva, you could try them before and after a System Restore and see if they're giving you anything good. If that's not working for you, usually the best thing to do is backup your encrypted files somewhere away from your file structures. If there's ever a decryptor, you'll have them available to you. Get your OS back in working order. i did a fresh OS install on mine. Also, if you had a mapped drive disappear, look at the online version of the files and see if they are still intact there. I'd also change all your personal information/passwords just in case. Especially if you think they attacked through Remote Desktop or something.
  • Create New...