Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by bruticus0

  1. I'm really not sure how to know if it's still going. If you go to the thread I mentioned though, you can look for the tcp/firewall settings that were changed on some users. You can also see the register for the bitcoin miner it installed. Emsisoft had a free Emergency Kit here . It has a command line utility that can be run from DOS. You can usually get into DOS from Recovery Mode menus before startup. F8 works most times...but systems are different when it comes to that stuff. I used Easus Data recovery to get some files off my C, then just reformatted mine. Not really good enough to go around plugging up holes after they made swiss cheese out of it.
  2. If your backup was made after you were infected...then ya, i guess it would include the ransomware. And I guess it depends on how the ransomware got in the first place. If your file pairs have 36 bytes difference in size, then you prolly have Cry36 or similar. Least that's what us victims are calling it. We're here. But ransomware ID says ours is Cry9, even though it isn't. Doesn't mention 128. Either way, I haven't heard that decryptor working for anyone that has our variation types. So I there's nothing to do for it at the moment. If you can get your files back from a backup, I think you should. If you can't restore from a backup image, wipe the drive and do a new OS install. Cause there's a lotta holes that they open up in tcp/firewall settings. Not to mention the bitcoin miner they install.
  3. You gotta do what you gotta do. One thing I forgot to mention is ransomware is a crime. You can file a complaint in US at the IC3 here . For Europe here .
  4. @nicksoti You have the same thing we all have looks like. You'll notice there's probably 36 bytes difference between your file pairs. That's the same version of Cry most of us have. There's no decryptor for it yet. If there are any major updates, it'll get posted here. But be calm. You can't fix anything or do any good paniced. So unfortunately, it's just as bad as you thought it was. There is no fix to get your files back besides paying the terrorists or perhaps a forensic data recovery company. While Emsisoft is taking a look at this variation, it doesn't mean they will actually be able to come up with a decryptor. There's no timelines or guarantees here. First thing is first though. Disconnect the attached drives and try to get your C drive working again. Emsisoft makes a portable malware scanner here . It has a command line utility, so you can run it in DOS mode from the Windows Recovery options if you have to. Try running it and getting anything it finds quarantined. It helps to have the malware quarantined, that way it can be uploaded to help with decryption tool. Although I think Emsisoft has the malware, it won't hurt to have another copy of it. This version of malware usually installs a bitcoin miner on your machine too. If you look on page 2 here , you'll see mention where the registry values for the miner are. Now, this thing usually deletes all your Shadow Copies and Restore Points. You can try Restore Point to get back your program folders, but it won't do any good for your personal files on C. There's something called Shadow Explorer that might find some files. Also, if you right click files and go to "Previous Versions" tab, you may be able to find something. This thing works by copying a file, encrypting it, then deleting the original. So it's nasty that way. Now, while we can't get all your files back, there are some files we can do some stuff with. .ISO files, .zip files, they can both be renamed and "hopefully" be accessed and used. Also, thankfully, matwachich has made a wonderful little tool that you might have a great need of. You can follow and download his JPEG recovery tool from the link he posted above on this page. It's a bit of hassle since it restores many files and you have to pick out the right one, but it's well worth it if there's no other way to recover the picture. You'll also see other posts about the malware making holes in the firewall, tcp settings and so on. On my machine, I restored my C drive, recovered some files from it using EaseUS Data Recovery, and did a fresh install of Windows OS to get my C drive back functioning again. You can use tools like EaseUS Data Recovery, which might find lost files on different hard drives. There's a quick scan and deep scan. Be sure to wait until deep scan is finished. There is also a Recuvium program I think it's called that does similar. So, get your C drive working. If you can, archive all encrypted files away from your computer. Just pack them up neatly and keep them somewhere. It may be a long time, if ever, we can get a working decryptor for our files. So it's best to get them archived and out of the way so you can go back to semi-normal operation. Then check back here for any updates. It's about all you can do. Now, if you start over again with a fresh install, you need to do it right this time. Get a paid anti-malware. Emsisoft's is on sale and easy to use btw. And they're the only ones trying to make decrypters. Other ones you see only do it when the keys are public. Bitdefender has an anti ransomware with it., but aggravatingly, it likes to lock down most any file it deems bad. Which is most of my PS3 programs. There's a couple of free anti ransomware programs you can get. One is Cybereason. They donated the anti ransomware part of their large business anti malware programs for the common folk to use. I think it was pretty nice of'em. The other is Malwarebytes Anti Malware. Next, you'll want some backup. As you know now, you need an offline backup. Using either the cloud or an offline disk. Macrium is backup program that's kinda expensive, but has some cloud options and also has a scheduler. Even if you're using the free version, it's still really useful. With the free version, you can make two things. You can make a compressed backup image of your whole drive. AND, more importantly, you can make a rescue USB/Disk that has Windows Portable Edition on it with Macrium preloaded. So if your hard drive fully fails, you can load up the USB with Windows PE and Macrium, point it to the backup image wherever it may be and it will restore it for you. So you can save the backup image to any cloud or filesharing service and download it to usb whenever you need it. You'll also want to install all important updates from microsoft to keep protected from OS vulnerabilities. Also, some have reported these guys also got in via Remote Desktop. If you don't use Remote Desktop, it's best just to disable it and Remote Assistance. No reason to leave a vulnerability open. OK finally done with my rant. Good Luck.
  5. Nvmind. Cybereason makes some hidden folders on all your drives. ^.^ Really wish I'd known that an hour or so ago. Anyway, all OK.
  6. You're gonna have to give us more to work with than that. The amnesia decrytor seems to work for everyone that's tried it. So let's start from square one. What's your encrypted file extension? Did you go to the RansomID website here and make sure what kind of ransomware you have. Upload a file pair. A "File Pair" is an unencrypted file, and the same file after it has been encrypted. If your Microsoft Excel is encrypted, download the same version of Excel from the internet and use that.
  7. Didn't you already have a method for recovering image files? Or was that for fully encoded jpeg? Meant to PM you about that actually if it's viable. If you still have the method, mind sending the instructions to me in PM? I'd appreciate it. And it's good we just have partially encrypted them. I"d be more worried about any possible solution if they were.
  8. This isn't Dharma. Dharma uses [[email protected]].onion. You've got same thing we all have here . Read up and wait for any updates
  9. I think mclaughb is the only one mentioned having the actual attack file. Unless ganymede has any ideas, just have to PM mclaughb and see if he's still around. Sorry ;P
  10. Normal users can't download your files, so I can't try it myself. But if Sarah got it work, there should be a way for you to get it to work to. You're prolly really excited I know, but be patient. They're really busy so it may take her a while to get back to you. In the meantime, I would just use the picture file you provided and try again. I guess make sure you're using the decryptor here . The "detailed usage guide" says the files need to be at least 4kB of so. You shouldn't have to do anything special with your system config. Though, if you wanted to, you could run Windows Pocket Edition from a usb stick and run the decryptor from there. Only if you think your computer is blocking the decryptor for some reason. But first, I would right click the Nemucod Decryptor....go to properties and check the "Run as Administrator" box just in case your system is blocking it from running. There's also a discussion on this at bleepingcomputer here . From the info there, if your files are the same size, the decryptor should work. But if there is a big difference in file sizes, it might be a new "7zip" variant of Nemucod that is not currently decryptable. You might want to post there too and let them take a look at your files. Good Luck.
  11. I can't d/l links since I'm just a user. So I don't know your file's extensions. The updated decryptor is for these files extensions: .01, .02, [email protected]_2017, .amnesia, .CRYPTOBOSS, .[[email protected]].SON, .[[email protected]].LOCKED The detailed usage of the Amnesia Decryptor is here . The thread for Amnesia at bleepingcomputer is here, where it looks like most everyone has gotten their files back. Looks like those with the .02 extension might have to be renamed to .amnesia to get it to work. But that was before the decryptor update. You need to use an original file and it's encrypted counterpart to get the key for your system. If excel is encrypted, download the same version and use that as your file pair. Program Readmes, PNGs, and favorites rarely change even across versions. The original doesn't have to come from your own system, just has to be the very same file unencrypted.
  12. I'm not sue about either of your problems. For the ransom notes, there is still something there calling up the ransom notes, so I would think your system still has something there from the attack. Demonslayer has made a Ransom Note Cleaner program you can find here . But even if the cleaner works, there will still be something running trying to call up the ransom note....it just won't be there. As for the other, the attack installed a bitcoin miner on a lot of our systems also. It's possible it could have installed other things. If it's a service, you could try tracking down its location through task manager. Running the Emsisoft Emergency Kit, or doing scans with the regular Anti Malware might help. The Emergency Kit has a command line function to it. So you can reboot into "Recovery Mode", bring up the dOS prompt, and run it from usb if you have to. I formatted and started all over again on mine, just to be safe. Just backup any important encrypted files somewhere so you can access them later if you need to. If someone punches a bunch of holes in your brick wall, it's better to just start again and build a better, stronger wall.
  13. I'm nowhere near qualified enough to know if that has the significance I think it does, but I'm sure master keys are always a good thing. Thanks for posting with whatever information you have, we appreciate it Ah, ok. Seems that in the past, when Dharma group were done using a variant of their ransomware, there would be a "leak" of master keys. The master keys released this time around were for the .wallet extensions that people have been having trouble with. The new Dharma variant is {[email protected]}.onion type. I don't know what relation, if any, the new Dharma variant has with our Cry9 variant. But Avast and Kapersky have both released decryptors for the .wallet ransomwares now. So that's good news.
  14. I'm not sure the System Restore would help you or not. System Restore doesn't affect your personal files, which are the important ones encrypted. The ransomware here doesn't affect windows or Program Files folders usually. What would help before you try a System Restore, might be to right click your files and go to 'Previous Versions". See if anything is there that could "rollback" the encryption. You can usually undo a System Restore. And if you're using any recovery tools like EaseUS or Necuva, you could try them before and after a System Restore and see if they're giving you anything good. If that's not working for you, usually the best thing to do is backup your encrypted files somewhere away from your file structures. If there's ever a decryptor, you'll have them available to you. Get your OS back in working order. i did a fresh OS install on mine. Also, if you had a mapped drive disappear, look at the online version of the files and see if they are still intact there. I'd also change all your personal information/passwords just in case. Especially if you think they attacked through Remote Desktop or something.
  15. From what I can gather, it's a newer one. Seems Fabian posted a blog here about it. And bleepingcomputer has a thread started for it here . I thought there was another thread on it I saw earlier this week. They might have reorganized them. Anyway, read those over and keep checking back/posting at the bleepingcomputer thread and here to see if there are any updates. Good Luck.
  16. Having an antivirus did no good in mine and many others case. Malwarebytes actually quarantined a file. By the time the full scan was done, the damage was done and malwarebytes disabled. I think most people are like my and have an actual archive of files in a RAID0 or external drives. It's just that ransomware attacks the attached drives, so to guard against it, you have to have your file archives offline. Which is a pain in the butt. So I don't think any victim here wants the whole "valuable lesson" crap. I"m not sure why someone that hasn't had an issue with this particular ransomware is here posting in the first place >.> The only ones at fault, and the ones that need a "valuable lesson", are the criminals/terrorists that are doing the attacks.
  17. I've looked, and the only thing I can find on your particular problem is here . So you're not alone.....which I know feels better. But it doesn't look like yours is a very popular one. Seems something about the ransom note triggered a global imposter flag in the Ransom ID. But they don't seem to know what type of ransomware it really is. Besides here, bleepingcomputer is really the only place for updates about ransomware. Good Luck.
  18. Ya anything's worth a shot. It doesn't have to come from the actual hard drive. If there's an encrypted .exe program, you could download the same version again from the internet and use them as a file pair. Or generic redme files or generic images that come with programs or OSs. And I don't know about this particular variant, but some ransomwares could just rename smaller files. That could be why they are same size. In the cry9 variant I had, some files just seemed to be renamed. I also noticed many .iso and .zip files could easily be recovered just by renaming. It wouldn't hurt to copy an encrypted file and experiment.
  19. Jim, the company I mentioned is a data recovery company. They work with the actual hard drive disc to recover your files. Places like that usually have many tools and methods that cannot be used by regular users. That's why they charge so much money sometimes. I think some of them even have you send in your hard drive and they recover what they can and put it on a usb/external drive. No matter what you do to your hard drive, professionals should be able to find something I would think. Doing regular defragments might even help their chances at recovering data because your files existed in more than one place on your hard drive's history. Anyway, just a thought.
  20. No, not yet Nova. You will probably see it here when they do though.
  21. Thank you JAN22 for helping @Demonslay Has everyone here tried the decryptor you mentioned? Could you link to it so everyone can be sure to try it first? Thanks
  22. I guess this is a new ransomware. They have a thread just for this one over at bleepingcomputer here . There is no way to decrypt at the moment. Check the thread there at bleepingcomputer for any updates they have on it. And be sure to report the crime to your authorities. In Europe you can report ransomware here . And in US you can report ransomware here . Good Luck
  23. Thanks for the input Al, we appreciate it. Even if it costs some money, having another option open to recover your files is a good thing. On the subject of backups, I've found I kind of like the idea behind Macrium Reflect. It's expensive for the paid version, but the free version does what you need too without any bells and whistles. There's a two step thing. First you can make a backup that is a image of the drive itself. The image file is also compressed which saves you some space. You can do one time backups with free version, then put that backup on an external device you keep offline, or upload it yourself to the cloud somewhere. The second step you do is under "Other Tasks". It's called a "Rescue Media". What this does is put Windows Pocket Edition (PE), along with Macrium onto a bootable usb or CD. This can be stored offline as well. So to restore from a backup, take the usb, load it up, and it will start a Windows PE session on your computer. Then get your backup image from the cloud or wherever you kept it. Plug it in and direct Macrium to look there and you can choose that image. It will then start to restore your backup. It's a really simple process to do. I did a restore on my new OS install and everything went ok except for one or two Asus drivers. They didn't really like being restored that way. Other than that, it's a very easy backup plan I think. If you have the paid version of it, you can do backup schedules. Grandfather, Incremental, Differential, and a Full Synthetic type backup.
  24. Hey Jim. Any updates we have are always on this thread here. Remember I mentioned it before? Anyway, take a look at AL's post at the bottom. He mentions a data recovery place that might be able to help if your files are that important. I went to the site and it's free to open up a case and have'em look at what you got. Don't have to pay anything if they can't do anything. Wouldn't hurt to try as a last resort. They also mention that they act as a go between for ransom transactions if you need them to. Don't know if I like the sound of that or not. There will never be any guarantee you will actually get a working decryptor, no matter who brokers the deal. Especially in your case of having a second encryption on your files. Some people report paying and have decryptor fail, then charge you again to try another one. So the data recovery place could be at least one more option for you. Be sure to let us know how it turns out. Good Luck. Oh and be sure that no matter what you do, report this crime to the IC3 here. Ransomware is a cyber crime/terrorism and it needs to be reported so authorities are made aware of just how bad the problem is.
  • Create New...