ganymede last won the day on May 16 2017

  1. Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?
  2. Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/
  3. I double click the exe inside and nothing happens. That was disappointing...
  4. People need to understand that this forum is hosted by Emsisoft, a company selling anti-malware tools etc. They cannot endorse anything as a solution to this ransomware other than their software (or perhaps some other application from a digitally verified source), if for no other reason than corporate liability. No offense to anyone here trying to help, but if you want to "go rogue", I suggest starting a thread on Bleeping Computer. Knowledge sharing is always welcome though. Sounds to me like the folks here have done all they can with the info at hand. All we can do now is wait and hope
  5. People are unofficially calling it Cry36, not to be confused with Cry128. You may want to ask Emsisoft folks to see if they have a name for it though.
  6. So you think they blocked port 445 so that our systems wouldn't be infected with WannaCry? We must have been the "expeditionary front" of the WannaCry plague to test it out before launching it en masse.
  7. @NnitehawkK-fb, thanks for posting that. It's a script that the hacker ran to open up a bunch of vulnerabilities on your machine, so now I know where to look to plug all the holes. For example, go to the command prompt and type `netsh ipsec static show all` and likely there will be a bunch of filters and whatnot listed that you'll want to remove. Another place you'll want to go to remove stuff is in the Windows Firewall with Advanced Security snap-in to take out the tcp-all rule et al. Here are the commands, cleaned up: C:\WINDOWS\system32>ping -n 10 C:\WINDOWS\system32&
  8. Most commonly it's been brute force entry via Remote Desktop, though I've been hearing in the news lately that Office 365 and some other feature Windows comes with were also points of entry. I can't remember the name of the other thing off the top of my head but apparently it was a serious enough vulnerability that Microsoft released updates for old OSes as far back as XP.
  9. Ahh this was the company I reached out to as well. They quoted me ~$1900 for 5-7 day service. I opted not to pursue in the hopes that Emsi will come out with something in the near future, but if I need the data sooner, it's good to know now that they're a sure thing. Thanks for the info.
  10. Just an opinion here, but the folks at Emsisoft are doing what they can to provide a FREE service to restore people's files, and for that no one has any reasonable ground on which to complain. I too have wondered as to their status, but with updates like Sarah's, I know that it's not being ignored. How much could they possibly share on a topic that most would likely not understand? For my own situation, I have reached out to a specialist recovery service, and they claim to be able to restore my files for ~$2000, but I am waiting for the folks at Emsisoft because I'm confident they'll come
  11. I think this guy might have the actual executable. On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs: winlogon.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x Workstationt C:\Windows Maybe that long nonsense string has something to do with the key?
  12. George, I'm not sure those bytes are meant to be constant. My last 4 in each file are 35 F6 5C 01. Also to Kenneth and mclaugb, you may have different variants than the one being discussed here, as your extensions end in .onion._. Those were linked to Cry128. Have you tried using the decrypter for it?
  13. Confirmed. Also, and this is probably a "duh, obviously" thing to mention, but check your Windows Firewall with Advanced Security, inbound rules. I was in there whitelisting my RDP ports and noticed that the *&^%$! opened up all ports for tcp connections.
  14. Yeah, I noticed that some of my picture files (jpg & png) were renamed yet unencrypted too. I wasn't sure if it had to do with the extension or if maybe the virus renamed everything first and then went to encrypting. I would love to try renaming my files back en masse, but I literally have millions of files and I don't want to rename the ones that are actually encrypted because the decrypter won't recognize them then.
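Posts 7, 8 and 13 above describe the clean-up checks by hand: look for an attacker-added "allow all TCP" inbound rule in Windows Firewall with Advanced Security, dump the IPsec static policy with `netsh ipsec static show all`, and keep in mind that RDP was the usual way in. The script below is an added example of automating those same checks from a defender's side; it is not code from the forum, from Emsisoft or from any poster. It assumes an elevated PowerShell session and the NetSecurity module (Windows 8 / Server 2012 and later; on Windows 7 the closest equivalent is `netsh advfirewall firewall show rule name=all dir=in`). It only reports; it does not delete anything, so the operator decides what is legitimate before removing a rule.

```powershell
# Added example, not from the original posts. Audits the host for the kind of
# overly broad inbound firewall rules and IPsec policy entries described in the thread.
# Assumes: elevated prompt, NetSecurity module available (Windows 8 / Server 2012+).

# 1. Enabled inbound Allow rules whose local port filter is "Any", i.e. every port
#    open for that protocol. A rule like the "tcp-all" one mentioned above lands here.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.LocalPort -eq 'Any' -and $port.Protocol -in @('TCP', 'UDP', 'Any')) {
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                RemoteAddress = $addr.RemoteAddress
                Group         = $rule.DisplayGroup
            }
        }
    }

"Inbound Allow rules open on ALL local ports: {0}" -f @($broad).Count
$broad | Format-Table -AutoSize

# Built-in Windows rules belong to a display group; a hand-made rule usually has none.
# Those are the first candidates to review and remove.
$ungrouped = $broad | Where-Object { [string]::IsNullOrEmpty($_.Group) }
"Of these, NOT part of any built-in rule group: {0}" -f @($ungrouped).Count
$ungrouped | Format-Table Name, DisplayName, Protocol, RemoteAddress -AutoSize

# 2. RDP exposure (post 8): enabled inbound rules that let TCP 3389 in from any
#    remote address. Restricting RemoteAddress to known management hosts, or putting
#    RDP behind a VPN, is the usual fix; this only lists what is currently open.
$rdp = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $p = $_ | Get-NetFirewallPortFilter
    $a = $_ | Get-NetFirewallAddressFilter
    ($p.Protocol -eq 'TCP') -and
    (($p.LocalPort -eq '3389') -or ($p.LocalPort -eq 'Any')) -and
    ($a.RemoteAddress -eq 'Any')
}
"Rules exposing RDP (TCP 3389) to any remote address: {0}" -f @($rdp).Count
$rdp | Format-Table Name, DisplayName, Profile -AutoSize

# 3. IPsec static policy (post 7). On a machine where nobody configured IPsec by hand,
#    any policy or filter list shown here is unexpected and worth tracing back.
"--- netsh ipsec static show all ---"
netsh ipsec static show all
```

Because rule names and display names are attacker-chosen, do not filter on a specific name such as "tcp-all"; the port filter (`LocalPort -eq 'Any'`) and the missing display group are the stable signals. Review the output against what the machine is supposed to serve before removing anything with `Remove-NetFirewallRule`, and export the current rule set first (`netsh advfirewall export`) so the change can be undone.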