JimmyJAPA

10 hours ago, Geng said:

@JimmyJAPA I've heard reports of the decrypter.exe files they send you contains viruses. Can you confirm or deny this?

Hello, Geng,

I am aware of the possibility and I scanned the decryptor immediately after downloading it, using Microsoft Security Essentials.

There was no virus in it.  I checked it again just now since you asked.  Still no virus.

My system is always clean after every reboot.

For your reference.

10 hours ago, LeonardCaldwell said:

Talk about "taking one for the team" (two, actually)! 

I am not quite sure about your question, sorry.

Could you elaborate?

Of course I am willing to do my part to relieve all the other victims of suffering, especially I have two sets of keys to Cry36.

However, I don't know how and what to do.

I also wrote a lot to them to dissuade them from doing this after I decrypted almost all my files.

Dear all,

  I had no choice but to pay the ransom for Cry36 yesterday and got almost all my files back.

  The negotiation was long and tiring, and the payment was made via BitCoin.

  I paid twice, for I was infected twice.

  Just for your reference.

  Thanks for all your attention and time.

  Case closed.

Sincerely,

[email protected]

Dear all,

  I had no choice but to pay the ransom for cry36 yesterday and got almost all my files back.

  The negotiation was long and tiring, and the payment was made via BitCoin.

  I paid twice, for I was infected twice.

  Just for your reference.

  Thanks for all your attention and time.

  Case closed.

Sincerely,

[email protected]

OMG!  Today I use Tor to connect to http://gebdp3k7bolalnd4.onion to check out information.

It was shutdown and said,

"This resource more is not available.

You can find out the details decrypting files / buy decryptor + key / ask questions in the chat:
https://fgb45ft3pqamyji7.onion.to, https://fgb45ft3pqamyji7.onion.cab (not need Tor)
http://fgb45ft3pqamyji7.onion (need Tor)"

It means the resource is gone?

What should I do???!!!  Q___Q

@nicksoti

I am so sorry to hear your story, really.

I also fell victim to a ransomware, Cry36, which locked all the files and photos that I have collected for more than 20 years, and I still can't decrypt it.

How would they feel if they see our stories, and other thousands of hundreds'?

I really curse these people who did this to all the victims!  Rot in hell!!!

BTW, if you re-install your system, be sure to patch the security leaks lest you should get infected again. (I was infected twice.)

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019264

Glad it worked!  Happy for you!

Here I am again.

After keeping searching on the Net, I finally found a ransom-paying photo.

Just for your reference.

BTW, could you please tell me if this Cry36 can be decrypted or not, Sarah or other staff?

If yes, are you currently working on Cry36 or other ransomwares?

If not, I still much appreciate your efforts as well as time devoted to this, and please tell me ASAP so that I can take time to accept it.

Thanks a lot!

The price of 1 BitCoins has risen to almost $2000... Q_Q

I am also still waiting for Cry36...

Any good news?  Q_Q

This webpage contains the step-by-step procedure of paying the ransom.

Also for your reference.

http://www.techbang.com/posts/51240-blackmailing-virus-writers-have-been-practically-tell-you-whether-to-pay-the-ransom-the-network-has-emerged-black-black-hijacked-the-ransom-victim

On 2017/5/11 at 9:13 AM, mclaugb said:

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

 

 

 

 

 

Dear McLaugb,

  This is Jimmy, another victim of the ransomware virus, gebdp3k7bolalnd4.onion.

  I saw the following sentence from you, and I am wondering if you have the e-mail address with which I can contact the kidnapper?

  "The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you."

  Your reply, either public or private, would be most appreciated.

  Thank you!

Sincerely,

Jimmy

@kygiacomo

As I mentioned before, I use Win7 with a real IP connection, and the details are in my post on May 11, which is on the above.

Also, I didn't have the system updates after 2016.06.

So, I guess that the reason why I got infected was that I directly connected to the Internet with a real IP.

The other computers of mine using virtual IPs didn't get the virus.

Just for your reference.

@kygiacomo @bruticus0

Hey men,

I don't think the data recovery company would help, but thanks, aka Plan Y.

Besides, I am prepared to pay the ransom twice, if necessary and if the first time succeeds.

Of course I will do some surveys before doing so, and it will be my last resort, aka Plan Z.

There are a few webpages that describe the process of transaction in detail, and I would peruse them a bunch of times to make sure everything goes right.

Still looking everywhere for a solution.  Wish me luck!

Let's give the guys working on this some cheers!

Sincerely,

Jimmy

@bruticus0

Hello!  Thanks for reminding me.  I check the related threads almost every day, hoping to get the latest information.

Well, I tried the solution at the beginning of the infection, but data recovery is of no use for me, for I regularly defragment my hard disk to keep it clean.

I will just wait for a little longer for the geniuses in Emsisoft to see if they can come up with something.

If anything good happens, I would definitely donate to them for appreciation.

Finally, the IC3 forms are too complicated to me, a non-American, but I would consider filling in them someday.

Thanks for everything!

Sincerely,

Jimmy from Taiwan

7 hours ago, izuran said:

@JimmyJAPA just so you know paying didn't help us, they just moved the balance out of the Bitcoin wallet

Well, if the decryptor cannot be made, I will have no choice but to pay, for the data are too precious to me.

However, in the depth of my heart, I do curse these culprits who build happiness and wealth on others' suffering!

How can they destroy others' data of the whole life time just to make money!!!

God damn them!!!  Q_Q

After reading all the information and trying every means currently known, I feel helpless and am close to giving in to the culprits...

Wish us luck!  Q_Q

@bruticus0

  I tried the link you provided, but it deals with the 68 bytes file size difference (in my case the difference is 36 bytes).  Thanks, anyway.

  Regarding this virus, I don't think most Anti-Virus software are workable because it attacks the security holes directly, just like "Blaster Worm Virus" in 2003.  Re-installing and patching the security holes are, I think, the top priority.  Thank you!

18 hours ago, bruticus0 said:

No Jim, she meant recovery tools like EaseUS Data Recovery and such.  They scan a hard drive for deleted and older versions of files if they still exist.  If they find anything, you can see if you can recover them.  Tools like this basically scan every byte of your hard drive and shows you what files are still there.  You can try it and see if any of your old non-encrypted files show up.

Dear bruticus0,

  Thanks for your explanation.  I took it in the wrong way...

  I will try your way, but I think it would be very complicated. Q_Q

  Good luck to myself!

----- update -----

  I just tried to use Data Recovery Tools to see if there is any luck.

  Just so you know, it turned out to be in vain. Q___Q

Hi, Sarah,

  You meant some users recovered files using decrypt_Cry128.exe?

  Actually, I have tried at least 5 different pairs of files, but none worked out...

  If it is true, I will keep on trying different files.

Sincerely,

Jimmy

Dear Sarah, Emsisoft,

  You wouldn't know how glad I was when reading your reply.

  Since we are at the topic.  Here is the deal.

  I myself run the FBWF (File-Based Write Filter) on my Win7, and when I reboot, everything changed in Drive C: would be erased.

  Last week when I sat at my desk, I found all the icons on the desktop changed to "unidentified items."

  It seemed that almost everything in my computer was encrypted, so I then started searching for a solution, which led me to your site.

  After one reboot, I got my C: back intact and clean.  However, all the other files in other drives were not so lucky.

  So I started reading information about this virus, and I also tried your Cry128 1.0.0.54, finding it infeasible to brute force the key.

  It might mean the virus that my computer was infected with was a variant.

  Since I could not solve the problem, I left it on hold, waiting for your breakthrough for this.

  The next day, something unbelievable happened --- my computer was infected with the same virus!!!  AGAIN!!!  For the SECOND time!!!

  Now, I have two layers of encryption on my files.  Maybe no one on earth is as unfortunate as I am.  Q_Q

  Hence, I began to look into what might have caused the two infections, and the following are my conditions.

  1. I was using PPPOE connection for ADSL and have a real IP instead of a virtual one (192.168.xxx.xxx).

  2. I didn't have the system updates after 2016.06.

    (All the other computers in my place, not updated either, using NAT, have not been infected with this virus.  Only mine was attacked.)

  What I think is that I didn't get the virus because of the fake flash player update like others but because of a Win7 security problem.

  Now, I have updated most of the Win7 updates, changed from PPPOE to NAT, and closed DMZ function.

  Everything seems to work fine except for the encrypted files, so I am still waiting.

  Enclosed are the infected and twice-infected files.  Hope they can be of help.

  Also, hope the genius that is working on this virus is getting better.  It was said that he or she was a little bit under the weather last week.

  Please send my regards to him or her.  Thanks!

  Best regards,

  Jimmy from Taiwan

gebdp3k7bolalnd4.onion.zip

Excuse me.  May I ask if Emsisoft is working on this new variant of Cry128 - gebdp3k7bolalnd4?

I keeping checking on the decryptor page every now and then.

Is there any way I can do to recover my data?

Thanks a lot!

Dear Bruticus,

  Thanks for your comfort as well as advice.

  Paying the ransom would be the last resort for me to retrieve my precious data.

  I was really furious about the virus makers!  How could they destroy others' things for sake of money!

  I know it is no use blaming them here, but I believe every victim feels the same thing!

  We victims' only hope lies on you technological supermen and superwomen!

  I will keep checking on the new releases of the decryption tools!

  Let's all get informed if any new hope comes up!

  Hope everything will turn out to be fine!  (With fingers crossed!)

Everything.lng

Everything.lng.id_1025931295_gebdp3k7bolalnd4.onion._

setup.exe

setup.exe.id_1025931295_gebdp3k7bolalnd4.onion._

IMAG1556.jpg.id_1025931295_gebdp3k7bolalnd4.onion._

_DECRYPT_MY_FILES.txt