GeorgeB

GeorgeB last won the day on June 5 2017

  1. My name is GeorgeB and I'm not a cybercriminal. Also I'm not a victim of this ransom virus. I want to help someone who ignored my advice about a real backup solution. When he lost all his data he wanted to pay the ransom. My advice was: "Do not pay the ransom!" While we are debating whether it is right or not to share knowledge about how this ransom works, the authors build new versions, because they share their knowledge with each other. I think there is nothing wrong with studying and sharing. Great discoveries have come from people who did not know that a thing was impossible.
  2. I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure. To match ID and KEY:
     1) At the beginning of the key is the ID in HEX followed by the character "_" (0x5F)
     2) The last byte must be 0x00
     3) If any byte is changed in the range between 0x5F and 0x00, the key is accepted.
     4) If you delete bytes from this interval (shorten the key) the key is accepted.
     Considering these I produced a fake key corresponding to ID 1:
     ID: 1
     KEY HEX 315F00
     KEY ASCII 1_ (null)
     When we click on the "U
  3. Analyzing small files, I noticed it encrypts in blocks of 16 bytes. Example:
  4. Please PM me the decryptor and your key. Thanks!
  5. Please send these files. I cannot download from the original post. Thanks.
  6. Nice work. Let's name this variant CRY36. Please confirm that this variant encrypts files in 32-byte blocks and only the first 320 blocks of 32 bytes (10k). Please share any knowledge about how this variant works. Thanks
  7. Dear Mclaugb, please share the unlocker, the key provided and a sample of encrypted files. I want to try to disassemble the unlocker. Thanks!
  8. What are the last 35 bytes at the end of encrypted files (in my case it is 31 of 00 and EF 52 5E A0)?
  9. Constant across all encrypted files. In my case all files have 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0.
  10. I cannot download these files. Please confirm that the last bytes in encrypted files are EF 52 5E A0. Thanks!
  11. Mcl, please send the infected exe archive to me. I want to let it encrypt some files in a VM.
  12. Same problem here. After a short look, files are encrypted in blocks of 32 bytes. If a file is larger than 320 blocks of 32 bytes (10kb), the rest of the file remains unencrypted. At the end of the file 36 bytes are added; the first byte differs from file to file and the remaining 35 bytes are the same (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0). If the file size is not exactly divisible by 32, then the last block of less than 32 bytes remains unencrypted. samples.rar