GeorgeB

Member (12 posts)

Posts posted by GeorgeB

  1. My name is GeorgeB and I'm not a cybercriminal.
    Also, I'm not a victim of this ransom virus. I want to help someone who ignored my advice about a real backup solution. When he lost all his data he wanted to pay the ransom. My advice was: "Do not pay the ransom!"
    While we are debating whether it is right or not to share knowledge about how this ransomware works, the authors build new versions, because they share their knowledge with each other.
    I think there is nothing wrong with studying and sharing. Great discoveries have come from people who did not know that one thing is impossible.

  2. I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure.
    To match ID and KEY:
    1) At the beginning of the key is the ID in HEX, followed by the character "_" (0x5F).
    2) The last byte must be 0x00.
    3) If any byte is changed in the range between 0x5F and 0x00, the key is accepted.
    4) If you delete bytes from this interval (shorten the key), the key is accepted.

    Considering these, I produced a fake key corresponding to ID 1:
    ID: 1
    KEY HEX
            315F00
    KEY ASCII
            1_ (null)
    When we click the "Unlock One" button, the error "Access violation at address 005CC02E in module 'unlock.exe'" is displayed. From here I have concluded that a minimum length is required.

    Let's extend the key and test it:
    ID: 1
    KEY HEX
            315F0000
    KEY ASCII
            1_(null) (null)

    When we click the "Unlock One" button, the key is accepted and we are invited to choose the encrypted file (whose original name we modified to match ID 1:
    testfile.txt.id_1_gebdp3k7bolalnd4.onion._).
    The content of the file is modified (decrypted with a wrong key) and the extension is changed correctly to testfile.txt, but the last 36 bytes at the end of the encrypted file are not deleted.

    The next test is the incremental addition of bytes to the key. Through successive increments we reached the following key contents:
    ID: 1
    KEY HEX
    315F + 48 x (0x00) + 2 x (0x00)
    315F
    00000000000000000000000000000000
    00000000000000000000000000000000
    00000000000000000000000000000000
    0000

    KEY ASCII
    1_ + 48 x (null) + 2 x (null)
    This key is accepted, and this time the last 36 bytes are also removed from the decrypted file, but obviously with the fake key the decryption is incorrect.


    I do not know if what I have exposed is helpful, but I hope to help and encourage those more experienced than me.

  3. On 06.05.2017 at 9:10 AM, GeorgeB said:

    Same problem here. After a short look, files are encrypted in blocks of 32 bytes. If a file is larger than 320 blocks of 32 bytes (10 KB), the rest of the file remains unencrypted. At the end of the file 36 bytes are added; the first byte differs from file to file and the remaining 35 bytes are the same (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0). If the file size does not divide exactly by 32, the last block of fewer than 32 bytes remains unencrypted.

    samples.rar

    Analyzing small files, I noticed it encrypts in blocks of 16 bytes.
    Example:

    files.thumb.jpg.e69b55607aee967229c418c49465fd88.jpg

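The file layout GeorgeB describes above (32-byte blocks, at most the first 320 blocks overwritten, a trailing partial block left in clear, 36 bytes appended), as an added Python example that is not code from this thread, from unlock.exe or from the ransomware. It checks a known-plaintext pair against that layout and carves out the bytes the malware never touched. The cipher itself is not reproduced (Win32.DN's later reply says it is AES128-based), so `fake_encrypt` is a constructed XOR stand-in that produces only the observed layout. Treating the trailer's last four bytes as a per-installation constant (EF 52 5E A0 in GeorgeB's files, 35 F6 5C 01 in ganymede's reply further down), leaving the 16-byte small-file case out, and all function names are this example's assumptions.

```python
import hashlib

BLOCK = 32             # block size GeorgeB observed on normal-sized files
MAX_BLOCKS = 320       # 320 * 32 = 10240 bytes ("10 KB" in the post); the rest stays in clear
TRAILER_LEN = 36       # appended to every encrypted file
# Last four trailer bytes: EF 52 5E A0 in GeorgeB's samples, 35 F6 5C 01 in ganymede's,
# so this example treats them as a per-installation constant supplied by the caller.
GEORGEB_TAIL4 = bytes.fromhex("EF525EA0")


def encrypted_span(size: int, block: int = BLOCK) -> int:
    """Number of leading bytes the ransomware overwrites for a file of `size` bytes:
    whole blocks only, capped at MAX_BLOCKS, so a final partial block and anything
    past 10240 bytes are left untouched."""
    return min(size - size % block, MAX_BLOCKS * block)


def split_trailer(enc: bytes):
    """Separate the 36 appended bytes from the body; the body keeps the original size."""
    if len(enc) < TRAILER_LEN:
        raise ValueError("shorter than the 36-byte trailer")
    return enc[:-TRAILER_LEN], enc[-TRAILER_LEN:]


def trailer_ok(trailer: bytes, tail4: bytes) -> bool:
    """Byte 0 varies per file, bytes 1..31 are 0x00, bytes 32..35 equal tail4."""
    return (len(trailer) == TRAILER_LEN
            and trailer[1:32] == bytes(31)
            and trailer[32:] == tail4)


def changed_blocks(plain: bytes, body: bytes, block: int = BLOCK) -> list:
    """Indexes of block-sized chunks that differ between the original and the body."""
    return [i // block for i in range(0, len(plain), block)
            if plain[i:i + block] != body[i:i + block]]


def analyze(plain: bytes, enc: bytes, tail4: bytes, block: int = BLOCK) -> dict:
    """Compare a known original with its encrypted copy against the posted layout."""
    body, trailer = split_trailer(enc)
    changed = changed_blocks(plain, body, block)
    n = encrypted_span(len(plain), block)
    return {
        "size_preserved": len(body) == len(plain),
        "trailer_ok": trailer_ok(trailer, tail4),
        "changed_blocks": changed,
        "clear_from": n,
        # exactly the first n/block blocks changed and everything after offset n is intact
        "layout_matches": changed == list(range(n // block)) and body[n:] == plain[n:],
    }


def recover_clear_tail(enc: bytes, block: int = BLOCK) -> bytes:
    """Bytes never touched by the malware: the partial last block and everything past
    10240 bytes. For a large file this is most of the content, no key needed."""
    body, _ = split_trailer(enc)
    return body[encrypted_span(len(body), block):]


def fake_encrypt(plain: bytes, tail4: bytes, seed: bytes = b"constructed") -> bytes:
    """CONSTRUCTED stand-in reproducing only the layout: a SHA-256 keystream XOR,
    not the real cipher. Trailer byte 0 is fixed here; real samples vary it per file."""
    n = encrypted_span(len(plain))
    keystream = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                         for i in range(n // BLOCK))
    ct = bytes(a ^ b for a, b in zip(plain[:n], keystream))
    return ct + plain[n:] + bytes([0x7A]) + bytes(31) + tail4


if __name__ == "__main__":
    sample = bytes(range(256)) * 60          # constructed 15360-byte "document"
    enc = fake_encrypt(sample, GEORGEB_TAIL4)
    print(analyze(sample, enc, GEORGEB_TAIL4))
    print(len(recover_clear_tail(enc)))      # 5120 bytes past the 10 KB mark still in clear
```

On real samples the point of `analyze` is to confirm the constants before relying on them: run it on a pair like mclaugb's `3X8Sheep_Base_SingleBlock.dxf` and its `.onion._` copy and the `changed_blocks` list should be exactly `0..319` (or shorter for a small file). `recover_clear_tail` is the practical angle for victims without a key: for anything over 10 KB, the remainder after stripping the trailer is original data.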
  4. 7 hours ago, mclaugb said:

    Hi Folks, I'm not sure if these files will help, but I've posted all of the virus files, ID, decryption key (provided by the scammers), etc.

    I'm hopeful that this will help those with the expertise to save others time and money.  But it was a horrible experience with CRY128 which i hope will guide others in how the scam can be cracked.  I had no backup and was in a time pinch at our company, so I could not wait it out for a crack.  I also use R-soft tools for recovery and found some files, but unfortunately R-soft cannot recognize common engineering formatted files so it couldn't find those.

    First I found the virus files wreaking havoc by looking at Endpoint Security logs and Windows System / App logs.

    The smoking gun appeared to be pointed at a c:\windows\dell folder containing some batch files.  Also a file 15321.exe kept appearing in my c:\ directory  (All of these files are zipped in folder VIRUS_FILES).  I password protected the ZIP file with the word "infected" so that no accidents happen.

    In a pinch, I had to pay the ransom. Using the Tor browser, the Ransom page asks you to enter your FILE ID.

    In my case, all files were named "*1638578921*.onion". You can play with the attached encrypted files and the decryptor.

    The TOR Browser pulls up a "Decrypt panel"

    The ID KEY must be typed in (in my case 1638578921).

    There is then a "Show code" box which currently displays "35352" with a blank box.  You must re-enter the code in that box.  (Presumably this is used in some way to generate the key).

    You then press enter and it provides you with an address to send the bitcoins to.  

    Note, the number was the same when I visited the webpage multiple times within a 24 hour period, but I think it has changed.  

    Once paid, it provides you three files to download.  (I have attached all three versions in the zip file).  I have attached the instruction page (after you pay) and the "decrypt" password for all of the decryption software.

    Your ID: 1638578921

    PRIVATE KEY:
    313633383537383932315FB78EB17DCE9907B7E60F97A278A391F8497C82918C9523B80364249F1E9290C75FD2B0817449A77D8D32097A9DB94FB0BF5F652D94F73902A514DDD91E683E415FF26D19F0A860C8D743DEBB73E5AAC703D35F805065EEB1111EE828D301637FEA7EB90B5DB744E04B20026440BB398CD9169EDF7237CDFAB4611FE9563922D151A757A151B5E1D046FC4A53379B9859D9B5598082E84A7F6651CC805FE562AE8973AEA8845CF2DC25E8E409DBE7434F31C1B0B5FD5CA3EA60736DA77A2CAA1C8C17AC23EEECA445FBAB95B2F5E668C5729DB6DBB4738E10508C802BED5742064CD3F902ED75E7151033E2419F1037E283AB9F835AA25C1975C98FE3D5966D545039FA9C2B3A4FEAE1A6906BDA11417C34F96ECEF86FEC5173DBBA10526D0F8BE586D616B01CA030F6EF16182C1AA6EB493F0612836D7CC2DD8B510C93B1BA7454FA2539D296ACC6272431DDE2AB50940BBE2F00

    The decryptor does not work, as you will see, without checking the "ignore checksum" box. Then it decrypts the files just fine.

    Anyway, I hope this helps.

    Bryan


    CRY128_FILES_UNLOCK.zip

    README.TXT.txt

    Please send these files. I cannot download them from the original post. Thanks.

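The key layout GeorgeB worked out in his unlock.exe tests (post 2 above), checked against his crafted keys for ID 1 and against the key mclaugb posted for ID 1638578921, as an added Python example that is not code from this thread or from unlock.exe. The rules it models are the ones the posts state: an ASCII ID, 0x5F, a body, a final 0x00, an access violation on an empty body, and the 36-byte trailer being stripped once the body reaches the 50 zero bytes GeorgeB arrived at. Treating 50 as the exact threshold, the file-name pattern `<name>.id_<ID>_<site>.onion._`, and the function names are this example's assumptions.

```python
import re

# Layout GeorgeB inferred: ASCII(ID) + "_" (0x5F) + body + 0x00.
# "315F00" crashed unlock.exe, "315F0000" was accepted but left the 36-byte trailer,
# and 50 zero bytes after "_" were accepted with the trailer removed. Modelling 50 as
# the threshold is this example's assumption.
MIN_BODY_FOR_TRAILER_STRIP = 50

# Key mclaugb received for ID 1638578921, copied from his post in this thread.
POSTED_KEY = (
    "313633383537383932315FB78EB17DCE9907B7E60F97A278A391F8497C8291"
    "8C9523B80364249F1E9290C75FD2B0817449A77D8D32097A9DB94FB0BF5F652D94F73902A514DDD9"
    "1E683E415FF26D19F0A860C8D743DEBB73E5AAC703D35F805065EEB1111EE828D301637FEA7EB90B"
    "5DB744E04B20026440BB398CD9169EDF7237CDFAB4611FE9563922D151A757A151B5E1D046FC4A53"
    "379B9859D9B5598082E84A7F6651CC805FE562AE8973AEA8845CF2DC25E8E409DBE7434F31C1B0B5"
    "FD5CA3EA60736DA77A2CAA1C8C17AC23EEECA445FBAB95B2F5E668C5729DB6DBB4738E10508C802B"
    "ED5742064CD3F902ED75E7151033E2419F1037E283AB9F835AA25C1975C98FE3D5966D545039FA9C"
    "2B3A4FEAE1A6906BDA11417C34F96ECEF86FEC5173DBBA10526D0F8BE586D616B01CA030F6EF1618"
    "2C1AA6EB493F0612836D7CC2DD8B510C93B1BA7454FA2539D296ACC6272431DDE2AB50940BBE2F00"
)

# Encrypted-file naming seen in the thread, e.g. testfile.txt.id_1_gebdp3k7bolalnd4.onion._
# (assumed pattern; the site label is base32-like).
FILENAME_RE = re.compile(r"^(?P<name>.+)\.id_(?P<id>\d+)_(?P<site>[a-z2-7]+)\.onion\._$")


def craft_key(victim_id: str, body_len: int) -> str:
    """Build a key in GeorgeB's layout with an all-zero body (his fake keys), as hex."""
    return (victim_id.encode("ascii") + b"_" + bytes(body_len) + b"\x00").hex().upper()


def parse_key(key_hex: str) -> dict:
    """Apply the acceptance rules observed in unlock.exe to a hex-encoded key."""
    h = "".join(key_hex.split())
    if len(h) % 2:
        return {"ok": False, "reason": "odd number of hex digits"}
    raw = bytes.fromhex(h)
    sep = raw.find(b"_")                      # first 0x5F ends the ASCII id
    if sep < 1 or not raw[:sep].isdigit():
        return {"ok": False, "reason": "missing ASCII id + 0x5F prefix"}
    if raw[-1] != 0x00:
        return {"ok": False, "reason": "last byte is not 0x00"}
    body = raw[sep + 1:-1]                    # bytes between 0x5F and the final 0x00
    if not body:
        return {"ok": False, "reason": "too short (access violation in GeorgeB's test)"}
    return {
        "ok": True,
        "id": raw[:sep].decode("ascii"),
        "body_len": len(body),
        "strips_trailer": len(body) >= MIN_BODY_FOR_TRAILER_STRIP,
    }


def id_from_filename(filename: str):
    """Return (original name, ID) parsed from an encrypted file name, or None."""
    m = FILENAME_RE.match(filename)
    return (m["name"], m["id"]) if m else None


def key_matches_file(key_hex: str, filename: str) -> bool:
    """The only binding the posts describe: the key's ID prefix equals the ID in the name."""
    k, f = parse_key(key_hex), id_from_filename(filename)
    return bool(k["ok"] and f and k["id"] == f[1])


if __name__ == "__main__":
    for k in ("315F00", "315F0000", craft_key("1", 50), POSTED_KEY):
        print(k[:24], parse_key(k))
    print(key_matches_file(POSTED_KEY,
          "3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._"))
```

The check confirms what GeorgeB's tests imply: the ID prefix and terminator are the only structural bindings unlock.exe enforces, so a well-formed key for the wrong victim is accepted and silently produces garbage, which is why a "successful" run should be verified on a copy first.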
  5. 9 hours ago, Win32.DN said:

    My friend became the victim and I reversed the uploaded "unlock.exe" yesterday.

    The 36 (0x24) bytes variant is actually based on Cry9.

    I already understand (I hope) how the unlocker decrypts the files.

    The problem is factoring the AES128 key (and 0x1000+ bytes additional table), which looks to be different per the victim.

    Maybe Fabian knows better about this part (or he is stuck at the same point).

    I will look more when I have more time but don't expect good news from me.

    Nice work,

    Let's name this variant CRY36. Please confirm that this variant encrypts files in 32-byte blocks and only the first 320 blocks of 32 bytes (10k). Please share any knowledge about how this variant works.

    Thanks

  6. On 5/11/2017 at 4:13 AM, mclaugb said:

    I finally gave in to the scam as our business did not have a backup and had some time-sensitive materials.  EMSISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc.  I find it a little frustrating that few if any of your team are even on these forums.  Maybe we're too incapable of helping you but some updating would be nice.

    Anyway, I saved all of the decrypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me.  The ransom allows you to download the decrypter exe for three different filetype extensions.  Mine are a bolal4nd.onion type so I used that exe.

    The hardest thing was actually buying bitcoins and getting that done reasonably quickly.  I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase.  Cost about $275 bucks all in all, but i had put 20 hours into this, a new hard drive, etc.

    For the record, the criminals' tool did not initially decrypt the files correctly--it failed giving an error.  But there is a little checkbox "ignore checksum" that when clicked says "may ruin the files".  I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files.  The files opened near perfectly (some minor property information was lost), but it worked just fine and I have my files back.  Now I have it running on the whole hard drive.

    The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

    I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. 

    I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.  EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.


    Dear mclaugb,

    Please share the unlocker, the key provided and a sample of encrypted files. I want to try to disassemble the unlocker.

    Thanks!

  7. 9 hours ago, ganymede said:

    I think this guy might have the actual executable.

    On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:

    winlogon.exe
    -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x
    Workstationt
    C:\Windows

    Maybe that long nonsense string has something to do with the key?

    What are the last 35 bytes at the end of the encrypted files (in my case 31 bytes of 00 and EF 52 5E A0)?

  8. 2 hours ago, ganymede said:

    George, I'm not sure those bytes are meant to be constant. My last 4 in each file are 35 F6 5C 01.

    Also to Kenneth and mclaugb, you may have different variants than the one being discussed here, as your extensions end in .onion._. Those were linked to Cry128. Have you tried using the decrypter for it?

    Constant for all encrypted files. In my case all files have 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0.

  9. 8 hours ago, mclaugb said:

    Here are a few text files that got hit by the ransomware.  It is very easy to tell where the information was added/removed/etc.  I also have 4 exe and other files I have zipped up in case anyone wants to run the ransomware on a VM and see how it works.  

    3X8Sheep_Base_SingleBlock.dxf

    3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._

    I cannot download these files. Please confirm that the last bytes in the encrypted files are EF 52 5E A0. Thanks!

  10. Mcl

    On 5/3/2017 at 4:13 PM, mclaugb said:

    I am posting the infected files here.  I have attached them here in "dell_Infected.zip".  The zip file requires a password "infected" to open it. Please use with caution as they are infected .exe files with the CRY128 virus. 

    dell_Infected.zip

    Please send me the infected exe archive.  I want to let it encrypt some files in a VM.

  11. Same problem here. After a short look, files are encrypted in blocks of 32 bytes. If a file is larger than 320 blocks of 32 bytes (10 KB), the rest of the file remains unencrypted. At the end of the file 36 bytes are added; the first byte differs from file to file and the remaining 35 bytes are the same (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0). If the file size does not divide exactly by 32, the last block of fewer than 32 bytes remains unencrypted.

    samples.rar
