Michal Nawrocik
  1. Thank you, but I'm afraid these are just checksums, which don't say whether any of these variants uses an 8-byte block size for encryption. Is there such a variant among them? It's good to know, and very nice of you, that you don't charge for it. I won't be able to retrieve a copy of that malware. It seems like the encrypting executable removed itself when the encryption was finished (which HiddenTear variants often do), and the file recovery software I consider very decent failed to find a suitable recoverable executable file. Do I get it right that I should provide you with a copy of the ransomware? And if not, could your analyst check whether they have records of CerberTear variants using an 8-byte block size for encryption? I hope they index such information and wouldn't have to analyze all of the samples now to check it. And even if they have a lot of such variants, I guess I could check all their salts (and perhaps other parameters, if they differ from standard CerberTear). I guess there were never so many of these variants in existence as to make checking their parameters programmatically against a single encrypted file difficult.
  2. It's been a while, but I still haven't got these files decrypted. The GData Business subscription does not include help with file decryption anymore, at least from what I've been told by their support. Michael Gillespie helped me a lot and gave me some possible salt values for decryption, but he didn't have a sample of this exact variant of CerberTear (with an 8-byte block size, so perhaps using 3DES), so the results were uncertain and in the end I failed to decrypt the files anyway. Karsten Hahn couldn't help me get it done either. I guess not much hope is left. But what if it's a slightly different variant which uses another encryption algorithm and, more importantly, another value for the salt in the encryption process? Would your malware analyst know the different salt value? Would I get help with this, free or as paid support (or support included with a subscription to your software)?
  3. Thank you very much, I will contact Michael Gillespie. I have noticed that as well: the criminals ask to send bitcoin, but the bitcoin address is the same for all victims and no contact info is included. So they wouldn't know who paid them and should receive the decryptor anyway.
  4. A friend of mine asked me to try to decrypt their files, which were encrypted with some kind of ransomware. They say the infection took place in 2016 or at the beginning of 2017. The newest encrypted file is dated 30.08.2016. Unfortunately, my friend is not very tech-savvy, so they deleted the virus itself, leaving only the encrypted files and the ransom note. I'm also not much into ransomware; I'm a programmer. I ran undelete on the disk I got from my friend and found no recoverable executable files. Then I used the online identification tool with the following result: https://id-ransomware.malwarehunterteam.com/identify.php?case=6a2aa256aee1d973b13b3bdd1725def73d88b997 Then I clicked the link to read more on the 1st result found: As you can see, it says this ransomware, called CerberTear, is a fake Cerber, actually a variation of HiddenTear. I tried several HiddenTear decryptors I found on the internet; none of them seemed to work, and I guess they couldn't, as I'll explain below. I also tried decryptors for other malware types suggested by id-ransomware, obviously to no avail. The thing is: I don't see a decryptor for CerberTear specifically, only for HiddenTear, and CerberTear is actually quite different from the original HiddenTear. HiddenTear encrypts the whole file content, whereas the files I am trying to decrypt have the first 127 bytes unencrypted, then n times 8 bytes encrypted, then the remainder unencrypted. I analyzed the source code of hidden-tear-bruteforcer https://github.com/Demonslay335/hidden-tear-bruteforcer and found it tries to decrypt the very beginning of the file for all supported variants of HiddenTear. This can't work for me, as the beginning of the file is not encrypted in my case. I didn't find the CerberTear malware itself available online in a brief search; maybe I would need to search some more or contact the people who posted links to virustotal (it's not only the tweet above).
I'm kinda familiar with unpacking and deobfuscating, so having this malware executable would help my attempts to decrypt the files. HiddenTear is written in C#, which I use for writing code on a daily basis. I got some samples of big encrypted files together with their unencrypted versions. With some effort, I could also obtain a pair of small files, encrypted + unencrypted. I didn't do this yet, as first I'd like to get some more light shed on this exact kind of malware. In case you cannot provide me with a working decryptor or the malware executable for me to analyze, maybe you know the answers to the questions below. I've seen that some variants of HiddenTear use a secure method of generating random numbers instead of the one seeded with the current time. What about CerberTear? If it uses the secure generator, then I guess the case is closed, no more questions, no chance to get the files back. What is the password length? What characters can the password contain? What encryption algorithm is used? With what parameters? I guess it's not AES as in the original HiddenTear, since AES has a block size of 16 bytes and some of the files encrypted with CerberTear have e.g. 40 bytes encrypted, and that's why I presume the block size is 8 bytes and not 16. How is the key derived from the password (if that's done for the algorithm used in this case)? In the original HiddenTear it was SHA256, but I guess it might not be the case here. I understand that there may be different variants of CerberTear, which makes it more difficult to decrypt the files without knowing the exact variant. If I succeed in writing the decryptor, I will make the source code available to the public (even though not many people could still benefit from a decryptor for such an old ransomware). Thanks in advance for any help provided.
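The measurement the post above relies on (an unencrypted prefix of 127 bytes, then a run of n×8 encrypted bytes, then an unencrypted tail) is something a responder can verify mechanically from plaintext/ciphertext pairs before guessing at a cipher. The following is an added example written for this page; it is not code from the thread, from hidden-tear-bruteforcer or from any decryptor, and it assumes nothing about CerberTear's actual algorithm. The `make_sample` helper is a constructed stand-in that just inverts the bytes of the middle span so the layout can be tested offline. The point it adds beyond the post: one pair only gives an upper bound on the block size (a 40-byte span is consistent with 1, 2, 4, 5, 8, 10, 20 or 40), so the gcd across several pairs is what narrows it, and a ciphertext byte equals its plaintext byte by chance about once in 256, so the region finder merges short gaps rather than splitting one span in two.

```python
"""Map which byte ranges of a file a ransomware encrypted and bound the cipher
block size, from plaintext/ciphertext pairs. Added example for this thread, not
CerberTear-specific code; all sample data below is constructed."""
from functools import reduce
from math import gcd
from typing import Dict, Iterable, List, Optional, Tuple

Region = Tuple[int, int]  # (offset, length) of a differing span


def diff_regions(plain: bytes, enc: bytes, max_gap: int = 2) -> List[Region]:
    """Return (offset, length) spans where enc differs from plain.

    Differing runs separated by at most max_gap identical bytes are merged:
    a ciphertext byte matches its plaintext byte by coincidence roughly 1 time
    in 256, and such a coincidence must not cut one encrypted span into two.
    Only the common length is compared; a length difference is reported
    separately by analyse_pairs (it hints at cipher padding)."""
    n = min(len(plain), len(enc))
    regions: List[Region] = []
    start: Optional[int] = None
    last_diff = -1
    for i in range(n):
        if plain[i] == enc[i]:
            continue
        if start is None:
            start = i
        elif i - last_diff - 1 > max_gap:
            regions.append((start, last_diff - start + 1))
            start = i
        last_diff = i
    if start is not None:
        regions.append((start, last_diff - start + 1))
    return regions


def infer_block_size(regions: Iterable[Region]) -> int:
    """Largest block size consistent with every span being whole blocks:
    the gcd of all span lengths (0 when there are no spans)."""
    return reduce(gcd, (length for _, length in regions), 0)


def analyse_pairs(pairs: List[Tuple[bytes, bytes]]) -> Dict[str, object]:
    """Combine several pairs: the prefix offset each file leaves untouched,
    every encrypted span, the inferred block size, and per-file length deltas
    (a non-zero delta would point at padding rather than in-place encryption)."""
    spans: List[Region] = []
    prefixes = set()
    deltas = []
    for plain, enc in pairs:
        r = diff_regions(plain, enc)
        spans.extend(r)
        prefixes.add(r[0][0] if r else None)
        deltas.append(len(enc) - len(plain))
    return {
        "prefix_offsets": prefixes,
        "spans": spans,
        "block_size": infer_block_size(spans),
        "length_deltas": deltas,
    }


def make_sample(total: int, prefix: int, enc_len: int) -> Tuple[bytes, bytes]:
    """Constructed pair, NOT real ransomware output: the 'ciphertext' inverts
    the bytes of plain[prefix:prefix+enc_len] and leaves the rest untouched,
    mirroring the layout described in the post (prefix, n*8 bytes, tail)."""
    plain = bytes((i * 7 + 3) & 0xFF for i in range(total))
    middle = bytes(b ^ 0xFF for b in plain[prefix:prefix + enc_len])
    return plain, plain[:prefix] + middle + plain[prefix + enc_len:]


if __name__ == "__main__":
    # Two constructed files: 40 and 64 encrypted bytes after a 127-byte prefix.
    pairs = [make_sample(300, 127, 40), make_sample(400, 127, 64)]
    print(analyse_pairs(pairs))
    # prefix_offsets {127}, spans [(127, 40), (127, 64)], block_size 8
```

Run against real pairs, the `block_size` figure is only an upper bound from the gcd; 8 would be consistent with a 64-bit block cipher, but a larger set of pairs whose gcd drops to 1 would instead point at a stream cipher or a non-block-aligned scheme, which is worth knowing before any key-recovery effort is spent.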