Everything posted by BJammin
We paid 2 bitcoin to get the decryption tool but the tool wouldn't decrypt anything over 2 GB and only decrypted a small amount of the files under 2 GB. When communicating with the attackers, they demanded another bitcoin to give us a "plugin" to decrypt the rest. We were able to get a majority of the main files from the file allocation tables before the attack happened. This is the first ransomware attack I've seen where the ransom was paid and the attackers didn't follow through with their end of the deal and just asked for more money. This is where we drew the line and didn't pay any more. Never paying ransom again!!! Also, I tried the Avast decrypter and it didn't do anything for me. Nomoreransom.org and other sites don't currently have a decryption tool for this that I'm aware of.
Since we paid the ransom to get the decryption tool, and the decryption tool worked for a brief moment, why would it suddenly stop working? I don't see any rhyme or reason to why it works then it doesn't. Now it doesn't work at all.
I have 200,000 files that are encrypted ending with .sys via compromised RDP. The attackers were malicious and deleted a lot of files. It looks like it's a variant of the DLL Cryptomix ransomware: https://blog.watchpointdata.com/dll-cryptomix-exposes-ransomware-infection-method I reluctantly paid the ransom and they sent me a decryptor tool but it's not working. It worked on some files that were less than 2 GB then suddenly stopped working on everything. The criminals sent us a message demanding more ransom to decrypt anything over 2 GB. Since I have the decryptor tool they sent me and it worked for a little while on some files, is there any way to reverse engineer it to work with everything else? Ransom note: Hello! Attention! All Your data was encrypted! For specific informartion, please send us an email with Your ID number: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] Please send Your email to our all email addresses! We will help You immediately! As faster You will contact us as cheaper will be the recovery price! IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER! DECRYPT-ID-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX number - I removed the ID number just in case. Any feedback or ideas would be much appreciated, I'm lost on what to do next.