Angel Aguilar

MRCR/Merry X-Mas Ransomware (.PEGS1, .MRCR1, .RARE1, .MERRY, or .RMCM1; YOUR_FILES_ARE_DEAD.HTA, MERRY_I_LOVE_YOU_BRUCE.HTA)


No problem,

It may seem severely restrictive but also eliminates confusion when working on several infected systems.

  • Upvote 1


I think it's OK for all .doc files.
It is a pity that we cannot choose the type of extension to extract with the decrypter.
If I try to decrypt all files, it will create a copy of each corrupted original file.

What extension do you want me to try other than .doc files?

logMRCR.txt


Any media or image files that are still encrypted; it does not really matter which.

By default, the decrypter will not delete any encrypted files during the decryption process.  You either have to change the settings in the decrypter or manually delete the encrypted files once they have been decrypted.


Kevin,

Thanks to you and your team for your efforts. Unfortunately, the updated 1.0.0.42 decrypter did not work on the first file pair I tried and I'm fairly certain it was a valid pair. I will try others and let you know.


Hi all,  

I started a new thread so I don't piggyback off of Pen's original post.

I've been following the post and tried the new update that was released to decrypt the Merry I love you bruce encryption, but unfortunately I get the same message that it can't find a decryption key.

I've uploaded the exe and the pair of files I used for the decryption.

I thank everybody involved with this project.

Deposits Dec 2016.zip

no key message.jpg

Huge Thanks for You! I have run 1.0.0.42 ver and worked like a charm.

I understand that I should now remove all html applic files in all infected folders. Do you know if apart from encryption and this html applic the system was also compromised in another way ? Should I also change all passwords related to an account (local and web) ?

Thanks, k


Good. Dear Kevin Zoll, the new version 1.0.0.42 to handle Merry X-Mas Bruce is very good. I've decrypted more than 55.000 files, but only the files that are under 10 MB in size... for the others, bigger than 10 MB, it doesn't decrypt anything.
Stefano from Trento, Italy. Thank you...


 Can you post the log of those files being decrypted and additionally:

1. The malware file that encrypted your files.
2. A file pair consisting of one encrypted and original file between 64 KB and 100 MB.
3. Some of the files that don't decrypt properly.

I will need all of that to figure out what is going wrong if anything goes wrong really. 


Hello,

Firstly, thank you for your effort to provide this free tool. A friend also encountered this issue on a laptop (Win 7 Pro 64 bit), and decryption partially works on a few jpgs; however, Word, Excel and PDF files don't seem to decrypt and I have a vague feeling that the decryption key retrieved is partial.

 

I am linking a zipped file that contains:

1. Malware executable

2. A pair of files that retrieve the key

3. A pair of files that don't retrieve the key

4. Files that don't decrypt with the retrieved key

5. Decrypt log.

Link:

 

I am providing URL because attaching the archive failed in either rar or zip format. Please remove the link from my post after you downloaded the zip file.

Hope this helps.

Thank you again for the effort!

 

1 hour ago, Fabian Wosar said:

 Can you post the log of those files being decrypted and additionally:

1. The malware file that encrypted your files.
2. A file pair consisting of one encrypted and original file between 64 KB and 100 MB.
3. Some of the files that don't decrypt properly.

I will need all of that to figure out what is going wrong if anything goes wrong really. 

Hello Fabian, and thanks for your help.

1. The malware was cancelled by FRST.
2. I attach files that are decrypted properly by MRCR: (TARIFS A4.doc). The files are in my first post.
The other ones are .docx and .pdf; they don't work. (These are the original files) ATELIER NET PUBLIC.docx

and ATELIER NET PUBLIC.pdf

3. Files that don't decrypt properly are called NW.  NW-ATELIER NET PUBLIC.pdf     NW-ATELIER NET PUBLIC.docx

ATELIER NET PUBLIC.docx.MERRY

ATELIER NET PUBLIC.pdf.MERRY


I just understood one thing...
It is not the same decryption key for all extensions.
The .doc has one number and the .docx has another number.
How to recover everything in one go?

When I put in a docx.merry file and the original, it works for all .docx files and pdf files too.

EDIT: I'm back. All files are decrypted with the combination ATELIER NET PUBLIC.docx and ATELIER NET PUBLIC.docx.MERRY

I think it's OK for all files; I tested jpg, txt, pdf, docx... I'll try mp3 and mp4 to see.

Here is my MRCR results report: logMRCR2.txt

It's a very, very good job. Really, really, thank you!!


Hello, I have the same problem, please help me!

I've made 2 logs with Farbar Recovery Scan Tool and I've attached them for you.

I can't make copies of the original file and I can't use any of your programs.

Waiting for news from you.

Cheers!

Addition.txt

FRST.txt


I just downloaded the new release of the decrypter: 1.0.0.45, and I managed to decrypt all files. You guys are lifesavers. Thank you for your involvement and dedication in fixing this issue. God bless you!


Hello!
I was recently duped into the whole Chrome_font.exe virus/ransomware. I didn't really see an actual ransom though - I had left my computer for a couple hours only to return to all my personal files changed to the .merry extension.

Before finding this forum, I had already made efforts to remove the Chrome_font.exe virus by stopping its processes and doing a system restore - although I'm not sure it's completely gone? Still, my personal files are still encrypted and I cannot access them.

I'm reaching out for further assistance as I am having difficulty decrypting the files using the newest update on this site.  Advice?

logs.db3

Addition.txt

FRST.txt


Same issue, though I caught the virus part way through and seem to have disabled it (ironically, by simply doing a search for the .exe filename, which showed up over 11,000 times, and then pressing "delete").

 

That was Wednesday.  No files have been modified since, but I'm getting an error when I try to use the decryption program.

But I'm stuck at trying to recover files.  If the files have .MERRY extensions, does that mean they're encrypted?

 

The program asks me to "drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter."  I have plenty of files from older backups which are unencrypted versions of files that now have the .MERRY extension, but when I drag-and-drop the pairs, the decrypter asks me for permission to run, but then pops up the same error message: "The decrypter could not determine a valid key for your system.  Please drag & drop..."

 

Anybody out there able to help?


I'm jumping over to where this is posted in another topic.

But I see that the decrypter was updated from v1.0.0.34 to 1.0.0.45.

Downloaded that and now it's doing something!!!

 

(We'll see what happens)

 


I'm having a similar issue here as well. However, I'm confused as to how I would attain unencrypted counterparts of my files if I'm trying to decrypt the files to begin with. I guess what I'm saying is that, unfortunately, I don't have any unencrypted backups of my files so I have nothing to pair with these files. Is there any other way to get these pairs or am I doing something wrong?


You're not confused.

You'd--hopefully--have an old file somewhere and then the same file that got encrypted.  An old backup?  A file you emailed to someone so you could retrieve it from your email?

 

I gather the program is basically automatically reverse-engineering the encryption by comparing files.

Y'all are brilliant.

  • Upvote 1


Mine's running.  It's literally got tens of thousands of files to process, so no idea how long it will take, but it is running faster than I can see it.  Every once in a while it pauses and I'm able to see "Status: Successfully processed," so I'm hopeful.

 

Will update!

18 minutes ago, YMiller said:

You'd--hopefully--have an old file somewhere and then the same file that got encrypted.  An old backup?  A file you emailed to someone so you could retrieve it from your email?

Hey thanks! This actually helped.. For some reason I thought I would need a counterpart for ALL the encrypted files. Per your example, I found a file that I recently e-mailed to someone and used that to drag/drop.. and now it's doing something too! *crossing fingers


You're welcome, though I'm going to disconnect from this thread because I see there were some steps I was supposed to follow including starting my own thread.

 


I have tried the latest decrypter and it is still not working for my files.  I have tried it on a pdf and a .doc file.  Any suggestions?  Do you have the Emergency Kit that I can run on an XP machine?


I had the same problem yesterday. All my files got encrypted, but when I downloaded the decryptor on this site, it found a key when I used the encrypted and unencrypted version of a pdf file. However, it decrypts the jpg files and pdf files successfully but the video files with .wav and mp4 extensions are not decrypted. The decryptor has successfully decrypted them, as it shows in the results, but the video does not play. I think the key is different for different kinds of files. What should I do?? Please help.

I used the following encrypted and unencrypted files for the decryption..

 

Lab Anim-1971-Moore-239-50.pdf

Lab Anim-1971-Moore-239-50.pdf.MERRY

Here is the log file in which the decryptor says that the files have been successfully decrypted; however, the files cannot actually be played in video players.

log.txt


I also have this problem. I removed the Merry i love bruce virus with Spyhunter and now i am trying to recover my files. I have a pair of original/infected files but i receive this error. Can you tell me why ? :( 

err.PNG

First:  Y'all sure do handle things in a nice way.  Really appreciated the "just try it for 30 days" approach.  Also really appreciated the "here's something you can learn while our program is scanning." Likely you already know that the FRST program is so unknown that (another company's antivirus--product starts with No and company starts with Sy) flagged and removed the program as soon as I downloaded it. Telling that program to "ignore" something it has flagged that strongly is a little scary for those of us who know nothing about this and just got infected by a rather potent virus.

 

Tuesday 6:52pm (the first time files were modified): Duped by the same Chrome font display scam as everybody else.

Windows 10.

Wednesday noticed Bruce's .exe in a document folder.

Searched "This PC" for the .exe's filename.  11,000+ hits.  (another company's) SearchAndDestroy's "kill file" option did nothing.  Tried "select all" and "delete" and, much to my surprise, it seems to have worked!  No more files altered after that (Wed 3:54pm)

Approx 1/2 the files on my hard drive now have .MERRY appended.

Removing the extra extension did nothing.

Ran your decryption tool 1.0.0.34 on Friday and, even though I think I was following the instructions correctly, kept getting the error message instructing me to drag a pair of files over the program.

Last evening, went onto forum, and saw people were using 1.0.0.45. Downloaded. Dragging a pair of files (the .docx files attached) has started the decrypter doing something.  Has been running all night.

 

4 pairs of files, of different types, attached, along with the reports requested.

 

Thank you.

Addition.txt

FRST.txt

Voting Rights Cases chronological, 16-10-20.xlsx.MERRY

Friends of Brennan v NC 16-04-28.docx

Friends of Brennan v NC 16-04-28.docx.MERRY

ginsburg umbrella.jpg

ginsburg umbrella.jpg.MERRY

Voting Rights Booklist.pdf

Voting Rights Booklist.pdf.MERRY

Voting Rights Cases chronological, 16-10-20.xlsx

scan_170129-084758.txt


Hi,
Thank you for the great work you're doing.

My laptop was hit by the MILYB ransomware on January 27th while entering a super-legitimate website via the Chrome-font.exe download. I noticed the damage the next day.
In my machine there are a lot of files which are named in Hebrew.
In every directory where the virus "visited", the vast majority of the files were encrypted; however, only those with file names in English got the MERRY addition.
The Hebrew-named files were encrypted, but with no rename.

I downloaded and operated the very recent version of your Decrypter and successfully decrypted English-named files with Merry extensions; however, the decrypter ignored all the Hebrew-named files (I guess because the decrypter is primarily looking for the MERRY extension).
The decrypter worked on those files only if I manually added the Merry extension.

My questions:

  1. Since I have hundreds of such files which are encrypted with no MERRY extension, is there a way to make the Decrypter work on them (without renaming them one by one, which is not realistic)?
  2. Alternatively, is there a way to add this extension to a mass of files?
    Assuming there is a way, in the case the extension is added to a file that was not encrypted, will the decrypter identify it as encrypted and attempt to "decrypt" it?
    Will such a "decryption" process damage the (unencrypted yet marked) file?

In addition, I have a comment about the Decrypter (1.0.0.45) - it took me a while to find a pair of files as input for the decrypter that actually resulted in successful decryption of all other files. In many cases after loading the sample file (Docx, Png, Jpg etc.), the decrypter failed to fix any other files except the original source. Eventually I loaded a pair of Pptx files that proved to be a "good source" for decrypting other files.

Thanks!!
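
An added example, not part of the original post and not Emsisoft's code: one way to approach questions 1 and 2 above without renaming anything in place. It copies files whose leading bytes do not match their extension into a separate staging folder with `.MERRY` appended, and leaves files with a valid header alone so intact files are never marked. It assumes the encryption changes a file's leading bytes, which the thread does not confirm; `stage_unmarked`, `header_matches` and the staging folder are hypothetical names.

```python
import shutil
from pathlib import Path

MARKER = ".MERRY"  # extension the decrypter looks for, per the thread

# Well-known leading bytes of some common formats, keyed by extension.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
}


def header_matches(path):
    """True/False if the header fits the extension, None if the type is not in MAGIC."""
    sig = MAGIC.get(path.suffix.lower())
    if sig is None:
        return None
    with path.open("rb") as fh:
        return fh.read(len(sig)) == sig


def stage_unmarked(root, staging):
    """Copy suspect files into `staging` with MARKER appended; originals stay untouched.

    Assumption: an encrypted file no longer starts with its format's signature.
    Returns (staged, intact, unknown) lists of paths.
    """
    root, staging = Path(root), Path(staging)
    staged, intact, unknown = [], [], []
    for src in sorted(root.rglob("*")):
        if not src.is_file() or staging in src.parents:
            continue
        if src.suffix.upper() == MARKER:
            continue  # already marked, nothing to add
        verdict = header_matches(src)
        if verdict is None:
            unknown.append(src)   # cannot judge from the header: review by hand
        elif verdict:
            intact.append(src)    # header is valid: do not mark as encrypted
        else:
            dest = staging / src.relative_to(root)
            dest = dest.with_name(dest.name + MARKER)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
            staged.append(dest)
    return staged, intact, unknown
```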


Hi Kevin Sir,

My system got infected with Pclock on 6 Jan 2017, and a lot of my files got encrypted. I didn't know what to do, so I googled and detached the LAN cable to avoid further encryption. I was not able to remove the virus or install any antivirus, so I reinstalled Windows and installed an antivirus, with the help of which I was able to detect the malware and remove it. I tried various tools to decrypt the files, from Trend Micro, Avast, etc., but none of them were able to detect the type of malware. Just yesterday I was able to detect the malware with the help of the website idmalware.com, and found that the malware here was Pclock. I downloaded your tool to decrypt the files, but when I try to run the tool the following message pops up.

"This system does not appear to have been targetted by pclock malware in the past. To prevent you from damaging your files by accident the decrypter will close now".

Kindly help me .

Thanks 

Kamal Gyanani

 


Hi Kevin,

Thanks for that! Seems to work well on a few test files although I haven't let it rip on the whole system yet. Will let you know the outcome.

Best regards,
Peter


Hi Kevin,

Just running through some files now, but the decryption tool has found dozens of potential key pairs with the two files I used to start the decryption process. As a result, I've no idea which one to pick from the drop-down menu. I've tried a few, but they do not successfully decrypt any files.

Best regards,

Peter.

Capture.PNG

Thanks for the help.

 

Well, downloaded the new version of the encryption tool and got it to accept encrypt/nonencrypt pdf.

Software has been running since my last post with no results showing.

How long is reasonable to wait for encryption tool to respond?

It looks like I might be able to use "control alt delete" to force shut down.

Thanks

23 hours ago, Alina said:

I also have this problem. I removed the Merry i love bruce virus with Spyhunter and now i am trying to recover my files. I have a pair of original/infected files but i receive this error. Can you tell me why ? :( 

err.PNG

Hello,

I have the same problem... I tried different pairs of files (PDF, JPG, ...) but I got the same error message. :(

Thx,

Marius


Hello Kevin,

Your software requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file. But if I had the original unencrypted file, why would I bother at all with the decryption problem? This looks like nonsense to me. All my files are encrypted with .merry and I do not have an original file. That is the issue. How do we deal with that?

regards

mek
