Angel Aguilar

MRCR/Merry X-Mas Ransomware (.PEGS1, .MRCR1, .RARE1, .MERRY, or .RMCM1; YOUR_FILES_ARE_DEAD.HTA, MERRY_I_LOVE_YOU_BRUCE.HTA)

Pretty sure I got this through the Chrome Font thing. I can not find a pair of files to drop on the program. How do I run the program without the pair? (I don't know where an unencrypted file would be - all I see is the files with "MERRY" added to the file name - no other files.)

 

6 hours ago, Peter Morgan said:

Hi Kevin,

Just running through some files now, but the decryption tool has found dozens of potential key pairs with the two files I used to start the decryption process. As a result, I've no idea which one to pick from the drop-down menu. I've tried a few, but they do not successfully decrypt any files.

Best regards,

Peter

 

Get a few files, put them into a directory, try to decrypt the directory using the different keys, see if the files open. Repeat until you find the right one. You can also try to find a different file pair, which depending on the content, may result in fewer matching keys overall.

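A way to automate the "try each key on a few files and see if they open" check from the reply above, as an added example that is not part of this thread and not Emsisoft's decrypter code: decrypt a handful of small samples under every candidate key and rank the keys by how many outputs start with the file signature their original extension implies. The MRCR cipher itself is not described in this thread, so `xor_decrypt` (a repeating-key XOR) is only a labelled stand-in for the real routine; the signature table, the `.MERRY` marker handling and the sample data are assumptions constructed for the example.

```python
"""Rank candidate decryption keys by how many sample files they turn into
well-formed documents.

Added example, not code from this thread or from Emsisoft.  The real MRCR
algorithm is not described here, so `xor_decrypt` (repeating-key XOR) is a
labelled stand-in: pass the real routine as `decrypt`.  The signature table,
the `.MERRY` marker and the sample data are assumptions / constructed."""
import os
from typing import Callable, Dict, List, Tuple

# Leading bytes of the formats people in the thread are trying to recover.
MAGIC: Dict[str, bytes] = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf":  b"%PDF-",
    "docx": b"PK\x03\x04",        # OOXML files are ZIP containers
    "xlsx": b"PK\x03\x04",
    "doc":  b"\xd0\xcf\x11\xe0",  # legacy Office: OLE compound file
    "xls":  b"\xd0\xcf\x11\xe0",
    "cr2":  b"II*\x00",           # Canon RAW: little-endian TIFF header
}

Decryptor = Callable[[bytes, bytes], bytes]


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher only; NOT the ransomware's algorithm."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def original_name(encrypted_name: str, marker: str = ".MERRY") -> str:
    """'report.pdf.MERRY' -> 'report.pdf'."""
    if not encrypted_name.upper().endswith(marker):
        raise ValueError(f"{encrypted_name!r} does not end with {marker}")
    return encrypted_name[:-len(marker)]


def looks_valid(data: bytes, ext: str) -> bool:
    """True if the decrypted bytes begin with the signature for `ext`."""
    sig = MAGIC.get(ext.lower().lstrip("."))
    return sig is not None and data.startswith(sig)


def score_keys(samples: List[Tuple[str, bytes]], candidates: List[bytes],
               decrypt: Decryptor = xor_decrypt) -> List[Tuple[bytes, int]]:
    """For every candidate key, count the samples whose decryption carries
    the header its original extension implies; best key first."""
    ranked = []
    for key in candidates:
        hits = 0
        for enc_name, ciphertext in samples:
            ext = os.path.splitext(original_name(enc_name))[1]
            if looks_valid(decrypt(ciphertext, key), ext):
                hits += 1
        ranked.append((key, hits))
    ranked.sort(key=lambda kv: kv[1], reverse=True)
    return ranked


def load_samples(directory: str, marker: str = ".MERRY") -> List[Tuple[str, bytes]]:
    """Read the encrypted files in one directory.  Only the header is
    checked, so the first few KB of each file are enough."""
    out = []
    for name in sorted(os.listdir(directory)):
        if name.upper().endswith(marker):
            with open(os.path.join(directory, name), "rb") as fh:
                out.append((name, fh.read(4096)))
    return out


def demo() -> Tuple[List[Tuple[bytes, int]], bytes]:
    """Constructed sample set: three tiny files encrypted under one key and
    three candidate keys, one of which differs from the right key only in
    its last byte."""
    true_key = b"\x4d\x52\x43\x52"
    plaintexts = {
        "photo.jpg.MERRY":  b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
        "notes.pdf.MERRY":  b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + b"x" * 16,
        "sheet.xlsx.MERRY": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 16,
    }
    samples = [(n, xor_decrypt(p, true_key)) for n, p in plaintexts.items()]
    candidates = [b"\x00\x01\x02\x03", true_key, b"\x4d\x52\x43\x00"]
    return score_keys(samples, candidates), true_key


if __name__ == "__main__":
    for key, hits in demo()[0]:
        print(key.hex(), hits)
```

With real files, `score_keys(load_samples(r"C:\samples"), candidate_keys, decrypt=real_routine)` does the ranking. The constructed near-miss key in `demo` scores one hit (the three-byte JPEG signature still matches) while the right key scores all three: a key that "works" only for a format with a short signature is weak evidence, so prefer samples whose format has a long fixed header (PDF, Office, PNG) and still confirm by opening the files.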

Hello,
I was also infected with this virus on Friday. I also live in France.
Friday, right after I reset the computer with the factory settings ...

Today the virus has come back and it is spreading in my Google Drive files.

I have not yet managed to get rid of it ... all the tips gleaned from the internet have not been effective for now.


Well, I managed to recover some video files that interested me, but I need some jpg files + pdf files. CR2 (raw) were also successfully recovered. Are there different versions that could work for a specific file? :( I would pay for a solution, sincerely.


Update: I ran version 1.0.0.50 against a few pairs of files. It does find keys and I was able to run, however the resulting files are not readable.

First pair (drummond_large.png) found approximately 32 keys. I tried the first few and did not get any readable files.

The second pair (menuicons.png) generated 2 keys, but no readable files with either key.

The third pair (background.jpg) generated a single key, but also no readable files.

background.jpg

background.jpg.MERRY


Hi,

According to the instructions I've made scans and logs.

I used decrypt_MRCR ver. 1.0.0.50 but it doesn't work.

The file after decryption is not good.

There are also the infected, original and after-decryption (error) files.

Thank you for what you do and for your help.

Best regards,

Hania

Addition.txt

FRST.txt

logs.db3

Rada pedagogiczna after decryption.pdf

Rada pedagogiczna.pdf

Rada pedagogiczna.pdf.MERRY


@Pen You will have to try all encryption keys to determine which ones are correct. Alternately you can try another file pair that may produce a smaller key set.


Hi Kevin,

I did try those other two file pairs that generated only one or two keys. The decrypter ran, but the files produced were not readable in any case. I tried several file types.

Thanks


Hi Kevin,

Great tool! 

We got the I_LOVE_YOU_BRUCE ransomware last Thursday. The decrypter seems to work on most file types - doc, docx, xls and xlsx. I have not got it to work with any PDF or CSV files. There is another problem - it only seems to work in the top level folder - files in any subfolders below the top folder added to the decrypter (Add Folder button) do not seem to be properly decrypted. The files with the correct extensions are created, but they are not readable by the appropriate apps.

I am using version 1.0.0.50.

Many thanks for your great work.

 


Thank you very much! It works perfectly. I tried it using version 1.0.0.50.

I did have a few bumps while I was testing that may help others with any issues.

I had copied the files that were infected to another machine. When I tried running the decryptor on the other machine it found keys to try but they did not work. It was only when I went to the original infected machine that it generated additional keys to try, and then it worked.

I ran it in a few different scenarios and came up with the same issue if I didn't use the original infected machine.

 

Again thank you all for the work you guys do.  I know what software to recommend when people ask for antivirus requests.


Ok, downloaded the updated decrypter from link above. 

Added the same PDFs I used before and I gave permission for Emsisoft to make changes to the computer, then I get "Emsisoft not responding".

Then my computer becomes unresponsive.

Worked beautifully!

(and the Norton Virus Team assistant manager was stunned when he called back to find out if I had had any progress...I hope this results in much extra business for you.)

Are there places I can post reviews about this result, or other such things that would tangibly show appreciation?

 

Please let me know if there is any solution to a couple of small things.

But, first-and-foremost, you just helped save some very important legal work about democracy and voting rights.

1. The "modified" date on all the files is now, of course, 1/29/17 which is--in fact--the last time they were modified (but by the decrypter).  This eliminates the possibility of me sorting for my most recent work, or work that I did during a certain time period, etc.  Obviously what's most important is that the files are back.  But, any solution to this result?

2. Some background files are still having issues.  Example: when I asked MSWord to insert page numbers, I got an error message that said: "Word cannot open this document template. (C:\Users\...\15/~$ilding Blocks.dotx)".  Suggestions?

 

Thank you, thank you, thank you.

1 hour ago, YMiller said:

1. The "modified" date on all the files is now, of course, 1/29/17 which is--in fact--the last time they were modified (but by the decrypter).  This eliminates the possibility of me sorting for my most recent work, or work that I did during a certain time period, etc.  Obviously what's most important is that the files are back.  But, any solution to this result?

 

That is technically impossible. The ransomware does not save the original timestamps anywhere. Therefore, the decrypter can't restore them. When you check your encrypted files, you will see that all the timestamps of those files are from the time of encryption.

Quote

2. Some background files are still having issues.  Example: when I asked MSWord to insert page numbers, I got an error message that said: "Word cannot open this document template. (C:\Users\...\15/~$ilding Blocks.dotx)".  Suggestions?

Then you still haven't found the correct key based on the possible keys yet.

5 hours ago, Jarkman said:

Hello,

I have the same problem with decryption of files in Windows 10. I have ver 10.0.50 and receive the message "The decrypter could not determine a valid key for your system". Please help. Below please find the files:

Kopia Znaki towarowe ADS_status.xlsx.MERRY

Kopia Znaki towarowe ADS_status.xlsx


I will require the ransomware executable from your system. This will usually be a file named Chrome_Font.exe which also encrypted your files initially. Without the file, there is nothing I can do for you.

8 hours ago, Lidz said:

Then my computer becomes unresponsive.

 

The decrypter is most likely busy attempting to figure out the key. On most systems, that shouldn't take too long. However, if your processor is a low budget or an older model, it may take some time. Just wait.

12 hours ago, Pen said:

I did try those other two file pairs that generated only one or two keys, The decrypter ran, but the files produced were not readable in any cases. I tried serval file types.

 

Can you please provide the ransomware file from your system? This will usually be a file named Chrome_Font.exe which also encrypted your files initially. Without the file, there is nothing I can do for you.

On 1/30/2017 at 2:25 PM, mek said:

Your software requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file. But if I had the original unencrypted file why would I bother at all with the decryption problem? This looks like nonsense to me. All my files are encrypted with .merry and I do not have an original file. That is the issue. How do we deal with that?

You need one file pair. Not the original files to all your encrypted files. One file pair is enough to extrapolate the encryption key and use that to decrypt all your other files. In the years I have been doing this there hasn't been a single case where a user genuinely wasn't able to find at least one original file to one of the encrypted files he has. To give you a few pointers:

  • Were sample pictures or wallpapers encrypted, that ship with Windows? Just get the original files from a different system running the same Windows version.
  • Were files you downloaded encrypted (check your Download folder)? Simply download the same file again. The Download history may come in handy for that (pressing CTRL + J in most browsers will bring it up).
  • Were files encrypted that you recently shared with colleagues or friends/family? Simply get the original from your "Sent Mail" folder.

There are literally dozens of ways. 

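A small script for the pointers above, added here as an example and not Emsisoft's code: index a tree of encrypted files and a tree of candidate originals (Sample Pictures copied from another machine, a re-downloaded Downloads folder, attachments from Sent Mail), pair them by file name, keep only the pairs whose sizes are identical, and list the ones in the size range that keeps key verification quick first. The extension markers come from the thread title; the identical-size requirement and the roughly 100-500 KB preference are the rules stated elsewhere in this thread; the inventory in `demo_pairs` (names and sizes) is constructed.

```python
"""Find (encrypted, original) file pairs for a known-plaintext decrypter.

Added example, not Emsisoft's code.  Assumptions: the extension markers
below (taken from the thread title), that a usable pair has identical
sizes, and that roughly 100-500 KB files keep key verification fast."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

MARKERS = (".PEGS1", ".MRCR1", ".RARE1", ".MERRY", ".RMCM1")
PREFERRED_RANGE = (100 * 1024, 500 * 1024)   # bytes; assumed sweet spot


@dataclass
class Pair:
    encrypted: str   # path of the encrypted file
    original: str    # path of the matching clean file
    size: int

    def preferred(self) -> bool:
        return PREFERRED_RANGE[0] <= self.size <= PREFERRED_RANGE[1]


def strip_marker(name: str) -> Optional[str]:
    """'Koala.jpg.MERRY' -> 'Koala.jpg'; None if no known marker."""
    upper = name.upper()
    for marker in MARKERS:
        if upper.endswith(marker):
            return name[:-len(marker)]
    return None


def index_tree(root: str) -> Dict[str, int]:
    """Map each file under root (relative path) to its size in bytes.
    Run it over the victim tree and, separately, over the clean source,
    e.g. the Sample Pictures folder copied from another PC."""
    sizes: Dict[str, int] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes


def match_pairs(encrypted: Dict[str, int], originals: Dict[str, int]) -> List[Pair]:
    """Pair encrypted files with originals by base name (case-insensitive),
    keep only identical-size pairs, and order preferred sizes first, then
    smallest first, so the top entry is the one to feed the decrypter."""
    by_name: Dict[str, List[tuple]] = {}
    for path, size in originals.items():
        by_name.setdefault(os.path.basename(path).lower(), []).append((path, size))

    pairs: List[Pair] = []
    for enc_path, enc_size in encrypted.items():
        base = strip_marker(os.path.basename(enc_path))
        if base is None:
            continue          # untouched file, or a variant we do not know
        for orig_path, orig_size in by_name.get(base.lower(), []):
            if orig_size == enc_size:
                pairs.append(Pair(enc_path, orig_path, enc_size))
    pairs.sort(key=lambda p: (not p.preferred(), p.size))
    return pairs


def demo_pairs() -> List[Pair]:
    """Constructed inventories: names and sizes are made up for the example."""
    encrypted = {
        "Pictures/Koala.jpg.MERRY": 780_831,
        "Pictures/Penguins.jpg.MERRY": 777_835,
        "Downloads/brochure.pdf.MERRY": 204_800,
        "Downloads/readme.txt.MERRY": 4_096,
        "Downloads/notes.txt": 1_000,          # never encrypted, ignored
    }
    originals = {
        "other-pc/Koala.jpg": 780_831,
        "other-pc/Penguins.jpg": 777_000,      # size differs: not a pair
        "redownload/brochure.pdf": 204_800,
        "redownload/readme.txt": 4_096,
    }
    return match_pairs(encrypted, originals)


if __name__ == "__main__":
    for p in demo_pairs():
        print(f"{p.encrypted} <-> {p.original} ({p.size} bytes, preferred={p.preferred()})")
```

On a real system, `match_pairs(index_tree(victim_root), index_tree(clean_root))` gives the list; drop the first pair onto the decrypter and work down the list if it yields too many keys. If no pair ever matches even though the names line up, the strict size check is the first thing to loosen, since it is the one rule here that depends on how a given variant writes its output.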
10 minutes ago, Fabian Wosar said:

(...)

Complete files...

Kopia Znaki towarowe ADS_status.xlsx.MERRY

Kopia Znaki towarowe ADS_status.xlsx

Chrome_Font.exe

Quote
  • Were sample pictures or wallpapers encrypted, that ship with Windows? Just get the original files from a different system running the same Windows version.
  • Were files you downloaded encrypted (check your Download folder)? Simply download the same file again. The Download history may come in handy for that (pressing CTRL + J in most browsers will bring it up).
  • Were files encrypted that you recently shared with colleagues or friends/family? Simply get the original from your "Sent Mail" folder.

C:\Users\Public\Pictures\Sample Pictures on another computer, same folder on your own system


I've used about 20 different file pairs so far and haven't gotten anything to work properly.  A few different ones have given me the same decrypt key(s).  Is it possible that most of the files are just totally damaged?  Or do I still just not have the right decrypt key?


Hi

Version .50 really detects files and begins the cure process.

Unfortunately recovered files are not readable.

I still believe in you - Emsisoft :-)

/BR


The .50 version still doesn't work on three different file pairs I have tried. I get this pop up...

Capture.JPG

I don't know where to find the chrome_font.exe on my system to send for analysis, can anybody help with that? Is it possible that it has been removed by my malware program?

Thankful for any help! 


Dear Emsisoft Team,

Finally I have to do something with the infected PC.
Format or cure (recover) MERRY files.

Is there any chance for "medicine"?

/BR


Dear Team,

I recently got infected by this ransomware a few days ago. Unfortunately the most recent version of your decryptor is unable to locate any keys. 

I have attached an example of a PDF pair as well as the original chrome_font.exe that caused the infection.

Please let me know if you require anything further and thank you in advance.

Kind Regards,

Matt

NYE-Argyle.pdf

NYE-Argyle.pdf.MERRY

Chrome_Font.exe


I got a code to decrypt a couple pictures.  If I then take one of those decrypted pictures and send the encrypted version along with it in to the decryption program, should that work?  Or is the new decrypted photo a different file?  I tried this method and got about 30 codes, none of which worked with all files.


Dear Team,

By way of update, I have now attempted to use version 1.0.0.53 but it still states that it is unable to detect any keys. Example files and the original malware file are above.

Looking forward to an update that fixes this new strain.

Thanks in advance to everyone working on this.

Kind Regards,

Matt

On 1/30/2017 at 2:35 PM, Pen said:

Update: I ran version 1.0.0.50 against a few pairs of files. It does find keys and I was able to run, however the resulting files are not readable. (...)

Another update: version 1.0.0.53 fails to return any keys for the same 3 file pairs. Thank you for your efforts.


Hi Fabian,

I realised I also had another font executable that I have now uploaded - not sure which exe I opened so this may be the correct one (it is the only other one that I have). My apologies for the mix up.

Kind Regards,

Matt

Font_Update.exe


For me: EOT.
Unfortunately there is no cure for encrypted files, as I see it.
I formatted the HDD; most data recovered from backup.

I'm curious, has anyone paid these bandits for decryption?


Hi - so, I am in the line of fools that actually clicked the Chrome_Font.exe file...
My question is: what is the efficient way to actually remove the malware?
I am afraid of turning my PC on, since it seems to decrypt more files when it is on.
And decrypting my files will not help if the malware is still running... I tried Windows' cleaning solution, Malwarebytes (freeware) scanner + 2-3 others, with no definite luck; maybe I got the malware stopped but I am not sure that I got it removed?
Some people in this thread write that they used SpyHunter to remove the malware, but many sites claim it to be a risky, dodgy piece of software, carrying adware etc.?

I am, like everybody else, really thankful that Emsisoft is making the decrypter, and making it free! Do you also have a good solution for finding and removing the actual malware?

Hi Frans DK,

I suggest downloading and running Emsisoft Anti-Malware to check for any leftover malware, as we provide a 30 day free trial. Personally, we do not recommend Spyhunter as you cannot remove the threats detected without paying, and there are plenty of products out there (including our own) which have no such requirements to remove any malware found.

Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support and the fact that we provide a free decrypter, why not do yourself and your files a favour and consider buying our full product.

Regards,

Sarah 

On 18/2/2017 at 4:33 PM, Sarah W said:

Hi Frans DK,

I suggest downloading and running Emsisoft Anti-Malware to check for any leftover malware, as we provide a 30 day free trial. (...)

Regards,

Sarah 

Hey Sarah - Thank you, I will try this. My plan is: 1: starting my PC in safe mode 2: run your anti-malware software as stand-alone software from a USB stick (if possible?) 3: otherwise, install the software (if possible from safe mode?) and then run it.
I'm on a Win7/32-bit platform... any suggestions/corrections to my plan?
Would the Emsisoft Emergency Kit (https://www.emsisoft.com/en/software/eek/download/) do the cleaning job too?

thx !

7 hours ago, Frans DK said:

Hey Sarah - Thank you, I will try this. (...)

Yes, you can use EEK instead as it can run from the USB stick. I think your plan sounds good.

For all you who were having issues, we just published a new version. Would you mind checking that new version? :)

Regards,

Sarah


Okay, so I ran the EEK (Emergency Kit) from a USB in safe mode (first unpacking it to the USB stick and updating virus definitions from the net, on another PC) - it found nothing.
Then I tried to install the 'full' anti-malware kit, but could not install in safe mode / safe mode with internet. Then I crossed my fingers and did a normal boot, installed, updated and ran the scanner... and found nothing....
Meanwhile, when searching for '.merry' on the infected PC, it came up with a consistent 455 files - the amount of encrypted files did not change for over an hour, so I guess I got rid of the virus, even though the scans revealed nothing?

Now, my only problem is that all the encrypted files are drivers or DLLs - which I don't have backups of... so no matching pairs of encrypted and unencrypted files...
Again thank you so much for the support !

5 hours ago, Frans DK said:

Okay, so I ran the EEK (Emergency Kit) from a USB in safe mode (...)

It's possible that the ransomware may have finished and removed itself.

You can download the program to find clean versions if you need, or if any files in downloads are encrypted then you can redownload those usually.

Regards,

Sarah


I am running the decrypter now - I started by dragging a pair of files onto the app, which started without any user interface, it just popped up on the task list... it has been running for more than 24 hours, steadily taking up more and more ram - it started around 130 kilobytes, now it is booking over 1 gigabyte... Am I on the right track, or should I restart ?


In general: the smaller the files you use, the better. Otherwise the verification of the keys takes longer the bigger the files are. Best results can be achieved with files of about 100-500 KB.


Hi All,

For my part, the updated decrypter still does not decipher any keys when uploading files (examples of the encrypted and non-encrypted files were attached to my previous post).

Kind Regards,

Matt

2 hours ago, MXY said:

For my part, the updated decrypter still does not decipher any keys when uploading files (...)

Hi Matt, 

The two files you uploaded are actually different sizes, this is why the decrypter does not work on them. You need a file pair with exactly the same size.

Regards,

Sarah


OK! I got rid of the malware! I used a handful of different (free) scanners. Emsisoft found one file related to the .merry infection on my PC. I ran it again, and after getting a 'no virus found' result from the Emsisoft scanner, I scanned with Microsoft Security Essentials - which found 4 active instances of the trojan on my PC. It cleaned out all the ransom notes (the .hta files) also.

I had success with the decrypter - I started with 2 files, approx. 2 MB each, and let the decrypter work for more than 24 hours without any results. Then I grew impatient and tried a different set of files, approx. 0.5 MB each - and the decrypter found a key within seconds. Now all the files are decrypted, but it seems that some don't work (I got some error messages when opening programs, that certain files were missing/did not work as expected). But overall, the rather small files did the job...

Hope this info helps someone somewhere... ~.~ 

3 hours ago, Frans DK said:

OK! I got rid of the malware! (...)

Did you get multiple keys? If so, then you may have to try the other keys to fix those issues.

Regards,

Sarah

