PS98

Files have .crypt extension

This looks like it could be a new variant of CryptXXX.

I will need to get a couple of logs to see if I can find the malware file responsible for the infection.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to your desktop.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi there,

Have you moved the files from the original location? 

You can try other file pairs, but if they do not work then we will need the malware file.

Regards,

Sarah

I ran the decryptor on another computer using a file pair I copied from the affected computer. Does that make a difference? I can repeat the procedure on the original computer if necessary.

I presume this happened via a Remote Desktop connection using the CARLLA profile (the real user and profile is CARLA). They must have created this profile by some means (the real user has a strong password) and then logged into it remotely. I looked around in the bad profile and couldn't find any suspicious files. Where would I look for the malware file?

Thanks.

11 minutes ago, PS98 said:

I ran the decryptor on another computer using a file pair I copied from the affected computer. Does that make a difference? I can repeat the procedure on the original computer if necessary.

I presume this happened via a Remote Desktop connection using the CARLLA profile (the real user and profile is CARLA). They must have created this profile by some means (the real user has a strong password) and then logged into it remotely. I looked around in the bad profile and couldn't find any suspicious files. Where would I look for the malware file?

Thanks.

 

Yes, please run it on the actual computer the infection happened on and the original copies (hopefully not moved) :)

I suggest perhaps restricting what IPs can connect to RDP and making sure that the password is changed and not reused anywhere else, as they tend to brute force their way in. Considering it was done by RDP, there is a good chance it may have been deleted, but I suggest checking the Recycle Bin and running a scanner/antivirus (you can use our programs).

Regards,

Sarah

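The reply above recommends restricting which IPs can reach RDP and checking how the attacker got in. The following PowerShell is an added example written for this page; it is not code from the thread, from Sarah, or from any vendor tool. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser and the NetSecurity cmdlets), an elevated session on the affected machine, and placeholder values for the RDP allow-list and the list of accounts that are supposed to exist. It first collects the evidence a responder would want (unexpected local accounts such as a look-alike CARLLA next to CARLA, 4720 account-creation events, 4624 type-10 RDP logons with their source IPs, and 4625 failures grouped by IP as a brute-force indicator) and only then applies the hardening.

```powershell
# Added example (not from the thread): RDP intrusion triage plus hardening.
# Run in an elevated PowerShell on the affected host. The two lists below
# are assumptions for illustration; replace them with your own values.
#Requires -RunAsAdministrator

$AllowedRdpSources = @('203.0.113.10', '198.51.100.0/24')   # assumed: admin VPN / office ranges
$ExpectedAccounts  = @('Administrator', 'CARLA', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
$Since             = (Get-Date).AddDays(-30)

function Get-EventField {
    # Read a named EventData field from a Security event. Looking fields up
    # by name rather than by positional index keeps this stable across OS builds.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Local accounts that are not on the expected list (e.g. CARLLA vs CARLA).
Write-Host "== Local accounts not in the expected list =="
Get-LocalUser | Where-Object { $ExpectedAccounts -notcontains $_.Name } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 2. Who created which account (event 4720) in the last 30 days.
Write-Host "== Account creations (4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Created   = Get-EventField $_ 'TargetUserName'
            CreatedBy = Get-EventField $_ 'SubjectUserName'
        }
    } | Format-Table -AutoSize

# 3. Successful RDP logons: 4624 with LogonType 10 (RemoteInteractive), with source IP.
Write-Host "== Successful RDP logons (4624 / type 10) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = Get-EventField $_ 'TargetUserName'
            From = Get-EventField $_ 'IpAddress'
        }
    } | Format-Table -AutoSize

# 4. Brute-force signal: failed logons (4625) grouped by source IP, top 10.
Write-Host "== Failed logons (4625) by source IP =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 5. Harden: scope the built-in "Remote Desktop" firewall rules to the allow-list
#    and require Network Level Authentication, so credentials are checked before
#    a session is created and password guessing no longer reaches the logon screen.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedRdpSources
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1
Write-Host "RDP inbound restricted to: $($AllowedRdpSources -join ', '); NLA enabled."
```

Run the evidence-gathering part before disabling or deleting the rogue account, so the creation and logon records are still tied to a live SID; export the Security log (wevtutil epl Security security.evtx) before any cleanup. The 4625 grouping will show '-' as a source for failures recorded without a network address; a large count against a single external IP is the pattern the reply refers to. Restricting the firewall rule is a stopgap: if the machine must stay reachable over the internet, put RDP behind a VPN or gateway rather than relying on an IP allow-list alone.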
I placed the good file into the same folder as the encrypted one on the affected computer as well as the decryptor but received the same "The decrypter could not determine a valid key..." message.  A complete scan for virus/malware came up clean.

This is dreadful!

 

We decided to pay the ransom and received the decryption program which worked for us.  In case this is of value to anyone as far as creating a tool for general use, I've attached the decryption file here.  I renamed the file from .EXE to .TXT and made a ZIP file out of it.  I presume it has both my and the private key built into it. I didn't have to supply any parameters and it says in the ransom note that it won't work on anyone else's machine since each machine encrypted has a different key.  It just walks the entire C: drive, decrypting .crypt files as it goes. I don't recommend anyone else use this particular program if they were similarly attacked as it may make any possible future recovery impossible.

decryptor.zip
