Billy C

.crypt files possibly encrypted twice?


Hi All,

So I have an issue in which it looks like the files are encrypted twice by two different crypt versions.

I ran the tools but none of them worked. I've tried some other tools and they error saying that the files are not the exact same size. It seems like the encrypted files are slightly larger by varying sizes.

Ransomware gave me 4 possible variants on the upload.

It seems like it was first encrypted with an earlier variant of .crypt (how to open file.hta).

Then by how to open files.html, as the .hta files are also .crypt.

I've attached a few pairs to show the different size variants between the files. I couldn't find an exe or any suspicious quarantined file, so I loaded the FRST.txt file as well.

HOW_OPEN_FILES.hta.crypt

FRST.txt

different sizes.jpg

HOW_OPEN_FILES.html

no key found.jpg

cmain.dll.zip
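As an added triage example (not the poster's or the forum's own tooling; the sample directory below is constructed), this script does the check a pair-based decryptor performs before it refuses on "not the same size": it matches each .crypt file to its original by name, measures how many bytes larger the encrypted copy is, reports whether that overhead is constant across pairs, flags encrypted files with no original left (such as the first variant's ransom note re-encrypted by the second variant), and counts nested .crypt layers. Function names and the sample file contents are assumptions for illustration.

```python
"""Triage helper for a directory hit by .crypt ransomware: pairs originals
with their .crypt copies, measures the size overhead per pair and counts
nested .crypt layers. Added example; all sample data is constructed."""
import math
import random
from collections import Counter

CRYPT_EXT = ".crypt"


def crypt_layers(name: str) -> int:
    """Number of trailing .crypt extensions on a file name (a.hta.crypt -> 1)."""
    layers = 0
    while name.lower().endswith(CRYPT_EXT):
        name = name[: -len(CRYPT_EXT)]
        layers += 1
    return layers


def pair_files(names):
    """Match each encrypted name to the original with the same base name.

    Returns (pairs, orphans): pairs maps encrypted name -> original name;
    orphans lists encrypted names whose original is missing, which a
    decryptor that needs an original/encrypted pair cannot work with.
    """
    present = set(names)
    pairs, orphans = {}, []
    for name in names:
        if crypt_layers(name) == 0:
            continue
        base = name[: -len(CRYPT_EXT)]
        if base in present:
            pairs[name] = base
        else:
            orphans.append(name)
    return pairs, orphans


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_pair(original: bytes, encrypted: bytes) -> dict:
    """Size delta and two sanity checks on one original/.crypt pair."""
    delta = len(encrypted) - len(original)
    return {
        "delta": delta,
        "same_size": delta == 0,
        # a surviving plaintext prefix would mean only part of the file was
        # encrypted (e.g. header-only), not a whole-file scheme
        "plaintext_prefix_survives": bool(original) and original[:16] in encrypted,
        "entropy_original": round(shannon_entropy(original), 2),
        "entropy_encrypted": round(shannon_entropy(encrypted), 2),
    }


def overhead_report(files: dict, names) -> dict:
    """files maps name -> bytes. Reports per-pair deltas and whether the
    overhead is constant (one fixed-size appended block, typical of a
    per-file key blob) or varies from file to file."""
    pairs, orphans = pair_files(names)
    deltas = {enc: analyse_pair(files[orig], files[enc])["delta"]
              for enc, orig in pairs.items()}
    return {
        "deltas": deltas,
        "orphans": orphans,
        "constant_overhead": len(set(deltas.values())) == 1 if deltas else None,
        "max_layers": max((crypt_layers(n) for n in names), default=0),
    }


def _fake_ciphertext(size: int, seed: int) -> bytes:
    """Constructed stand-in for encrypted content: deterministic random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_sample():
    """Constructed sample directory: two originals with .crypt copies carrying
    a 16-byte appended trailer, the first variant's note encrypted by the
    second variant (.hta.crypt) with no original left, and a clean log."""
    doc = b"Quarterly report\n" * 40
    exe = b"MZ" + bytes(range(256)) * 4
    files = {
        "report.docx": doc,
        "report.docx.crypt": _fake_ciphertext(len(doc), 1) + b"\x00" * 16,
        "c21.exe": exe,
        "c21.exe.crypt": _fake_ciphertext(len(exe), 2) + b"\x00" * 16,
        "HOW_OPEN_FILES.hta.crypt": _fake_ciphertext(300, 3) + b"\x00" * 16,
        "HOW_OPEN_FILES.html": b"<html>note</html>",
        "FRST.txt": b"Farbar Recovery Scan Tool log",
    }
    return files, list(files)


if __name__ == "__main__":
    sample_files, sample_names = build_sample()
    print(overhead_report(sample_files, sample_names))
```

On a real directory, replace build_sample with a walk that reads each file's bytes; a constant delta across pairs with no orphans is the situation a pair-based decryptor expects, while varying deltas or a second .crypt layer explain the "files are not the exact same size" failure and indicate the pairs need to be re-matched against the intermediate (first-variant) encrypted copies, if any survive.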


Hi there,

Can you please upload this (C:\Documents and Settings\Guest\Application Data\Neazgy\owub.exe) file to virustotal and post the link.

It looks like you were infected with two different ransomwares, is this correct?

Please download this decrypter and drag and drop the c21.exe and c21.exe.crypt onto it. Let me know if you have any issues.

Regards,

Sarah

1 hour ago, Sarah W said:

Hi there,

Can you please upload this (C:\Documents and Settings\Guest\Application Data\Neazgy\owub.exe) file to virustotal and post the link.

It looks like you were infected with two different ransomwares, is this correct?


Hi Sarah, unfortunately the owub.exe is no longer in that location. I checked the virus vault in Avast and a few other scanners (Malwarebytes) to see if they caught anything, but there is no trace. I'm currently doing a deep search for it on the computer. Hopefully I will update soon.

Yes, it seems like 2 different ransomwares: the .hta extension first and then the .html version, both with .crypt extensions.

After the 2nd run of the decryptor:

2nd run.jpg


Hi there,

Sorry about the delay, it's been rather a busy week, but we managed to find a sample, as this happens to be a new version. Unfortunately, they generate the key in a secure way now. We cannot recover your files for free.

Regards,

Sarah

3 hours ago, Sarah W said:

Hi there,

Sorry about the delay, it's been rather a busy week, but we managed to find a sample, as this happens to be a new version. Unfortunately, they generate the key in a secure way now. We cannot recover your files for free.

Regards,

Sarah

Thank you for getting back to me. Please message me the options. Luckily, it's not a super emergency.


Hi Billy,

The only options for restoring the files are from a backup, or trying a program like Shadow Explorer or any data recovery tool.

If this is a server, please change your RDP password to something more secure or disable it if you no longer need it.

Regards,

Sarah
