gostevie 1 Report post Posted February 3, 2017 Hi there. My girlfriend's laptop got infected with the Merry Christmas ransomware after she opened a Chrome_Font.exe. I tried using your decrypter, v1.0.0.50, but it won't detect any keys, unfortunately. Do you think the problem is a new encryption that's not in your decrypter? I've included six files (3 corrupted, 3 normal). Thank you for all the help. Download Image PD_2_File_001.jpg.MERRY Download Image PD_8_File_002.jpg.MERRY Download Image PD_9_File_001.JPG.MERRY 1 Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted February 3, 2017 Hello there, Do you still have the Chrome_Font.exe file that your girlfriend ran? It may be that they updated the ransomware. Regards, Sarah 1 Quote Share this post Link to post Share on other sites
gostevie 1 Report post Posted February 4, 2017 Hi there, unfortunately, the file was deleted. I found out the name, though. It was "Font_Update.exe". I assume it was removed when we ran the Malwarebytes virus scan. I've uploaded the log of the Malwarebytes virus scan, that's all that I could find. Thank you for any help. malware.txt Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted February 5, 2017 Hello there, Can you check the malwarebytes quarantine for me to see if it is in there? Regards, Sarah Quote Share this post Link to post Share on other sites
gostevie 1 Report post Posted February 6, 2017 Great acall! I found it quarantined, restored it, then uploaded it here. There were a few other suspicious files in the same folder as the FONT_UPDATE.EXE, such as DRIVER-UPDATER-SETUP.EXE and WIPERSOFT-INSTALLER.EXE that were quarantined by Malwarebytes. I'm not sure if they have anything to do with the virus though, so I didn't restore and upload them, but can do that if you want. And thank you so so much for helping us with this problem, we really appreciate it. Thank you. PS: I tried decrypting using the v.53 software, didn't work either. FONT_UPDATE.EXE Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted February 9, 2017 Hi gostevie, Thank you for that file. It is helpful. Fabian, who works on the decrypters, has been ill recently, but we are looking into this. Please be patient. Regards, Sarah Quote Share this post Link to post Share on other sites
gostevie 1 Report post Posted February 13, 2017 Hi Sarah, thank you for your reply. Hope Fabian gets better soon. We're waiting patiently :-) Quote Share this post Link to post Share on other sites
Aga 0 Report post Posted February 13, 2017 Hej, Version: 1.0.0.53 doesnt work for me either. It says that the decrypter could not determine key for my system. It repeats with different kind of files (I dont have jpg I think). I have Windows 10, I don't know if that matters. I got my laptop back from service point where they deleted virus by files are still blocked. Thanks for any help! jak-nie-czuć-się-zerem.mobi jak-nie-czuć-się-zerem.mobi.MERRY Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted February 18, 2017 Unfortunately restoring from a system recovery point cannot decrypt your files, and we are still working on this, though there are some complications. Regards, Sarah Quote Share this post Link to post Share on other sites
gostevie 1 Report post Posted February 19, 2017 Still waiting patiently :-) thank you for your help! Quote Share this post Link to post Share on other sites
Fabian Wosar 390 Report post Posted February 20, 2017 @gostevie, I just published a new version. Would you mind checking that new version? EDIT: Just tested it with your files. The correct key should be "4:2:Z_h_r_H_t_D_S_t_F_n_". Used the PF_2_File_001.jpg files you provided for the comparison. Results in 4 keys. The third one decrypts all the files you provided. 1 Quote Share this post Link to post Share on other sites
gostevie 1 Report post Posted February 23, 2017 Yeah, it worked for us!! We managed to decrypt everything! Thank you so much!! There's a donation coming your way!! Thanks! Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted February 23, 2017 Hi gostevie, I'm glad that our software could help us recover your files. No need to donate, however as a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah Quote Share this post Link to post Share on other sites
Jarin81 0 Report post Posted April 11, 2017 Hello, several months trying to decrypt virus merry christmas with your Decrypter for MRCR different versions, but unfortunately we do not always decode the picture. Please, could you look at this, I'm sending 10 photos (5 infected a good 5). Thank you Download Image DSC06719.JPG.MERRY Download Image DSC08851.JPG.MERRY Download Image DSC08868.JPG.MERRY Download Image DSC08876.JPG.MERRY Download Image Mazda_mpv.JPG.MERRY MERRY_I_LOVE_YOU_BRUCE.HTA Quote Share this post Link to post Share on other sites
Sarah W 26 Report post Posted April 13, 2017 Hi Jarin81, You need to download the decrypter from here, and you will need to drag and drop DSC06719.JPG.MERRY and DSC06719.JPG files onto the decrypter. It will find 4 keys, you need to go into Options tab and select the 3rd option (-2:1:2_n_A_B_r_b_D_) in the Key Selection. Then you can switch to the Decrypter tab and click Decrypt. Regards, Sarah Quote Share this post Link to post Share on other sites
