gostevie

Merry Christmas infected, Decrypter v 1.0.0.50 not working

Recommended Posts

Hi there. My girlfriend's laptop got infected with the Merry Christmas ransomware after she opened a Chrome_Font.exe. I tried using your decrypter, v1.0.0.50, but it won't detect any keys, unfortunately. Do you think the problem is a new encryption that's not in your decrypter? I've included six files (3 corrupted, 3 normal). Thank you for all the help. 

PD_2_File_001.jpg
Download Image

PD_2_File_001.jpg.MERRY

PD_8_File_002.jpg
Download Image

PD_8_File_002.jpg.MERRY

PD_9_File_001.JPG
Download Image

PD_9_File_001.JPG.MERRY

  • Upvote 1

Share this post


Link to post
Share on other sites

Hello there,

Do you still have the Chrome_Font.exe file that your girlfriend ran? It may be that they updated the ransomware.

Regards,

Sarah

  • Upvote 1

Share this post


Link to post
Share on other sites

Hi there, 

unfortunately, the file was deleted. I found out the name, though. It was "Font_Update.exe". I assume it was removed when we ran the Malwarebytes virus scan. I've uploaded the log of the Malwarebytes virus scan, that's all that I could find. Thank you for any help.

malware.txt

Share this post


Link to post
Share on other sites

Great acall! I found it quarantined, restored it, then uploaded it here. There were a few other suspicious files in the same folder as the FONT_UPDATE.EXE, such as DRIVER-UPDATER-SETUP.EXE and WIPERSOFT-INSTALLER.EXE that were quarantined by Malwarebytes. I'm not sure if they have anything to do with the virus though, so I didn't restore and upload them, but can do that if you want.

And thank you so so much for helping us with this problem, we really appreciate it. Thank you.

PS: I tried decrypting using the v.53 software, didn't work either.

FONT_UPDATE.EXE

Share this post


Link to post
Share on other sites

Hi gostevie,

Thank you for that file. It is helpful. Fabian, who works on the decrypters, has been ill recently, but we are looking into this. Please be patient.

Regards,

Sarah

Share this post


Link to post
Share on other sites

Hej,  Version: 1.0.0.53 doesnt work for me either. It says that the decrypter could not determine key for my system. It repeats with different kind of files (I dont have jpg I think). I have Windows 10, I don't know if that matters. I got my laptop back from service point where they deleted virus by files are still blocked. Thanks for any help!

jak-nie-czuć-się-zerem.mobi

jak-nie-czuć-się-zerem.mobi.MERRY

Share this post


Link to post
Share on other sites

Unfortunately restoring from a system recovery point cannot decrypt your files, and we are still working on this, though there are some complications.

Regards,

Sarah

Share this post


Link to post
Share on other sites

@gostevie, I just published a new version. Would you mind checking that new version? :)

EDIT: Just tested it with your files. The correct key should be "4:2:Z_h_r_H_t_D_S_t_F_n_". Used the PF_2_File_001.jpg files you provided for the comparison. Results in 4 keys. The third one decrypts all the files you provided.

  • Upvote 1

Share this post


Link to post
Share on other sites

Hi gostevie,

I'm glad that our software could help us recover your files.

No need to donate, however as a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it.

Regards,

Sarah

Share this post


Link to post
Share on other sites

Hello, several months trying to decrypt virus merry christmas with your Decrypter for MRCR different versions, but unfortunately we do not always decode the picture. Please, could you look at this, I'm sending 10 photos (5 infected a good 5). Thank you

DSC06719.JPG
Download Image

DSC06719.JPG.MERRY

DSC08851.JPG
Download Image

DSC08851.JPG.MERRY

DSC08868.JPG
Download Image

DSC08868.JPG.MERRY

DSC08876.JPG
Download Image

DSC08876.JPG.MERRY

Mazda_mpv.JPG
Download Image

Mazda_mpv.JPG.MERRY

MERRY_I_LOVE_YOU_BRUCE.HTA

Share this post


Link to post
Share on other sites

Hi Jarin81,

You need to download the decrypter from here, and you will need to drag and drop DSC06719.JPG.MERRY and DSC06719.JPG files onto the decrypter. It will find 4 keys, you need to go into Options tab and select the 3rd option (-2:1:2_n_A_B_r_b_D_) in the Key Selection. Then you can switch to the Decrypter tab and click Decrypt.

Regards,

Sarah

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.