SmartK8

CryptON decryption not working for me


Hi, I have been infected with (probably) CryptON (identified via ID Ransomware). Filenames end in locked_by_krec, each file is 16 bytes longer, and every folder contains How to decode your files.html.

I turned off the RDP port on the router, cleaned the computer with Malwarebytes (quarantined everything), made a backup of important files and then tried to use the EMSISOFT tool to decrypt them (on several pairs), but it doesn't work.

The files really are encrypted (not just random noise) consistently. I've compared two identical files (in two different places) and they're identical when encrypted.

Luckily I have been able to use ShadowExplorer to restore most of the system disk, and the source repositories were untouched, as well as my main virtual machine (it was probably too big to encrypt and fit on the disk).

Unfortunately my backup was password protected, and even though I had multiple files with this password stored, all of them have been encrypted. So I can't use the backup (I was caught by surprise by the ransomware).

FRST.txt

Addition.txt

scan_170312-134925.txt

JRT.txt

Document.txt

Document.txt.id-4044008089_locked_by_krec

https://id-ransomware.malwarehunterteam.com/identify.php?case=5fc0a3ddc2e44e76e8899dab7846d9106ff24409

Attached screenshots: CryptONRansomware.png, CannotDecrypt.png

Is there a possibility to help somehow to enhance the decryptor tool to work on my files as well? What more should I provide?

regards,

Kate

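A small triage helper for the situation described in the post above, added here as an example (it is not the Emsisoft decryptor's code and not a forum member's script). It assumes the naming pattern reported in the thread (`<original name>.id-<digits>_locked_by_krec`), the 16-byte size increase, and the ransom note name `How to decode your files.html`; the directory listing it runs on is constructed. It pairs each encrypted file with a plaintext copy (for example one restored via ShadowExplorer), checks that the size delta matches, and lists which pairs are consistent enough to hand to a file-pair decryptor.

```python
"""Triage of CryptON-style encrypted files (added example for this thread;
not the Emsisoft decryptor's code and not any forum member's script).

Assumptions, taken from the thread: encrypted names follow
    <original name>.id-<digits>_locked_by_krec
each encrypted file is 16 bytes longer than its plaintext, and every
affected folder holds "How to decode your files.html". The listing below
is constructed to exercise the checks."""
import os
import re
from typing import Dict, List, Optional, Tuple

ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<vid>\d+)_locked_by_krec$")
EXPECTED_DELTA = 16                      # bytes added per encrypted file
RANSOM_NOTE = "How to decode your files.html"

# Constructed listing: relative path -> size in bytes.
SAMPLE_LISTING: Dict[str, int] = {
    "Documents/Document.txt": 1024,                                # restored via ShadowExplorer
    "Documents/Document.txt.id-4044008089_locked_by_krec": 1040,  # 1024 + 16
    "Documents/" + RANSOM_NOTE: 2300,
    "Photos/cat.jpg.id-4044008089_locked_by_krec": 5016,          # no plaintext copy available
    "Backup/archive.zip": 7000,
    "Backup/archive.zip.id-4044008089_locked_by_krec": 7020,      # 20-byte delta: does not fit
    "Backup/" + RANSOM_NOTE: 2300,
}


def parse_encrypted_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (plaintext path, victim id) for an encrypted name, else None."""
    m = ENCRYPTED_RE.match(path)
    return (m.group("orig"), m.group("vid")) if m else None


def pair_files(listing: Dict[str, int]) -> List[dict]:
    """Pair each encrypted file with its plaintext copy (if the listing has one)
    and check the size delta. Pairs that fail the delta check are poor input
    for a file-pair decryptor, which expects every sample to share one format."""
    pairs = []
    for path, size in listing.items():
        parsed = parse_encrypted_name(path)
        if parsed is None:
            continue
        orig, vid = parsed
        orig_size = listing.get(orig)
        pairs.append({
            "encrypted": path,
            "plaintext": orig,
            "victim_id": vid,
            "has_plaintext": orig_size is not None,
            "delta_ok": orig_size is not None and size - orig_size == EXPECTED_DELTA,
        })
    return pairs


def good_pairs(listing: Dict[str, int]) -> List[Tuple[str, str]]:
    """(plaintext, encrypted) pairs that pass the delta check."""
    return [(p["plaintext"], p["encrypted"]) for p in pair_files(listing) if p["delta_ok"]]


def victim_ids(listing: Dict[str, int]) -> set:
    """Distinct ids seen; more than one would suggest several infections."""
    return {p["victim_id"] for p in pair_files(listing)}


def folders_with_note(listing: Dict[str, int]) -> List[str]:
    """Folders that contain the ransom note."""
    return sorted(os.path.dirname(p) for p in listing if os.path.basename(p) == RANSOM_NOTE)


def scan_tree(root: str) -> Dict[str, int]:
    """Build a listing like SAMPLE_LISTING from a real directory tree."""
    listing: Dict[str, int] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            listing[os.path.relpath(full, root).replace(os.sep, "/")] = os.path.getsize(full)
    return listing


if __name__ == "__main__":
    for p in pair_files(SAMPLE_LISTING):
        print(p)
    print("usable pairs:", good_pairs(SAMPLE_LISTING))
```

Run `scan_tree("D:/")` (or the restored folder) in place of `SAMPLE_LISTING` on a real machine. The point of the delta check is the observation in the post that the encryption is consistent: a sample whose size change differs from the rest is the one most likely to make a decryptor fail, so it should be set aside rather than submitted.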

Hello Kate,

I moved your thread into a more appropriate forum. We will require the malware file that encrypted your files in order to help. Can you check and post your Malwarebytes log by any chance? I can then tell you which of the files in your quarantine are the most likely candidates.


After two days of layman analysis, I'm starting to think that the attacker brute forced my RDP (only recently opened port), ran the program, erased the event logs (they start when the attack ended, according to my crudely established timeline), and securely deleted the program (nothing notable in disk recovery software). All those programs in the cleanup seem to be legitimate libraries (Freemake updater, Lavasoft libraries; SpyHunter looked shady, but it was installed afterwards and I removed it before using it) that were there at least on 2/25/2017 (long before the attack) and are OK according to VirusTotal. Definitely no signs of Crypton.exe or something obvious like that (not even in the past). I'm not sure what the modus operandi is for RDP attacks (obviously different from when a person is infected via an email attachment), but I hope it's not a new trend to erase the encryptor.

regards,

Kate

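The post above reconstructs a timeline from event logs that start only when the attack ended. The following is an added example (not any forum member's script) of how a defender can check exported Windows event records for exactly that pattern: whether the Security log's earliest surviving record is the "audit log cleared" event, which RDP source addresses survive in the separate TerminalServices connection log that is often overlooked when only Security is wiped, and how many RDP logon failures each address produced where that log still exists. The record format (fields `Channel`, `EventID`, `Time`, `LogonType`, `IpAddress`) is an assumption about how the events were exported, and all records and addresses are constructed.

```python
"""Checking exported Windows event records for the cleared-log and RDP
hypothesis raised in this thread (added example; not a forum member's script).

Assumptions: events were exported (e.g. from Get-WinEvent) into records with
the fields used below; the field names are this example's own. Event IDs:
4625 failed logon and 4624 successful logon (Security; LogonType 10 is
RemoteInteractive, i.e. RDP), 1102 audit log cleared (Security), and 1149
"User authentication succeeded" in the TerminalServices-RemoteConnectionManager
operational log, which records the source address. All records and addresses
below are constructed."""
from collections import Counter
from datetime import datetime
from typing import Dict, List

SECURITY = "Security"
TS_RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
RDP_LOGON_TYPE = 10

SAMPLE_EVENTS: List[dict] = [
    # The TerminalServices log survived; the Security log was cleared at 02:31,
    # so no 4625 failures from before that time exist any more.
    {"Channel": TS_RCM, "EventID": 1149, "Time": "2017-03-05T10:00:00", "IpAddress": "192.0.2.10"},
    {"Channel": TS_RCM, "EventID": 1149, "Time": "2017-03-09T23:40:00", "IpAddress": "203.0.113.45"},
    {"Channel": TS_RCM, "EventID": 1149, "Time": "2017-03-10T00:58:30", "IpAddress": "203.0.113.45"},
    {"Channel": SECURITY, "EventID": 1102, "Time": "2017-03-10T02:31:00", "User": "Administrator"},
    {"Channel": SECURITY, "EventID": 4624, "Time": "2017-03-10T08:05:12", "LogonType": 2, "IpAddress": "-"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def log_cleared_times(events: List[dict], channel: str = SECURITY) -> List[str]:
    """Timestamps of 'audit log cleared' events in the channel."""
    return [e["Time"] for e in events if e["Channel"] == channel and e["EventID"] == 1102]


def channel_starts_with_clear(events: List[dict], channel: str = SECURITY) -> bool:
    """True when the earliest surviving record in the channel is the clear event
    itself: everything before it is gone and the timeline must come from
    other channels."""
    chan = sorted((e for e in events if e["Channel"] == channel), key=lambda e: _t(e["Time"]))
    return bool(chan) and chan[0]["EventID"] == 1102


def failed_rdp_logons_by_ip(events: List[dict]) -> Dict[str, int]:
    """Count of 4625 failures with LogonType 10 per source address (empty when
    the Security log was wiped before export)."""
    return dict(Counter(
        e["IpAddress"] for e in events
        if e["Channel"] == SECURITY and e["EventID"] == 4625
        and e.get("LogonType") == RDP_LOGON_TYPE
    ))


def rdp_sources(events: List[dict], since: str) -> Dict[str, int]:
    """Source addresses of RDP sessions since a given time, taken from both
    channels so a wiped Security log does not hide them."""
    c: Counter = Counter()
    for e in events:
        if _t(e["Time"]) < _t(since):
            continue
        if e["Channel"] == TS_RCM and e["EventID"] == 1149:
            c[e["IpAddress"]] += 1
        elif (e["Channel"] == SECURITY and e["EventID"] == 4624
              and e.get("LogonType") == RDP_LOGON_TYPE):
            c[e["IpAddress"]] += 1
    return dict(c)


def triage(events: List[dict], window_start: str) -> dict:
    """Summary a responder can read at a glance."""
    return {
        "security_log_cleared_at": log_cleared_times(events),
        "security_starts_with_clear": channel_starts_with_clear(events),
        "failed_rdp_by_ip": failed_rdp_logons_by_ip(events),
        "rdp_sources_in_window": rdp_sources(events, window_start),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, "2017-03-09T00:00:00"))
```

On the constructed data the failure count is empty precisely because the Security log begins with its own clear event, while the TerminalServices channel still names the address that connected twice in the hours before the clear. That is the kind of leftover the post mentions, and it is why exporting every RDP-related channel, not only Security, belongs in the first step of such a timeline.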

I have recovered the IP address of the attacker (he missed deleting parts of a specialized event log), their group and their website, if that is of any use to someone.

The new version of the decrypter works for me. I'm eternally grateful.

Thanks and best regards,

Kate

Attached screenshot: DecryptorKey.png
