Maxim

New CryptON Ransomware

By Maxim, in Ransomware First Aid

Recommended Posts

pursang    0

pursang
Posted

Make that a "Me too"; also for the RDP question.

However, I'm still trying to figure out how they pulled that one - AFAIK no password(s) (was)were compromised.

If anyone wants some details of what I have, feel free to ask.

Waiting patiently to see if there's a resolution. Fingers crossed.

 

Share this post

Link to post
Share on other sites

Sarah W    26

Sarah W
Posted

Hi all,

Yes, they are hacking in via insecure RDP configuration. Make sure if you continue to use RDP that you set a strong password.

We are looking into it and hopefully will have something for you in terms of decryption, though it may take a while since the member who does the decryption is ill.

Regards,

Sarah

Share this post

Link to post
Share on other sites

hmtech    0

hmtech
Posted

Same issue with us.

Have a pc struck with a new version of crypton.

files changed to *[wqfhdgpdelcgww4g.onion.to].mf8y3, but size seems to be the same between the original and the encrypted one ..

When we uploaded the ransom note file and an ecrypted via ID Ransomware, we got 2 results. That it's either Cry128 (which is still under analysis) or Cry9 (but we tried the decryptor and we got an error that it's not a valid crytpton file pair etc.

(probably it was via rdp here too..)

Share this post

Link to post
Share on other sites

Edwin    0

Edwin
Posted

Same problem here!

Looking for solution...

Shell I format my computer wait for cry128 decryptor?

Or leave it and wait for decryptor?

(I have made copy of infected files)

Share this post

Link to post
Share on other sites

monkeymatic    0

monkeymatic
Posted
On 26/04/2017 at 6:39 PM, Edwin said:

Same problem here!

Looking for solution...

Shell I format my computer wait for cry128 decryptor?

Or leave it and wait for decryptor?

(I have made copy of infected files)

Can't really give advice beyond...I think it's always best to leave it and wait, just in case, maybe image your hard drive if you wanna format, then you can always re-image to get the original setup back

Share this post

Link to post
Share on other sites

Sarah W    26

Sarah W
Posted
On 26/04/2017 at 6:39 PM, Edwin said:

Same problem here!

Looking for solution...

Shell I format my computer wait for cry128 decryptor?

Or leave it and wait for decryptor?

(I have made copy of infected files)

 

Hi Edwin,

You can format your computer and then copy over the encrypted files to the new system.

We are currently still working on the solution.

Regards,

Sarah

  • Upvote 1

Share this post

Link to post
Share on other sites

Battery Low    0

Battery Low
Posted
10 hours ago, Sarah W said:

Hi Edwin,

You can format your computer and then copy over the encrypted files to the new system.

We are currently still working on the solution.

Regards,

Sarah

Appreciate your efforts, waiting for some solution...

Share this post

Link to post
Share on other sites

mikeody1989    0

mikeody1989
Posted

Hi

New member here! Same issue (36 bytes difference between original and encrypted file). RDP password was very strong although we used the default port and it wasn't secure.

When we kicked them out, they removed us from their database so we don't even have the option of paying the ransom...

Thankfully we have original files to match with the encrypted ones in case Emsisoft releases a decryptor.

We really appreciate your efforts guys! Sending positive energy!

 

 

 

 

Share this post

Link to post
Share on other sites

juicefish    0

juicefish
Posted

I have same problem on my PC.

Here's some files of mine infected files.

 

Sounds like RDP is a problem let it can access my PC,

but I've close all Windows 7 native RDP before it happened.

If there have some problem that can be done in Chrome RDP?  (I notice that I recieve google account login SMS, but I don't login and input code)

Or I just have wrong knowledge with RDP Hacking?

Cry128_Sample.zip

Share this post

Link to post
Share on other sites

izuran    0

izuran
Posted

Hi,

I have the same issue, here is a sample with a file Before and After.

It seems to be triggered from a file called:
QQSS77889900.EXE

And created other exe like:

L.EXE, A.EXE, A[1].exe, A[2].exe, G.exe, a[3].exe

_DECRYPT_MY_FILES.txt

Summary.xml

Summary.xml.id_1756635677_2irbar3mjvbap6gt.onion.to._

 

I would also add do not try to pay for these to be de-crypted as it does not work.

Share this post

Link to post
Share on other sites

mclaugb    2

mclaugb
Posted

My files have the same gebdp3k7bolalnd4.onion._ extensions.  Mine was a windows machine with Remote Desktop connections disabled but Remote assistance enabled.  I consider myself very computer savvy but so far I've found no applications, no processes running in the background.  MalwareBytes and McAfee both cannot detect this strain.

Files do not appear to be any specific number of kb larger than the originals (it seems to vary depending on the file).  The Cry128 decrypter attempted two sets of files without success.  I've attached a few files here.  I can come up with more of them.

Bobbin REV 6 Specification print.pdf

Bobbin REV 6 Specification print.pdf.id_1638578921_gebdp3k7bolalnd4.onion._

TDS-DC25-UB25-RW-MAC-07-2014.pdf

TDS-DC25-UB25-RW-MAC-07-2014.pdf.id_1638578921_gebdp3k7bolalnd4.onion._

Share this post

Link to post
Share on other sites

pursang    0

pursang
Posted

I didn't have any luck with the new tool, although my files appear to be strong candidates.

So, now I'm wondering about the tool. Does it have a better chance of success if it has more memory available? Larger files? What?

Clearly Fabian has had successful hits in finding keys, but there seems to be hidden depths to this one. What more can we (the community) do to help?
 

 

 

Share this post

Link to post
Share on other sites

mikeody1989    0

mikeody1989
Posted

Unfortunately no luck for us either :/ On this link: http://blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/ it mentions 16 bytes, whereas in our case (and most of the people in this thread from what I understand) it is 36 (EDITED TYPO) bytes. The decryptor accepts the files anyway... but with no luck in brute forcing the key (we tried several files). Does that mean we are out of luck? I am attaching files here in case someone can... save my life :):P 

 

EntityFramework.xml.id_3575451207_2irbar3mjvbap6gt.onion.to._

EntityFramework.xml

Share this post

Link to post
Share on other sites

TheMask    0

TheMask
Posted

my files have all same size. encrypted files is 32 bytes more than the original files

maybe emsisoft will release new decrypter maybe we are lucky :)

 

Share this post

Link to post
Share on other sites

Shlomi    0

Shlomi
Posted

Hi,

Thank you for the quick release for the cry128 Ransomware.

Unfortunately, I tried it and after 80% of brute-forcing the files - it said that it failed to generate the key.

I'm 99% sure I was attacked by the cry128 (checked online by submitting the files, 36 bytes, same ransom note, same extension etc..)

Can you suggest what else I can do?

Maybe I have a newer version?? (I submitted the files to you)

Thanks! 

Share this post

Link to post
Share on other sites

Geng    0

Geng
Posted

Correcting a couple of the above users who said they have a 32 byte difference - it's 36 bytes, at least, that's what 99% of us here are dealing with.

  • Upvote 1

Share this post

Link to post
Share on other sites

Borro97    0

Borro97
Posted

Me  too

- many (almost all)  files 36 bytes bigger..

- some zip files only renamed

 

Decrypter Cry128 did not work .   After 100%   I got this message at the end.

"The decryption key for your system could not be found. Please

attempt to drag and drop both an encrypted and its original file on

the decrypter executable. If that didn't work there is unfortunately no

way this decrypter will be able to decrypt your files. We instead

suggest to restore your files from your latest backup."

 

Thanks 

 

Share this post

Link to post
Share on other sites

DrAries77    0

DrAries77
Posted

Dear All,

on 28th April almost all files of my PC was encrypted by the ransomware gebdp3k7bolalnd4.onion._

We need to pay "You need to pay: 0.14451 BTC (~200$)" to receive the decrypter (HOPE)...

Do you have found any solution for this bastard ransomware?

 

Regards.

Share this post

Link to post
Share on other sites

mclaugb    2

mclaugb
Posted

Okay, here are some more data points for you anti-virus making people.  Mcafee, your tools are not detecting this one.  These are logs from Windows Application Logs.  

Started svchost.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8888 -u 48aNFV3juaCLLQF8zPtdwdgvxt3YX1HmC3nvCu9psPuBDcoEBJGps3YFKU2diFBLby7WoQUqAo3ZP1Z3ay9yt2fDVAaWBuj -p x for service Mysqlvers in C:\windows.

Started C:\Windows\dell\run64.bat  for service Windows32_Update in C:\Windows\dell.

bat file says:
Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1

In c:\windows\dell  there is 
'run.bat'
'run64.bat'
'svchost.exe'

Other windows application logs show:

C:\Windows\systxm\winlogon.exe

NT AUTHORITY\SYSTEM ran C:\Windows\svchoot.exe, which attempted to access C:\Windows\systxm\svchost.exe. The potentially unwanted program named CoinMiner was detected and deleted.

Mysqlvers 
   1500 
   2000 

 Mysqlvers 
   0 
   Restart 
   svchost.exe 
 

Share this post

Link to post
Share on other sites

mclaugb    2

mclaugb
Posted

I can post the .exe files from this folder if anyone wants them.  I submitted them to Emisoft's website.  But i don't want to infect others.

Share this post

Link to post
Share on other sites

mclaugb    2

mclaugb
Posted

I am posting the infected files here.  I have attached them here in "dell_Infected.zip".  The zip file requires a password "infected" to open it. Please use with caution as they are infected .exe files with the CRY128 virus. 

dell_Infected.zip

Share this post

Link to post
Share on other sites

GeorgeB    3

GeorgeB
Posted

Mcl

On 5/3/2017 at 4:13 PM, mclaugb said:

I am posting the infected files here.  I have attached them here in "dell_Infected.zip".  The zip file requires a password "infected" to open it. Please use with caution as they are infected .exe files with the CRY128 virus. 

dell_Infected.zip

Please send infected exe archive to me.  I want to let it to encrypt some files in vm.

Share this post

Link to post
Share on other sites

izuran    0

izuran
Posted

Just for reference this thing seems to only alter the first 10KB of information and the end 36bytes, which it adds on.

The last 4bytes is always the same on that computer.

So if you have a large database or file type with recovery tools, you can likely try to rebuild it.

Share this post

Link to post
Share on other sites

mclaugb    2

mclaugb
Posted

I ran R-soft deleted files recovery in case the ransomware had deleted the old files and left the file system table.  it came up with some deleted files but most are not readable--some were but all the old filenames are gone.

I did find some easy files to compare using a DIFF function in a hex editor.  These files are mostly ASCII text files (they were autocad files) so they make it very easy to see what the ransomware did.

If any of you know how to decrypt codes, these should be two easy files to look at.

 

3X8Sheep_Base_SingleBlock.dxf

3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._

Share this post

Link to post
Share on other sites

Sarah W    26

Sarah W
Posted

Hi all,

We are currently still looking into seeing whether the ransomware is decryptable or not. We will let you know if we find out whether it is or not.

There may be a cryptocoin miner on the system (a program which uses your CPU to mine a cryptocurrency for the criminal, in this case), so if you want to check whether the system is clean then you can use our product; Emsisoft Anti-MalwareIf you like our product and it is of help then please consider buying itthe price is discounted and we protect against ransomware such as this one.

Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected. 

Regards,

Sarah

Share this post

Link to post
Share on other sites

lemmer89    0

lemmer89
Posted

Hello dear Sarah and other contributors,

My computer also has been infected (happened on end of April). A few gigabytes of precious data that was never backed up are waiting for a decrypt solution.

Nothing new here, same kind of files with 36 bytes added on the file size, with suffix ".id_2281068xxx_gebdp3k7bolalnd4.onion._" added to file names.

Some zip files were renamed but left untouched by the ransomware (i presume it was cry128).

Now, all of my company's computer have Emsisoft antimalware installed since this attack could have destroy several years of labour : or at least several days,

since most of us use backup devices from time to time.

Regarding the "non backed up data" : we are crying for your precious help.

If required, i can upload some infected files alongside with the original file. As a footnote : regarding infeted text files, it seems that only part of the file (say the first kilobytes) are encrypted.

Just want to say : good luck :-)

Share this post

Link to post
Share on other sites

MrDat    0

MrDat
Posted

Dear all,

 

These are what in my PC today:

 

### DECRYPT MY FILES ###.TXT

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]
 
 
Your personal ID: 2840776094
 
All filenames are:
<OriginalFilename>.id-2840776094_[[email protected]].5d4s9
 
Encrypted file's size is more than 36 characters the original size, they are in attachments.
 
I think it's CRY36 but I tried with Avast, Kaspersky, Emsisoft... NOT WORKING!
 
Please help me, thanks!
 

allInOne.js

allInOne.js.id-2840776093_[[email protected]].5d4s9

favicon.ico

favicon.ico.id-2840776093_[[email protected]].5d4s9

### DECRYPT MY FILES ###.txt

Share this post

Link to post
Share on other sites

mrhadavand    0

mrhadavand
Posted
On 6/25/2017 at 11:50 PM, MrDat said:

Dear all,

 

These are what in my PC today:

 

### DECRYPT MY FILES ###.TXT

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]
 
 
Your personal ID: 2840776094
 
All filenames are:
<OriginalFilename>.id-2840776094_[[email protected]].5d4s9
 
Encrypted file's size is more than 36 characters the original size, they are in attachments.
 
I think it's CRY36 but I tried with Avast, Kaspersky, Emsisoft... NOT WORKING!
 
Please help me, thanks!
 

allInOne.js

allInOne.js.id-2840776093_[[email protected]].5d4s9

favicon.ico

favicon.ico.id-2840776093_[[email protected]].5d4s9

### DECRYPT MY FILES ###.txt

please help meee !!!!!!

__Sys__.ldf.id_3946907184_[[email protected]].5d4s9
 

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.