Abhijit

Cry9 - Invalid CRYPTON file pair


I have 2 separate IDs and keys, just in case someone can get this working.

 

ID: 2529*********
Key: PM me if you want it

ID: 363***********
Key: PM me if you want it

 

None of them are working on my files, but the decryptor file is exactly the same as above. I tried changing the first few characters, which seem to represent the ID, and their software does remove the extra 36 bytes, but the file is still encrypted.


Someone needs to reverse engineer the cryptor and the decryptor to see how those keys are generated and what the relation is between them, the ID and the last 36 bytes of the file.

I'm pretty good at C system programming, and I have some notions of cryptography (what asymmetric and symmetric encryption and hashing are), but assembly and debugging are totally obscure to me. I'm currently trying to learn assembly, but it's a very long way.

My greatest fear is that the pirates vanish without a trace!


The decryptor is doing the following (Win API Monitor):

  • Read 10240 encrypted bytes
  • Read the last 36 bytes separately: first 32 bytes, then the last 4 bytes (so they could mean different things...?)
  • Write 10240 decrypted bytes and discard the last 36 bytes.

I also saw that some files are totally encrypted (always with 36 bytes appended), so perhaps the last 36 bytes have something to do with this (a sort of marker of total/partial encryption?).

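The API Monitor trace in the post above gives a concrete file layout to test against: an encrypted file should be the original plus a 36-byte trailer, and only the first 10240 bytes of the body should differ from the original. The script below is an added example, not the poster's code and not the ransomware's decryptor; it decrypts nothing. It compares an original/encrypted pair and reports whether the pair fits that layout, splitting the trailer into the 32-byte and 4-byte parts the decryptor reads separately. The sample pair it builds is constructed for the demonstration (a non-zero XOR keystream so every byte of the prefix changes); real Cry9 ciphertext is not produced this way.

```python
"""Check an encrypted/original file pair against the layout observed in the thread:
the encrypted file is the original plus a 36-byte trailer, and only the first
10240 bytes of the body were changed. Added example, not the poster's code and
not the ransomware's decryptor; it decrypts nothing. The pair that
make_sample_pair() returns is constructed for the demonstration."""
from dataclasses import dataclass

BLOCK_LEN = 10240     # bytes the decryptor reads, decrypts and writes as one block
TRAILER_LEN = 36      # extra bytes at the end of every encrypted file
TRAILER_SPLIT = 32    # the decryptor reads the trailer as 32 bytes, then 4 bytes


@dataclass
class PairReport:
    size_delta: int       # len(encrypted) - len(original); 36 if the layout holds
    changed_span: int     # bytes from offset 0 up to the last differing body byte
    tail_identical: bool  # body beyond BLOCK_LEN is byte-for-byte the original
    trailer_32: bytes     # first part of the trailer, read separately by the decryptor
    trailer_4: bytes      # last 4 bytes of the trailer

    def matches_layout(self) -> bool:
        """True when the pair looks like the Cry9/Cry36 pairs described in the thread."""
        return (self.size_delta == TRAILER_LEN
                and 0 < self.changed_span <= BLOCK_LEN
                and self.tail_identical)


def analyze_pair(original: bytes, encrypted: bytes) -> PairReport:
    """Compare the two files and split the trailer off the encrypted one."""
    if len(encrypted) < TRAILER_LEN:
        raise ValueError("encrypted file is shorter than the 36-byte trailer")
    body = encrypted[:len(encrypted) - TRAILER_LEN]
    trailer = encrypted[len(encrypted) - TRAILER_LEN:]
    last_diff = -1
    for i in range(min(len(original), len(body))):
        if original[i] != body[i]:
            last_diff = i
    return PairReport(
        size_delta=len(encrypted) - len(original),
        changed_span=last_diff + 1,
        tail_identical=original[BLOCK_LEN:] == body[BLOCK_LEN:],
        trailer_32=trailer[:TRAILER_SPLIT],
        trailer_4=trailer[TRAILER_SPLIT:],
    )


def analyze_files(original_path: str, encrypted_path: str) -> PairReport:
    """Same check on two files from disk."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(encrypted_path, "rb") as f:
        encrypted = f.read()
    return analyze_pair(original, encrypted)


def make_sample_pair(size: int) -> tuple[bytes, bytes]:
    """Constructed stand-in for a real pair: the first BLOCK_LEN bytes are XORed
    with a non-zero keystream (so every byte changes), the rest is copied, and a
    32+4 byte trailer is appended. This is not how the real ransomware encrypts."""
    original = bytes(i % 251 for i in range(size))
    keystream = bytes((i * 7 + 13) % 255 + 1 for i in range(min(size, BLOCK_LEN)))
    prefix = bytes(a ^ b for a, b in zip(original, keystream))
    trailer = bytes(range(TRAILER_SPLIT)) + (0xDEADBEEF).to_bytes(4, "big")
    return original, prefix + original[BLOCK_LEN:] + trailer


if __name__ == "__main__":
    orig, enc = make_sample_pair(20000)
    report = analyze_pair(orig, enc)
    print(report.matches_layout(), report.changed_span, report.trailer_32.hex(), report.trailer_4.hex())
```

For a real pair, `analyze_files("photo.jpg", "photo.jpg.id_<ID>_<domain>.onion")` gives the same report; a `changed_span` well below 10240 on a file larger than 10 KB, or a non-identical tail, means the pair does not follow this layout and is worth a second look before anyone tries to correlate trailers across files.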
3 hours ago, kygiacomo said:

From what I have read on the Emsisoft blog, it's going to be nearly impossible to decrypt the files without getting some professionals that use forensic data recovery to get your files back, or paying the ransom. I hope everyone has learned a valuable lesson here and updates their OS, makes backups of files and gets proper internet security such as Emsisoft to protect their computers. I have Emsisoft Internet Security, Zemana and Malwarebytes on my system and I have yet to get any malware, viruses or ransomware on my computer.

 
 

Having an antivirus did no good in mine and many others' case. Malwarebytes actually quarantined a file. By the time the full scan was done, the damage was done and Malwarebytes disabled. I think most people are like me and have an actual archive of files in a RAID0 or external drives. It's just that ransomware attacks the attached drives, so to guard against it, you have to have your file archives offline. Which is a pain in the butt.

So I don't think any victim here wants the whole "valuable lesson" crap. I'm not sure why someone that hasn't had an issue with this particular ransomware is here posting in the first place >.>

The only ones at fault, and the ones that need a "valuable lesson", are the criminals/terrorists that are doing the attacks.



I was thinking: the ransomware has to generate a key pair (public/private); it must do it (I think) on the victim's computer (using some random data and/or the UUID of the machine), then use the public key to encrypt and transfer the private key to the criminals' master server.

What if I re-execute the ransomware on my computer and try to intercept the keys in memory using a debugger? Is it a good idea? (Note: I haven't formatted my computer yet, I just secured my sensitive data.)

The problem is that I'm a complete noob in assembly and debugging...

What I want to say here is that it is not mandatory to "crack" the encryption keys. If each one can reverse engineer the malware on his own computer (supposing the key generation doesn't use random data), then this could work (intercept a key that hopefully will be the same)!

5 hours ago, bruticus0 said:

Having an antivirus did no good in mine and many others' case. Malwarebytes actually quarantined a file. By the time the full scan was done, the damage was done and Malwarebytes disabled. I think most people are like me and have an actual archive of files in a RAID0 or external drives. It's just that ransomware attacks the attached drives, so to guard against it, you have to have your file archives offline. Which is a pain in the butt.

So I don't think any victim here wants the whole "valuable lesson" crap. I'm not sure why someone that hasn't had an issue with this particular ransomware is here posting in the first place >.>

The only ones at fault, and the ones that need a "valuable lesson", are the criminals/terrorists that are doing the attacks.

I came to learn, that is all. I didn't mean to sound mean; I just meant I hope that everyone has learned to back up files and update their OS so this will never happen again to people. It looks like most people were running Windows XP, so they were running their business on an outdated system. While it might be a pain in the butt to do what you said about the archives, it has to be less of a pain than dealing with this infection. Malwarebytes has really gone downhill recently, and once my premium account runs out I'm not going to renew it. I'm going to stick with Zemana and Emsisoft only.



I got all signs of the ransomware itself out of my system, and the svhost and cmrss file that was running from the C:\windows\twain32 folder. My fear is: if I do a System Restore, will it come back with the System Restore?

 

Oldest restore point left is May 5th.

Files were encrypted on May 15th.

 

Started noticing my system was acting odd and overloaded not long after the latest Skype update, which defaulted to dumping files sent to you without interaction; that may have been previous to May 5. ADVICE?

 

On 2017/5/11 at 9:13 AM, mclaugb said:

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

Dear McLaugb,

  This is Jimmy, another victim of the ransomware virus, gebdp3k7bolalnd4.onion.

  I saw the following sentence from you, and I am wondering if you have the e-mail address with which I can contact the kidnapper?

  "The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you."

  Your reply, either public or private, would be most appreciated.

  Thank you!

Sincerely,

Jimmy


I'm not sure whether System Restore would help you or not. System Restore doesn't affect your personal files, which are the important ones encrypted. The ransomware here doesn't usually affect the Windows or Program Files folders. What would help before you try a System Restore might be to right-click your files and go to "Previous Versions". See if anything is there that could "roll back" the encryption.

You can usually undo a System Restore. And if you're using any recovery tools like EaseUS or Recuva, you could try them before and after a System Restore and see if they're giving you anything good.

If that's not working for you, usually the best thing to do is back up your encrypted files somewhere away from your file structures. If there's ever a decryptor, you'll have them available to you. Get your OS back in working order. I did a fresh OS install on mine.

Also, if you had a mapped drive disappear, look at the online version of the files and see if they are still intact there. I'd also change all your personal information/passwords just in case. Especially if you think they attacked through Remote Desktop or something.


I'm nowhere near qualified enough to know if that has the significance I think it does, but I'm sure master keys are always a good thing. Thanks for posting with whatever information you have, we appreciate it :P

Ah, ok. Seems that in the past, when the Dharma group were done using a variant of their ransomware, there would be a "leak" of master keys. The master keys released this time around were for the .wallet extensions that people have been having trouble with. The new Dharma variant is the {[email protected]}.onion type.

I don't know what relation, if any, the new Dharma variant has with our Cry9 variant. But Avast and Kaspersky have both released decryptors for the .wallet ransomwares now. So that's good news.


Can someone tell me why there is a ransom letter every time I open Excel? Does that mean the virus is still not removed?

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software. To recover data, follow the instructions!
You can find out the details/ask questions in the chat:
https://fgb45ft3pqamyji7.onion.to (not need Tor)
https://fgb45ft3pqamyji7.onion.cab (not need Tor)
https://fgb45ft3pqamyji7.onion.nu (not need Tor)

 


After removing the virus itself, I have a service starting up. This happens in a command window after I close the sandboxed service that eats 50% of the CPU resources:

 


C:\WINDOWS\system32>ping 127.0.0.1 -n 10

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=8ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 127.0.0.1:
    Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 8ms, Average = 0ms

C:\WINDOWS\system32>net1 user IISUSER$ /del  & net1 user IUSR_Servs /del
System error 1722 has occurred.

The RPC server is unavailable.

System error 1722 has occurred.

The RPC server is unavailable.


C:\WINDOWS\system32>sc config MpsSvc start= auto  & net start MpsSvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

System error 123 has occurred.

The filename, directory name, or volume label syntax is incorrect.


C:\WINDOWS\system32>netsh advfirewall set allprofiles state on

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: advfirewall set allprofiles state on.

C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcp all" dir=in pr
otocol=tcp localport=0-65535 action=allow

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: advfirewall firewall add rule "name=tcp all
" dir=in protocol=tcp localport=0-65535 action=allow.

C:\WINDOWS\system32>netsh advfirewall firewall add rule name="deny tcp 445" dir=
in protocol=tcp localport=445 action=block

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: advfirewall firewall add rule "name=deny tc
p 445" dir=in protocol=tcp localport=445 action=block.

C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcpall" dir=out pr
otocol=tcp localport=0-65535 action=allow

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: advfirewall firewall add rule name=tcpall d
ir=out protocol=tcp localport=0-65535 action=allow.

C:\WINDOWS\system32>netsh ipsec static add policy name=win

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add policy name=win.

C:\WINDOWS\system32>netsh ipsec static add filterlist name=Allowlist

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filterlist name=Allowlist.


C:\WINDOWS\system32>netsh ipsec static add filterlist name=denylist

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filterlist name=denylist.

C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=an
y dstaddr=me description=not protocol=tcp mirrored=yes dstport=135

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filter filterlist=denylist
 srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135.

C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=an
y dstaddr=me description=not protocol=tcp mirrored=yes dstport=137

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filter filterlist=denylist
 srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137.

C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=an
y dstaddr=me description=not protocol=tcp mirrored=yes dstport=138

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filter filterlist=denylist
 srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138.

C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=an
y dstaddr=me description=not protocol=tcp mirrored=yes dstport=139

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filter filterlist=denylist
 srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139.

C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=an
y dstaddr=me description=not protocol=tcp mirrored=yes dstport=445

WARNING: Could not obtain host information from machine: [STUDIO]. Some commands
 may not be available.
The specified service does not exist as an installed service.

The following command was not found: ipsec static add filter filterlist=denylist
 srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445.

C:\WINDOWS\system32>netsh ipsec static add filteraction name=Allow action=permit


I'm not sure about either of your problems.

For the ransom notes, there is still something there calling up the ransom notes, so I would think your system still has something on it from the attack. Demonslayer has made a Ransom Note Cleaner program; you can find it here. But even if the cleaner works, there will still be something running trying to call up the ransom note... it just won't be there.

As for the other, the attack installed a bitcoin miner on a lot of our systems also. It's possible it could have installed other things. If it's a service, you could try tracking down its location through Task Manager.

Running the Emsisoft Emergency Kit, or doing scans with the regular Anti-Malware, might help. The Emergency Kit has a command-line version. So you can reboot into "Recovery Mode", bring up the DOS prompt, and run it from USB if you have to.

I formatted and started all over again on mine, just to be safe. Just back up any important encrypted files somewhere so you can access them later if you need to. If someone punches a bunch of holes in your brick wall, it's better to just start again and build a better, stronger wall.


@NnitehawkK-fb, thanks for posting that. It's a script that the hacker ran to open up a bunch of vulnerabilities on your machine, so now I know where to look to plug all the holes. For example, go to the command prompt and type `netsh ipsec static show all`, and likely there will be a bunch of filters and whatnot listed that you'll want to remove. Another place you'll want to go to remove stuff is the Windows Firewall with Advanced Security snap-in, to take out the "tcp all" rule et al.

Here are the commands cleaned up:

C:\WINDOWS\system32>ping 127.0.0.1 -n 10
C:\WINDOWS\system32>net1 user IISUSER$ /del  & net1 user IUSR_Servs /del
C:\WINDOWS\system32>sc config MpsSvc start= auto  & net start MpsSvc
C:\WINDOWS\system32>netsh advfirewall set allprofiles state on
C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
C:\WINDOWS\system32>netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
C:\WINDOWS\system32>netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
C:\WINDOWS\system32>netsh ipsec static add policy name=win
C:\WINDOWS\system32>netsh ipsec static add filterlist name=Allowlist
C:\WINDOWS\system32>netsh ipsec static add filterlist name=denylist
C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
C:\WINDOWS\system32>netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
C:\WINDOWS\system32>netsh ipsec static add filteraction name=Allow action=permit
 

Something curious -- why would they want to deny inbound port 445? Seems like that would be a precautionary thing.

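The cleaned-up command list above names every object the attacker's script tried to create: three Windows Firewall rules ("tcp all", "deny tcp 445", "tcpall"), a legacy IPsec policy ("win"), two filter lists ("Allowlist", "denylist") and a filter action ("Allow"), plus two local accounts it tries to delete and the firewall service (MpsSvc) it tries to start. Two facts help read the pasted output: `netsh advfirewall` and the MpsSvc service only exist on Windows Vista and later (XP uses `netsh firewall` and the SharedAccess service), so on the XP machine whose output was pasted every firewall command failed and changed nothing; and in Windows Firewall with Advanced Security a block rule wins over an allow rule, so on a machine where the script did succeed, "deny tcp 445" still blocks inbound SMB even though "tcp all" allows every other inbound TCP port. The script below is an added example, not something from the thread or from Emsisoft: run it as Administrator on a Vista-or-later machine to list whatever the attacker's script actually created, then remove it. The only names it relies on are the ones visible in the pasted commands.

```powershell
# Added example (not from the thread): audit and undo the firewall/IPsec changes that the
# attacker's pasted script tried to make. Object names are taken from that script.
# Requires Windows Vista/Server 2008 or later and an elevated PowerShell session.
#Requires -RunAsAdministrator

$FirewallRules = @('tcp all', 'deny tcp 445', 'tcpall')   # added with: netsh advfirewall firewall add rule
$IpsecPolicy   = 'win'                                    # netsh ipsec static add policy name=win
$IpsecLists    = @('Allowlist', 'denylist')               # netsh ipsec static add filterlist name=...
$IpsecAction   = 'Allow'                                  # netsh ipsec static add filteraction name=Allow
$Accounts      = @('IISUSER$', 'IUSR_Servs')              # net1 user <name> /del

function Show-AttackerArtifacts {
    Write-Host '== Windows Firewall rules named in the script (a hit means it ran here) =='
    foreach ($r in $FirewallRules) {
        # netsh prints "No rules match the specified criteria." when the rule is absent
        netsh advfirewall firewall show rule "name=$r"
    }

    Write-Host '== Legacy IPsec policy objects (policy, filter lists, filter actions) =='
    netsh ipsec static show all

    Write-Host '== Firewall service state: the script sets MpsSvc to auto-start =='
    sc.exe query MpsSvc

    Write-Host '== Local accounts the script tried to delete; also review the full list =='
    foreach ($a in $Accounts) { net user $a 2>$null }
    net user
}

function Remove-AttackerArtifacts {
    # Delete the three rules. Deleting a rule that does not exist is harmless.
    foreach ($r in $FirewallRules) {
        netsh advfirewall firewall delete rule "name=$r"
    }

    # Remove the IPsec objects in the order the script created them, reversed.
    # The script never assigned the policy, so deleting it does not touch live traffic.
    netsh ipsec static delete filteraction name=$IpsecAction
    foreach ($l in $IpsecLists) {
        netsh ipsec static delete filterlist name=$l
    }
    netsh ipsec static delete policy name=$IpsecPolicy

    # Re-enable the firewall on all profiles, which the script's "tcp all" rule effectively defeated.
    netsh advfirewall set allprofiles state on
}

Show-AttackerArtifacts
# Remove-AttackerArtifacts   # uncomment after reviewing the output above
```

Run the audit first and keep its output: the presence or absence of the "tcp all" rule tells you whether the script executed successfully on that machine, and `netsh ipsec static show all` will list any other policy objects the attacker created that the pasted fragment does not show (the pasted script is cut off after the `add filteraction` line).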

So you think they blocked port 445 so that our systems wouldn't be infected with WannaCry? We must have been the "expeditionary front" of the WannaCry plague, to test it out before launching it en masse.


I retired the system; I have it sitting waiting for a decryption.

All the removal stuff does not fully work yet either; you've gotta go dig in your registry and dump all the onion and wcry entries.

After running several different removal tools it just simply came back, or tried to, and I'll never trust that box again anyway, so it's in the corner being called bad dog.

I really needed to update this business interface anyway; I've just been putting it off due to all the automation required for a radio station's switchboard. If I had not lost my email I wouldn't even give a crap.

Plus I just didn't wanna join the NSA or all the "yeah, I got a tin hat" BS that comes along with Windows 10.

 

 

5 hours ago, matwachich said:

Please, can somebody upload the malware files.

I am unable to download them from this forum. (Please use some file sharing websites: box, dropbox...)

I think mclaughb is the only one who mentioned having the actual attack file. Unless ganymede has any ideas, you'll just have to PM mclaughb and see if he's still around. Sorry ;P


Small correction: there are no entirely encrypted files! I thought so because I couldn't find the SOS (0xFFDA) marker in some JPEG pics; this is because the file is so small that the 0xFFDA is within the first 10 encrypted kilobytes.

I have to find a way to recover partial JPEG-encoded data...

Just now, matwachich said:

Small correction: there are no entirely encrypted files! I thought so because I couldn't find the SOS (0xFFDA) marker in some JPEG pics; this is because the file is so small that the 0xFFDA is within the first 10 encrypted kilobytes.

I have to find a way to recover partial JPEG-encoded data...

Didn't you already have a method for recovering image files? Or was that for fully encoded JPEGs? I meant to PM you about that actually, if it's viable. If you still have the method, mind sending the instructions to me in a PM? :P I'd appreciate it.

And it's good they only partially encrypted them. I'd be more worried about any possible solution if they were.


My method actually works for, say, 60-80% of my pictures. I'm currently searching for a means to recover them even if the essential Start Of Scan marker (0xFFDA) is encrypted. It will be a partial recovery...

I'm developing a small tool to do it. I don't know if I'm going to release the source, because I'm afraid that the hackers will see it and adapt their encryption routines.


Ok, now I think I have a pretty good version of the JPEG recovery script. So I will share!

How to use: create a folder named "__models__" beside ImageSaver.exe and place in it valid JPEG files taken with the same camera(s) as the encrypted ones, with different resolutions, orientations and quality settings. Give them clear names, because the model name is appended to the recovered file (e.g. s7-1080-paysage.jpg). Then, just drag and drop the encrypted files onto the exe.

It will try to rebuild the lost pics using what remains valid in them. It's going to create many files (one for each model); many of them will be invalid. It's up to you then to delete the invalid files and keep the valid one.

It will surely not recover all pics; I'm still working on this...

PS: about the padding, try big numbers first (such as 4000), then decrease or increase to see the result.

ImageSaver.exe


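The posts above describe the recovery idea without showing it: a JPEG is a chain of marker segments (SOI, quantisation tables, frame header, Huffman tables, ending with the SOS segment) followed by entropy-coded scan data up to EOI. When the first 10 KB of a file are encrypted, the entire header and the start of the scan are gone, but the rest of the scan and the EOI survive. Borrowing the header of an intact "model" photo taken with the same camera and settings and appending the surviving scan data yields a decodable image with a damaged top band, provided the model's dimensions and tables match; the "padding" setting in the tool shifts where the appended data starts, because the decoder needs the data to begin on a sensible boundary. The code below is an added example of that approach written for this page; it is not matwachich's ImageSaver code. It parses the model's segment chain to find the end of the SOS header, splices the surviving data after it, and, where the camera wrote restart markers (RSTn), lists them as padding candidates, since a decoder resynchronises at an RST marker and starting there confines the damage to the lost rows. The JPEG-shaped sample data it builds is constructed for the test and is not a real photo.

```python
"""Rebuild a JPEG whose first 10240 bytes were encrypted by borrowing the header of
an intact 'model' picture (same camera, same settings) and appending the surviving
scan data. Added example illustrating the approach described in the thread; it is
not matwachich's ImageSaver. make_sample_pair() builds constructed JPEG-shaped data
for the demonstration, not a real photo."""
from __future__ import annotations

BLOCK_LEN = 10240   # bytes encrypted at the start of each file (from the thread)
TRAILER_LEN = 36    # bytes appended to each encrypted file (from the thread)
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xDA)}   # TEM, RST0-7, SOI, EOI carry no length field


def scan_data_offset(jpeg: bytes) -> int:
    """Offset of the first entropy-coded byte: just past the SOS segment header.
    Segments are FF xx followed by a 2-byte big-endian length that includes the
    length field itself; walk them from SOI until SOS."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i + 1 < len(jpeg) and jpeg[i + 1] == 0xFF:   # 0xFF fill bytes may precede a marker
            i += 1
        marker = jpeg[i + 1]
        if marker in STANDALONE:
            i += 2
            continue
        length = int.from_bytes(jpeg[i + 2:i + 4], "big")
        i += 2 + length
        if marker == SOS:
            return i
    raise ValueError("no SOS marker before end of data")


def restart_marker_offsets(scan: bytes) -> list[int]:
    """Offsets just after each RSTn marker (FF D0..FF D7) in scan data. When the
    camera wrote a DRI segment these sit on MCU-row boundaries, so they are the
    natural 'padding' candidates: libjpeg and similar decoders resync on the
    next RST marker, limiting the damage to the rows that were encrypted."""
    return [i + 2 for i in range(len(scan) - 1)
            if scan[i] == 0xFF and 0xD0 <= scan[i + 1] <= 0xD7]


def splice(model: bytes, encrypted: bytes, padding: int = 0) -> bytes:
    """model header (SOI through the SOS segment) + encrypted[BLOCK_LEN+padding : -36].
    The model must share dimensions, subsampling, quantisation and Huffman tables
    with the lost photo, which is why the thread suggests several model files per
    camera and keeping whichever output actually decodes."""
    header = model[:scan_data_offset(model)]
    body = encrypted[BLOCK_LEN + padding:len(encrypted) - TRAILER_LEN]
    if not body.endswith(bytes([0xFF, EOI])):
        body += bytes([0xFF, EOI])   # the original EOI normally survives; add one if it did not
    return header + body


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_sample_pair(scan_len: int = 15000) -> tuple[bytes, bytes]:
    """Constructed test data: a JPEG-shaped 'model'/original with placeholder
    segments, a DRI segment and RST markers every 500 bytes, and an 'encrypted'
    sibling whose first BLOCK_LEN bytes were zeroed and that carries a 36-byte
    trailer. The placeholders are not valid image tables."""
    header = (bytes([0xFF, SOI])
              + _segment(0xDB, bytes(65))                 # DQT placeholder
              + _segment(0xC0, bytes(15))                 # SOF0 placeholder
              + _segment(0xC4, bytes(20))                 # DHT placeholder
              + _segment(0xDD, (64).to_bytes(2, "big"))   # DRI: restart interval
              + _segment(SOS, bytes(10)))                 # SOS header, 3 components
    scan = bytearray(b"\x5a" * scan_len)                  # dummy entropy data, never 0xFF
    for k in range(500, scan_len, 500):                   # RST0..RST7 cycling every 500 bytes
        scan[k:k + 2] = bytes([0xFF, 0xD0 + (k // 500 - 1) % 8])
    original = header + bytes(scan) + bytes([0xFF, EOI])
    encrypted = bytes(BLOCK_LEN) + original[BLOCK_LEN:] + bytes(TRAILER_LEN)
    return original, encrypted


if __name__ == "__main__":
    model, enc = make_sample_pair()
    surviving = enc[BLOCK_LEN:len(enc) - TRAILER_LEN]
    candidates = restart_marker_offsets(surviving)
    print(scan_data_offset(model), candidates[:3], len(splice(model, enc, candidates[0])))
```

In practice you would loop over every model file in the folder and over a handful of padding values (the RST candidates first, then the manual search the tool's author describes), write each result out, and keep the one that opens. A model with the wrong dimensions or tables produces a file that decodes to noise or fails outright; that is the expected failure mode, not a bug in the splice.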

People are unofficially calling it Cry36, not to be confused with Cry128. You may want to ask Emsisoft folks to see if they have a name for it though.

 


If no good progress is being made towards the decrypter, then at least tell us? A lot of us are waiting when we could be paying data restoration companies. It's been 3+ weeks.


Hi all,

My name is Nick; I have had the virus since a few hours ago. It is a disaster!

All my files have "<ID REMOVED>.onion" at the end....

This happened to almost all my disks connected to my PC. As I am a wedding videographer, terabytes of video files, on ALL my disks, even backups. Even 2-3 weddings I was working on right now and must deliver to the customer....

Also most programs don't work; running in safe mode right now. Removed my RAID drives from the PC. I found a txt file in some places named "decrypt my files".

content:

 


"*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software. To recover data, follow the instructions!
You can find out the details/ask questions in the chat:
https://fgb45ft3pqamyji7.onion.to (not need Tor)
https://fgb45ft3pqamyji7.onion.cab (not need Tor)
https://fgb45ft3pqamyji7.onion.nu (not need Tor)

You ID: 826638745

If the resource is not available for a long time, install and use the Tor-browser:
1. Run your Internet-browser
2. Enter or copy the address https://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
3. On the site will be offered to download the Tor-browser, download and install it. Run.
4. Connect with the button "Connect" (if you use the English version)
5. After connection, the usual Tor-browser window will open
6. Enter or copy the address http://fgb45ft3pqamyji7.onion in the address bar of Tor-browser and press key ENTER
7. Wait for the site to load

If you have any problems installing or using, please visit the video tutorial https://www.youtube.com/watch?v=gOgh3ABju6Q"

Please help me folks, I am desperate. I don't even have the time, and maybe not the knowledge, to follow their instructions, but even if I had, I have no money for a ransom these days...

P.S. Some things I noticed while the virus took action: I had my RAID drives spinning for some time, checked Task Manager and had high CPU utilization, checked processes and an "lsass" process was taking 50% of my CPU. Logged out and logged in, same; then checked my drives.... As I cannot find both versions (unencrypted and encrypted) of a file on my PC, I went to the "Downloads" folder and found a utility that I could download again, so I have both versions. I attach them both:

TimeWarpInstaller-1.0.2.exe.id_826638745_fgb45ft3pqamyji7.onion

TimeWarpInstaller-1.0.2.exe

Edited by Kevin Zoll

On 5/22/2017 at 9:48 PM, nicksoti said:

Hi all,

My name is Nick; I have had the virus since a few hours ago. It is a disaster!

[...]

Hi!

You can try my program for JPEG files (see my former posts). I'm still working on it.

For MP4 videos, Google Recover_Mp4; it's a program that was able to recover many of my personal videos.

For the rest, you can pray to the gods... (sorry)

Edited by Kevin Zoll


@nicksoti  You have the same thing we all have looks like.  You'll notice there's probably 36 bytes difference between your file pairs.  That's the same version of Cry most of us have.  There's no decryptor for it yet.  If there are any major updates, it'll get posted here.  But be calm.  You can't fix anything or do any good paniced.  

So unfortunately, it's just as bad as you thought it was.  There is no fix to get your files back besides paying the terrorists or perhaps a forensic data recovery company.  While Emsisoft is taking a look at this variation, it doesn't mean they will actually be able to come up with a decryptor.  There's no timelines or guarantees here.  

First thing is first though.  Disconnect the attached drives and try to get your C drive working again.  Emsisoft makes a portable malware scanner here .  It has a command line utility, so you can run it in DOS mode from the Windows Recovery options if you have to.  Try running it and getting anything it finds quarantined.  It helps to have the malware quarantined, that way it can be uploaded to help with decryption tool.  Although I think Emsisoft has the malware, it won't hurt to have another copy of it.

This version of malware usually installs a bitcoin miner on your machine too.  If you look on page 2 here , you'll see mention where the registry values for the miner are.  

Now,  this thing usually deletes all your Shadow Copies and Restore Points.  You can try Restore Point to get back your program folders, but it won't do any good for your personal files on C.  There's something called Shadow Explorer that might find some files.  Also, if you right click files and go to "Previous Versions" tab, you may be able to find something.  

This thing works by copying a file, encrypting it, then deleting the original.  So it's nasty that way.  Now, while we can't get all your files back, there are some files we can do some stuff with.  .ISO files, .zip files, they can both be renamed and "hopefully" be accessed and used.  Also, thankfully, matwachich has made a wonderful little tool that you might have a great need of.  You can follow and download his JPEG recovery tool from the link he posted above on this page.  It's a bit of hassle since it restores many files and you have to pick out the right one, but it's well worth it if there's no other way to recover the picture.

You'll also see other posts about the malware making holes in the firewall, tcp settings and so on.  On my machine, I restored my C drive, recovered some files from it using EaseUS Data Recovery, and did a fresh install of Windows OS to get my C drive back functioning again.  You can use tools like EaseUS Data Recovery, which might find lost files on different hard drives.  There's a quick scan and deep scan.  Be sure to wait until deep scan is finished.  There is also a Recuvium program I think it's called that does similar.

So, get your C drive working.  If you can, archive all encrypted files away from your computer.  Just pack them up neatly and keep them somewhere.  It may be a long time, if ever, we can get a working decryptor for our files.  So it's best to get them archived and out of the way so you can go back to semi-normal operation.  Then check back here for any updates.  It's about all you can do.

Now, if you start over again with a fresh install, you need to do it right this time.  Get a paid anti-malware.  Emsisoft's is on sale and easy to use btw.  And they're the only ones trying to make decrypters.  Other ones you see only do it when the keys are public.  Bitdefender has an anti ransomware with it., but aggravatingly, it likes to lock down most any file it deems bad.  Which is most of my PS3 programs.  There's a couple of free anti ransomware programs you can get.  One is Cybereason.  They donated the anti ransomware part of their large business anti malware programs for the common folk to use.  I think it was pretty nice of'em.  The other is Malwarebytes Anti Malware.

Next, you'll want some backup.  As you know now, you need an offline backup.  Using either the cloud or an offline disk.  Macrium is a backup program that's kinda expensive, but has some cloud options and also has a scheduler.  Even if you're using the free version, it's still really useful.  With the free version, you can make two things.  You can make a compressed backup image of your whole drive.  AND, more importantly, you can make a rescue USB/Disk that has Windows Portable Edition on it with Macrium preloaded.  So if your hard drive fully fails, you can load up the USB with Windows PE and Macrium, point it to the backup image wherever it may be and it will restore it for you.  So you can save the backup image to any cloud or filesharing service and download it to USB whenever you need it.

You'll also want to install all important updates from microsoft to keep protected from OS vulnerabilities.  Also, some have reported these guys also got in via Remote Desktop.  If you don't use Remote Desktop, it's best just to disable it and Remote Assistance.  No reason to leave a vulnerability open.  

OK finally done with my rant.  Good Luck.


@bruticus0,


Thank you, I have a paid antimalware but it did not protect me.....

System restore was disabled, unfortunately.

I am out of money right now to pay experts to recover my files. I contacted the criminal, who wants $450 in bitcoins... Nemesis something... I don't even know how to deal with bitcoins...

I am desperate.... Thank you for your time. This happened at the worst time in my life: I lost my job recently as a cameraman, and I have to work from time to time as a 2nd cameraman at weddings for pennies... if I don't deliver the files I am dead... it seems I have to pay; even a few hundred dollars is a lot for me right now, but it seems I have no other option.

  • Upvote 1


@nicksoti

I am so sorry to hear your story, really.

I also fell victim to a ransomware, Cry36, which locked all the files and photos that I have collected for more than 20 years, and I still can't decrypt it.

How would they feel if they saw our stories, and those of hundreds of thousands of others?

I really curse these people who did this to all the victims!  Rot in hell!!!

BTW, if you re-install your system, be sure to patch the security leaks lest you should get infected again. (I was infected twice.)

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019264


Hello forum,

I can confirm that cry36 is not as harmful as a few ransomware before it.

If your files are super important, they can be fixed with some knowledge: remove some bytes from the back of the file, and try to use the 10 KB at the start of the file (I can confirm that it encrypts only the first 10 KB of the file). So basically, if your data files are databases or some big xls/doc, theoretically it's possible to recreate them by using analogues.


P.S. This needs more analysis, but it seems the first and last lines of encrypted files are the same (so it's easy to determine the encryption type).

(attached images: 1.png, 2.png)

  • Upvote 1

2 minutes ago, Kestukas said:

Hello forum,

I can confirm that cry36 is not as harmful as a few ransomware before it.

If your files are super important, they can be fixed with some knowledge: remove some bytes from the back of the file, and try to use the 10 KB at the start of the file (I can confirm that it encrypts only the first 10 KB of the file). So basically, if your data files are databases or some big xls/doc, theoretically it's possible to recreate them by using analogues.

(attached images: 1.png, 2.png)

I confirm.

This is actually what I'm doing with my JPEG recovery tool.

I'm working on it now, I think it will be really accurate (release tonight or tomorrow).

  • Upvote 1
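The observation in the two posts above (only the first 10 KB of each file is replaced, the rest of the original bytes survive, and a short block is appended) can be checked without touching the files. The script below is an added example, not code from this thread, from matwachich's tool or from Emsisoft; it assumes a 10240-byte encrypted prefix and a 36-byte appended trailer, opens files read-only, and reports byte entropy so you can see which files still carry recoverable plaintext after the prefix.

```python
import math
from collections import Counter

ENCRYPTED_PREFIX_LEN = 10240  # assumed: only the first 10 KB is overwritten with ciphertext
TRAILER_LEN = 36              # assumed: 36 bytes appended after the original data
HIGH_ENTROPY = 7.5            # bits/byte; ciphertext sits near 8.0, most plaintext well below

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_bytes(blob: bytes) -> dict:
    """Read-only check of one file's contents against the assumed layout.

    partial_encryption is True when the prefix looks like ciphertext while
    the bytes after it still look like plaintext, i.e. the tail is worth
    carving or re-using; nothing is modified.
    """
    if len(blob) <= TRAILER_LEN:
        return {"partial_encryption": False, "intact_tail_bytes": 0,
                "head_entropy": 0.0, "tail_entropy": 0.0, "trailer_hex": ""}
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    head, tail = body[:ENCRYPTED_PREFIX_LEN], body[ENCRYPTED_PREFIX_LEN:]
    head_ent, tail_ent = shannon_entropy(head), shannon_entropy(tail)
    return {
        "partial_encryption": head_ent > HIGH_ENTROPY and len(tail) > 0
                              and tail_ent < HIGH_ENTROPY,
        "intact_tail_bytes": len(tail),
        "head_entropy": round(head_ent, 2),
        "tail_entropy": round(tail_ent, 2),
        "trailer_hex": trailer.hex(),
    }

def triage_file(path: str) -> dict:
    """Same check for a file on disk; opened read-only, never written."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())

if __name__ == "__main__":
    # Constructed sample: a maximally mixed 10 KB "ciphertext" prefix, a
    # repetitive plaintext remainder, and an all-zero 36-byte trailer.
    sample = bytes(range(256)) * 40 + b"INSERT INTO t VALUES (1,'x');\n" * 300 + bytes(36)
    print(triage_bytes(sample))
```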


@Everyone This forum is monitored by approved personnel.  Only authorized individuals are allowed to post advice in Malware Removal and Ransomware topics.  If you are not one of the handful of individuals who are authorized by Emsisoft to provide assistance in this forum, it is requested that you cease providing advice and assistance to those who are infected.  We do not have problems with you posting links to solutions or information that may be helpful, but we ask that you refrain from posting any advice or providing any assistance, as that could result in unrecoverable data or non-functioning systems. This is the only warning you will receive.  Further posting of advice or assistance will result in the suspension of your posting privileges.

Some of the advice given in this thread by unauthorized helpers is downright dangerous.  Modification of files with the use of a hex editor is not recommended. Especially when dealing with encrypted files.

We understand that you are frustrated and are looking for a solution.  We do not discuss timelines, progress, or establish release dates for any of our tools.  Our support forum is monitored by malware and ransomware authors. On occasion, one will register with our forums and post taunts, misinformation, and sometimes accurate information.  Like the recent post about the leaking of the Dharma (.wallet) master encryption keys and the abandoning of Dharma (.wallet) for Dharma (.onion).

Your cooperation in this matter is appreciated.

Continue to monitor this forum and any new information will be posted when it is available.


I believe everyone here is frustrated that we still can't recover our files. So am I.

I'm also thinking about the possibility of paying the terrorists to get my files saved.

But I still have some hope that the Emsisoft Team can make the decryptor.


I hate cry36.


  • Upvote 2


@Nova We understand that you and the others are frustrated and want your files back in their original format.  We do not recommend paying the ransom.  If you choose to pay the ransom there is a high probability that you will not receive a decryption tool and decryption key.  Many of these ransomware gangs just take your money and leave you with encrypted files.  I recommend that you first try using a file recovery tool like Recuva or EaseUS Data Recovery Wizard Free. If your files are important then you may want to consider employing the services of a company that specializes in forensic data recovery.

On 5/9/2017 at 0:48 PM, ganymede said:

I think this guy might have the actual executable.

On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:

winlogon.exe
-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x
Workstationt
C:\Windows

Maybe that long nonsense string has something to do with the key?


Hey, saw this and wanted to post about it. This appears to be related to SMB exploitation and they dropped this. We've also noticed compromised RDP and SMB exploits being pretty common. Someone correct me if I'm wrong.

25 minutes ago, JesseBropez said:

Hey, saw this and wanted to post about it. This appears to be related to SMB exploitation and they dropped this. We've also noticed compromised RDP and SMB exploits being pretty common. Someone correct me if I'm wrong.

Agree. We were actually searching security logs when we noticed the hackers logging in via RDP. We immediately shut down all access to RDP. Probably should have watched for a little bit, but we were already so compromised and didn't have the skillset to protect against further damage.


Exploiting SMB on vulnerable systems is a new development and is rapidly gaining traction with worm developers.  Exploiting insecure RDP setups has been, and most likely will continue to be, a preferred attack vector.  It ranks right up there with delivering malware via social engineering emails.
