Abhijit

Cry9 - Invalid CRYPTON file pair


About JPEG file recovery: I have been able to recover nearly 90% of my pics with the tool I created.

<LINK TO UNAUTHORIZED SOFTWARE REMOVED>

Another piece of news: the onion resource is no longer available. It is redirected to fgb45ft3pqamyji7.onion and we are able to chat with the bad guys!

Edited by Kevin Zoll
  • Upvote 1

On 06.05.2017 at 9:10 AM, GeorgeB said:

Same problem here. After a quick look, files are encrypted in blocks of 32 bytes. If the file is larger than 320 blocks of 32 bytes (10 KB), the rest of the file remains unencrypted. At the end of the file 36 bytes are added; the first byte differs from file to file and the remaining 35 bytes are the same (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0). If the file size does not divide exactly by 32, the last block of fewer than 32 bytes remains unencrypted.

samples.rar

Analyzing small files I noticed it encrypts on blocks of 16 bytes.
Example:

[Attached image: files.thumb.jpg.e69b55607aee967229c418c49465fd88.jpg]

  • Upvote 1
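As an added example (not code from this thread, from GeorgeB, or from Emsisoft), here is a small Python script that checks a plaintext/encrypted file pair against the layout described in the quoted post and the reply: fixed-size blocks (32 bytes, or 16 bytes as observed on small files), only the first 320 blocks of 32 bytes touched, a partial last block left in the clear, and a 36-byte trailer whose last 35 bytes are constant. The sample pair, its XOR stand-in "cipher" and the 0x2A variable byte are constructed for the demonstration; the trailer bytes, the 10 KB limit and the candidate block sizes are taken from the posts.

```python
"""Structural check of a Cry36/Nemesis plaintext/encrypted file pair.

Encodes the observations quoted above: block-wise encryption (32 bytes, or
16 for small files), only the first 10 KiB touched, a partial last block
left in the clear, and a 36-byte trailer whose last 35 bytes are constant.
The sample pair is constructed; its XOR keystream is only a stand-in so the
pair differs exactly where the post says it should.
"""
from typing import Dict, List, Tuple

TRAILER_LEN = 36
# The 35 constant trailer bytes reported in the post: 31 zero bytes, then EF 52 5E A0.
TRAILER_CONST = bytes(31) + b"\xEF\x52\x5E\xA0"
ENCRYPTED_LIMIT = 320 * 32  # 10 KiB: everything past this offset stays in the clear


def strip_trailer(enc: bytes) -> Tuple[bytes, int]:
    """Split an encrypted file into (body, variable_byte).

    Raises ValueError when the constant 35-byte marker is absent, i.e. the
    file does not have the layout described in the thread."""
    if len(enc) < TRAILER_LEN:
        raise ValueError("file shorter than the 36-byte trailer")
    if enc[-35:] != TRAILER_CONST:
        raise ValueError("trailer marker not found; layout does not match the post")
    return enc[:-TRAILER_LEN], enc[-TRAILER_LEN]


def expected_encrypted_end(body_len: int, block: int) -> int:
    """Offset where encryption should stop for a given block size: the
    10 KiB limit or the last whole block, whichever comes first."""
    return min(ENCRYPTED_LIMIT, (body_len // block) * block)


def differing_blocks(plain: bytes, body: bytes, block: int) -> List[int]:
    """Indices of blocks that differ between the plaintext and the body."""
    n = (max(len(plain), len(body)) + block - 1) // block
    return [i for i in range(n)
            if plain[i * block:(i + 1) * block] != body[i * block:(i + 1) * block]]


def compare_pair(plain: bytes, enc: bytes, block: int = 32) -> Dict:
    """Report whether a pair matches the described layout for one block size."""
    body, variable_byte = strip_trailer(enc)
    diffs = differing_blocks(plain, body, block)
    expected = list(range(expected_encrypted_end(len(plain), block) // block))
    return {
        "block": block,
        "variable_byte": variable_byte,
        "length_match": len(body) == len(plain),
        "differing": diffs,
        "expected": expected,
        # Consistent only if exactly the leading whole blocks up to the limit differ.
        "consistent": len(body) == len(plain) and diffs == expected,
    }


def infer_block_size(plain: bytes, enc: bytes, candidates=(16, 32)) -> List[int]:
    """Block sizes from the thread (16 and 32) that fit this pair. A file larger
    than 10 KiB fits both; a small file with a partial 32-byte block tells
    them apart, which is why small files were the ones that showed 16."""
    return [b for b in candidates if compare_pair(plain, enc, b)["consistent"]]


def make_sample_pair(size: int, block: int) -> Tuple[bytes, bytes]:
    """Construct a plaintext and a matching 'encrypted' file. XOR with a
    repeating keystream is NOT the real cipher, just a stand-in that changes
    every byte inside the region the post says is encrypted."""
    plain = bytes((i * 7 + 3) & 0xFF for i in range(size))
    end = expected_encrypted_end(size, block)
    seed = b"constructed-keystream"  # constructed; every byte is non-zero
    keystream = (seed * (end // len(seed) + 1))[:end]
    body = bytes(p ^ k for p, k in zip(plain[:end], keystream)) + plain[end:]
    return plain, body + b"\x2A" + TRAILER_CONST  # 0x2A: the per-file variable byte


if __name__ == "__main__":
    plain, enc = make_sample_pair(11000, 32)
    print(compare_pair(plain, enc)["consistent"], infer_block_size(plain, enc))
    small_plain, small_enc = make_sample_pair(120, 32)
    print(infer_block_size(small_plain, small_enc))
```

Run against a real pair, the interesting output is a `consistent` of False: a block outside the expected range that differs, or a trailer that is not where the post puts it, is what would mark a file as a different variant rather than a bad pair.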


In the midst of the turmoil - THANK YOU to the Emsisoft team! Sarah W. - thanks for a prompt response to my separate post. I'll patiently wait as the professionals do what they do, unrewarded, but for tidbits of Appreciation.


Looks like the Nemesis ransomware chat website is down. Can anyone confirm whether they got caught or moved on to a new version? If so, are they releasing any keys?


Dear all,

  I had no choice but to pay the ransom for Cry36 yesterday and got almost all my files back.

  The negotiation was long and tiring, and the payment was made via BitCoin.

  I paid twice, for I was infected twice.

  Just for your reference.

  Thanks for all your attention and time.

  Case closed.

Sincerely,

[email protected]

  • Upvote 1


Of course I am willing to do my part to relieve all the other victims of suffering, especially since I have two sets of keys to Cry36.

However, I don't know how and what to do.

I also wrote a lot to them to dissuade them from doing this after I decrypted almost all my files.

  • Upvote 1

6 hours ago, JimmyJAPA said:

Dear all,

  I had no choice but to pay the ransom for Cry36 yesterday and got almost all my files back.

  The negotiation was long and tiring, and the payment was made via BitCoin.

  I paid twice, for I was infected twice.

  Just for your reference.

  Thanks for all your attention and time.

  Case closed.

Sincerely,

[email protected]

Talk about "taking one for the team" (two, actually)! 


Decryption keys are infection and system specific, they are of no help to anyone other than the victim.

  • Downvote 1

10 hours ago, Geng said:

@JimmyJAPA I've heard reports of the decrypter.exe files they send you contains viruses. Can you confirm or deny this?

Hello, Geng,

I am aware of the possibility and I scanned the decryptor immediately after downloading it, using Microsoft Security Essentials.

There was no virus in it.  I checked it again just now since you asked.  Still no virus.

My system is always clean after every reboot.

For your reference.

10 hours ago, LeonardCaldwell said:

Talk about "taking one for the team" (two, actually)! 

I am not quite sure about your question, sorry.

Could you elaborate?


Kevin, though I am well aware that the decryption keys are case specific, the method of decryption is not. By examining and comparing multiple decryption keys there may be a way of identifying a pattern within them that could point to how to reengineer the decryption engine itself. 

Or perhaps you have a more effective approach in mind, in which case please do be sure to let us all know about it as there are a large number of people out there who would like to recover their files and the sooner the better.

  • Upvote 1


It's been over a month. They can't crack this one.

I suggest if you want your files back to try the Proven Data Recovery company as someone mentioned earlier in this thread.

Please report back with your experiences with them.

 

  • Downvote 1


I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure.
To match ID and KEY:
1) At the beginning of the key is the ID in HEX followed by the character "_" (0x5F)
2) The last byte must be 0x00
3) If any byte is changed in the range between 0x5F and 0x00, the key is accepted.
4) If you delete bytes from this interval (shorten the key) the key is accepted.

Considering these I produced a fake key corresponding to Id 1:
ID: 1
KEY HEX
        315F00
KEY ASCII
        1_ (null)
When we click on the "Unlock One" button, the error "Access violation at address 005CC02E in module 'unlock.exe'" is displayed. From here I have concluded that a minimum length is required.

Let's extend the key and test it:
ID: 1
KEY HEX
        315F0000
KEY ASCII
        1_(null) (null)

When we click the "Unlock One" button, the key is accepted and we are invited to choose the encrypted file (whose original name we modified to match ID 1: testfile.txt.id_1_gebdp3k7bolalnd4.onion._).
The content of the file is modified (decrypted with a wrong key) and the extension is correctly changed back to testfile.txt, but the last 36 bytes at the end of the encrypted file are not deleted.

The next test is the incremental addition of bytes in the key. From successive increments we reached the following key contents:
ID: 1
KEY HEX
315F + 48 x (0x00) + 2 x (0x00)
315F
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000

KEY ASCII
1_ + 48 x (null) + 2 x (null)
This key is accepted and this time in the decrypted file the last 36 bytes are also removed, but obviously with the fake key the decryption is incorrect.


I do not know if what I have presented is helpful, but I hope to help and encourage those more experienced than me.
 

  • Upvote 1


So Fabian, please don't take this the wrong way and also know that your efforts have been greatly appreciated, but it stands to reason that if you knew everything there was to know about this encryption then you would also know how to undo it.

I realize I'm flogging a dead horse here, but any method of encryption by design has to have an equal decryption method, or else these morally defunct a-holes would have trouble keeping the money rolling in. Likewise, if it were some insurmountable feat to decrypt it, the slightly less morally defunct but equally greedy a-holes from services like the aforementioned Proven Data Recovery wouldn't be able to fix people's files (for an astronomical price).

It seems from GeorgeB's posts (massive kudos to GeorgeB, btw) that he has been making a fair amount of progress, so maybe some benefit could be reached from collaboration and openly sharing findings and results. It also goes without saying that any positive discoveries can help fundamentally to build defenses against future threats, as these guys are not starting from scratch every time they come out with something new. Yep.


My PC was attacked by BE87R and all my files were encrypted with this extension. Can somebody help me? These are some of the files I could recover from a backup.

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]

Your personal ID: XXXXXXXXX

Using the Cry128, Cry9, decrypt_Amnesia and decrypt_Amnesia2 decryptors, none of them recognizes anything.

THANK YOU

Ventas 1.0 CompEnLinea exceldiario (1).xlsx

Ventas 1.0 CompEnLinea exceldiario (1).xlsx.id-3914712426_[[email protected]].be87r

Ventas 2.0 exceldiario (1).xlsx

Ventas 2.0 exceldiario (1).xlsx.id-3914712426_[[email protected]].be87r

GRUPO linkedin.docx

GRUPO linkedin.docx.id-3914712426_[[email protected]].be87r


Dear Fabian,

So you mean we victims cannot get the decryptor for Cry36 in a short time? At least within a few months?

Thank you.

On 2017-6-5 at 4:52 AM, GeorgeB said:

I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure.
To match ID and KEY:
1) At the beginning of the key is the ID in HEX followed by the character "_" (0x5F)
2) The last byte must be 0x00
3) If any byte is changed in the range between 0x5F and 0x00, the key is accepted.
4) If you delete bytes from this interval (shorten the key) the key is accepted.

Considering these I produced a fake key corresponding to Id 1:
ID: 1
KEY HEX
        315F00
KEY ASCII
        1_ (null)
When we click on the "Unlock One" button, the error "Access violation at address 005CC02E in module 'unlock.exe'" is displayed. From here I have concluded that a minimum length is required.

Let's extend the key and test it:
ID: 1
KEY HEX
        315F0000
KEY ASCII
        1_(null) (null)

When we click the "Unlock One" button, the key is accepted and we are invited to choose the encrypted file (whose original name we modified to match ID 1: testfile.txt.id_1_gebdp3k7bolalnd4.onion._).
The content of the file is modified (decrypted with a wrong key) and the extension is correctly changed back to testfile.txt, but the last 36 bytes at the end of the encrypted file are not deleted.

The next test is the incremental addition of bytes in the key. From successive increments we reached the following key contents:
ID: 1
KEY HEX
315F + 48 x (0x00) + 2 x (0x00)
315F
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000

KEY ASCII
1_ + 48 x (null) + 2 x (null)
This key is accepted and this time in the decrypted file the last 36 bytes are also removed, but obviously with the fake key the decryption is incorrect.


I do not know if what I have presented is helpful, but I hope to help and encourage those more experienced than me.
 

 

Dude, could you send me this program? I need to do some testing because everything I've tried so far has not worked. Thank you.

[email protected]

You accepted Rebeatus's request.
Mike
who sent ya?
Rebeatus Ghoste
 
Rebeatus
I look all over to assist people
Mike
cry36
lost everything
dont see getting it back
question being how do you know i got hit?
i keep my circle small
i run an anti-govt site and radio station so only straight up criminals would have targeted me anyway
Mike
I'm sure you can understand my suspicion
if you are a whitehat
Rebeatus Ghoste
 
Rebeatus
Go search .onion on Facebook and you will see your post among all
Mike
so is there a decryption solution?
so far not
Rebeatus Ghoste
 
Rebeatus
so you tried it all
Seen by Rebeatus Ghoste at 2:39pm
Mike
yep
36 is a very badly formed piece of crap
and you can't even contact the criminals that do it because it was built so badly
I'd never pay em but I'd like to get a few of the files back, mostly just my music library
the rest of the stuff was useless, replaceable or backed up
i use linux for the important stuff
if you're a white hat jump in and assist i guess
the two systems that got hit already went thru the grinder and i took the encrypted files and put em away in case a key comes up

7 hours ago, antoniocmoura said:

 

Dude, could you send me this program? I need to do some testing because everything I've tried so far has not worked. Thank you.

[email protected]

 

And that will not work either. GeorgeB stated " but obviously with the fake key the decryption is incorrect "

On 2017-05-17 at 4:53 PM, Frank chen said:

Can we know how the progress of cry128 36b variant decrypter is now? I am about to graduate in 1 month and all my matlab code is encrypted. I am not sure if I should pay or wait for you guys to save me. @Kevin Zoll  May god bless u 

Share your MATLAB file here; we can try to look into it.


No, I do not work on the development of the decryption tools. However, unless someone associated with Emsisoft tells you that a method is safe to use, do not use it. Everything that has been posted by non-Emsisoft personnel, with the exception of Demonslay335, should be ignored. For all you know, it could be the malware author posting misinformation with the intent to cause further damage.

Also, I know enough about cryptography to know what was suggested will not work.

  • Upvote 1


My name is GeorgeB and I'm not a cybercriminal.
I'm also not a victim of this ransomware virus. I want to help someone who ignored my advice about a real backup solution. When he lost all his data he wanted to pay the ransom. My advice was: "Do not pay the ransom!"
While we are debating whether it is right or not to share knowledge about how this ransomware works, the authors build new versions, because they share their knowledge with each other.
I think there is nothing wrong with studying and sharing. Great discoveries have come from people who did not know that something was impossible.


I really wanted a solution to my problem. I just asked if you are part of the development area because I wanted to know if there is anyone trying to develop something to decrypt my files. I saw that there are several tools that decrypt other types of ransomware, and I understand that someone should create a tool that will do it for my files.


People need to understand that this forum is hosted by Emsisoft, a company selling anti-malware tools etc. They cannot endorse anything as a solution to this ransomware other than their software (or perhaps some other application from a digitally verified source), if for no other reason than corporate liability. No offense to anyone here trying to help, but if you want to "go rogue", I suggest starting a thread on Bleeping Computer. Knowledge sharing is always welcome though.

Sounds to me like the folks here have done all they can with the info at hand. All we can do now is wait and hope people stop paying the ransom so the criminals get bored or something and leak info.


I am not actually in a position to pay the ransom, and I did have a backup of most of my files, but a few were still lost. I have entered this discussion to try to understand how file decryption works, since it's such a common process nowadays. I'll be waiting to see if anyone develops any tools that can decrypt the files I don't have a backup for; as for the ransom payment, I have no intention of paying.


Paying is not an option. In my case they asked me for 12btc. The cybersecurity companies in my country advised me to pay but I will not.

I shared the case with antivirus companies and I see more progress in finding the solution. I will keep you informed


Fabian, is it useful to you guys to get encrypted and unencrypted file pairs for cry36?  One of our lab computers was infected at the end of April and some of the files were backed up so I have several dozen pairs of files.  Also we did have important scientific data on the machine that was not backed up and we'd love to decrypt it without resorting to paying criminals.  Is there any chance of eventually releasing a decryptor like you have for cry9 or cry128?


I notice some email addresses on aol.com have been used for some time now.

Is it really that hard to trace the emails back to their origin? Is there any point in reporting files held hostage to the authorities, or is there nothing they can do?


Hello to you all,

l don't know how some of you are going to react to my post but the end is what matters.

On Friday morning we (a company) were infected with the Cry36 virus (ransomware).

Our Server 2008 R2 had anti-virus and was up to date with Windows Update.

At the time we had an external hard drive connected to the server (the only one we had), since we didn't have a duplicate because the second one had failed on us.

Due to hard times here in Greece we thought that one hard drive was enough.

Since our server was under repair with a RAID problem, we had a live backup.

All our files were encrypted. Most of you will probably understand.

We called the local police, the Internet Crime Center Greece and Interpol.

We had support from a number of techs and antivirus professionals in Greece and around the world.

We had no choice but to gamble with the hackers.

They asked for $800 in bitcoin.

We exchanged emails with them nearly every day.

The process of obtaining bitcoin was a long and stressful time. The amount of money we were losing day by day was a nightmare.

After 8 days we had the bitcoin; we transferred it to the people responsible and in 15 minutes we had the unlock.exe with our ID and a password, from Greece to the US.

They even gave us instructions and warnings not to damage the files.

We got all our files back!!!!!!!!!!!!!!

Yes, we did the wrong thing and paid.

In the end we lost a lot of money and lived 10 days of hell!!!!!

The infection came from a personal email...

 

 

  • Upvote 2

1 hour ago, Fabian Wosar said:

You can try this decrypter:

http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip

Kaspersky got their hands on some of the keys for Cry36/Nemesis. So that may work. Make sure the version is 1.21.2.0 or later.

Hi Fabian,

In some cases it works. In my case it does not support the 830s7 extension type.

Regards

7 minutes ago, ganymede said:

I double click the exe inside and nothing happens. That was disappointing...

 

Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/


No luck with the .onion files here either. Got my hopes up for a minute there. Oh well, hopefully the Kaspersky tool will help out some of the other people dealing with this at least. 


Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?

 

12 hours ago, Fabian Wosar said:

It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer, that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

Ruben-e on the Bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not for me? Wouldn't the same extension be a part of the same campaign?

14 hours ago, Smok3d said:

Ruben-e on the Bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not for me? Wouldn't the same extension be a part of the same campaign?

We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.
