Kestukas (posted May 27, 2017): 9 hours ago, NnitehawkK-fb said: http://borncity.com/win/2017/05/25/wannacry-co-eternalblue-vulnerability-checker-und-crysis-ransomware-decryptor/ anyone wanna try this? It does not work.
matwachich (posted May 27, 2017; edited May 30, 2017 by Kevin Zoll): About JPEG file recovery, I have been able to recover nearly 90% of my pictures with the tool I created. <LINK TO UNAUTHORIZED SOFTWARE REMOVED> Other news: the onion resource is no longer available. It is redirected to fgb45ft3pqamyji7.onion and we are able to chat with the bad guys!
GeorgeB (posted May 28, 2017): On 06.05.2017 at 9:10 AM, GeorgeB said: Same problem here. After a short look, files are encrypted in blocks of 32 bytes. If the file is larger than 320 blocks of 32 bytes (10 KB), the rest of the file remains unencrypted. At the end of the file 36 bytes are added; the first byte differs from file to file and the remaining 35 bytes are the same (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF 52 5E A0). If the file size does not divide exactly by 32, then the last block of less than 32 bytes remains unencrypted. samples.rar
Analyzing small files, I noticed it encrypts in blocks of 16 bytes. Example:
NnitehawkK-fb (posted May 30, 2017): I get the impression decryption is never gonna happen. I don't care about photos, just my WAV and MP3 files, album masters, et cetera.
LeonardCaldwell (posted May 30, 2017): In the midst of the turmoil, THANK YOU to the Emsisoft team! Sarah W., thanks for a prompt response to my separate post. I'll patiently wait as the professionals do what they do, unrewarded but for tidbits of appreciation.
Alex B (posted June 1, 2017): Looks like the Nemesis ransomware chat website is down. Can anyone confirm whether they got caught or moved on to a new version? If so, are they releasing any keys?
a1fa (posted June 2, 2017): 17 hours ago, Alex B said: are they releasing any keys? Probably not...
JimmyJAPA (posted June 2, 2017): Dear all, I had no choice but to pay the ransom for Cry36 yesterday and got almost all my files back. The negotiation was long and tiring, and the payment was made via Bitcoin. I paid twice, for I was infected twice. Just for your reference. Thanks for all your attention and time. Case closed. Sincerely, [email protected]
MTG Joel (posted June 2, 2017): Any chance you could submit the decryption keys for analysis so that the rest of us might be spared the burden?
JimmyJAPA (posted June 2, 2017): Of course I am willing to do my part to relieve all the other victims of suffering, especially since I have two sets of keys to Cry36. However, I don't know how and what to do. I also wrote a lot to them to dissuade them from doing this after I decrypted almost all my files.
LeonardCaldwell (posted June 2, 2017): 6 hours ago, JimmyJAPA said: Dear all, I had no choice but to pay the ransom for Cry36 yesterday and got almost all my files back. [...] I paid twice, for I was infected twice. Talk about "taking one for the team" (two, actually)!
Geng (posted June 2, 2017): @JimmyJAPA I've heard reports that the decrypter.exe files they send you contain viruses. Can you confirm or deny this?
Kevin Zoll (posted June 2, 2017): Decryption keys are infection- and system-specific; they are of no help to anyone other than the victim.
JimmyJAPA (posted June 3, 2017): 10 hours ago, Geng said: @JimmyJAPA I've heard reports that the decrypter.exe files they send you contain viruses. Can you confirm or deny this? Hello, Geng, I am aware of the possibility and I scanned the decryptor immediately after downloading it, using Microsoft Security Essentials. There was no virus in it. I checked it again just now since you asked. Still no virus. My system is always clean after every reboot. For your reference.
10 hours ago, LeonardCaldwell said: Talk about "taking one for the team" (two, actually)! I am not quite sure about your question, sorry. Could you elaborate?
MTG Joel (posted June 3, 2017): Kevin, though I am well aware that the decryption keys are case-specific, the method of decryption is not. By examining and comparing multiple decryption keys there may be a way of identifying a pattern within them that could point to how to re-engineer the decryption engine itself. Or perhaps you have a more effective approach in mind, in which case please do be sure to let us all know about it, as there are a large number of people out there who would like to recover their files, and the sooner the better.
Palat Bo (posted June 4, 2017): Any news about the Cry36 decrypter?
Geng (posted June 5, 2017): It's been over a month. They can't crack this one. I suggest, if you want your files back, trying the Proven Data Recovery company as someone mentioned earlier in this thread. Please report back with your experiences with them.
GeorgeB (posted June 5, 2017): I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure. To match ID and KEY:
1) At the beginning of the key is the ID in hex, followed by the character "_" (0x5F).
2) The last byte must be 0x00.
3) If any byte is changed in the range between the 0x5F and the final 0x00, the key is still accepted.
4) If you delete bytes from this interval (shorten the key), the key is still accepted.
Considering these, I produced a fake key corresponding to ID 1:
ID: 1
KEY HEX: 315F00
KEY ASCII: 1_(null)
When we click the "Unlock One" button, the error "Access violation at address 005CC02E in module unlock.exe" is displayed. From here I concluded that a minimum length is required. Let's extend the key and test it:
ID: 1
KEY HEX: 315F0000
KEY ASCII: 1_(null)(null)
When we click the "Unlock One" button, the key is accepted and we are invited to choose the encrypted file (whose original name we modified to match ID 1: testfile.txt.id_1_gebdp3k7bolalnd4.onion._). The content of the file is modified (decrypted with a wrong key) and the extension is correctly changed back to testfile.txt, but the last 36 bytes at the end of the encrypted file are not removed. The next test is the incremental addition of bytes to the key. From successive increments we reached the following key contents:
ID: 1
KEY HEX: 315F + 48 x 00 + 2 x 00, i.e.
315F 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 0000
KEY ASCII: 1_ + 48 x (null) + 2 x (null)
This key is accepted, and this time the last 36 bytes are also removed from the decrypted file, but obviously with the fake key the decryption is incorrect. I do not know if what I have presented is helpful, but I hope to help and encourage those more experienced than me.
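The two GeorgeB posts above (the May 28 file-layout observations and the June 5 note on the trailing 36 bytes and the renamed-file convention) describe enough structure to triage a file without any key: the footer marker identifies the layout, the filename carries the victim ID and the original name, and everything after the encrypted prefix is plaintext that can be recovered by truncation. The following helper is an added example written for this page, not code from the thread, from GeorgeB's tool or from any vendor decrypter. It encodes the thread's observations as assumptions (32-byte blocks, 10 KB encrypted prefix, a 36-byte footer whose last 35 bytes are fixed); GeorgeB later mentions 16-byte blocks, so BLOCK_SIZE is a parameter rather than a verified fact. The file contents and the "[mail]" placeholder in the sample name are constructed test data.

```python
"""Key-less triage for files in the Cry36/Nemesis layout described in this thread.

Added example for this page; the layout constants below are the thread's
observations, treated here as a working model rather than a verified spec.
"""
import re

ENCRYPTED_PREFIX_LEN = 320 * 32   # assumption: only the first 10 KB is encrypted
BLOCK_SIZE = 32                   # assumption: a trailing partial block stays plaintext
FOOTER_LEN = 36                   # assumption: 1 variable byte + 35 constant bytes
FOOTER_CONST = bytes(31) + bytes.fromhex("EF525EA0")   # the 35 constant footer bytes

# Filename shapes quoted in the thread:
#   testfile.txt.id_1_gebdp3k7bolalnd4.onion._
#   GRUPO linkedin.docx.id-3914712426_[email].be87r
NAME_RE = re.compile(r"^(?P<orig>.+?)\.id[-_](?P<vid>\d+)_(?P<rest>.+)$")


def parse_name(filename):
    """Return (original_name, victim_id), or None if the name does not fit the pattern."""
    m = NAME_RE.match(filename)
    return (m.group("orig"), m.group("vid")) if m else None


def has_footer(data):
    """True if the file ends with the 35 constant footer bytes (first footer byte varies)."""
    return len(data) >= FOOTER_LEN and data[-35:] == FOOTER_CONST


def split_layout(data):
    """Split a file into (encrypted_region, plaintext_tail, footer) per the observed layout."""
    if not has_footer(data):
        raise ValueError("footer marker not found; not the layout this helper understands")
    body = data[:-FOOTER_LEN]
    enc_len = min(len(body), ENCRYPTED_PREFIX_LEN)
    enc_len -= enc_len % BLOCK_SIZE   # bytes after the last full block were left as-is
    return body[:enc_len], body[enc_len:], data[-FOOTER_LEN:]


def triage(filename, data):
    """Summarise what is and is not recoverable from one file without the key."""
    parsed = parse_name(filename)
    enc, tail, footer = split_layout(data)
    return {
        "original_name": parsed[0] if parsed else None,
        "victim_id": parsed[1] if parsed else None,
        "encrypted_bytes": len(enc),
        "plaintext_bytes": len(tail),   # recoverable by truncation, no key needed
        "footer_first_byte": footer[0],
    }


def make_sample(total_len, victim_id="3914712426"):
    """Constructed test file in the observed layout (not a real capture)."""
    body_len = total_len - FOOTER_LEN
    enc_len = min(body_len, ENCRYPTED_PREFIX_LEN)
    enc_len -= enc_len % BLOCK_SIZE
    scrambled = bytes((i * 37 + 11) & 0xFF for i in range(enc_len))  # stands in for ciphertext
    tail = b"T" * (body_len - enc_len)                                # untouched plaintext
    footer = bytes([0x07]) + FOOTER_CONST
    name = f"report.pdf.id-{victim_id}_[mail].be87r"   # hypothetical name, thread's shape
    return name, scrambled + tail + footer


if __name__ == "__main__":
    sample_name, sample_data = make_sample(12000)
    print(triage(sample_name, sample_data))
```

For a 12,000-byte sample the helper reports 10,240 encrypted bytes and 1,724 plaintext bytes; for files of a few hundred KB the plaintext share is what made matwachich's JPEG recovery feasible. It reveals nothing about the key and decrypts nothing; it only tells you how much of each file was never encrypted in the first place.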
Fabian Wosar (posted June 5, 2017): We know everything there is to know about the format and how these keys are created. It is because we know exactly how those keys are generated and used that we know we can't do anything, at least for the time being. While an attack is still possible, it simply would take too long to be feasible (we are talking many years here).
Cesar1986 (posted June 5, 2017): Hi, just as documentation: my server was attacked by ransomware with the extension .830s7. If anyone has any solution, please share.
MTG Joel (posted June 6, 2017): So Fabian, please don't take this the wrong way, and also know that your efforts have been greatly appreciated, but it stands to reason that if you knew everything there was to know about this encryption then you would also know how to undo it. I realize I'm flogging a dead horse here, but any method of encryption by design has to have an equal decryption method, or else these morally defunct a-holes would have trouble keeping the money rolling in; likewise, if it were some insurmountable feat to decrypt it, the slightly less morally defunct but equally greedy a-holes from services like the aforementioned Proven Data Recovery wouldn't be able to fix people's files (for an astronomical price). It seems from GeorgeB's posts (massive kudos to GeorgeB, btw) that he has been making a fair amount of progress, so maybe some benefit could be reached from collaboration and openly sharing findings and results. It also goes without saying that any positive discoveries can help fundamentally to build defenses against future threats, as these guys are not starting from scratch every time they come out with something new. Yep.
Fabian Wosar (posted June 6, 2017): 9 hours ago, MTG Joel said: So Fabian, please don't take this the wrong way, and also know that your efforts have been greatly appreciated, but it stands to reason that if you knew everything there was to know about this encryption then you would also know how to undo it.
We know both how to encrypt and decrypt. They use standard AES-256 and RC4. What most people don't understand, you included, is that for modern encryption it is irrelevant whether you know how a file is encrypted or decrypted. Quite frankly, any encryption algorithm worth anything will have been thoroughly analysed, scrutinised and discussed publicly, often for years, before it is used in production. They are designed so that, without the key, the algorithm and the knowledge of what the ransomware does with the key and the data aren't worth anything.
MTG Joel said: I realize I'm flogging a dead horse here, but any method of encryption by design has to have an equal decryption method, or else these morally defunct a-holes would have trouble keeping the money rolling in; likewise, if it were some insurmountable feat to decrypt it, the slightly less morally defunct but equally greedy a-holes from services like the aforementioned Proven Data Recovery wouldn't be able to fix people's files (for an astronomical price).
What these companies do is pay the ransomware authors to get the keys, then sell you those keys with a markup. Nothing else.
MTG Joel said: It seems from GeorgeB's posts (massive kudos to GeorgeB, btw) that he has been making a fair amount of progress, so maybe some benefit could be reached from collaboration and openly sharing findings and results.
Openly sharing findings and results just leads to ransomware authors fixing the underlying flaws.
Teutonia (posted June 6, 2017): My PC was attacked by BE87R and all my files were encrypted with this extension. Can somebody help me? These are some of the files I could recover from a backup.
*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]
Your personal ID: XXXXXXXXX
Using the Cry128, Cry9, decrypt_Amnesia and decrypt_Amnesia2 decryptors, none of them recognizes anything. THANK YOU
Ventas 1.0 CompEnLinea exceldiario (1).xlsx
Ventas 1.0 CompEnLinea exceldiario (1).xlsx.id-3914712426_[[email protected]].be87r
Ventas 2.0 exceldiario (1).xlsx
Ventas 2.0 exceldiario (1).xlsx.id-3914712426_[[email protected]].be87r
GRUPO linkedin.docx
GRUPO linkedin.docx.id-3914712426_[[email protected]].be87r
Fabian Wosar (posted June 6, 2017): @Teutonia, that is Cry36. No fix for that as of yet.
Nova (posted June 6, 2017): Dear Fabian, so you mean we, the victims, cannot get the decryptor for Cry36 in a short time? At least not in a few months? Thank you.
Fabian Wosar (posted June 6, 2017): It's rather unlikely that there will be a change anytime soon unless the C2 server is seized or the keys get released somehow.
antoniocmoura (posted June 7, 2017): On 2017-6-5 at 4:52 AM, GeorgeB said: I have studied the behavior of the decryption program (unlock.exe) and have noticed some aspects of the decryption key structure. [...] This key is accepted, and this time the last 36 bytes are also removed from the decrypted file, but obviously with the fake key the decryption is incorrect.
Dude, could you send me this program? I need to do some testing because everything I've tried so far has not worked. Thank you. [email protected]
NnitehawkK-fb (posted June 7, 2017), pasting a chat:
You accepted Rebeatus's request.
Mike: Who sent ya?
Rebeatus: I look all over to assist people.
Mike: Cry36. Lost everything, don't see getting it back. Question being, how do you know I got hit? I keep my circle small. I run an anti-government site and radio station, so only straight-up criminals would have targeted me anyway.
Mike: I'm sure you can understand my suspicion, if you are a whitehat.
Rebeatus: Go search .onion on Facebook and you will see your post among all.
Mike: So is there a decryption solution? So far not. https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/?page=3
Rebeatus: So you tried it all?
Mike: Yep. 36 is a very badly formed piece of crap and you can't even contact the criminals that do it because it was built so badly. I'd never pay 'em, but I'd like to get a few of the files back, mostly just the music library; the rest of the stuff was useless, replaceable or backed up. I use Linux for the important stuff. If you're white hat, jump in and assist, I guess. https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/?page=4 The two systems that got hit already went through the grinder, and I took the encrypted files and put 'em away in case a key comes up.
Kevin Zoll (posted June 7, 2017): 7 hours ago, antoniocmoura said: Dude, could you send me this program? I need to do some testing because everything I've tried so far has not worked. Thank you. [email protected]
And that will not work either. GeorgeB stated: "but obviously with the fake key the decryption is incorrect".
Alessandro Domingues (posted June 8, 2017): Hi, I have more than 30,000 encrypted files on my machine. How do I know which malware I need to decrypt? How do I know if I can recover these files? I have tested more than 20 tools and none worked. My files have the extension id-1238399656_[[email protected]].830s7. Can anyone help me?
Kestukas (posted June 8, 2017): On 2017-05-17 at 4:53 PM, Frank chen said: Can we know how the progress of the cry128 36b variant decrypter is now? I am about to graduate in 1 month and all my MATLAB code is encrypted. I am not sure if I should pay or wait for you guys to save me. @Kevin Zoll May God bless you.
Share your MATLAB file here; we can try to look into it.
Alessandro Domingues (posted June 8, 2017): 1 hour ago, Kestukas said: Share your MATLAB file here; we can try to look into it.
I have this same problem; my files have also been encrypted. For example: SICREDI.INI.id-1238399656_[[email protected]].830s7
Alessandro Domingues (posted June 8, 2017): 23 hours ago, Kevin Zoll said: And that will not work either. GeorgeB stated: "but obviously with the fake key the decryption is incorrect".
Do you work on the development of new decryption tools?
Kevin Zoll (posted June 8, 2017): No, I do not work on the development of the decryption tools. However, unless someone associated with Emsisoft tells you that a method is safe to use, do not use it. Everything that has been posted by non-Emsisoft personnel, with the exception of Demonslay335, should be ignored. For all you know, it could be the malware author posting misinformation with the intent to cause further damage. Also, I know enough about cryptography to know that what was suggested will not work.
GeorgeB (posted June 9, 2017): My name is GeorgeB and I'm not a cybercriminal. Also, I'm not a victim of this ransomware. I want to help someone who ignored my advice about a real backup solution. When he lost all his data he wanted to pay the ransom. My advice was: "Do not pay the ransom!" While we are debating whether it is right or not to share knowledge about how this ransomware works, the authors build new versions, because they share their knowledge with each other. I think there is nothing wrong with studying and sharing. Great discoveries have come from people who did not know that something was impossible.
Alessandro Domingues (posted June 9, 2017): I really wanted a solution to my problem. I just asked if you are part of the development area because I wanted to know if there is anyone trying to develop something to decrypt my files. I saw that there are several tools that decrypt other types of ransomware, and I understand that someone should create a tool that will do it for my files.
ganymede (posted June 9, 2017): People need to understand that this forum is hosted by Emsisoft, a company selling anti-malware tools etc. They cannot endorse anything as a solution to this ransomware other than their software (or perhaps some other application from a digitally verified source), if for no other reason than corporate liability. No offense to anyone here trying to help, but if you want to "go rogue", I suggest starting a thread on Bleeping Computer. Knowledge sharing is always welcome, though. Sounds to me like the folks here have done all they can with the info at hand. All we can do now is wait and hope people stop paying the ransom so the criminals get bored or something and leak info.
Alessandro Domingues (posted June 9, 2017): I do not actually have the means to pay the ransom, and in particular I had a backup of most of my files, but we always lose a few. I entered this discussion to try to understand how file decryption works, since it's such a common process nowadays. I'll be waiting to see if anyone develops any tool that can decrypt the files I don't have a backup of. As for paying the ransom, I have no intention of paying.
Cesar1986 (posted June 9, 2017): Paying is not an option. In my case they asked me for 12 BTC. The cybersecurity companies in my country advised me to pay, but I will not. I shared the case with antivirus companies and I see more progress in finding the solution. I will keep you informed.
Alessandro Domingues (posted June 9, 2017): OK Cesar, I will also wait. I even went to the local authorities and reported the crime of extortion, but they said they still can't do anything. I will continue to await the solution to this problem.
evilxsystems (posted June 10, 2017): Fabian, is it useful to you guys to get encrypted and unencrypted file pairs for Cry36? One of our lab computers was infected at the end of April and some of the files were backed up, so I have several dozen pairs of files. Also, we did have important scientific data on the machine that was not backed up and we'd love to decrypt it without resorting to paying criminals. Is there any chance of eventually releasing a decryptor like you have for Cry9 or Cry128?
Robinnnn (posted June 11, 2017): I notice some email addresses on aol.com have been used for some time now. Is it really that hard to trace the emails back to their origin? Is there any use in reporting a hostage-taking of files to the authorities, or is there nothing they can do?
Alessandro Domingues (posted June 12, 2017): Here in Brazil I scoured the authorities, but they only deal with financial crimes. AOL has a department that receives these complaints; it verifies them, but the most it will do is cancel access to the email account.
sofiapapas80 (posted June 13, 2017): Hello to you all. I don't know how some of you are going to react to my post, but the end is what matters. On Friday morning we (a company) were infected by the Cry36 virus (ransomware). Our Server 2008 R2 had anti-virus and was up to date with Windows Update. At the time we had an external hard drive connected to the server (the only one we had), since we didn't have a duplicate because the second one had failed on us. Due to hard times here in Greece we thought that one hard drive was enough. Since our server was under repair with a RAID problem, we had a live backup. All our files were encrypted. Most of you will probably understand. We called the local police, the Internet Crime Center Greece and Interpol. We had support from a number of techs and antivirus professionals in Greece and around the world. We had no choice but to gamble with the hackers. They asked for $800 in bitcoin. We had email exchanges with them nearly every day. The process to obtain bitcoin was a long and stressful time. The amount of money we were losing day by day was a nightmare. After 8 days we had the bitcoin, we transferred them to the people responsible, and in 15 minutes we had the unlock.exe with our ID and a password, from Greece to the US. They even gave us instructions and warnings not to damage the files. We got all our files back!!!!!!!!!!!!!! Yes, we did the wrong thing and paid. In the end we lost a lot of money and lived through 10 days of hell!!!!! The virus came in through a personal email...
Fabian Wosar (posted June 14, 2017): You can try this decrypter: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis, so that may work. Make sure the version is 1.21.2.0 or later.
sofiapapas80 (posted June 14, 2017): Well, thank you, but it's too late now. We have paid them and we have got our data back.
Cesar1986 (posted June 14, 2017): 1 hour ago, Fabian Wosar said: You can try this decrypter: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis, so that may work. Make sure the version is 1.21.2.0 or later.
Hi Fabian, in some cases it works. In my case it does not support the 830s7 extension type. Regards
Alessandro Domingues (posted June 14, 2017): Hi Fabian, in some cases it works. In my case it does not support the 830s7 extension type. Regards
ganymede (posted June 15, 2017): 11 hours ago, Fabian Wosar said: You can try this decrypter: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis, so that may work. Make sure the version is 1.21.2.0 or later.
I double-click the exe inside and nothing happens. That was disappointing...
ganymede (posted June 15, 2017): 7 minutes ago, ganymede said: I double-click the exe inside and nothing happens. That was disappointing...
Never mind, apparently it works on Windows 7 at least. It didn't accept my .onion files as being compatible, though. :/