Abhijit

Cry9 - Invalid CRYPTON file pair

By Abhijit, in Help, my files are encrypted!

Recommended Posts

MTG Joel    2

MTG Joel
Posted

No luck with the .onion files here either. Got my hopes up for a minute there. Oh well, hopefully the Kaspersky tool will help out some of the other people dealing with this at least. 

Share this post

Link to post
Share on other sites

Fabian Wosar    390

Fabian Wosar
Posted
10 hours ago, ganymede said:

Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/

It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer, that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

Share this post

Link to post
Share on other sites

ganymede    3

ganymede
Posted

Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?

 

Share this post

Link to post
Share on other sites

Smok3d    0

Smok3d
Posted
12 hours ago, Fabian Wosar said:

It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer, that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

Ruben-e on bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be apart of the same campaign?

Share this post

Link to post
Share on other sites

Cesar1986    0

Cesar1986
Posted
14 hours ago, Smok3d said:

Ruben-e on bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be apart of the same campaign?

We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.

Share this post

Link to post
Share on other sites

Smok3d    0

Smok3d
Posted
12 hours ago, Cesar1986 said:

We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.

Did you let Kaspersky know that the decryptor did not work? Are they going to help you more?

Share this post

Link to post
Share on other sites

pannico    0

pannico
Posted
10 hours ago, Alessandro Domingues said:

Ola boa noite , hoje tive uma otima noticia , a Kaspersky atualizou seu software de decriptografia , e agora tive todos os meus arquivos desencriptados 

Compartilha esse link jovem \o/

Share this post

Link to post
Share on other sites

jimmy    0

jimmy
Posted

All my files  just have been encrypted, all my videos and photos of my family, my sons since they were born are gone. Looks like it was Cry36 which I believe no decryptor till now.

I have uploaded sample  of encrypted and original unencrypted file if this will help anyone to create the decryptor.

https://www.dropbox.com/s/u2uro2uxbndayja/cry36 encrypted files.zip?dl=0

 

Many thanks

Share this post

Link to post
Share on other sites

Kestukas    1

Kestukas
Posted

yes, seems it is hard to decrypt this one, as at start i wanted to look for encryption because thys encryption virus crypting only 36bytes of file, so other parts of files is recoverable, and posted info how people can try recovering data if they have large files, but EMSI denied my post saying this is harmfull , and need to wait for emsisoft to make an decryptos :) , so we wait now :)) because i have no will to do it myself , while i get punch in a head trying to help.

Share this post

Link to post
Share on other sites

Fabian Wosar    390

Fabian Wosar
Posted

As mentioned before in various places: We classified Cry36 as not feasible to decrypt using the restrictions we try to operate within. Kaspersky was able to "liberate" some of the private keys, so you can try to contact them. But it is highly unlikely that there will be a new decrypter for Cry36 from us.

Share this post

Link to post
Share on other sites

GT500    808

GT500
Posted

To my knowledge, there has been no news about a free cry36 decryption tool.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

  • Upvote 1

Share this post

Link to post
Share on other sites

GT500    808

GT500
Posted
5 hours ago, anto19900 said:

Any news about cry36 ? how much would it cost (cry36 decrypter) ? 

I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.

Share this post

Link to post
Share on other sites

Nova    2

Nova
Posted
On 10/23/2018 at 4:07 AM, GT500 said:

I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.

However, cry36 still exists, but cannot to contact the criminals even I wants to pay for it.

Share this post

Link to post
Share on other sites

GT500    808

GT500
Posted
3 hours ago, Nova said:

However, cry36 still exists, but cannot to contact the criminals even I wants to pay for it.

It's possible that at some point in the future someone will gain access to the database of private keys on the servers operated by the criminals who made/distributed Cry36, and be able to make a free decryption tool. Until then, it is recommended to keep a backup copy of encrypted files, that way you'll have them in a safe place if a free decrypter is released.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.