Cry9 - Invalid CRYPTON file pair

[MTG Joel 2]

No luck with the .onion files here either. Got my hopes up for a minute there. Oh well, hopefully the Kaspersky tool will help out some of the other people dealing with this at least. 

[Frank chen 0]

Mine is win7, no useful either

[Fabian Wosar 390]

10 hours ago, ganymede said:

Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/

It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer, that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

[ganymede 3]

Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?

 

[Smok3d 0]

12 hours ago, Fabian Wosar said:

It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer, that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

Ruben-e on bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be apart of the same campaign?

[Fabian Wosar 390]

Not necessarily. More indicative of campaigns is the same C2 server being in use.

[Cesar1986 0]

14 hours ago, Smok3d said:

Ruben-e on bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be apart of the same campaign?

We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.

[Smok3d 0]

12 hours ago, Cesar1986 said:

We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.

Did you let Kaspersky know that the decryptor did not work? Are they going to help you more?

[Alessandro Domingues 0]

I also have the same problem, and I also sent my files to Kaspersky, and I still have no feedback, I think my option will be to pay, since I can not run out of some files.

[Alessandro Domingues 0]

Today even being advised not to make the payment, we made the payment requested by [email protected], email that was included in the redemption note. And after we made the payment, he did not provide the key to decrypt the files and asked him to make another payment. Unfortunately I got sick.

[Alessandro Domingues 0]

Really even after paying the amount requested the criminals did not release the keys and decryption software from my files, had to pay dearly for trusting these people, I ended my conversations with them. But be warned do not pay redemptions.

[Alessandro Domingues 0]

Ola boa noite , hoje tive uma otima noticia , a Kaspersky atualizou seu software de decriptografia , e agora tive todos os meus arquivos desencriptados 

[pannico 0]

10 hours ago, Alessandro Domingues said:

Ola boa noite , hoje tive uma otima noticia , a Kaspersky atualizou seu software de decriptografia , e agora tive todos os meus arquivos desencriptados 

Compartilha esse link jovem \o/

[Alessandro Domingues 0]

ftp://decrypt_tools_ro:[email protected]/RakhniDecryptor/1.21.3.6/RakhniDecryptor.rar


 

[NnitehawkK-fb 1]

anything yet on the .onion decryption?

[jimmy 0]

All my files  just have been encrypted, all my videos and photos of my family, my sons since they were born are gone. Looks like it was Cry36 which I believe no decryptor till now.

I have uploaded sample  of encrypted and original unencrypted file if this will help anyone to create the decryptor.

https://www.dropbox.com/s/u2uro2uxbndayja/cry36 encrypted files.zip?dl=0

 

Many thanks

[NnitehawkK-fb 1]

appears this is dead?

 

[Kestukas 1]

yes, seems it is hard to decrypt this one, as at start i wanted to look for encryption because thys encryption virus crypting only 36bytes of file, so other parts of files is recoverable, and posted info how people can try recovering data if they have large files, but EMSI denied my post saying this is harmfull , and need to wait for emsisoft to make an decryptos , so we wait now :)) because i have no will to do it myself , while i get punch in a head trying to help.

[Fabian Wosar 390]

As mentioned before in various places: We classified Cry36 as not feasible to decrypt using the restrictions we try to operate within. Kaspersky was able to "liberate" some of the private keys, so you can try to contact them. But it is highly unlikely that there will be a new decrypter for Cry36 from us.

[a1fa 0]

is there any other companies working on cure of cry36? (id_*********_fgb45ft3pqamyji7.onion)

[Kestukas 1]

yeah, my is exactly same encrypotion with same ending, when i logged in tor network on my id it said nemesis encryption id_2809157423_fgb45ft3pqamyji7.onion

[Fabian Wosar 390]

Avast was looking into Cry36 as well but ultimately came to the same conclusion that we did, that decryption is infeasible.

[a1fa 0]

any good news about cry36?

maybe someone released keys or decrypter?

[GT500 860]

To my knowledge, there has been no news about a free cry36 decryption tool.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

[anto19900 0]

Any news about cry36 ? how much would it cost (cry36 decrypter) ? 

[GT500 860]

5 hours ago, anto19900 said:

Any news about cry36 ? how much would it cost (cry36 decrypter) ? 

I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.

[Nova 2]

On 10/23/2018 at 4:07 AM, GT500 said:

I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.

However, cry36 still exists, but cannot to contact the criminals even I wants to pay for it.

[GT500 860]

3 hours ago, Nova said:

However, cry36 still exists, but cannot to contact the criminals even I wants to pay for it.

It's possible that at some point in the future someone will gain access to the database of private keys on the servers operated by the criminals who made/distributed Cry36, and be able to make a free decryption tool. Until then, it is recommended to keep a backup copy of encrypted files, that way you'll have them in a safe place if a free decrypter is released.

[a1fa 0]

any good news on cry36? 🤞

[GT500 860]

8 hours ago, a1fa said:

any good news on cry36? 🤞

No, unfortunately nothing new has been discovered about this ransomware.

[a1fa 0]

anyone still working on solution for cry36 or it's totally dead? :(

[GT500 860]

On 1/10/2021 at 3:39 PM, a1fa said:

anyone still working on solution for cry36 or it's totally dead? :(

I doubt anyone has looked into it for at least a couple of years at this point. We know the kind of encryption it uses, and we know it isn't normally breakable.