MTG Joel, posted June 15, 2017:
No luck with the .onion files here either. Got my hopes up for a minute there. Oh well, hopefully the Kaspersky tool will help out some of the other people dealing with this at least.

Frank chen, posted June 15, 2017:
Mine is Win7, not useful either.

Fabian Wosar, posted June 15, 2017:
10 hours ago, ganymede said:
> Never mind, apparently it works in Windows 7 at least. Didn't accept my .onion files as being compatible though. :/
It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer; that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.

ganymede, posted June 15, 2017:
Sounds like some sort of syndicate. Ransomware-as-a-service? Could you explain that a little more? When you say anyone can get their own ransomware, do you mean get the app/whatever that initiates the encryption on other machines?

Smok3d, posted June 15, 2017:
12 hours ago, Fabian Wosar said:
> It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer; that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.
Ruben-e on the Bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be a part of the same campaign?

Fabian Wosar, posted June 16, 2017:
Not necessarily. More indicative of campaigns is the same C2 server being in use.

Cesar1986, posted June 16, 2017:
14 hours ago, Smok3d said:
> Ruben-e on the Bleeping Computer forum posted and had the same extension as I did (830s7). The decryptor worked for him but not me? Wouldn't the same extension be a part of the same campaign?
We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.

Smok3d, posted June 17, 2017:
12 hours ago, Cesar1986 said:
> We seem to have the same problem. I tried the file that Kaspersky sent me and it did not work.
Did you let Kaspersky know that the decryptor did not work? Are they going to help you more?

Alessandro Domingues, posted June 27, 2017:
I also have the same problem, and I also sent my files to Kaspersky, and I still have no feedback. I think my option will be to pay, since I cannot run out of some files.

Alessandro Domingues, posted June 28, 2017:
Today, even being advised not to make the payment, we made the payment requested by [email protected], the email that was included in the redemption note. And after we made the payment, he did not provide the key to decrypt the files and asked him to make another payment. Unfortunately I got sick.

Alessandro Domingues, posted June 29, 2017:
Really, even after paying the amount requested, the criminals did not release the keys and decryption software for my files. I had to pay dearly for trusting these people. I ended my conversations with them. But be warned: do not pay redemptions.

Alessandro Domingues, posted July 3, 2017:
Hello, good evening. Today I had great news: Kaspersky updated its decryption software, and now I have had all my files decrypted.

pannico, posted July 3, 2017:
10 hours ago, Alessandro Domingues said:
> Hello, good evening. Today I had great news: Kaspersky updated its decryption software, and now I have had all my files decrypted.
Share that link, young man \o/

Alessandro Domingues, posted July 6, 2017:
ftp://decrypt_tools_ro:[email protected]/RakhniDecryptor/1.21.3.6/RakhniDecryptor.rar

NnitehawkK-fb, posted July 10, 2017:
anything yet on the .onion decryption?

jimmy, posted July 15, 2017:
All my files have just been encrypted; all my videos and photos of my family, of my sons since they were born, are gone. Looks like it was Cry36, which I believe has no decryptor till now. I have uploaded a sample of an encrypted and an original unencrypted file if this will help anyone to create the decryptor.
https://www.dropbox.com/s/u2uro2uxbndayja/cry36 encrypted files.zip?dl=0
Many thanks

NnitehawkK-fb, posted July 31, 2017:
appears this is dead?

Kestukas, posted August 1, 2017:
Yes, seems it is hard to decrypt this one. At the start I wanted to look for encryption, because this encryption virus is crypting only 36 bytes of a file, so other parts of files are recoverable, and I posted info on how people can try recovering data if they have large files, but EMSI denied my post saying this is harmful, and that we need to wait for Emsisoft to make a decryptor, so we wait now :)) because I have no will to do it myself while I get a punch in the head trying to help.

Fabian Wosar, posted August 1, 2017:
As mentioned before in various places: We classified Cry36 as not feasible to decrypt using the restrictions we try to operate within. Kaspersky was able to "liberate" some of the private keys, so you can try to contact them. But it is highly unlikely that there will be a new decrypter for Cry36 from us.

a1fa, posted August 6, 2017:
Are there any other companies working on a cure for cry36? (id_*********_fgb45ft3pqamyji7.onion)

Kestukas, posted August 8, 2017:
Yeah, mine is exactly the same encryption with the same ending. When I logged in to the Tor network on my id it said nemesis encryption.
id_2809157423_fgb45ft3pqamyji7.onion

Fabian Wosar, posted August 11, 2017:
Avast was looking into Cry36 as well but ultimately came to the same conclusion that we did, that decryption is infeasible.

a1fa, posted October 1, 2017:
any good news about cry36? maybe someone released keys or decrypter?

GT500, posted October 4, 2017:
To my knowledge, there has been no news about a free cry36 decryption tool.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware.

You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

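An added example (not from any poster in this thread and not part of ShadowExplorer) of the first check the post above implies: whether any Volume Shadow Copy still exists, and whether it was created before the files were encrypted. The folder, the `*.onion` filter and the use of last-modified time as the encryption time are assumptions.

```powershell
# Added example; run from an elevated PowerShell prompt on the affected machine.
# $Root and $Filter are assumptions: point them at your own encrypted files.
param(
    [string]$Root   = "$env:USERPROFILE\Documents",
    [string]$Filter = '*.onion'
)

# The earliest modification time among encrypted files approximates when
# encryption began (assumption: the ransomware did not reset timestamps).
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue)
if ($encrypted.Count -eq 0) {
    Write-Output "No files matching $Filter under $Root."
    return
}
$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Output ("{0} encrypted files; earliest modified {1:u}" -f $encrypted.Count, $firstHit)

# Win32_ShadowCopy lists the Volume Shadow Copies that still exist on this system.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
             Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Output 'No Volume Shadow Copies exist (deleted, or never created).'
    return
}

# Only a snapshot taken before the first encrypted file can hold clean copies.
foreach ($s in $shadows) {
    [pscustomobject]@{
        Created            = $s.InstallDate
        Volume             = $s.VolumeName
        DeviceObject       = $s.DeviceObject
        PredatesEncryption = ($s.InstallDate -lt $firstHit)
    }
}
```

A snapshot with `PredatesEncryption` set to True is the only kind worth opening in ShadowExplorer; as the post says, it may still not contain the files you need.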
anto19900, posted October 22, 2018:
Any news about cry36 ? how much would it cost (cry36 decrypter) ?

GT500, posted October 22, 2018:
5 hours ago, anto19900 said:
> Any news about cry36 ? how much would it cost (cry36 decrypter) ?
I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.

Nova, posted November 1, 2018:
On 10/23/2018 at 4:07 AM, GT500 said:
> I've already answered this via private message, however for anyone else who's curious there's still no known way to decrypt files encrypted by Cry36 without first obtaining the private key from the criminals who made/distributed the ransomware.
However, cry36 still exists, but I cannot contact the criminals even if I want to pay for it.

GT500, posted November 1, 2018:
3 hours ago, Nova said:
> However, cry36 still exists, but I cannot contact the criminals even if I want to pay for it.
It's possible that at some point in the future someone will gain access to the database of private keys on the servers operated by the criminals who made/distributed Cry36, and be able to make a free decryption tool. Until then, it is recommended to keep a backup copy of encrypted files, that way you'll have them in a safe place if a free decrypter is released.

a1fa, posted September 22, 2020:
any good news on cry36? 🤞

GT500, posted September 23, 2020:
8 hours ago, a1fa said:
> any good news on cry36? 🤞
No, unfortunately nothing new has been discovered about this ransomware.

a1fa, posted January 10:
anyone still working on solution for cry36 or it's totally dead? :(

GT500, posted January 12:
On 1/10/2021 at 3:39 PM, a1fa said:
> anyone still working on solution for cry36 or it's totally dead? :(
I doubt anyone has looked into it for at least a couple of years at this point. We know the kind of encryption it uses, and we know it isn't normally breakable.