JimmyJAPA

Cry128 - Need HELP!!!!! Q_Q

35 posts in this topic

Dear Emsisoft Staff,
 
  I felt helpless after I came home today, finding all my files in my computer encrypted.
  I didn't even touch it today, and I didn't know how the virus got in my Win7.
  In fact, I disabled the RDP (remote desktop services) long ago.
 
  After my system was infected with the virus, I tried to search for a solution.
  However, everything seemed to be in vain.
 
  I read your instructions in emsisoft_howto_cry128.pdf and did as told.
  Unfortunately, decrypt_Cry128.exe told me it couldn't find the key to decrypting my files.
 
  What should I do?
  The following are some files for your reference.
  Hope I can hear good news from you soon, or I will have to pay the ransom... Weeping...
 
  Please Help!!!  A million thanks for everything!

 

Sincerely,
Jimmy

Everything.lng

Everything.lng.id_1025931295_gebdp3k7bolalnd4.onion._

setup.exe

setup.exe.id_1025931295_gebdp3k7bolalnd4.onion._

IMAG1556.jpg

IMAG1556.jpg.id_1025931295_gebdp3k7bolalnd4.onion._

_DECRYPT_MY_FILES.txt


You could try and see if you have any System Restore Points left on your computer.  Or if you have some kind of backup that you do, you could try to restore it.  I used a restore point to revert my Windows, then used EaseUS Data Recovery to get my C: files back.

If you can't do any of that, segregate or backup all the encrypted files you want to save somewhere off your computer.  Then format and do a new Windows.  It will at least get you going and you can wait for a decryptor some time in the future.  Emsisoft is working on different Cry128 decryptors I think.  We will just have to be patient and wait and see.

Paying cyber terrorists is up to you.  You can file a complaint with the FBI on their IC3 site.  They sent out a public service announcement here, encouraging victims to report the crime to their IC3 site.

The most important thing right now is to stop anything else from being compromised.  Any of your PC/financial/site passwords could have been compromised.  Get the infection quarantined, affected files away from your system, and get a clean system restored.  Then look into changing your passwords and financial info.

 

btw, all of us Cry128 victims are already posting here in this forum. 


Dear Bruticus,

  Thanks for your comfort as well as advice.

  Paying the ransom would be the last resort for me to retrieve my precious data.

  I was really furious about the virus makers!  How could they destroy others' things for sake of money!

  I know it is no use blaming them here, but I believe every victim feels the same thing!

  We victims' only hope lies with you technological supermen and superwomen!

  I will keep checking on the new releases of the decryption tools!

  Let's all get informed if any new hope comes up!

 

  Hope everything will turn out to be fine!  (With fingers crossed!)


Excuse me.  May I ask if Emsisoft is working on this new variant of Cry128 - gebdp3k7bolalnd4?

I keep checking on the decryptor page every now and then.

Is there anything I can do to recover my data?

Thanks a lot!


Hi Jimmy,

We are currently still looking into seeing whether the ransomware is decryptable or not. We will let you know if we find out whether it is or not.

I saw that you mentioned you disabled RDP; mind checking whether it's still disabled, as we believe that is how the criminals enter the system? Do you have all updates?

There may be a coin miner on the system (-a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 48Nk7Q5oB5gEVLabrgo3KhLbaTSDKvZNHBECoHyZcxWNDMgfDnHA8Ue2Skp7A6z2ZGG93wmLxxrKa1j4QR7kmi866AP1G8t -p x), so if you want to check whether the system is clean then you can use our product, Emsisoft Anti-Malware. If you like our product and it is of help then please consider buying it (the price is discounted and we protect against ransomware such as this one).

Some other advice is that investing in a good backup procedure is very important and well worth it. I would suggest having two or more backups, at least one disconnected. 

Regards,

Sarah


Dear Sarah, Emsisoft,

  You wouldn't know how glad I was when reading your reply.

 

  Since we are on the topic, here is the deal.

  I myself run the FBWF (File-Based Write Filter) on my Win7, and when I reboot, everything changed in Drive C: would be erased.

  Last week when I sat at my desk, I found all the icons on the desktop changed to "unidentified items."

  It seemed that almost everything in my computer was encrypted, so I then started searching for a solution, which led me to your site.

  After one reboot, I got my C: back intact and clean.  However, all the other files in other drives were not so lucky.

  So I started reading information about this virus, and I also tried your Cry128 1.0.0.54, finding it infeasible to brute force the key.

  It might mean the virus that my computer was infected with was a variant.

  Since I could not solve the problem, I left it on hold, waiting for your breakthrough for this.

 

  The next day, something unbelievable happened --- my computer was infected with the same virus!!!  AGAIN!!!  For the SECOND time!!!

  Now, I have two layers of encryption on my files.  Maybe no one on earth is as unfortunate as I am.  Q_Q

  Hence, I began to look into what might have caused the two infections, and the following are my conditions.

  1. I was using PPPOE connection for ADSL and have a real IP instead of a virtual one (192.168.xxx.xxx).

  2. I didn't have the system updates after 2016.06.

    (All the other computers in my place, not updated either, using NAT, have not been infected with this virus.  Only mine was attacked.)

  What I think is that I didn't get the virus because of the fake flash player update like others but because of a Win7 security problem.

  Now, I have updated most of the Win7 updates, changed from PPPOE to NAT, and closed DMZ function.

  Everything seems to work fine except for the encrypted files, so I am still waiting.

  Enclosed are the infected and twice-infected files.  Hope they can be of help.

 

  Also, hope the genius that is working on this virus is getting better.  It was said that he or she was a little bit under the weather last week.

  Please send my regards to him or her.  Thanks!

 

  Best regards,

  Jimmy from Taiwan

gebdp3k7bolalnd4.onion.zip


Hi Jimmy,

Closing those security holes is very important, so I'm glad you did so. I forgot to mention this before, you can try file recovery tools in the meantime as some users have had success with them.

Regards,

Sarah


Hi, Sarah,

  You meant some users recovered files using decrypt_Cry128.exe?

  Actually, I have tried at least 5 different pairs of files, but none worked out...

  If it is true, I will keep on trying different files.

Sincerely,

Jimmy


No Jim, she meant recovery tools like EaseUS Data Recovery and such.  They scan a hard drive for deleted and older versions of files if they still exist.  If they find anything, you can see if you can recover them.  Tools like this basically scan every byte of your hard drive and show you what files are still there.  You can try it and see if any of your old non-encrypted files show up.


Dear people,

I have a big problem with my server. Yes, we are infected with the new variant. My files have an exact 36-byte difference, but the tool doesn't work anymore. See the attachments. Does anybody have any suggestion? Thanks so much.

 

DecryptEMSISoft.png

 

Cry128NewVariant.png

18 hours ago, bruticus0 said:

No Jim, she meant recovery tools like EaseUS Data Recovery and such.  They scan a hard drive for deleted and older versions of files if they still exist.  If they find anything, you can see if you can recover them.  Tools like this basically scan every byte of your hard drive and show you what files are still there.  You can try it and see if any of your old non-encrypted files show up.

Dear bruticus0,

  Thanks for your explanation.  I took it in the wrong way...

  I will try your way, but I think it would be very complicated. Q_Q

  Good luck to myself!

----- update -----

  I just tried to use Data Recovery Tools to see if there is any luck.

  Just so you know, it turned out to be in vain. Q___Q


@rpotalara - All of us Cry 36-byte variant victims are here.  Just keep checking the thread for any updates.

@Jimmy, sorry to hear that.   Some file types can be renamed and still work.  .iso and .zip files will mostly work if renamed.  Very rarely I get a .rar file that will work.  If you have any really important files of those types you could try renaming them to recover.  Also, I think a lot of us had Remote Desktop open.  They could have gotten in that way.  Might want to turn Remote Desktop and Remote Assistance off for now on all your computers.  There was a big security update for windows this year in April I think.  So having the updates is important too.  Try to get all your other PCs protected with anti malware.   Malwarebytes and Cybereason offer free anti ransomware tools also that might help.  They're free, so might as well use them.

 


@bruticus0

  I tried the link you provided, but it deals with the 68 bytes file size difference (in my case the difference is 36 bytes).  Thanks, anyway.

  Regarding this virus, I don't think most anti-virus software is workable because it attacks the security holes directly, just like the "Blaster Worm Virus" in 2003.  Re-installing and patching the security holes are, I think, the top priority.  Thank you!


After reading all the information and trying every means currently known, I feel helpless and am close to giving in to the culprits...

Wish us luck!  Q_Q


@JimmyJAPA just so you know paying didn't help us, they just moved the balance out of the Bitcoin wallet


@rpotalara If you are trying to recover an MS SQL database that has been affected, in most cases you can use some recovery tools to recover your database. As this 36-byte variant only encrypts the first 10 KB of your file and adds an extra 36 bytes to the end of your file, many MS SQL recovery tools will be able to pick up your data from the rest of your data file, which is still valid.

We used this tool and it recovered a filestore we had in a SQL Server database.

https://www.systoolsgroup.com/

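The post above explains why carving tools can still pull usable data out of an encrypted file: if only the first 10 KB are overwritten and 36 bytes are appended, everything after the 10 KB mark is the original content. The following triage helper is an added example for this thread, not Emsisoft's decryptor or any poster's tool. It takes the 10 KB and 36-byte figures from the post as assumptions, recognises the filename suffix seen on the attachments earlier in the thread (`setup.exe.id_1025931295_gebdp3k7bolalnd4.onion._`), and, given a clean copy alongside its encrypted twin (for example a `setup.exe` you can re-download), checks whether the pair fits that pattern. The sample pair it builds is constructed with a trivial XOR scramble as a stand-in and is not the real cipher.

```python
"""Triage helper for the Cry36 partial-encryption pattern described above.

Added example for this thread, not Emsisoft's decryptor or any poster's tool.
Assumptions, taken from the posts: the variant overwrites only the first 10 KB
of a file and appends 36 bytes; encrypted names carry the suffix seen on the
attachments, e.g. "setup.exe.id_1025931295_gebdp3k7bolalnd4.onion._".
"""
import re

ENCRYPTED_PREFIX = 10 * 1024   # bytes overwritten at the start of each file (per the post)
TRAILER_LEN = 36               # bytes appended at the end of each file (per the post)

# <original name>.id_<victim id>_<onion host>.onion._
SUFFIX_RE = re.compile(r"^(?P<orig>.+)\.id_(?P<id>\d+)_(?P<onion>[a-z2-7]+)\.onion\._$")


def parse_encrypted_name(name):
    """Return the original name, victim id and onion host, or None if the suffix is absent."""
    m = SUFFIX_RE.match(name)
    if m is None:
        return None
    return {"original": m["orig"], "victim_id": m["id"], "onion": m["onion"] + ".onion"}


def estimate_intact_bytes(encrypted_size):
    """From an encrypted file's size alone: how many bytes beyond the 10 KB prefix
    should still be original content (a file under 10 KB has no intact tail)."""
    original_size = encrypted_size - TRAILER_LEN
    return max(0, original_size - ENCRYPTED_PREFIX)


def compare_pair(original, encrypted):
    """Check a clean/encrypted pair against the pattern: +36 bytes, changed head, untouched tail."""
    head_len = min(len(original), ENCRYPTED_PREFIX)
    head_changed = encrypted[:head_len] != original[:head_len]
    # The tail is the original's bytes after the prefix; for files under 10 KB it is empty.
    tail_intact = encrypted[ENCRYPTED_PREFIX:len(original)] == original[ENCRYPTED_PREFIX:]
    size_delta = len(encrypted) - len(original)
    return {
        "size_delta": size_delta,
        "head_changed": head_changed,
        "tail_intact": tail_intact,
        "intact_bytes": max(0, len(original) - ENCRYPTED_PREFIX),
        "matches_pattern": size_delta == TRAILER_LEN and head_changed and tail_intact,
    }


def build_sample():
    """Constructed stand-in pair, NOT the real cipher: 16 KB of a repeating byte
    pattern, its first 10 KB XOR-scrambled, and 36 filler bytes appended."""
    original = bytes(range(256)) * 64
    scrambled_head = bytes(b ^ 0x5A for b in original[:ENCRYPTED_PREFIX])
    encrypted = scrambled_head + original[ENCRYPTED_PREFIX:] + b"\xaa" * TRAILER_LEN
    return original, encrypted


if __name__ == "__main__":
    print(parse_encrypted_name("setup.exe.id_1025931295_gebdp3k7bolalnd4.onion._"))
    clean, enc = build_sample()
    print(compare_pair(clean, enc))
    print("intact bytes from size alone:", estimate_intact_bytes(len(enc)))
```

Run against a real pair, read both files in binary mode and pass the bytes to `compare_pair`; a `matches_pattern` of `True` confirms the pair behaves as the post describes, and `intact_bytes` tells you how much of a large file (a database or archive) a carving tool has to work with.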
7 hours ago, izuran said:

@JimmyJAPA just so you know paying didn't help us, they just moved the balance out of the Bitcoin wallet

Well, if the decryptor cannot be made, I will have no choice but to pay, for the data are too precious to me.

However, in the depth of my heart, I do curse these culprits who build happiness and wealth on others' suffering!

How can they destroy others' data of the whole life time just to make money!!!

God damn them!!!  Q_Q


Hey Jim.  Any updates we have are always on this thread here.  Remember I mentioned it before? :P  

Anyway, take a look at AL's post at the bottom.  He mentions a data recovery place that might be able to help if your files are that important.  I went to the site and it's free to open up a case and have'em look at what you got.  Don't have to pay anything if they can't do anything.  Wouldn't hurt to try as a last resort.  

They also mention that they act as a go-between for ransom transactions if you need them to.  Don't know if I like the sound of that or not.  There will never be any guarantee you will actually get a working decryptor, no matter who brokers the deal.  Especially in your case of having a second encryption on your files.  Some people report paying and having the decryptor fail, then being charged again to try another one.  

So the data recovery place could be at least one more option for you.  Be sure to let us know how it turns out.  Good Luck.

 

Oh and be sure that no matter what you do, report this crime to the IC3 here.  Ransomware is a cyber crime/terrorism and it needs to be reported so authorities are made aware of just how bad the problem is.

 


@bruticus0

Hello!  Thanks for reminding me.  I check the related threads almost every day, hoping to get the latest information.

Well, I tried the solution at the beginning of the infection, but data recovery is of no use for me, for I regularly defragment my hard disk to keep it clean.

I will just wait for a little longer for the geniuses in Emsisoft to see if they can come up with something.

If anything good happens, I would definitely donate to them for appreciation.

Finally, the IC3 forms are too complicated for me, a non-American, but I would consider filling them in someday.

Thanks for everything!

Sincerely,

Jimmy from Taiwan

1 hour ago, JimmyJAPA said:

@bruticus0

Hello!  Thanks for reminding me.  I check the related threads almost every day, hoping to get the latest information.

Well, I tried the solution at the beginning of the infection, but data recovery is of no use for me, for I regularly defragment my hard disk to keep it clean.

I will just wait for a little longer for the geniuses in Emsisoft to see if they can come up with something.

If anything good happens, I would definitely donate to them for appreciation.

Finally, the IC3 forms are too complicated for me, a non-American, but I would consider filling them in someday.

Thanks for everything!

Sincerely,

Jimmy from Taiwan

Jimmy, if you pay the criminals they will just take your money and give you nothing. If I ever become infected I will lose my files before I pay these bastards. I'm just too stubborn, and then paying a criminal that you don't even know for sure will even give you the code. In your case you will have to pay them 2 times since you're double encrypted, on a hope that they will do the right thing and give you the decrypter. In the future, if you care so much about your data, then always have a backup in the cloud and one on a USB drive and keep everything updated. I use Emsisoft Internet Security along with Zemana and I've never had a virus, malware or ransomware. Also, do you really trust that after paying the people that are scamming you in the first place, they will give you the code?


Jim, the company I mentioned is a data recovery company.  They work with the actual hard drive disc to recover your files.  Places like that usually have many tools and methods that cannot be used by regular users.  That's why they charge so much money sometimes.  I think some of them even have you send in your hard drive and they recover what they can and put it on a usb/external drive.  No matter what you do to your hard drive, professionals should be able to find something I would think.  Doing regular defragments might even help their chances at recovering data because your files existed in more than one place on your hard drive's history.  Anyway, just a thought.


@kygiacomo @bruticus0

Hey men,

I don't think the data recovery company would help, but thanks, aka Plan Y.

Besides, I am prepared to pay the ransom twice, if necessary and if the first time succeeds.

Of course I will do some surveys before doing so, and it will be my last resort, aka Plan Z.

There are a few webpages that describe the process of transaction in detail, and I would peruse them a bunch of times to make sure everything goes right.

Still looking everywhere for a solution.  Wish me luck!

Let's give the guys working on this some cheers!

Sincerely,

Jimmy


I wish you luck, Jimmy. But from what I have read on the Emsisoft blog, this ransomware is nearly impossible to decrypt without the key. What version of Windows were you running when you got infected? If you have to pay 2 times then it's going to cost you around $1,000 by the time you get the cash converted to bitcoins.


@kygiacomo

As I mentioned before, I use Win7 with a real IP connection, and the details are in my post on May 11, which is on the above.

Also, I didn't have the system updates after 2016.06.

So, I guess that the reason why I got infected was that I directly connected to the Internet with a real IP.

The other computers of mine using virtual IPs didn't get the virus.

Just for your reference.


Here I am again.

After keeping searching on the Net, I finally found a ransom-paying photo.

Just for your reference.

BTW, could you please tell me if this Cry36 can be decrypted or not, Sarah or other staff?

If yes, are you currently working on Cry36 or on other ransomware?

If not, I still much appreciate your efforts as well as time devoted to this, and please tell me ASAP so that I can take time to accept it.

Thanks a lot!

5a96f6c4775230b4c5bf5089344d56db.JPG

@JimmyJAPA 

 

I'm also from TW, same victim of cry36.

Did you successfully pay and get the decryptor?

I'm still waiting for the decryptor tools. I hope I don't need to pay them.

 

1 hour ago, Nova said:

@JimmyJAPA 

 

I'm also from TW, same victim of cry36.

Did you successfully pay and get the decryptor?

I'm still waiting for the decryptor tools. I hope I don't need to pay them.

 

My boss paid the hackers and received the decrypt key. We saved all files.

On 25.05.2017 at 10:21 PM, rpotalara said:

My boss paid the hackers and received the decrypt key. We saved all files.

Please PM me the decryptor and your key. Thanks!


OMG!  Today I used Tor to connect to http://gebdp3k7bolalnd4.onion to check out information.

It was shut down and said,

"This resource more is not available.

You can find out the details decrypting files / buy decryptor + key / ask questions in the chat:
https://fgb45ft3pqamyji7.onion.to, https://fgb45ft3pqamyji7.onion.cab (not need Tor)
http://fgb45ft3pqamyji7.onion (need Tor)"

It means the resource is gone?

What should I do???!!!  Q___Q


Dear all,

  I had no choice but to pay the ransom for cry36 yesterday and got almost all my files back.

  The negotiation was long and tiring, and the payment was made via BitCoin.

  I paid twice, for I was infected twice.

  Just for your reference.

  Thanks for all your attention and time.

  Case closed.

Sincerely,

[email protected]


Hi Jimmy,

 

I am also in the same boat as you. Don't worry, we will get back the files once Kaspersky or other software folks create a decrypter for us.

On 27-5-2017 at 6:57 PM, GeorgeB said:

Please PM me the decryptor and your key. Thanks!

Can you please post the decryptor/key here to help others and get it available for general public?
