Borgdrone

Nemucod .crypted failed, need help to decrypt


Most of my files have been encrypted with the .crypted extension added to them. I tried the Emsisoft decryptor and it didn't work. Before you ask, yes, I did drop the two files on it at the same time. The instructions said I should give you the 3 txt logs, so I did.

Please let me know what we can do next.

Thank you

Jim

Addition.txt

FRST.txt

scan_170509-114751.txt


Hi Borgdrone,

Please upload some encrypted files here and the ransom note.

Also, please run a scan with Emsisoft Emergency Kit again and then delete what you find as it looks like you're infected with malware.

Regards,

Sarah


Hi Jim,

Sorry about the delay.

The nemucod decrypter was able to find a key for me. What error did you get when you tried it?

Regards,

Sarah


It said it could not find a key for this system, did you use the files I provided? If you got a key can I use it and plug it into the decryptor to fix all my files? Is there a better way of doing this, like slaving the drive in another system or???

Thank you for your help.

Jim


Normal users can't download your files, so I can't try it myself. But if Sarah got it to work, there should be a way for you to get it to work too. You're prolly really excited I know, but be patient. They're really busy so it may take her a while to get back to you.

In the meantime, I would just use the picture file you provided and try again. I guess make sure you're using the decryptor here. The "detailed usage guide" says the files need to be at least 4kB or so. You shouldn't have to do anything special with your system config. Though, if you wanted to, you could run Windows Pocket Edition from a USB stick and run the decryptor from there. Only if you think your computer is blocking the decryptor for some reason.

But first, I would right click the Nemucod Decryptor... go to properties and check the "Run as Administrator" box just in case your system is blocking it from running.

There's also a discussion on this at bleepingcomputer here. From the info there, if your files are the same size, the decryptor should work. But if there is a big difference in file sizes, it might be a new "7zip" variant of Nemucod that is not currently decryptable. You might want to post there too and let them take a look at your files. Good luck.


I was able to get a key using the files you provided. Simply drag the encrypted and original of that clay figure picture onto the decrypter.

 


I was able to then open the resume document for Ed with no trouble.


THANK YOU! Yes, I'm yelling, so friggin happy. Thank you Sarah, thank you Demonslay, and ty Bruticus.

I got it to work finally, I think my antivirus was stopping something. Reinstalled Windows 8.1 64, and it worked.

You guys saved my life, I had already given up when you said try it again.

I can't thank you enough, CHEERS!

Jimmy


Hi,

"decrypt_Nemucod.exe" version 1.0.0.26 tells me:

Quote

"The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 4096 bytes long."

Sample files attached, crypted and original version for each.

What might be the cause? Different encryption algorithm?

130511962840070453.JPG

130511962840070453.JPG.crypted

130511962840851783.JPG

130511962840851783.JPG.crypted

(EEK did find a file containing "Trojan.Agent.JS.RB (B)" and "Trojan.JS.Downloader.HUQ (B)")


Is it Nemucod, or NemucodAES? I recommend checking with ID Ransomware to be certain of what version we're dealing with. You can paste the link to the results at ID Ransomware into a reply for me to take a look at as well.
