Jump to content

Recommended Posts

HI hoping I can get some help here, Sons been using my laptop for the past few weeks and has come to me today saying he cannot get into my laptop properly !. Ive just tried myself and found that all my personal files, documents, pictures, the lot are all in accessible and all of the shortcuts on my desktop will not open either !.

Most of the folders with my files in are still there with their original names but have a string of numbers added to the end of the filename (526047338) and all seem to have a README.txt file in that says this ....


Hello! Your files have been automatically protected using RSA-2048 to prevent any possible
  case of identity theft, this is for your own security. RSA is a cryptosystem for public-key
  encryption, and is widely used for securing sensitive data, particularly when being sent over
  an insecure network such us the Internet. To resolve this issue kindly contact us on by email:
  [email protected]  or  [email protected]
  With your ID number attached. 

Please contact me by e-mail:
[email protected]  or  [email protected]

UserID: 526047338

Also all windows backgrounds on my laptop and destop images have changed along with Windows notification sounds !.

Any ideas ?? not to fussed if I have to format the laptop to recover Windows from this but desperately need my files back !. Some of the pics on here are irreplaceable ones of my kids growing up etc !!.

have read the initial post and run both EEK and FRST... Log reports for both are attached to this thread ... many thanks for your help :)


Addition_12-06-2017 17.10.03.txt

FRST_12-06-2017 17.10.03.txt

Link to post
Share on other sites

I am helping a friend with this same infection.  Her computer was infected sometime on or before 0345 MDT today (6/13).  I am interested in hearing from anyone who either removed this infection, recovered the encryption key or actually paid the ransom.  We emailed both the email addresses at about 1700 MDT today, but as of this post, have not received a response.  Attached is a screenshot of the desktop background listing the ransomware information.


Link to post
Share on other sites


Thanks for the hot tip on the ransomeware ID tool.  The result is:


 This ransomware is decryptable!

Identified by

  • sample_extension: .<id>
  • sample_bytes: [0xDC00 - 0xDC43] 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000036E97EC0


Click here for more information about Cry9

Link to post
Share on other sites

Great news!  The decrypt_cry9.exe process worked!  My friend has her files back!!! I can't tell you how happy she is to have her 10 years of photos recovered.  Let me know where we can send the beer money as a token of thanks.  I will sing your praises on social media.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...