Karel Szkandera

Results from Decrypter for Xorist are not valid?


Hi, 

our server was attacked by ransomware. 

The website https://id-ransomware.malwarehunterteam.com/identify.php? says it should be Xorist. I tried your Emsisoft Decrypter for Xorist, but I think the results are not correct.

It generated "decryption.key", but after decrypting the selected files, these files couldn't be opened. A sample is in the attachments. Could you give me any advice?

 

attachments:

sample.zip

  • not attacked file "DocExcel - not attacked.png"
  • attacked file
  • result file from decrypter "DocExcel.png" - it could be open
  • notes from ransomware  (HOW TO DECRYPT FILES)
  • decryption_key

system Logs:

  • Emsisoft Emergency Kit log 
  • FRST.txt
  • Addition.txt

Thank you, Karel

sample.zip

FRST.txt

Addition.txt

scan_170613-170721.txt


You got attacked by two different variants. The issue with that is that you will have to run the decrypter twice: once with the proper settings to remove the "[email protected]" layer, and then again to remove the "[email protected]" layer. The problem is finding the two different keys. You will have to find 2 file pairs where only one of the two extensions was appended. Then generate the decryption key based on those two individual file pairs and use them one after another.


I think for the variant "[email protected]" I found a pair of files for the decryptor, but for the second variant "[email protected]" I did not find a suitable pair. There are about 56 files that have been encrypted only by this variant, but they are mostly log files for which I do not have unencrypted files. There are also several DLL libraries, but the libraries with the same name that I have on my computer have a different size.
Is there any other way to deal with it?

In the attachment there is a list of files which were decrypted only by variant [email protected]

list of files_qq.csv
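The triage described in the reply and the follow-up above (finding files that carry only one of the two appended extensions), as an added example that is not code from the thread or from Emsisoft. The two ransom extensions are obscured on this page, so `LAYER_EXTS` holds hypothetical placeholders, and the file listing and backup names are constructed sample data.

```python
import ntpath
from collections import defaultdict

# Hypothetical placeholders: the real appended extensions are obscured on this page.
LAYER_EXTS = {"A": ".variant_a_placeholder", "B": ".variant_b_placeholder"}

# Constructed sample listing and clean-backup names (not the thread's attachments).
SAMPLE = [
    r"D:\data\DocExcel.png.variant_a_placeholder.variant_b_placeholder",
    r"D:\data\report.docx.variant_a_placeholder",
    r"D:\logs\app.log.variant_b_placeholder",
    r"D:\bin\helper.dll.variant_b_placeholder",
    r"D:\data\untouched.txt",
]
CLEAN_BACKUP = ["report.docx", "helper.dll"]

def peel_layers(name):
    """Strip appended ransom extensions; layers are returned outermost first,
    which is also the order in which the decrypter runs must be applied."""
    layers, stripped = [], True
    while stripped:
        stripped = False
        for variant, ext in LAYER_EXTS.items():
            if name.lower().endswith(ext) and len(name) > len(ext):
                name = name[:-len(ext)]
                layers.append(variant)
                stripped = True
                break
    return name, layers

def triage(paths):
    """Group encrypted paths by the exact stack of layers applied to them."""
    groups = defaultdict(list)
    for path in paths:
        original, layers = peel_layers(ntpath.basename(path))
        if layers:
            groups[tuple(layers)].append((path, original))
    return dict(groups)

def pair_candidates(groups, clean_names):
    """Single-layer files whose original name appears in a clean backup listing."""
    clean = {n.lower() for n in clean_names}
    return {layers[0]: [p for p, orig in items if orig.lower() in clean]
            for layers, items in groups.items() if len(layers) == 1}
```

A name match only marks a candidate pair; as the follow-up notes for the DLLs, a same-named clean copy can still be a different file.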
