TekGai

nemesis cry36


I've been hit with a NEMESIS CRY36 variant ransomware. Backups were not available and from what I've been reading in the forums there are no decryptors yet. We ended up paying the ransom instead of going back to our last full backup (2 - 3 months prior), but the unlock.exe program that was given says that "the file or directory is corrupted and unreadable". They did provide me with a key, would anyone have the program associated with unlocking the files?

EDIT: They did respond back to me and provide me a working executable. I was very concerned I would have been screwed over.

Just some additional info for you all for the variant I experienced:

file extension: .id_#########_[[email protected]].4x82n



In cases where restoring from back up is not a viable option and there is no free decryption tool, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.


Hi, I have been hit by the same virus. I got infected with 2 different viruses. If anyone has any solution then please let me know.

Variant 1: NEMESIS
Variant 2: Aleta


You most likely are dealing with a dual ransomware infection. .aleta is based on the latest AES-256 version of the BTCWare Ransomware family which uses a different RSA-1024 key and is not decryptable.


Hi guys,

Do you know if there is a solution for this? I think we have the same ransomware... the result in ID Ransomware is Cry36.

The txt that we found says:

 

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]

Reserve contact for communication (online chat):
http://tptbibuegry2nvuh.onion (need Tor-browser)
https://tptbibuegry2nvuh.onion.to , https://tptbibuegry2nvuh.onion.cab , https://tptbibuegry2nvuh.hiddenservice.net (not need Tor-browser)


Your personal ID:xxxxxx

 

I spoke with the guy via online chat and he told me to send an email. I sent an email, but after a few emails I sent him a file to recover and he didn't answer again.

This is a very small company in Argentina... the money requested is too much for us... we offered less money but we haven't had an answer yet...

Did anyone pay for it? Did it work?

Thanks for your help


Yes... I think the same way... but they want to recover the files... btw, after a few emails he stopped answering. I saw that the IP address is from Russia. I was trying all the decryptor tools and nothing works....

:(


In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery
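The shadow-copy check described in the post above, as an added example that is not part of the original thread or of ShadowExplorer: it enumerates any surviving Volume Shadow Copies with PowerShell and mounts the newest one as a directory junction so files can be copied out, which is what ShadowExplorer does through a GUI. `$MountPoint` and the paths in the trailing comments are assumed names; run it in an elevated session on the affected machine, or on a clean machine with the affected disk attached.

```powershell
# Added example (not from the original post): check whether any Volume
# Shadow Copies survived and, if so, mount the newest one as a folder.
# Requires an elevated PowerShell session. $MountPoint is an assumed name.
$MountPoint = 'C:\shadow_restore'

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending

if (-not $shadows) {
    # The usual outcome: most ransomware runs
    # 'vssadmin delete shadows /all /quiet' (or the WMI equivalent) first.
    Write-Output 'No Volume Shadow Copies present on this system.'
    return
}

# List what is left. VolumeName is the \\?\Volume{GUID}\ form, so map it
# to a drive letter through Win32_Volume for readability.
foreach ($s in $shadows) {
    $vol = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DeviceID -eq $s.VolumeName }
    '{0}  {1,-4} {2}  {3}' -f $s.InstallDate, $vol.DriveLetter, $s.ID, $s.DeviceObject
}

# Expose the newest snapshot as a directory junction. The DeviceObject path
# (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) needs a trailing backslash.
$newest = $shadows | Select-Object -First 1
if (Test-Path -LiteralPath $MountPoint) {
    throw "$MountPoint already exists; pick another mount point."
}
cmd.exe /c mklink /d $MountPoint "$($newest.DeviceObject)\" | Out-Null
Write-Output "Mounted shadow copy from $($newest.InstallDate) at $MountPoint"

# Files in the snapshot predate the encryption only if the snapshot does;
# compare InstallDate with the ransom note's timestamp before trusting a copy.
# Example copy-out (assumed paths):
#   Copy-Item -LiteralPath "$MountPoint\Users\Alice\Documents" -Destination 'D:\recovered' -Recurse
# Remove the junction when done (this does not delete the snapshot):
#   cmd.exe /c rmdir $MountPoint
```

Copy recovered files to a separate, clean volume rather than back onto the infected one, and keep the junction read-only in practice by never writing into it; the snapshot itself is not modified by mounting it this way, so it remains available if a later tool needs it.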

