cry36 attack, RDP logs intact

[svenzok 0]

Hi all,

my PC at work got hit by Nemesis Cry36 (as identified by ID Ransomware) on August 3rd, 9pm. Most likely via RDP, as that PC had only had a weak password (dumb, I know).
All files were renamed around that time, except for files and folders on the desktop. Ransom notes .txt files were put in every folder and they also changed desktop background.
I have already read that Cry36 is unfortunately not decryptable at this time (or ever?).
However, I found some suspicious IPs (Moscow, San José, Amsterdam) in the RDP logs, one around the above mentioned time, the others on the days prior.
Can this be of any help at all? The encrypted files were now saved to a backup disk (hoping for a miracle some day).

Is there anything else that might be of interest on the PC? Otherwise I'll erase/format everything to be on the safe side before setting up a new system.

Keep up the good work, guys!

[Fabian Wosar 390]

Those information are most important for law enforcement agencies if you decide to report this incident to the police (which you should!). So if you want to format/erase, make sure to create a disk image to hand in as evidence.

[Sven 0]

Hello, 

i have the same Problem, Cry 36 Nemesis, if you have a solution, please write it. 

The attached File is a Zip with 2 same files 1 original and 1 encrypted, the encrypted is 36 byte larger. 

I alredy try the decrypt_cry128 .exe, they calculate any time and sayd "no code"

Many thanks

Sven

2Files.zip

[GT500 873]

There is currently no way to decrypt Cry36 encrypted files.

[BrunoF 0]

Just to add: We detected that Cry36 encrypts about 25kBytes of the begining of each file. This is a lot of damage, but you might have a situtaion where your most important data is beyond this part of certain files.

[GT500 873]

That is technically possible, however keep in mind that a lot of files are essentially damaged beyond repair if certain meta data at the beginning of the file is damaged or unreadable.

[AhmedKeskin 0]

We are still waiting decryptor

[GT500 873]

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery