Sign in to follow this  
ICrusaderI

[email protected] ransomware

Recommended Posts

Hi there, i have the following Big problem :

 

my friend got this ransowmare i believe a variant of YYto , the help file displays at startup to mail to [email protected],  the files encrypted are m5m5 extensions. The server victim is Windows 2003.

 

I need help to decript the files...

 

i used wireshark with batch at the startup, isolated the server as much as i could  and recorded the following pcap :

<link removed>

Edited by GT500
Removed link to pcap.

Share this post


Link to post
Share on other sites

I've removed the link to the pcap from your post and forwarded it to our malware analysts in case they want to look at it, although from what Michael Gillespi said the link appears to not be working.

To my knowledge there is no way to decrypt files that have been encrypted by this particular ransomware, at least not without the private key, which would normally need to be obtained from the criminals who made the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.