Jump to content

Nemesis : Infected data on .vhdx file from 2012 Server


Recommended Posts

Hi. Some help would be much appreciated. I have mounted the .vhdx file on a Windows 10 PC. I have some untouched original data and the corresponding infected file. It seems to be a Nemesis malware or derivative. File extensions are :

Infected file : Copy files 2008.bat.id_2824135525_[[email protected]].nemesis

Uninfected file : Copy files 2008.bat

I have tried several of the CryptON decrypters to no avail.

Is there a decrypter available that can handle these file ? The Cry128 EXE ran to completion but didn't crack it.

Here's some text it left behind.

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: [email protected]

Reserve contact for communication (online chat):
http://jz3sncvmveprhihk.onion (need Tor-browser)
https://jz3sncvmveprhihk.onion.rip , https://jz3sncvmveprhihk.onion.cab , https://jz3sncvmveprhihk.hiddenservice.net (not need Tor-browser)

 

Output from ID Ransomeware:

Cry36

 This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_bytes: [0x6AC - 0x6CF] 0x00000000000000000000000000000000000000000000000000000000000000C345F20E

 

Not enough information is public about Cry36. Please check back later.

Any help would be gratefully received.

Regards,

Chippy.

Copy files 2008.bat

Copy files 2008.bat.id_2824135525_[[email protected]].nemesis

Link to post
Share on other sites
On 2/11/2018 at 9:53 AM, Chippy2112 said:

I have tried several of the CryptON decrypters to no avail.

Is there a decrypter available that can handle these file ? The Cry128 EXE ran to completion but didn't crack it.

Files encrypted by Cry36 can't be decrypted for free. That particular ransomware uses a secure encryption method that can't be broken in a reasonable amount of time.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...