Alan Standerwick

Infected with nmcrypt


3 hours ago, GT500 said:

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

https://id-ransomware.malwarehunterteam.com/identify.php?case=79a34d9411a40fe31f4c64483cc12c032062e022

Thanks Arthur!

Al

Guest

Unfortunately, there still is no known method to decrypt files encrypted by NMoreiran ransomware. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

Since Emsisoft also uses the Bitdefender malware signature database, Bitdefender has also developed a ransomware recognition tool. You can double-check the ransomware type by downloading the Bitdefender Ransomware Recognition Tool from the Bitdefender website.

https://labs.bitdefender.com/2017/09/bitdefender-ransomware-recognition-tool/

Regards


Based on what I'm seeing, the ransomware appears to be secure. That means the only way to recover the files is to get the private key from the criminals who made/distributed the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer; however, ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above, the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

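The point above, that ransomware of this kind usually deletes the Volume Shadow Copies before anything else, is also one of the few early warning signs a defender can watch for. As an added example (not part of the thread and not an Emsisoft tool), this Python snippet scans constructed process-creation log lines for the two command shapes that delete shadow copies, while leaving the harmless `vssadmin list shadows` and a backup job alone; the log layout and sample events are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not taken from the thread); the
# "<timestamp> host=<name> user=<account> cmd=<command line>" layout is an assumption.
SAMPLE_LOG = r"""
2018-04-18T16:10:02Z host=WS01 user=al cmd="C:\Windows\System32\vssadmin.exe" list shadows
2018-04-18T16:11:47Z host=WS01 user=al cmd="C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2018-04-18T16:11:49Z host=WS01 user=al cmd=wmic shadowcopy delete
2018-04-18T16:12:03Z host=WS01 user=backupsvc cmd=wbadmin start backup -backupTarget:E: -include:C:
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Command-line shapes that remove Volume Shadow Copies, the behaviour described above.
# "vssadmin list shadows" and a wbadmin backup run are benign and must not match.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    "wmic_shadowcopy_delete": re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I),
}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shadow_copy_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return the events whose command line deletes shadow copies, tagged with the rule name."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for rule, pattern in SHADOW_DELETE_PATTERNS.items():
            if pattern.search(event["cmd"]):
                hits.append({**event, "rule": rule})
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']} [{hit['rule']}] {hit['cmd']}")
```

On a real host the same check would be fed from Sysmon process-creation events or Security log 4688 entries with command-line auditing enabled.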
11 hours ago, pupbuster said:

Unfortunately, there still is no known method to decrypt files encrypted by NMoreiran ransomware. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

Since Emsisoft also uses the Bitdefender malware signature database, Bitdefender has also developed a ransomware recognition tool. You can double-check the ransomware type by downloading the Bitdefender Ransomware Recognition Tool from the Bitdefender website.

https://labs.bitdefender.com/2017/09/bitdefender-ransomware-recognition-tool/

Regards

Appreciate the information.

Thanks!

Al

7 hours ago, GT500 said:

Based on what I'm seeing, the ransomware appears to be secure. That means the only way to recover the files is to get the private key from the criminals who made/distributed the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer; however, ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above, the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

Noted.

Al


I am looking for some help. I have been hit by NM4 and paid the BTC to get the tool and key. They proved they can decrypt on their end, but the tool and key don't work for me. I believe the key is valid. Is there a tool that I can test the key in to manually decrypt, or anything I can try?

Additionally, I do have the tool, the supposed key and files if anyone is interested in using them to help find vulnerabilities or create a tool.

-Mike

ransomnote_url: https://lylh3uqyzay3lhrd.onion.to

Edited by GT500
Moved ransom note URL to code block so the forums won't turn it into a clickable link.


Can you ZIP the decryption tool, and send it to me in a private message (along with any instructions they gave you for running it)?

