
As a follow-up to everyone who read about the Dr.Web affiliate selling decryption services, they have confirmed that Dr.Web is not capable of decrypting files that have been encrypted by this ransomware. Currently the only known way to decrypt the files is to obtain the private key from the criminals who made the ransomware. Obviously our recommendation is to make a backup copy of the encrypted files, and store them somewhere safe. Sometimes law enforcement is able to work with Anti-Virus software companies and other security analysis companies to gain access to the servers used by such criminals and obtain their database of private keys, allowing for the creation of a free decryption tool (and hopefully also leading to the prosecution of the miscreants responsible for making/distributing the ransomware).

Please also note that it has been confirmed that CryptON is being spread by attackers who compromise remote access software (usually Microsoft Remote Desktop, often referred to as "RDP") to directly log in to victims' computers and manually infect them with the ransomware. It is absolutely vital that you take steps to prevent this sort of security breach moving forward. Here's a link to an explanation of what I'm talking about, and some basic recommendations for how to deal with it:
https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/

I'll also paste some steps for getting started securing your network below so that it's more difficult for something like this to happen again:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Be sure to change passwords on any online accounts as well, along with any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

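As an added example (my own illustration, not code from the post or from Emsisoft), here is a small Python script that encodes the port-audit policy described in the pinned post: sensitive services such as RDP and SMB get no inbound rule at all and are reached through the VPN, the VPN port itself is opened only to known client addresses, and anything else exposed to 0.0.0.0/0 is flagged for review. Which ports count as "Windows Networking", the VPN ports, and the sample ruleset are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Services the post says should only be reached through the VPN. Which
# ports count as "Windows Networking" is an assumption of this example.
SENSITIVE_TCP_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS session", 135: "MS-RPC"}
# VPN listeners that may stay open, but only to known client addresses.
VPN_PORTS = {(1194, "udp"): "OpenVPN", (500, "udp"): "IKE", (4500, "udp"): "IPsec NAT-T"}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp" or "udp"
    port: int
    source: str     # CIDR allowed to reach the port
    action: str = "allow"


def is_global(cidr):
    """True for a /0 source, i.e. the port is open to the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, finding) pairs for rules that violate the policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.proto == "tcp" and r.port in SENSITIVE_TCP_PORTS:
            findings.append((r.name, f"{SENSITIVE_TCP_PORTS[r.port]} exposed to {r.source}; "
                                     "reach it over the VPN instead of opening the port"))
        elif (r.port, r.proto) in VPN_PORTS and is_global(r.source):
            findings.append((r.name, f"{VPN_PORTS[(r.port, r.proto)]} open to any source; "
                                     "restrict to known client IPs (or use SPA/port knocking)"))
        elif is_global(r.source):
            findings.append((r.name, f"port {r.port}/{r.proto} open globally; "
                                     "confirm it is absolutely necessary"))
    return findings


def harden(rules, vpn_clients):
    """Apply the post's policy: drop sensitive-service rules, pin VPN rules to clients."""
    hardened = []
    for r in rules:
        if r.action == "allow" and r.proto == "tcp" and r.port in SENSITIVE_TCP_PORTS:
            continue  # no inbound rule at all; the VPN carries this traffic
        if (r.port, r.proto) in VPN_PORTS and is_global(r.source):
            for client in vpn_clients:
                hardened.append(replace(r, name=f"{r.name} ({client})", source=client))
            continue
        hardened.append(r)
    return hardened


# Constructed sample ruleset for the example (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("rdp-in", "tcp", 3389, "0.0.0.0/0"),
    Rule("smb-in", "tcp", 445, "203.0.113.0/24"),
    Rule("openvpn", "udp", 1194, "0.0.0.0/0"),
    Rule("https", "tcp", 443, "0.0.0.0/0"),
    Rule("ssh-mgmt", "tcp", 22, "198.51.100.7/32"),
]
KNOWN_VPN_CLIENTS = ["198.51.100.7/32", "192.0.2.44/32"]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"[!] {name}: {finding}")
    print("after hardening:")
    for r in harden(SAMPLE_RULES, KNOWN_VPN_CLIENTS):
        print(f"    {r.name}: {r.proto}/{r.port} from {r.source}")
```

Running it prints the findings for the sample ruleset and the ruleset after hardening; only the HTTPS rule is still open to any source, which is exactly the kind of rule the audit should then justify explicitly. Clients on dynamic addresses can't be pinned this way, which is where the Single Packet Authorization or port-knocking approach mentioned in the post comes in.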

Hi All,

I think I managed to delete all the malware on my computer, however how do I decrypt my files?

Below is the example of [email protected] HTML, and I also attached 4 files (2 original, 2 encrypted) if anyone needs them.

Any suggestion or idea how I can decrypt them?

Thank you


Attachments: [email protected], 210617.png, [email protected], 210617.pptx


This is Cry36:
https://id-ransomware.malwarehunterteam.com/identify.php?case=652ce296e0e57ed037c162cae210d9e45c485ce1

There is no known way to decrypt Cry36 for free. In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery


Either they've changed the name to confuse people, or more than one ransomware has infected the system. Was there more than one kind of ransom note left behind? Would it be possible for you to attach the ransom note to a reply so that I can take a look at it?


Hi, I got the same infection yesterday. I've installed a new copy of Windows, but all of my files on my external HDD are encrypted. Can I safely use a USB port to access that storage, to help you by uploading some files? I don't want to install Windows again... :)


Hi All,

The same case with me. My system was also infected by [email protected] yesterday, and my laptop and the external HDD that was connected to the laptop are fully infected. So I formatted my laptop and installed a fresh copy of Windows. I want to recover my data on the external HDD; can someone help me with this?

20 hours ago, Edward said:

Attached as requested.

That looks like a screenshot of the ransom note. Was there an actual file in the folders with your encrypted files named something like "HOWTODECRYPTFILES"?

 

6 hours ago, Janek said:

Hi, I got the same infection yesterday. I've installed a new copy of Windows, but all of my files on my external HDD are encrypted. Can I safely use a USB port to access that storage, to help you by uploading some files? I don't want to install Windows again... :)

Most ransomware will automatically delete itself after it finishes encrypting files in order to make analysis more difficult. If you want to make sure the computer is clean, then you can follow these instructions to post logs in our "Help, my PC is infected!" section, and one of our malware removal experts will be able to assist you.

As for a USB flash drive or hard drive, unless you have turned on Autorun on your Windows computers, it should be safe to transfer files via some sort of USB media.

 

50 minutes ago, Sampa said:

The same case with me. My system was also infected by [email protected] yesterday, and my laptop and the external HDD that was connected to the laptop are fully infected. So I formatted my laptop and installed a fresh copy of Windows. I want to recover my data on the external HDD; can someone help me with this?

We recommend never reinstalling Windows when dealing with a ransomware infection. As I told Janek, they generally delete themselves to make analysis more difficult, so after your files are encrypted the infection is usually gone. There are also a number of ransomware families that leave important information behind on the computer that is required to decrypt your files, and if you reinstall Windows or attempt to remove the ransomware then it could wipe out that information.

It is vital to identify the ransomware first, and then determine what your decryption options are before you take any further action. The best way to identify the ransomware is to upload a copy of the ransom note and an encrypted file to ID Ransomware, and see what it says:
https://id-ransomware.malwarehunterteam.com/

Keep in mind that many ransomware families share the same e-mail address (usually because they are made or distributed by the same criminals), so the e-mail address doesn't always help identify exactly which ransomware you are dealing with.

17 hours ago, GT500 said:

That looks like a screenshot of the ransom note. Was there an actual file in the folders with your encrypted files named something like "HOWTODECRYPTFILES"?

I installed Windows because I didn't have any data on my OP. I store/stored all of my data on external storage.

I uploaded the result of the identification. I have some files both encrypted and original, because of redundant storage :), and I have 2 other HDDs, but most of my data was on my infected external storage. :( So I can upload files if you need them (just send a link). I want my files back... :S

Attachments: HOWTODECRYPTFILES.html, 2018-05-17_2046.png

4 hours ago, Janek said:

I installed Windows because I didn't have any data on my OP. I store/stored all of my data on external storage.

In some cases it doesn't matter where the encrypted data was stored, but rather what system the ransomware infected. For instance, there was a specific ransomware that would save information necessary for decryption in the TEMP folder of the infected computer, and reinstalling Windows (or deleting TEMP files) would destroy the data needed to decrypt the files.

 

4 hours ago, Janek said:

I uploaded the result of the identification. I have some files both encrypted and original, because of redundant storage :), and I have 2 other HDDs, but most of my data was on my infected external storage. :( So I can upload files if you need them (just send a link). I want my files back... :S

This is definitely Cry36. Identification based on sample bytes should be 100% accurate for Cry36, so the results from ID Ransomware should be accurate.

Was the external storage some sort of USB or Firewire device, or was it something like a NAS or SAN?

19 hours ago, Edward said:

Hi GT500, thank you for actively trying to help. Yes, the link shows as below (it's a screenshot).

All I can say for certain is that from the name it does appear to be Cry36.


Hi thank you!

Seems like there is no way to decrypt it? Do you think anyone will come out with a decrypter? Otherwise I would wipe my data.


I have the same ransomware by [email protected]
Is there any chance to decrypt it in the near future? Is anyone working on a decryptor?
I'll kill myself, those files were everything for me, I worked for years...
Please give me some hope Emsisoft.. I am heartbroken and close to killing myself.

On 5/17/2018 at 7:59 PM, Edward said:

Seems like there is no way to decrypt it?

Correct. Cry36 uses secure encryption, which uses a "public key" to encrypt the data and a "private key" to decrypt it. The ransomware generates a new private key for every infected computer, and the private keys are stored on a server operated by the criminals.

 

On 5/17/2018 at 7:59 PM, Edward said:

Do you think anyone will come out with a decrypter?

It is theoretically possible. Such things have happened before, usually when law enforcement and security analysis or anti-virus software companies have collaborated to gain access to a server operated by criminals who made/distributed a particular ransomware so that they could "liberate" the database of private keys. Sadly it doesn't happen as often as we'd like, or as quickly, but it is still worth keeping a backup of the encrypted files in the hopes that someone will be able to make a decrypter for them at some point in the future.

 

13 hours ago, Surtry said:

Is there any chance to decrypt it in the near future? Is anyone working on a decryptor?

We're not aware of anyone actively working on a decrypter. As I said above, it usually happens when law enforcement and security analysis companies manage to gain access to a server operated by the criminals who make the ransomware, allowing them access to the database of private keys to use for decryption. Considering the number of different ransomware families and the time it takes to compromise a reasonably secured server, this process is usually rather slow.

My best recommendation is to make a backup of your encrypted files and wait and see if someone releases a decrypter for Cry36 in the future.

If you need more hope than that, then while the odds are very low, you may want to consider the following (or ask a computer technician with the appropriate skill level to consider the following):

You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

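To make the point in the post above concrete, here is an added toy model in Python (not Cry36's code and not taken from the post) of the key arrangement GT500 describes: each victim gets its own RSA key pair, every file is encrypted with a random per-file key that is wrapped with the victim's public key, and only the private key held by the operators unwraps it. The primes are tiny, and the container marker ("TOY-NOTE"), field layout and byte-wise wrapping are invented for readability; they are not Cry36's format and the scheme is not secure. The last function shows what a "free decrypter" amounts to once a database of private keys has been seized: a lookup of the victim's private key by the ID stored in each file.

```python
import hashlib
import math
import os
from dataclasses import dataclass

# Toy parameters so the example runs instantly. They are NOT secure and are not
# Cry36's real parameters; the point is the key structure the post describes:
# one key pair per victim, with the private half held only by the operators.
VICTIM_PRIMES = [(61, 53), (67, 71), (89, 97)]
PUBLIC_EXPONENT = 17
MAGIC = b"TOY-NOTE"   # invented container marker, not a real Cry36 file marker


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_victim_keypair(victim_index):
    """Textbook RSA from hard-coded tiny primes: a fresh key pair per victim."""
    p, q = VICTIM_PRIMES[victim_index % len(VICTIM_PRIMES)]
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(PUBLIC_EXPONENT, phi) == 1
    return PublicKey(n, PUBLIC_EXPONENT), PrivateKey(n, pow(PUBLIC_EXPONENT, -1, phi))


def _keystream(file_key, length):
    """SHA-256 in counter mode as a stand-in for the real symmetric cipher."""
    out = bytearray()
    for counter in range(0, length, 32):
        out += hashlib.sha256(file_key + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext, victim_id, pub):
    """Random per-file key, wrapped byte-by-byte with the victim's public key.
    victim_id is at most 8 ASCII characters in this toy layout."""
    file_key = os.urandom(16)
    wrapped = b"".join(pow(b, pub.e, pub.n).to_bytes(2, "big") for b in file_key)
    body = _xor(plaintext, _keystream(file_key, len(plaintext)))
    return MAGIC + victim_id.encode("ascii").ljust(8, b"\0") + wrapped + body


def parse_blob(blob):
    if blob[:8] != MAGIC:
        raise ValueError("not an encrypted file from this scheme")
    victim_id = blob[8:16].rstrip(b"\0").decode("ascii")
    return victim_id, blob[16:48], blob[48:]


def unwrap_file_key(wrapped, priv):
    """Only the matching private key recovers the 16 key bytes."""
    key = bytearray()
    for i in range(0, len(wrapped), 2):
        m = pow(int.from_bytes(wrapped[i:i + 2], "big"), priv.d, priv.n)
        if m > 255:
            raise ValueError("private key does not belong to this victim")
        key.append(m)
    return bytes(key)


def decrypt_file(blob, priv):
    _, wrapped, body = parse_blob(blob)
    file_key = unwrap_file_key(wrapped, priv)
    return _xor(body, _keystream(file_key, len(body)))


def build_decryptor(leaked_private_keys):
    """What a 'free decrypter' is once the operators' key database is seized:
    look up the victim's private key by the ID stored in each file."""
    def decrypt(blob):
        victim_id, _, _ = parse_blob(blob)
        if victim_id not in leaked_private_keys:
            raise KeyError(f"no private key in the database for {victim_id}")
        return decrypt_file(blob, leaked_private_keys[victim_id])
    return decrypt
```

Decrypting with another victim's private key either fails the range check in unwrap_file_key or yields garbage, which is why one victim's recovered key does nothing for anyone else, and why a decrypter only becomes possible once the per-victim private keys themselves are obtained from the operators' server.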

In addition to the above, with any files that you don't want to lose that have yet to be encrypted by ransomware, I highly recommend making copies of those files on some sort of removable media (USB flash drives or USB hard drives for instance), and then leaving them disconnected from your computer. Most ransomware will look for files on every connected hard drive, and many will also check network drives and network shares, so it is absolutely critical that backup media not remain connected to a computer after making a backup.


FYI: This does appear to be a new variant of the Nemesis ransomware, which Cry36 is a variant of as well. An affiliate/reseller for Dr.Web is claiming that Dr.Web is capable of decrypting the files (or at least figuring out the private key to use to decrypt them), and selling the service on BleepingComputer's forums. Note that Dr.Web will provide this service for free to anyone who has a license for their business Anti-Virus software. They have a form to request this service available at this link.

Edit: Please see the note in the post at this link about Dr.Web not being able to decrypt this ransomware, and your current options for recovering files.

 

On 2018. 05. 18. at 1:35 AM, GT500 said:

Was the external storage some sort of USB or Firewire device, or was it something like a NAS or SAN?

Hi GT500, it was a USB device, specifically a WD My Book Essential HDD, and there was an SD card connected to my laptop.

10 hours ago, GT500 said:

FYI: This does appear to be a new variant of the Nemesis ransomware, which Cry36 is a variant of as well. An affiliate/reseller for Dr.Web is claiming that Dr.Web is capable of decrypting the files (or at least figuring out the private key to use to decrypt them), and selling the service on BleepingComputer's forums. Note that Dr.Web will provide this service for free to anyone who has a license for their business Anti-Virus software. They have a form to request this service available at this link.

I think it is a big business for antivirus companies and the hackers too... And I have confidence that those fcking hackers are working for antivirus companies...

Guys, let's just calm ourselves and wait until one hero saves our files and computers... Let's hope one day God will bring our true hero that will give us the solution to this ransomware, and hope this won't happen again to the world. #NoMoreRansomCriminals

On 5/19/2018 at 8:52 AM, Janek said:

I think it is a big business for antivirus companies and the hackers too... And I have confidence that those fcking hackers are working for antivirus companies...

Everyone I know who works in the Anti-Virus industry considers making malware unacceptable. We believe it's criminal and immoral to intentionally do harm to others or their property.

Anti-Virus software companies exist for the same reason that private security companies and police forces exist. Sadly there are people in this world who feel justified in causing harm to others (usually for their own personal gain). There can be considerable profit in ransomware, and if done right it can be rather difficult to track down the criminals who make and distribute it, so there are plenty of people who seem far too eager to abuse it (and their victims) to make money. From what I've seen, many of the people who do this seem to think of themselves as some sort of "Robin Hood", stealing from the rich to give to the "poor" (aka. themselves), completely ignoring the fact that they are harming innocent people and that they are in reality nothing more than greedy miscreants. There have also been some cases where people have made ransomware as a "proof of concept", or even just to prove that they can.

7 hours ago, ayman ibrahim said:

I need to delete all the malware on my computer, however how do I decrypt my files?

While I don't know about the odds of being able to recover your data, please see the following:

On 5/18/2018 at 10:27 PM, GT500 said:

An affiliate/reseller for Dr.Web is claiming that Dr.Web is capable of decrypting the files (or at least figuring out the private key to use to decrypt them), and selling the service on BleepingComputer's forums. Note that Dr.Web will provide this service for free to anyone who has a license for their business Anti-Virus software. They have a form to request this service available at this link.

 

8 hours ago, hanificung said:

Alright, let me ask this once again. Until now, there's no way to decrypt files encrypted by [email protected]?

You are correct, there is no known way to decrypt files encrypted by this ransomware (CryptON/Cry36/Nemesis) without first obtaining the private key from the criminals who made/distributed the ransomware.

13 hours ago, Acelooc said:

Im Sure Soon someone will Find a Way to Decrypt these

That is possible, however keep in mind that Cry36 has been around for some time without any real progress being made in decryption, so please note that it may take a little while for security researchers and/or law enforcement to finally get their hands on the private keys to decrypt your files.
