
As far as I know, it isn't possible to decrypt files encrypted by newer versions of this ransomware. More information can be found here:

I will ask Michael if what he said in that post is still the case.


One of our malware analysts told me that this isn't Vortex. The guy who made/distributed Vortex was arrested months ago:

This appears to be something new that has similarities to Vortex which caused ID Ransomware to flag it as Vortex. We'll need a copy of the ransomware (the malicious file that encrypted your files) in order to know more.

If you have a copy of the ransomware then you can upload it to VirusTotal and post a link to the analysis here for us to look at. If you have a link to where the ransomware was downloaded from, then you can run the link through VirusTotal and then post a link to the analysis here (that way we don't have live links to dangerous files on our forums).

If you don't have a copy of the ransomware or a link to where to download it, then we can try getting a log from FRST, and see if it shows any signs of the ransomware on your computer. You can find instructions for downloading and running FRST at the following link:

29 minutes ago, unkaleong said:

Thanks. I've been in contact with cert.pl; they requested a copy of the encrypted file and ransom note, which I duly provided. They have just got back to me and they are saying it's RSA2048Pro ransomware. I've run FRST and am attaching the logs as required.



I've managed to log in to the infected server via safe mode and found the malicious file. I've run the file through the link you sent me earlier. Please find the results below:


10 hours ago, unkaleong said:

They have just got back to me and they are saying it's RSA2048Pro ransomware.

That's what our malware analysts are telling me as well. They've also taken a look at the VirusTotal link you provided, and they said it was RSA2048Pro.

They let me know that ID Ransomware has been updated to correctly detect this ransomware, rather than mistakenly flagging it as Vortex.

Note that there is very little public information about this ransomware. I believe it was originally discovered by MalwareHunterTeam:

The only publicly available analysis appears to have been written by Andrew Ivanov (a Russian malware analyst):

There is no information about decryption of files; however, considering the type of encryption used and the way the keys are handled, I expect that decryption is not possible without obtaining the private key from the criminals who made/distributed the ransomware. Just to be certain, I have asked our malware analysts for confirmation.


It's been confirmed that the ransomware is secure, and we won't be able to help with decryption of the files.

I've also been told that only the e-mail address was added to ID Ransomware, so the file extension will still be detected as Vortex.


OK. I doubt the following will be helpful, and if you've searched around here a bit then you've probably also seen it, but feel free to show it to whoever will be assisting you in case they want to try it:

Ransomware like this usually deletes Volume Shadow Copies, so a tool like ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).

In cases where the Volume Shadow Copies have been deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above, the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:

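The post above describes the shadow-copy deletion that usually precedes the file encryption. The following is an added example (not code from the thread, from Emsisoft, or from any analysis of RSA2048Pro) showing how a detection rule for that behaviour can be written and run over process-creation events. The events, hostnames, paths and command lines below are constructed for illustration, loosely modelled on the fields of Sysmon Event ID 1 / Windows Security Event 4688; the patterns cover the command lines commonly used to destroy Volume Shadow Copies and other Windows recovery options, and the alert is raised to "high" when the parent process runs from a user-writable directory an administrator would not normally launch maintenance commands from.

```python
"""Flag shadow-copy and recovery tampering in process-creation events.

Added example, not code from the forum thread. The event records below are
constructed for illustration and modelled loosely on Sysmon Event ID 1 /
Security 4688 fields (image, command line, parent image).
"""
import re

# Command lines ransomware commonly runs to destroy Volume Shadow Copies and
# other recovery options. Matching is case-insensitive on the full command line.
TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
     "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
     "vssadmin resize shadowstorage (forces shadow copies to be discarded)"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "wmic shadowcopy delete"),
    (re.compile(r"Win32_ShadowCopy\b.*(?:\bRemove-WmiObject\b|\bRemove-CimInstance\b|\.Delete\(\))", re.I),
     "PowerShell Win32_ShadowCopy removal"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
     "wbadmin delete catalog/systemstatebackup"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
     "bcdedit recoveryenabled no"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
     "bcdedit bootstatuspolicy ignoreallfailures"),
]

# Parent-process locations an administrator would not normally run
# maintenance commands from; a match here raises the alert severity.
SUSPICIOUS_PARENT_DIRS = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.I,
)

# Constructed sample events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\svc_backup\AppData\Local\Temp\update.exe"},
    {"host": "FS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS12", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
     "parent": r"C:\Windows\Temp\svchost.exe"},
    {"host": "WS12", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",                      # benign admin query
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
     "parent": r"C:\Users\svc_backup\AppData\Local\Temp\update.exe"},
    {"host": "WS12", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt",                     # benign
     "parent": r"C:\Windows\explorer.exe"},
]


def match_tampering(cmdline):
    """Return the labels of every tampering pattern found in a command line."""
    return [label for pattern, label in TAMPER_PATTERNS if pattern.search(cmdline)]


def parent_is_suspicious(parent_image):
    """True when the parent binary lives in a user-writable staging directory."""
    return bool(SUSPICIOUS_PARENT_DIRS.search(parent_image))


def scan(events):
    """Return one alert per event whose command line matches a tampering pattern."""
    alerts = []
    for event in events:
        indicators = match_tampering(event["cmdline"])
        if not indicators:
            continue
        alerts.append({
            "host": event["host"],
            "severity": "high" if parent_is_suspicious(event["parent"]) else "medium",
            "indicators": indicators,
            "cmdline": event["cmdline"],
            "parent": event["parent"],
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']}: {', '.join(alert['indicators'])}")
        print(f"    cmdline: {alert['cmdline']}")
        print(f"    parent:  {alert['parent']}")
```

Even a "medium" hit on a file server is worth an immediate look: legitimate backup software rarely deletes all shadow copies from an interactive shell, and the deletion typically happens minutes before encryption starts, which is the window in which isolating the host still saves data.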