unkaleong

.aes file extensions

As far as I know, it isn't possible to decrypt files encrypted by newer versions of this ransomware. More information can be found here:
https://www.bleepingcomputer.com/forums/t/642013/vortex-aes-ransomware-help-support-odzszyfruj-danetxt/page-2#entry4233247

I will ask Michael if what he said in that post is still the case.

One of our malware analysts told me that this isn't Vortex. The guy who made/distributed Vortex was arrested months ago:
https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/

This appears to be something new that has similarities to Vortex which caused ID Ransomware to flag it as Vortex. We'll need a copy of the ransomware (the malicious file that encrypted your files) in order to know more.

If you have a copy of the ransomware then you can upload it to VirusTotal and post a link to the analysis here for us to look at. If you have a link to where the ransomware was downloaded from, then you can run the link through VirusTotal and then post a link to the analysis here (that way we don't have live links to dangerous files on our forums).

If you don't have a copy of the ransomware or a link to where to download it, then we can try getting a log from FRST, and see if it shows any signs of the ransomware on your computer. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/en-us/article/274-running-a-scan-with-frst

Thanks. I've been in contact with cert.pl; they requested a copy of the encrypted file and ransom note, which I duly provided. They have just got back to me and they are saying it's RSA2048Pro ransomware. I've run FRST and am attaching the logs as required.

Addition.txt

FRST.txt

29 minutes ago, unkaleong said:

Thanks. I've been in contact with cert.pl; they requested a copy of the encrypted file and ransom note, which I duly provided. They have just got back to me and they are saying it's RSA2048Pro ransomware. I've run FRST and am attaching the logs as required.

Addition.txt

FRST.txt

I've managed to log in to the infected server via safe mode and found the malicious file. I've run the file through the link you sent me earlier. Please find the results below:

https://www.virustotal.com/#/file/e8fedb6e700d3676a7d38abfef791720cd4da13034a2c276783e76a91f5c356e/detection

10 hours ago, unkaleong said:

They have just got back to me and they are saying it's RSA2048Pro ransomware.

That's what our malware analysts are telling me as well. They've also taken a look at the VirusTotal link you provided, and they said it was RSA2048Pro.

They let me know that ID Ransomware has been updated to correctly detect this ransomware, rather than mistakenly flagging it as Vortex.

Note that there is very little public information about this ransomware. I would believe it was originally discovered by MalwareHunterTeam:
https://twitter.com/malwrhunterteam/status/892369358214836230

The only publicly available analysis appears to have been written by Andrew Ivanov (a Russian malware analyst):
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2017%2F08%2Frsa2048pro-ransomware.html

There is no information about decryption of files, however considering the type of encryption used and the way the keys are handled I expect that decryption is not possible without obtaining the private key from the criminals who made/distributed the ransomware. Just to be certain, I have asked our malware analysts for confirmation.

It's been confirmed that the ransomware is secure, and we won't be able to help with decryption of the files.

I've also been told that only the e-mail address was added to ID Ransomware, so the file extension will still be detected as Vortex.

OK. I doubt the following will be helpful, and if you've searched around here a bit then you've probably also seen it, but feel free to show it to whoever will be assisting you in case they want to try it:

Ransomware like this usually deletes Volume Shadow Copies, so a tool like ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

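Before reaching for ShadowExplorer or an undelete utility, it helps to know whether the shadow copies on the affected machine still exist at all. The script below is an added example, not code from the thread or from Emsisoft; it uses the built-in Win32_ShadowCopy and Win32_Volume WMI classes to list the surviving shadow copies per volume, and optionally exposes one of them as a read-only directory junction so its contents can be browsed without any third-party tool. The mount path C:\shadow_view and the choice of the newest copy are assumptions made for the example; run it from an elevated PowerShell session on the recovered host or on a machine the drive has been attached to.

```powershell
# Added example: inventory Volume Shadow Copies before attempting recovery.
# Assumptions (not from the thread): mount point path, "newest copy" selection.

function Get-ShadowCopyInventory {
    # Map the device-style VolumeName (\\?\Volume{guid}\) to a drive letter.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume |
        ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy

    # Report every mounted volume, including those with zero copies:
    # an empty list on a volume that normally has copies is itself a
    # sign that the ransomware ran vssadmin/WMI deletion.
    foreach ($dev in $volumes.Keys) {
        $letter = $volumes[$dev]
        if (-not $letter) { continue }           # skip volumes without a letter
        $forVolume = @($shadows | Where-Object { $_.VolumeName -eq $dev })
        [pscustomobject]@{
            Drive       = $letter
            ShadowCount = $forVolume.Count
            Newest      = ($forVolume | Sort-Object InstallDate -Descending |
                           Select-Object -First 1).InstallDate
        }
    }
}

function Mount-ShadowCopyReadOnly {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,   # e.g. "C:"
        [string] $MountPath = "C:\shadow_view"           # assumed path
    )
    $volume = Get-CimInstance -ClassName Win32_Volume |
              Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume with drive letter $DriveLetter" }

    $newest = Get-CimInstance -ClassName Win32_ShadowCopy |
              Where-Object { $_.VolumeName -eq $volume.DeviceID } |
              Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $newest) {
        Write-Warning "No shadow copies remain for $DriveLetter; see the undelete notes above."
        return $null
    }

    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    # The trailing backslash is required for mklink to resolve the snapshot root.
    $target = $newest.DeviceObject + "\"
    if (Test-Path $MountPath) { throw "$MountPath already exists; choose another path" }
    cmd.exe /c mklink /d $MountPath $target | Out-Null
    Write-Host "Snapshot from $($newest.InstallDate) of $DriveLetter mounted at $MountPath"
    return $MountPath
}

# Usage:
Get-ShadowCopyInventory | Format-Table -AutoSize
# Mount-ShadowCopyReadOnly -DriveLetter "C:"
# ... browse C:\shadow_view, copy what you need, then remove the link:
# cmd.exe /c rmdir C:\shadow_view
```

The inventory step is the useful part for triage: a drive that shows zero shadow copies on a system that had System Restore enabled matches the deletion behaviour described above, and tells you that only the undelete route (or offline backups) is left. Removing the junction with rmdir deletes only the link, not the snapshot.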
