Jerica Schvolter

Files Encrypted With 2 Different Extensions

Recommended Posts

I'm having the same unfortune here.
I have 2 extension types, and I know for sure that they're both different.
This ransomware deleted all of my disk's shadow copy's, all of my Windows restore points, and its even capable to encrypt the files in all $RECYCLE folders of all disks, so it leaves no way to get the files back.
I contacted the hacker by the email that he os she provided, manifesting my intention to pay.
He answerd me, and asked me to send him the unique ID (findable on .HTML or .TXT files) and some encrypted files so he can proof successfully decrypt. 
In my reply to him, i've attached a file with [[email protected]].HRM extension and another with the .GEFEST extension, and provided the .HTML file that he left on every fkng folder of every disk partition. Then he sent the  [[email protected]].HRM file decrypted and asked me to look for another info (or openable .txt) files left on my computer with some kind of keys in it. That means 2 different encription types as they need 2 different unique keys.
I'm not sharing publicly my files, nor my real identity or any personal info about me, just because (although I think I've kept my anonymity while talking to the hacker) he could probably trace me or something. I have my computer cleaned and offline, my files are backed up (THE ENCRYPTED ONES) and i'm getting a new network card.
I really hope (and patiently wait) for a quick solution to this new Ransomware.
And if there's anyone with encription knowlage reading this post, who think that it's possible to somehow catch the encription secrets with the 2 files I have (encrypted and decrypted version of the same file) please contact email address to avoid member being spammed.

Share this post

Link to post
Share on other sites

I suspect that the answer will be the same as the one I gave at this link, however I still recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:

You can paste a link to the results into a reply if you would like for me to review them.

Note that in your case you may have two ransom notes since your computer was more than likely infected by more than one ransomware. If you're not sure which one to upload to VirusTotal, then just attach both to a reply here along with an encrypted file, and I'll take a look at them for you.

Share this post

Link to post
Share on other sites

Thanks for your reply. I've already tried the ransomware identification page.
For the .HRM extension i got HERMES 2.1, with no decrypt method at this time. For .GEFEST I got Scarab.
The infected computer is at the office right now, I can only access it on Monday. Right now i have the 2 different extension files encrypted and just one note (i suppose the note is for the .HRM extension). I'll leave it here for you to analyse, if and when you can.
I think i don't have any alternatives right now. And after long reading hours, i guess i'll have no lucky for the future with the HERMES 2.1...
Best regards


Aviso Recibo.pdf[[email protected]].HRM


Share this post

Link to post
Share on other sites

I think you're dealing with three ransomwares here. It looks like the .pdf variant of STOP encrypted your files, and then two other ransomwares encrypted the files that were encrypted by STOP. Either that or both encrypted files were originally PDF files.

I don't think there's anything that can be done about the files encrypted by Hermes 2.1, at least not at the moment. As for Scarab it may be possible for Dr.Web to assist with decryption, however please note that they do not do this for free. They require you to have a license for their business Anti-Virus software before they will assist you. One of Dr.Web's resellers (Emmanuel) offers assistance on the BleepingComputer forums with contacting them to find out if your files can be decrypted. You can find more information at the following link:

Note: Being a reseller, Emmanuel will make at least some money selling you the license you will need to purchase before Dr.Web will decrypt your files (assuming they can of course).

Do you have a file somewhere called "_openme"? If so, attach that to a reply, and I will take a look at it.

Share this post

Link to post
Share on other sites

That's the ransom note from Scarab. It more than likely encrypted the ransom notes from the other ransomwares.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.