Augustine Martin 0 Report post Posted April 6 I write to you as per the above subject. My files are Encrypted with extension .crabslkt. My PC was infected by Ransonmware and i managed to contain it. The problem is all my files are Encrypted with that extension. (.crabslkt) Kindly assist. Quote Share this post Link to post Share on other sites
stapp 124 Report post Posted April 7 I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like one of our experts to review them. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 12 hi everyone my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again. my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download. BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end. The top note of ransom text is like this; Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. Quote Share this post Link to post Share on other sites
GT500 559 Report post Posted April 12 1 hour ago, H6T9 said: yesterday I format my C drive and installed a new windows (8.1) again. Just so that you know, when dealing with ransomware it can be bad to format the drive. While this isn't the case most of the time, there are ransomwares that leave information on the computer necessary to decrypt files, and reformatting the drive or even clearing TEMP files could lead to the loss of this information. 1 hour ago, H6T9 said: BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end. First we have to determine what ransomware it is. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 13 12 hours ago, GT500 said: Just so that you know, when dealing with ransomware it can be bad to format the drive. While this isn't the case most of the time, there are ransomwares that leave information on the computer necessary to decrypt files, and reformatting the drive or even clearing TEMP files could lead to the loss of this information. First we have to determine what ransomware it is. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them. hi. thank you for answering first of all. I was not sure what was happening to my PC , and I thought that it has something whit my unactivated windows, so I just restarted my PC and changed the windows. right now I just did what you recommended me and uploaded my ransom note and one of the encrypted files in (id-ransomware.malwarehunterteam.com) and this are the replies to those actions: Scarab This ransomware may be decryptable under certain circumstances Hermes 2.1 This ransomware has no known way of decrypting data at this time. the result link: https://id-ransomware.malwarehunterteam.com/identify.php?case=9eb9665748694e58d27432eff86e2b1cb93eda1c PLS help me if you can. my 4.5 TB of information are now out of access and I really need them. Quote Share this post Link to post Share on other sites
Amigo-A 11 Report post Posted April 13 H6T9 In this case, the identify ID Ransomware may be wrong, because extortionists specially selected similar items. Give me a note (here or in PM), I will immediately tell you who it was. Use the www.sendspace.com service to download the file and give us a link. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 14 hi Amigo TNX for answering I did as you told me to do and this is the Download link to my uploaded file on (sendspace.com) in blow: https://www.sendspace.com/file/fqezzc I also attached the same uploaded file which is a picture right here 1.jpg.CRABSLKT Quote Share this post Link to post Share on other sites
Amigo-A 11 Report post Posted April 14 Hello. I asked you to send to me a ransom note (text file) left by the extortionists in each folder with encrypted files... There is not enough of the fifth element to add his to the puzzle. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 14 5 hours ago, Amigo-A said: Hello. I asked you to send to me a ransom note (text file) left by the extortionists in each folder with encrypted files... There is not enough of the fifth element to add his to the puzzle. hi. ow ok. sorry I forgot to attach the ransom note here it is ; HOW TO RECOVER ENCRYPTED FILES.TXT Quote Share this post Link to post Share on other sites
Amigo-A 11 Report post Posted April 14 No. Please use the www.sendspace.com service to download the file and give us a link. Forum settings do not allow me to download attachments. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 14 sorry buddy I was confused here is the link to download my ransom note https://www.sendspace.com/file/1j1p9a Quote Share this post Link to post Share on other sites
balumka13 0 Report post Posted April 15 On 4/12/2019 at 11:42 PM, H6T9 said: hi everyone my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again. my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download. BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end. The top note of ransom text is like this; Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. I have the same issue .CRABSLKT Quote Share this post Link to post Share on other sites
balumka13 0 Report post Posted April 15 (edited) On 4/12/2019 at 11:42 PM, H6T9 said: hi everyone my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again. my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download. BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end. The top note of ransom text is like this; Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. I have the same issue with encrypted files to .CRABSLKT help us please!!! I have some value and i think this can be a key to decryption: A420C83E49231EC3CF57E735B374D906 C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A420C83E49231EC3CF57E735B374D906 https://www.sendspace.com/filegroup/0p%2BmRLKl1gpogblZclmwiCR6tPsxvh45l4c9aDxJq1C80s60lysKWnEgFMiVsCRI intro (1-st album).docx.CRABSLKT HOW TO RECOVER ENCRYPTED FILES.TXT Edited April 15 by balumka13 Quote Share this post Link to post Share on other sites
balumka13 0 Report post Posted April 15 On 4/13/2019 at 1:46 PM, H6T9 said: PLS help me if you can. my 4.5 TB of information are now out of access and I really need them. Plus my 3+ TB of information( Quote Share this post Link to post Share on other sites
Amigo-A 11 Report post Posted April 15 Ok. Thank to H6T9, balumka13 In short: your files were encrypted by Scarab-Gefest Ransomware, from the Scarab family.No free decoder. You can get the private decryption that DrWeb and ESET do if they have an encoder file. Request for decryption 1) DrWeb makes a free test-decryption, used only encrypted files, registry files and a ransom note file. Link. If they can decrypt, then they offer to first buy a 'Rescue Package' with DrWeb Security Space for 2 years, then give a decoder for the encrypted files. And user will under their protection for 2 years. For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). The service without the rescue package of Dr.Web is not available. 2) ESET first offers to buy their commercial antivirus, and then make a test-decryption. Link. Recently I told how to make a request in ESET, if you're interested, see the link on the BleepingComputer forum. Starting with post # 554. I have nothing to do with them and can’t influence their prices. I also believe that it was possible to make this service cheaper, if the user gets support for the first time. Later he would still buy protection if she would provide real security for a year. If details Ransomware are interesting: What is this Scarab, I realized immediately when I carefully looked at the results of ID-Ransomware. But extortionists often confuse traces: they take the name of someone else's note, the text of the ransom, imitate the ID and so on. I talked about the fifth element, in fact there are more of them and they came together before I saw the note itself. It was also clear to me exactly which version of the Scarab and which group is currently engaged in this variant. The hint is the BM-address from the note. Previously, the same people spread Hermes, then another and Scarab. Then Hermes was sold and the actors went to other projects. When the basic encryptor of Scarab was updated last year, many extortionists switched to using it. I wrote about some, who switched to the Scarab and came from other projects. The Scarab Ransomware-project employs many groups from different countries, they work in groups and individually. 1 Quote Share this post Link to post Share on other sites
Amigo-A 11 Report post Posted April 15 balumka13 If you will apply for decryption in DrWeb or ESET, then you can provide them with all these files, information and a link that you published here. It is possible that this will help. Please tell us about the results. Quote A420C83E49231EC3CF57E735B374D906 This code is very short, usually there are more than 100 characters. But inside the file itself there may be more information. Do not change anything there. Quote Share this post Link to post Share on other sites
H6T9 0 Report post Posted April 18 On 4/15/2019 at 1:28 AM, Amigo-A said: Ok. Thank to H6T9, balumka13 In short: your files were encrypted by Scarab-Gefest Ransomware, from the Scarab family.No free decoder. You can get the private decryption that DrWeb and ESET do if they have an encoder file. Request for decryption 1) DrWeb makes a free test-decryption, used only encrypted files, registry files and a ransom note file. Link. If they can decrypt, then they offer to first buy a 'Rescue Package' with DrWeb Security Space for 2 years, then give a decoder for the encrypted files. And user will under their protection for 2 years. For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). The service without the rescue package of Dr.Web is not available. 2) ESET first offers to buy their commercial antivirus, and then make a test-decryption. Link. Recently I told how to make a request in ESET, if you're interested, see the link on the BleepingComputer forum. Starting with post # 554. I have nothing to do with them and can’t influence their prices. I also believe that it was possible to make this service cheaper, if the user gets support for the first time. Later he would still buy protection if she would provide real security for a year. If details Ransomware are interesting: What is this Scarab, I realized immediately when I carefully looked at the results of ID-Ransomware. But extortionists often confuse traces: they take the name of someone else's note, the text of the ransom, imitate the ID and so on. I talked about the fifth element, in fact there are more of them and they came together before I saw the note itself. It was also clear to me exactly which version of the Scarab and which group is currently engaged in this variant. The hint is the BM-address from the note. Previously, the same people spread Hermes, then another and Scarab. Then Hermes was sold and the actors went to other projects. When the basic encryptor of Scarab was updated last year, many extortionists switched to using it. I wrote about some, who switched to the Scarab and came from other projects. The Scarab Ransomware-project employs many groups from different countries, they work in groups and individually. TNX for this information Amigo Quote Share this post Link to post Share on other sites
