Jump to content

File encryption

Augustine Martin
 Share Followers 1

Recommended Posts

H6T9

H6T9 0

Posted
Posted

hi everyone

my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again.

my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download.

BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end.

The top note of ransom text is like this;


Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.

Link to post
Share on other sites
GT500

GT500 872

Posted
Posted
1 hour ago, H6T9 said:

yesterday I format my C drive and installed a new windows (8.1) again.

Just so that you know, when dealing with ransomware it can be bad to format the drive. While this isn't the case most of the time, there are ransomwares that leave information on the computer necessary to decrypt files, and reformatting the drive or even clearing TEMP files could lead to the loss of this information.

 

1 hour ago, H6T9 said:

BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end.

First we have to determine what ransomware it is. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Link to post
Share on other sites
H6T9

H6T9 0

Posted
Posted
12 hours ago, GT500 said:

Just so that you know, when dealing with ransomware it can be bad to format the drive. While this isn't the case most of the time, there are ransomwares that leave information on the computer necessary to decrypt files, and reformatting the drive or even clearing TEMP files could lead to the loss of this information.

 

First we have to determine what ransomware it is. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

hi. thank you for answering

first of all. I was not sure what was happening to my PC , and I thought that it has something whit my unactivated windows, so I just restarted my PC and changed the windows.

 

right now I just did what you recommended me and uploaded my ransom  note and one of the encrypted files in (id-ransomware.malwarehunterteam.com) and this are the replies to those actions:

 

Scarab

This ransomware may be decryptable under certain circumstances

 

Hermes 2.1

This ransomware has no known way of decrypting data at this time.

the result link:

https://id-ransomware.malwarehunterteam.com/identify.php?case=9eb9665748694e58d27432eff86e2b1cb93eda1c

 

PLS help me if you can. my 4.5 TB of information are now out of access and I really need them.  

    

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

H6T9

In this case, the identify ID Ransomware may be wrong, because extortionists specially selected similar items.
Give me a note (here or in PM), I will immediately tell you who it was.

Use the www.sendspace.com service to download the file and give us a link.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Hello. 
I asked you to send to me a ransom note (text file) left by the extortionists in each folder with encrypted files... :) 

There is not enough of the fifth element to add his to the puzzle.

Link to post
Share on other sites
balumka13

balumka13 0

Posted
Posted
On 4/12/2019 at 11:42 PM, H6T9 said:

hi everyone

my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again.

my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download.

BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end.

The top note of ransom text is like this;


Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.

I have the same issue .CRABSLKT

Link to post
Share on other sites
balumka13

balumka13 0

Posted
Posted (edited)
On 4/12/2019 at 11:42 PM, H6T9 said:

hi everyone

my system was attacked by some encrypting ransomware and all of my files are encrypted right now and I don't have any access to them . yesterday I format my C drive and installed a new windows (8.1) again.

my C drive is ok right now and non of the new files that I have downloaded in past 2 days didn't got encrypted anymore. and I can download things and install any softwares I download.

BUT yet I don't know what to do for my encrypted files. all of the files in all of my drives now have (.CRABSLKT) extension in their end.

The top note of ransom text is like this;


Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.

I have the same issue with encrypted files to .CRABSLKT

 

help us please!!! 

I have some value and i think this can be a key to decryption: 

A420C83E49231EC3CF57E735B374D906

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A420C83E49231EC3CF57E735B374D906

https://www.sendspace.com/filegroup/0p%2BmRLKl1gpogblZclmwiCR6tPsxvh45l4c9aDxJq1C80s60lysKWnEgFMiVsCRI 

intro (1-st album).docx.CRABSLKT HOW TO RECOVER ENCRYPTED FILES.TXT

Edited by balumka13
Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Ok. Thank to H6T9, balumka13

In short: your files were encrypted by Scarab-Gefest Ransomware, from the Scarab family.
No free decoder. You can get the private decryption that DrWeb and ESET do if they have an encoder file.

Request for decryption

1) DrWeb makes a free test-decryption, used only encrypted files, registry files  and a ransom note file. Link.
If they can decrypt, then they offer to first buy a 'Rescue Package' with DrWeb Security Space for 2 years, then give a decoder for the encrypted files. And user will under their protection for 2 years.  For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). The service without the rescue package of Dr.Web is not available. 
2) ESET first offers to buy their commercial antivirus, and then make a test-decryption. Link. Recently I told how to make a request in ESET, if you're interested, see the link on the BleepingComputer forum. Starting with post # 554.

I have nothing to do with them and can’t influence their prices. I also believe that it was possible to make this service cheaper, if the user gets support for the first time. Later he would still buy protection if she would provide real security for a year.

If details Ransomware are interesting:
What is this Scarab, I realized immediately when I carefully looked at the results of ID-Ransomware.
But extortionists often confuse traces: they take the name of someone else's note, the text of the ransom, imitate the ID and so on.
I talked about the fifth element, in fact there are more of them and they came together before I saw the note itself.
It was also clear to me exactly which version of the Scarab and which group is currently engaged in this variant.
The hint is the BM-address from the note. Previously, the same people spread Hermes, then another and Scarab. Then Hermes was sold and the actors went to other projects. When the basic encryptor of Scarab was updated last year, many extortionists switched to using it. I wrote about some, who switched to the Scarab and came from other projects. 
The Scarab Ransomware-project employs many groups from different countries, they work in groups and individually.

  • Like 1
Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

balumka13

If you will apply for decryption in DrWeb or ESET, then you can provide them with all these files, information and a link that you published here. It is possible that this will help.
Please tell us about the results.

Quote

A420C83E49231EC3CF57E735B374D906

This code is very short, usually there are more than 100 characters. But inside the file itself there may be more information. Do not change anything there.

 

Link to post
Share on other sites
H6T9

H6T9 0

Posted
Posted
On ‎4‎/‎15‎/‎2019 at 1:28 AM, Amigo-A said:

Ok. Thank to H6T9, balumka13

In short: your files were encrypted by Scarab-Gefest Ransomware, from the Scarab family.
No free decoder. You can get the private decryption that DrWeb and ESET do if they have an encoder file.

Request for decryption

1) DrWeb makes a free test-decryption, used only encrypted files, registry files  and a ransom note file. Link.
If they can decrypt, then they offer to first buy a 'Rescue Package' with DrWeb Security Space for 2 years, then give a decoder for the encrypted files. And user will under their protection for 2 years.  For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). The service without the rescue package of Dr.Web is not available. 
2) ESET first offers to buy their commercial antivirus, and then make a test-decryption. Link. Recently I told how to make a request in ESET, if you're interested, see the link on the BleepingComputer forum. Starting with post # 554.

I have nothing to do with them and can’t influence their prices. I also believe that it was possible to make this service cheaper, if the user gets support for the first time. Later he would still buy protection if she would provide real security for a year.

If details Ransomware are interesting:
What is this Scarab, I realized immediately when I carefully looked at the results of ID-Ransomware.
But extortionists often confuse traces: they take the name of someone else's note, the text of the ransom, imitate the ID and so on.
I talked about the fifth element, in fact there are more of them and they came together before I saw the note itself.
It was also clear to me exactly which version of the Scarab and which group is currently engaged in this variant.
The hint is the BM-address from the note. Previously, the same people spread Hermes, then another and Scarab. Then Hermes was sold and the actors went to other projects. When the basic encryptor of Scarab was updated last year, many extortionists switched to using it. I wrote about some, who switched to the Scarab and came from other projects. 
The Scarab Ransomware-project employs many groups from different countries, they work in groups and individually.

TNX for this information Amigo

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 02/25/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...