datom

decrypt my .RAD files pls.


Files on my PC in different folders are encrypted and infected. In every encrypted folder is a blackmail letter.

blackmail letter:

#_#RAD_README#_#.rtf

RAD-files: 

[[email protected]].5a6kYvoZ-JO895COb.RAD 

 

Thank you for your ideas and help to restore my data. 


Hello

I think I know which ransomware was at work here.
Attach the file #_#RAD_README#_#.rtf to the message.


Hello community, I want to share my latest experience. I tried to extract the files with 7-Zip and it worked surprisingly ...
step by step: 

I have loads of infected and big data - this is only one folder to test the "7-Zip" method.

My open questions: 
1. What has the Matrix ransomware done with my data?

2. Are the infected data and the result data in the same folder or dispersed over the whole drive?

 

Step 0: Infected data with readme (screenshot)

Step 1: 7-Zip (screenshot)

Step 2: Overwriting Yes or No? -> I selected Auto Rename (screenshot)

Step 3: Message of 7-Zip (screenshot)

Step 4: Result -> folder with xl and word data is created (screenshot)

Result: folder with word data (screenshots)

Result: folder with xl data (screenshot)

 

End. 

Cheers, Tom

12 hours ago, datom said:

1. What has the Matrix ransomware done with my data?

It's possible that it tried to use WinRAR, 7-Zip, or another program with a command-line tool that can create archives to compress your files with a password and simply got the syntax wrong or forgot the password. We can't really say for certain unless you attach a few of the encrypted files to a reply for us to take a look at, or unless you have a copy of the malicious program somewhere that we can take a look at (which is the preferred option since we can analyze the encryption algorithm it uses).

 

12 hours ago, datom said:

2. Are the infected data and the result data in the same folder or dispersed over the whole drive?

It depends on the ransomware. Most will try to encrypt data in the most common places for people to save files, and some will just take the "shotgun" approach and encrypt everything on the entire drive as long as the file extensions are on its list of files to encrypt. Then there are the "dumb" ransomwares that just encrypt everything except a few critical system files, and break almost everything on the system.

We really can't know how sophisticated the ransomware is without being able to analyze it.


Scratch all of the above. From the screenshots you posted, it looks like you extracted the contents of the ransom note, and not the contents of the encrypted files.
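The two questions in the thread (what was done to the files, and whether they sit in one folder or across the whole drive) and the last reply (the 7-Zip run only unpacked the ransom note, not the data) can both be answered with a small triage pass over the disk before anyone tries to "extract" anything. The script below is an added example written for this thread, not code from the forum or from any decryption tool. It assumes the renamed files follow the `[<email>].<random-id>.RAD` pattern shown in the first post and that the note is named `#_#RAD_README#_#.rtf`; the sample tree it builds in a temporary directory is constructed, with a placeholder e-mail address. For every `.RAD` file it checks the header against the public 7z, RAR and ZIP signatures (the "archiver with a forgotten password" hypothesis from the reply) and measures byte entropy: a real Matrix output reads as ~8 bits per byte with no archive signature, whereas a mislabeled archive would show its magic bytes and could be opened by 7-Zip.

```python
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from random import Random

# Name pattern seen in the thread: "[<email>].<random-id>.RAD" (assumed; the
# original file name is not preserved, so nothing here tries to recover it).
RAD_NAME = re.compile(r"^\[(?P<email>[^\]]+)\]\.(?P<id>[A-Za-z0-9_-]+)\.RAD$")
NOTE_NAME = "#_#RAD_README#_#.rtf"

# Public file signatures of the archivers the reply mentions.
ARCHIVE_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
}


def archive_type(header: bytes):
    """Return '7z', 'rar' or 'zip' if the header carries that signature, else None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root: str) -> dict:
    """Walk root and report, per folder, every .RAD file with its header verdict."""
    report = {"folders": {}, "notes": [], "archives": []}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            report["notes"].append(dirpath)
        entries = []
        for name in files:
            m = RAD_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)          # the header is enough for both checks
            kind = archive_type(head)
            if kind:
                report["archives"].append((path, kind))
            entries.append({"file": name, "email": m["email"],
                            "entropy": round(shannon_entropy(head), 2), "archive": kind})
        if entries:
            report["folders"][dirpath] = entries
    return report


def build_sample(root: str) -> None:
    """Constructed sample tree: two folders, one note, three renamed files."""
    rnd = Random(0)

    def noise(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("{\\rtf1 constructed ransom note placeholder}")
    # Two high-entropy files with no signature: what real Matrix output looks like.
    for fid in ("5a6kYvoZ-JO895COb", "Qm3Lp9xT-Z1aB2c3D"):
        with open(os.path.join(docs, f"[attacker@example.invalid].{fid}.RAD"), "wb") as fh:
            fh.write(noise(4096))
    # One file that is really a 7z archive under the .RAD name (the reply's hypothesis).
    with open(os.path.join(pics, "[attacker@example.invalid].Xy7Kw2Rt-Hn4Vb8Ms.RAD"), "wb") as fh:
        fh.write(b"7z\xbc\xaf\x27\x1c" + noise(512))


def demo() -> dict:
    """Build the sample in a temp dir, triage it, clean up and return summary numbers."""
    root = tempfile.mkdtemp()
    try:
        build_sample(root)
        rep = triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    entropies = [e["entropy"] for es in rep["folders"].values()
                 for e in es if e["archive"] is None]
    return {
        "folders_hit": len(rep["folders"]),
        "notes": len(rep["notes"]),
        "archives": [kind for _, kind in rep["archives"]],
        "rad_files": sum(len(es) for es in rep["folders"].values()),
        "min_entropy_nonarchive": min(entropies),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real drive by calling `triage_tree("C:\\")` (or the affected share) instead of the temp directory; the per-folder map answers the "one folder or whole drive" question directly, and any entry listed under `archives` is the only kind of `.RAD` file that 7-Zip can be expected to open. Files with entropy near 8 and no signature were encrypted, not archived, and the samples to attach for analysis are those plus the malicious executable if it can still be found.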
