AdMiRaL (June 17, 2019): Hello there. As the title says, my files are encrypted with the extension .COPAN. I searched and tried a lot of tools, still nothing, but the bright thing here is that somehow I got the file that the hacker downloaded to my PC, in this link: https://transfiles.ru/vqi08 Note: it expires soon; please try to download it and check if you can at least give me some information about him. This is his message in the attached files. Thank you, EMSI Team. Attachment: HOW TO DECRYPT FILES.txt
Kevin Zoll (June 17, 2019): Hello, can you please send me a copy of one of the encrypted files.
AdMiRaL (June 18, 2019): Yes, of course. Here is one of them, and its original file before it was encrypted too. It's a small video, before and after encryption. Thank you. Attachments: vipfree key.wmv, vipfree key.wmv.COPAN
Bojan Atanasijevic (June 18, 2019): One more case here. Files encrypted over last weekend: .COPAN extension added and, as far as I can see, not a single trace of the ransomware software left except the ransom notes. Attached ransom notes and two encrypted files. Best regards and thank you. Attachments: TEHNIČKA PODRŠKA.xlsx.COPAN, Tehnički zadatak.docx.COPAN, HOW TO DECRYPT FILES.hta, HOW TO DECRYPT FILES.txt
AdMiRaL (June 18, 2019), replying to Bojan Atanasijevic's post above: So you face the same ransomware? Is the email he used [email protected]? Thank you.
Bojan Atanasijevic (June 18, 2019, edited the same day for a typing error): Yes. The following is the exact .txt version of the ransom note: "Hello, dear friend. All your files are encrypted with a unique key. Are you sure you want to recover all your files ? Write us an email: [email protected] Enter your unique ID in the message: xxxxxxxxxxx"
Amigo-A (June 18, 2019): @AdMiRaL @Bojan Atanasijevic The usual recommendation on the forum is to upload a note and an encrypted file to the ID Ransomware service. Did you do it? Upload 1 note HOW TO DECRYPT FILES.txt + 1 encrypted file. Then 1 note HOW TO DECRYPT FILES.hta + 1 encrypted file. --- I already did this using the files you uploaded, but I want you to do this and see for yourself. Then copy the links to the results and paste them here.
AdMiRaL (June 18, 2019), replying to Amigo-A's recommendation above: I tried and I got this: http://prntscr.com/o3erae But I already deleted all my encrypted files because I thought they were all infected with the ransomware. Is it real that this program may work and decrypt the encrypted files?
Amigo-A (June 18, 2019), replying to AdMiRaL's screenshot (http://prntscr.com/o3erae): Realistically. But the Xorist identification is incorrect. Reality needs to be clarified to the end. Extortionists use the name of the note from Xorist to deceive identification. This is a well-known technique. The service is not to blame.
AdMiRaL (June 18, 2019): So it will not work?
Amigo-A (June 18, 2019): Bojan Atanasijevic gave us two scrap files: HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta. When uploading the txt- and hta-notes there will be two results. One will point to Xorist, and the other to Dharma. https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab Both do not reflect the accuracy, because the extortionists use the names that are characteristic of these two ransomware to deceive the identification service. This is DCRTR-WDM Ransomware. In the service, it is identified as DCRTR Ransomware (as the general item DCRTR Family). No free decryptor.
AdMiRaL (June 18, 2019), replying to Amigo-A's identification above: Is there any paid decryptor?
Amigo-A (June 18, 2019): Sorry, I was distracted by an urgent call and I did not have time to finish the message. Wait a moment, I am writing the details.
Amigo-A (June 18, 2019): @AdMiRaL @Bojan Atanasijevic The files after a DCRTR-WDM Ransomware attack can be decrypted by Dr.Web specialists. DrWeb classifies it as Trojan.Encoder.26981, Trojan.Encoder.27259 and others. Dr.Web specialists perform the decryption itself for free, but to get the decryption key and decrypt all files, you need to get a Rescue Pack (rescue package), which includes Dr.Web Security Space's licensed anti-virus protection for 2 years. For users from Russia, the package price is 5299 rubles, and for foreigners 150 € (euro). This service is not available without the Dr.Web rescue package. Official English link: https://legal.drweb.com/encoder/?lng=en There is also support for other languages. A test decrypt can be done for free. It is necessary to send both ransom notes and encrypted files of different formats. You must do this independently, without intermediaries. I know that over the past 6 months there have been several happy occasions. Can your files be decrypted? I don't know. Extortionists could change the encryption so that it is impossible to determine the decryption key. This is always to be expected.
Amigo-A (June 18, 2019): @AdMiRaL @Bojan Atanasijevic No need to pay anything in advance! They will report in the ticket you open whether the files can be decrypted and give instructions for payment and so on. In contrast, at the ESET company, which also provides paid file decryption, they offer to buy a license first, and later try to decrypt files. --- These are anti-virus companies known worldwide. After purchasing a package with a licensed program, the buyer becomes a legal user and customer of the company. DrWeb and ESET decrypt files for their clients for free and without any problems, if the protection they purchased was already on the PC and was active, i.e. had not expired and was not turned off at the time of the attack. I have nothing to do with them and I am not a user of their programs now. --- Do not use the services of various intermediaries and companies that advertise decryption on the Internet! This is 99% deception and a change in the value of the ransom. In many countries of the world, by law, the one who (a group of persons, an intermediary, a person, a company) conspires with the criminals is a co-member of the crime and is also prosecuted. This does not apply to victims, of course...
AdMiRaL (June 18, 2019), replying to Amigo-A's advice above: Thank you a lot for your replies, and of course I will not pay until I am sure they can decrypt it first.
Amigo-A (June 18, 2019), replying to AdMiRaL: Yes, of course. They do not require it. This is a new version and... as I said 27 minutes ago: "Extortionists could change the encryption so that it was impossible to determine the decryption key. It is always expected."
Amigo-A (June 18, 2019): @AdMiRaL Also look for the note HOW TO DECRYPT FILES.hta. It usually looks like an icon in a blue frame. It should be on your desktop also. Some antiviruses fear this type of note and delete it into quarantine.
AdMiRaL (June 18, 2019): I deleted it manually, really.
Amigo-A (June 18, 2019): It may be in other folders with encrypted files.
AdMiRaL (June 18, 2019): I already deleted all files with the name HOW TO DECRYPT FILES, so all notes and .hta files were deleted successfully.
Amigo-A (June 18, 2019): In the first post there is your ransom note.
Bojan Atanasijevic (June 18, 2019): @Amigo-A Thank you! Finally some progress; at least we know what type it is. Just sent a few samples to DrWeb. Will come back with info if they can help.
GT500 (June 18, 2019), replying to AdMiRaL's "I already deleted all files with the name HOW TO DECRYPT FILES": Deleting the ransom note can lead to problems identifying the ransomware and/or decrypting your files later on. It is recommended to leave the ransom notes alone, and allow them to remain alongside the encrypted files.
Bojan Atanasijevic (June 19, 2019, edited the same day for a typing error): Bad news, DrWeb says: "Hello! A case of Trojan.Encoder.26657. Decryption is not feasible."
AdMiRaL (June 19, 2019), replying to Bojan Atanasijevic's DrWeb answer above: I know it; that's why I deleted all my encrypted files.
Amigo-A (June 19, 2019), replying to "Trojan.Encoder.26657": It is a pity. I said above that every time these extortionists change something. Very changeable ransomware. The previous versions they could decipher. It was the same with Scarab Ransomware: decrypted easily, then it became difficult, and later decryption was not feasible. Impossible now; maybe in the future. No need to delete files if they are valuable to you.
AdMiRaL (June 21, 2019): This is the last reply from Dr.Web: "Hello. Provide us with an output of dir C:\ /a/s command taken from affected system. for example : cmd /c dir C:\ /a/s > "%userprofile%\dirc.log" dir output will be saved in "%userprofile%\dirc.log" file Best regards, Marina Larionova, technical support department, Doctor Web, Ltd." Anyone who still has not formatted his PC, do it and send me the log file so I can attach it for them to try to decrypt this ransomware.
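The listing Dr.Web asks for is a plain directory dump; as an added example (not code from the thread, the forum or Dr.Web), the script below builds a more useful version of it read-only: it pairs each .COPAN file with its original name, records size and SHA-256, lists the ransom notes still present, and warns about folders where the notes were deleted, which is the problem GT500 points out above. The .COPAN extension and the note file names come from the thread; everything else is assumed.

```python
"""Read-only inventory of a directory tree hit by the .COPAN ransomware.
Added example: nothing here is moved, renamed or deleted."""
import hashlib
import os
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".COPAN"  # extension reported in the thread
# Ransom-note file names reported in the thread
NOTE_NAMES = {"HOW TO DECRYPT FILES.txt", "HOW TO DECRYPT FILES.hta"}


@dataclass
class Inventory:
    encrypted: list = field(default_factory=list)  # (path, original name, size, sha256)
    notes: list = field(default_factory=list)  # paths of ransom notes found
    dirs_without_note: list = field(default_factory=list)  # encrypted files, no note kept


def sha256_of(path: str) -> str:
    """Hash in chunks so a large video does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_tree(root: str) -> Inventory:
    """Walk root and collect encrypted files, notes and note-less folders."""
    inv = Inventory()
    for dirpath, _dirs, files in os.walk(root):
        has_enc = has_note = False
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                inv.notes.append(full)
                has_note = True
            elif name.endswith(ENCRYPTED_EXT):
                has_enc = True
                original = name[: -len(ENCRYPTED_EXT)]  # name before the extension was added
                inv.encrypted.append((full, original, os.path.getsize(full), sha256_of(full)))
        if has_enc and not has_note:
            inv.dirs_without_note.append(dirpath)
    return inv


def report_lines(inv: Inventory) -> list:
    """Tab-separated listing suitable for attaching to a support ticket."""
    lines = [f"{p}\t{orig}\t{size}\t{digest}" for p, orig, size, digest in inv.encrypted]
    lines += [f"NOTE\t{p}" for p in inv.notes]
    lines += [f"WARNING\tno ransom note kept in {d}" for d in inv.dirs_without_note]
    return lines
```

Run it as `python inventory.py` from the affected folder and redirect the printed lines to a file; the hashes let a support team confirm the attachments they receive are the same files that were listed.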
GT500 (June 21, 2019), replying to AdMiRaL's request to send him the log file: I would recommend that everyone contact Dr.Web themselves. General rule of thumb: don't send information to someone you don't know on the Internet.
Bojan Atanasijevic (June 23, 2019): Just sent the file list log files to DrWeb. I'll report here when they respond.
AdMiRaL (June 24, 2019), replying to Bojan Atanasijevic: Waiting for the reply.
AdMiRaL (June 28, 2019), replying to Bojan Atanasijevic: Any news?
Amigo-A (June 28, 2019): I want to say that calculating the key or selecting the method can take up to several weeks. Every time, something changes in this extortionist's encryption. Those variants of DCRTR-WDM Ransomware that were successfully deciphered are already in the past.