.COPAN ransomware

[AdMiRaL 0]

hello there ,

as the title my files are encrypted with the extinction of .COPAN and i search and tried a lot of tools still nothing

but the bright thing here is that somehow i got the file that hacker downloaded to my PC in this link : https://transfiles.ru/vqi08

note : it's expires soon please try to download it and check if you can at least give me some information about him.

this is his Msg in attached files.

 

thank you EMSI Team ,

HOW TO DECRYPT FILES.txt

[Kevin Zoll 279]

Hello,

Can you please send me a copy of one of the encrypted files.

[AdMiRaL 0]

yes ofcurse here is one of them and it's original file before it's encrypted too.

it's a small video before and after encrypted.

thank you.

vipfree key.wmv.COPAN

[Bojan Atanasijevic 1]

One more case here.
Files encrypted over last weekend - .COPAN extension added and as far as I can see no single trace of ransomware software left except ransom notes.
Attached ransom notes and two encrypted files.

Best regards and thank you.

TEHNIČKA PODRŠKA.xlsx.COPAN Tehnički zadatak.docx.COPAN HOW TO DECRYPT FILES.hta HOW TO DECRYPT FILES.txt

[AdMiRaL 0]

3 minutes ago, Bojan Atanasijevic said:

One more case here.
Files encrypted over last weekend - .COPAN extension added and as far as I can see no single trace of ransomware software left except ransom notes.
Attached ransom notes and two encrypted files.

Best regards and thank you.

TEHNIČKA PODRŠKA.xlsx.COPANUnavailable Tehnički zadatak.docx.COPANUnavailable HOW TO DECRYPT FILES.htaUnavailable HOW TO DECRYPT FILES.txtUnavailable

so you face the same ransomware ?

is the email he used is : [email protected]

thank you.

[Bojan Atanasijevic 1]

Yes .

Following is exact .txt version of ransom note:

Hello, dear friend.
All your files are encrypted with a unique key.
Are you sure you want to recover all your files ?
Write us an email: [email protected]
Enter your unique ID in the message: xxxxxxxxxxx

Edited June 18 by Bojan Atanasijevic
Typing error.

[Amigo-A 32]

@AdMiRaL

@Bojan Atanasijevic

The usual recommendation on the forum is to upload a note and an encrypted file to the service ID Ransomware.
Did you do it?

Upload 1 note HOW TO DECRYPT FILES.txt + 1 encrypted file.
Then 1 note HOW TO DECRYPT FILES.hta + 1 encrypted file.

---

I already did this using the files you uploaded, but I want you to do this and see for yourself.
And then copy the links to the results and paste here.

[AdMiRaL 0]

10 minutes ago, Amigo-A said:

@AdMiRaL

@Bojan Atanasijevic

The usual recommendation on the forum is to upload a note and an encrypted file to the service ID Ransomware.
Did you do it?

i tried and i got this : http://prntscr.com/o3erae

 

but after i already deleted all my encrypted files because i thought it's all infected with the ransomware

 

is it real that this program may be work and decrypt the encrypted files ?

[Amigo-A 32]

 

6 minutes ago, AdMiRaL said:

http://prntscr.com/o3erae

Realistically. But the Xorist identification is incorrect. Reality needs to be clarified to the end.

Extortionists use the name of the note from Xorist to deceive identification. This is a well-known technique. Service is not to blame.

[AdMiRaL 0]

1 minute ago, Amigo-A said:

 

Realistically. But the Xorist identification is incorrect.

so it will not work ?

[Amigo-A 32]

Bojan Atanasijevic gave us two scrap files:

HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta

With upload txt- and tha-notes there will be two results. One will point to the Xorist, and the other to Dharma. 

https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d 
https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab 

Both do not reflect the accuracy, because the extortionists use the names that are characteristic of these two Ransomware to deceive the identification service. 
This is DCRTR-WDM Ransomware .
In the service, it is identified as DCRTR Ransomware (as general item DCRTR Family)
No free decryptor. 

[AdMiRaL 0]

11 minutes ago, Amigo-A said:

Bojan Atanasijevic gave us two scrap files:

HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta

With upload txt- and tha-notes there will be two results. One will point to the Xorist, and the other to Dharma. 

https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d 
https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab 

Both do not reflect the accuracy, because the extortionists use the names that are characteristic of these two Ransomware to deceive the identification service. 
This is DCRTR-WDM Ransomware .
In the service, it is identified as DCRTR Ransomware (as general item DCRTR Family)
No free decryptor. 

is there any paid decryptor ?

[Amigo-A 32]

Sorry, I was distracted by an urgent call and I did not have time to finish the message.

Wait a moment, I write details. 

 

[Amigo-A 32]

@AdMiRaL

@ Bojan Atanasijevic

The files after DCRTR-WDM Ransomware's attack can be decrypted by Dr.Web specialists. 

DrWeb classification it as Trojan.Encoder.26981, Trojan.Encoder.27259 and others.

Dr.Web specialists perform the decryption itself for free, but to get the decryption key and decrypt all files, you need to get a Rescue Pack (rescue package), which includes Dr.Web Security Space's licensed anti-virus protection for 2 years.
For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). 
This service without the rescue package of Dr.Web is not available.

Offecial English link: https://legal.drweb.com/encoder/?lng=en

There is also support for other languages.

Test decrypt be done for free. It is necessary to send both notes about the ransom and encrypted files of different formats. You must this be done independently, without intermediaries. 

I know that over the past 6 months there have been several happy occasions. 

Can be decrypt your files?

I dont know. Extortionists could change the encryption so that it was impossible to determine the decryption key. It is always expected.

[Amigo-A 32]

@AdMiRaL

@ Bojan Atanasijevic

No need to pay anything in advance!

They will report in an open you ticket if the files can be decrypted and give instructions for payment and so on.

In contrast, in ESET company, which also provides paid file decryption, they offer to buy a license first, and later try to decrypt files. 

---

These are anti-virus companies known worldwide. After purchasing a package with a licensed program, the buyer becomes a legal user and customer of the company.

DrWeb and ESET decrypt files for their clients free and without any problems, if the protection they purchased was already on the PC and was active, i.e. did not expired and not be turned off at the time of the attack.

I have nothing to do with them and I is no user from their programs now. 

---

Do not use the services of various intermediaries and companies that declare about decryption on the Internet! This is a 99% deception and change in the value of the ransom.
In many countries of the world by law, the one who (a group of persons, an intermediary, a person, a company) conspires with the criminals, is a co-member of the crime and is also prosecuted. This does not apply to victims, of course...

[AdMiRaL 0]

21 minutes ago, Amigo-A said:

@AdMiRaL

@ Bojan Atanasijevic

No need to pay anything in advance!

They will report in an open you ticket if the files can be decrypted and give instructions for payment and so on.

In contrast, in ESET company, which also provides paid file decryption, they offer to buy a license first, and later try to decrypt files. 

---

DrWeb and ESET decrypt files for their clients free and without any problems, if the protection they purchased was already on the PC and was active, i.e. did not expired and not be turned off at the time of the attack.

---

Do not use the services of various intermediaries and companies that declare about decryption on the Internet! This is a 99% deception and change in the value of the ransom.
In many countries of the world by law, the one who (a group of persons, an intermediary, a person, a company) conspires with the criminals, is a co-member of the crime and is also prosecuted. This does not apply to victims, of course...

thank you a lot for your reply's and ofcaurse i will not pay until i am sure they can decrypt it first.

[Amigo-A 32]

 

1 minute ago, AdMiRaL said:

thank you a lot for your reply's and ofcaurse i will not pay until i am sure they can decrypt it first.

Yes of course. They do not require it. This is a new version and... 

27 minutes ago, Amigo-A said:

Extortionists could change the encryption so that it was impossible to determine the decryption key. It is always expected.

[Amigo-A 32]

@AdMiRaL

Also look for a note HOW TO DECRYPT FILES.hta. It usually looks like an icon in a blue frame.

Download Image

He should be on your desktop also. Some antiviruses fear and delete this type of note in Quarantine.

[AdMiRaL 0]

i deleted it manually really  

[Amigo-A 32]

It may be in other folders with encrypted files.

[AdMiRaL 0]

i already deleted all files with name of : HOW TO DECRYPT FILES

so all notes and .hta files deleted successfully

[Amigo-A 32]

In the first post there is your a ransom note. 

[Bojan Atanasijevic 1]

@Amigo - Thank you! Finally some progress, at least we know what type it is.
Just sent a few samples to DrWeb. Will come back with info if they can help

[GT500 573]

7 hours ago, AdMiRaL said:

i already deleted all files with name of : HOW TO DECRYPT FILES

so all notes and .hta files deleted successfully

Deleting the ransom note can lead to problems identifying the ransomware and/or decrypting your files later on. It is recommended to leave the ransom notes alone, and allow them to remain alongside the encrypted files.

[Bojan Atanasijevic 1]

Bad news, DrWeb says:

Hello!
A case of Trojan.Encoder.26657
Decryption is not feasible.
 

Edited June 19 by Bojan Atanasijevic
Typing error.

[AdMiRaL 0]

7 hours ago, Bojan Atanasijevic said:

Bad news, DrWeb says:

Hello!
A case of Trojan.Encoder.26657
Decryption is not feasible.
 

i know it that's why i deleted all my encrypted files  

[Amigo-A 32]

3 hours ago, AdMiRaL said:

Trojan.Encoder.26657

It is a pity, I said above, that every time these extortionists change something. Very changeable Ransomware. The previous versions they could decipher. 
It was also with Scarab Ransomware, decrypted easily, then it became difficult, and later decrypt could not feasible. 

Impossible now - maybe in the future. No need to delete files if they are valuable to you. 

[AdMiRaL 0]

Hello. 

Рrovide us with an output of dir C:\ /a/s command taken from affected system. 

for example : 
cmd /c dir C:\ /a/s > "%userprofile%\dirc.log" 

dir output will be saved in "%userprofile%\dirc.log" file 

Best regards, Marina Larionova, 
technical support department, Doctor Web, Ltd.

 

this is the last reply from Dr.Web anyone still not format his PC do it and send to me the log file so i can attach it for them to try to decrypt this ransomware 

[GT500 573]

12 hours ago, AdMiRaL said:

this is the last reply from Dr.Web anyone still not format his PC do it and send to me the log file so i can attach it for them to try to decrypt this ransomware

I would recommend that everyone contact Dr.Web themselves.

General rule of thumb, don't send information to someone you don't know on the Internet.

[Bojan Atanasijevic 1]

Just sent them file list log files to DrWeb. I'll report here when they respond.

[AdMiRaL 0]

On 6/23/2019 at 2:47 PM, Bojan Atanasijevic said:

Just sent them file list log files to DrWeb. I'll report here when they respond.

waiting for the reply

[AdMiRaL 0]

On 6/23/2019 at 2:47 PM, Bojan Atanasijevic said:

Just sent them file list log files to DrWeb. I'll report here when they respond.

any news ?

[Amigo-A 32]

I want to say that the calculation of the key or the selection of the method can take up to several weeks. Every time in the encryption of this extortionist, something changes. Those variants of DCRTR-WDM Ransomware , that was successfully deciphered, already in the past.