
Hello there,

As the title says, my files are encrypted with the extension .COPAN, and I searched and tried a lot of tools, still nothing.

But the bright thing here is that somehow I got the file that the hacker downloaded to my PC, in this link: https://transfiles.ru/vqi08

Note: it expires soon, please try to download it and check if you can at least give me some information about him.

This is his message, in the attached files.

Thank you EMSI Team,

Attachment: HOW TO DECRYPT FILES.txt


One more case here.
Files encrypted over the last weekend - .COPAN extension added and, as far as I can see, not a single trace of the ransomware software left except the ransom notes.
Attached ransom notes and two encrypted files.

Best regards and thank you.

Attachments: TEHNIČKA PODRŠKA.xlsx.COPAN, Tehnički zadatak.docx.COPAN, HOW TO DECRYPT FILES.hta, HOW TO DECRYPT FILES.txt

3 minutes ago, Bojan Atanasijevic said:

One more case here.
Files encrypted over the last weekend - .COPAN extension added and, as far as I can see, not a single trace of the ransomware software left except the ransom notes.
Attached ransom notes and two encrypted files.

Best regards and thank you.

Attachments: TEHNIČKA PODRŠKA.xlsx.COPAN, Tehnički zadatak.docx.COPAN, HOW TO DECRYPT FILES.hta, HOW TO DECRYPT FILES.txt

So you face the same ransomware?

Is the email he used: [email protected]

Thank you.


Yes.

Following is the exact .txt version of the ransom note:

Hello, dear friend.
All your files are encrypted with a unique key.
Are you sure you want to recover all your files ?
Write us an email: [email protected]
Enter your unique ID in the message: xxxxxxxxxxx


@AdMiRaL

@Bojan Atanasijevic

The usual recommendation on the forum is to upload a note and an encrypted file to the ID Ransomware service.
Did you do it?

Upload 1 note HOW TO DECRYPT FILES.txt + 1 encrypted file.
Then 1 note HOW TO DECRYPT FILES.hta + 1 encrypted file.

---

I already did this using the files you uploaded, but I want you to do this and see for yourself.
And then copy the links to the results and paste here.

10 minutes ago, Amigo-A said:

@AdMiRaL

@Bojan Atanasijevic

The usual recommendation on the forum is to upload a note and an encrypted file to the ID Ransomware service.
Did you do it?

I tried and I got this: http://prntscr.com/o3erae

But I had already deleted all my encrypted files, because I thought they were all infected with the ransomware :(

Is it real that this program may work and decrypt the encrypted files?


6 minutes ago, AdMiRaL said:

Realistically. But the Xorist identification is incorrect. Reality needs to be clarified to the end.

Extortionists use the name of the note from Xorist to deceive identification. This is a well-known technique. Service is not to blame.


Bojan Atanasijevic gave us two scrap files:

HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta

When uploading the txt and hta notes there will be two results. One will point to Xorist, and the other to Dharma.

https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d
https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab

Both are inaccurate, because the extortionists use the names that are characteristic of these two ransomware families to deceive the identification service.
This is DCRTR-WDM Ransomware.
In the service, it is identified as DCRTR Ransomware (as the general item DCRTR Family).
No free decryptor.

11 minutes ago, Amigo-A said:

Bojan Atanasijevic gave us two scrap files:

HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta

When uploading the txt and hta notes there will be two results. One will point to Xorist, and the other to Dharma.

https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d
https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab

Both are inaccurate, because the extortionists use the names that are characteristic of these two ransomware families to deceive the identification service.
This is DCRTR-WDM Ransomware.
In the service, it is identified as DCRTR Ransomware (as the general item DCRTR Family).
No free decryptor.

Is there any paid decryptor?


Sorry, I was distracted by an urgent call and I did not have time to finish the message.

Wait a moment, I will write the details.

 

Share this post


Link to post
Share on other sites

@AdMiRaL

@Bojan Atanasijevic

The files after a DCRTR-WDM Ransomware attack can be decrypted by Dr.Web specialists.

Dr.Web classifies it as Trojan.Encoder.26981, Trojan.Encoder.27259 and others.

Dr.Web specialists perform the decryption itself for free, but to get the decryption key and decrypt all files, you need to get a Rescue Pack (rescue package), which includes Dr.Web Security Space's licensed anti-virus protection for 2 years.
For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro).
This service is not available without the Dr.Web rescue package.

Official English link: https://legal.drweb.com/encoder/?lng=en

There is also support for other languages.

A test decryption is done for free. It is necessary to send both ransom notes and encrypted files of different formats. You must do this yourself, without intermediaries.

I know that over the past 6 months there have been several happy occasions.

Can your files be decrypted?

I don't know. The extortionists could have changed the encryption so that it is impossible to determine the decryption key. That is always to be expected.


@AdMiRaL

@Bojan Atanasijevic

No need to pay anything in advance!

They will report in the ticket you open whether the files can be decrypted, and give instructions for payment and so on.

In contrast, the ESET company, which also provides paid file decryption, offers to buy a license first, and only later tries to decrypt the files.

---

These are anti-virus companies known worldwide. After purchasing a package with a licensed program, the buyer becomes a legal user and customer of the company.

Dr.Web and ESET decrypt files for their clients for free and without any problems, if the protection they purchased was already on the PC and was active, i.e. had not expired and was not turned off at the time of the attack.

I have nothing to do with them and I am not a user of their programs now.

---

Do not use the services of the various intermediaries and companies that advertise decryption on the Internet! This is a 99% deception and a change in the value of the ransom.
In many countries of the world, by law, the one who (a group of persons, an intermediary, a person, a company) conspires with the criminals is an accomplice in the crime and is also prosecuted. This does not apply to victims, of course...

21 minutes ago, Amigo-A said:

@AdMiRaL

@Bojan Atanasijevic

No need to pay anything in advance!

They will report in the ticket you open whether the files can be decrypted, and give instructions for payment and so on.

In contrast, the ESET company, which also provides paid file decryption, offers to buy a license first, and only later tries to decrypt the files.

---

Dr.Web and ESET decrypt files for their clients for free and without any problems, if the protection they purchased was already on the PC and was active, i.e. had not expired and was not turned off at the time of the attack.

---

Do not use the services of the various intermediaries and companies that advertise decryption on the Internet! This is a 99% deception and a change in the value of the ransom.
In many countries of the world, by law, the one who (a group of persons, an intermediary, a person, a company) conspires with the criminals is an accomplice in the crime and is also prosecuted. This does not apply to victims, of course...

Thank you a lot for your replies, and of course I will not pay until I am sure they can decrypt it first.


1 minute ago, AdMiRaL said:

Thank you a lot for your replies, and of course I will not pay until I am sure they can decrypt it first.

Yes of course. They do not require it. This is a new version and... 

27 minutes ago, Amigo-A said:

Extortionists could change the encryption so that it was impossible to determine the decryption key. It is always expected.


@AdMiRaL

Also look for a note HOW TO DECRYPT FILES.hta. It usually looks like an icon in a blue frame.

[Image: hta.png - the .hta note icon]

It should be on your desktop too. Some antiviruses are afraid of this type of note and move it to Quarantine.

7 hours ago, AdMiRaL said:

I already deleted all files with the name: HOW TO DECRYPT FILES

So all notes and .hta files were deleted successfully.

Deleting the ransom note can lead to problems identifying the ransomware and/or decrypting your files later on. It is recommended to leave the ransom notes alone, and allow them to remain alongside the encrypted files.

7 hours ago, Bojan Atanasijevic said:

Bad news, Dr.Web says:

Hello!
A case of Trojan.Encoder.26657
Decryption is not feasible.

I know it, that's why I deleted all my encrypted files :(

3 hours ago, AdMiRaL said:

Trojan.Encoder.26657

It is a pity. I said above that every time these extortionists change something. A very changeable ransomware. The previous versions they could decipher.
It was the same with Scarab Ransomware: decrypted easily at first, then it became difficult, and later decryption was no longer feasible.

Impossible now - maybe in the future. No need to delete the files if they are valuable to you.


Hello.

Provide us with an output of the dir C:\ /a/s command taken from the affected system.

For example:
cmd /c dir C:\ /a/s > "%userprofile%\dirc.log"

The dir output will be saved in the "%userprofile%\dirc.log" file.

Best regards, Marina Larionova,
technical support department, Doctor Web, Ltd.

This is the last reply from Dr.Web. Anyone who still has not formatted his PC, do it and send me the log file, so I can attach it for them to try to decrypt this ransomware.
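The listing Dr.Web asks for above is a plain directory dump; what a support team actually needs from it is which files carry the ransomware's suffix, what formats they were originally, when they were modified (which brackets the attack window), and where the ransom notes sit, because, as pointed out earlier in this thread, the notes must stay next to the encrypted files. The script below is an added example written for this thread, not code from the forum, from Dr.Web, or from any vendor. It walks a tree read-only and produces that inventory. The suffix `.COPAN` and the note names `HOW TO DECRYPT FILES.txt` / `.hta` are taken from the thread; the sample tree built by `build_sample_tree` is constructed here for illustration, and every function name is this example's own.

```python
"""Read-only inventory of ransomware-affected files (added example, not from
the thread or Dr.Web). Assumes the encrypted files carry the ".COPAN" suffix
appended to the original name and that ransom notes use the names seen in
this thread. Nothing is deleted or modified."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".COPAN"                      # from the thread
NOTE_NAMES = {"HOW TO DECRYPT FILES.txt", "HOW TO DECRYPT FILES.hta"}


def sha256_of(path, limit=1 << 20):
    """SHA-256 of the first `limit` bytes, enough to identify a note variant."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(limit))
    return h.hexdigest()


def inventory(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns a dict with:
      encrypted         - sorted (path, size, mtime_utc, original_extension)
      notes             - sorted (path, sha256)
      dirs_without_note - directories holding encrypted files but no note
      window            - (earliest, latest) mtime of encrypted files, or None
    """
    encrypted, notes = [], []
    dirs_with_enc, dirs_with_note = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append((path, sha256_of(path)))
                dirs_with_note.add(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                st = os.stat(path)
                original = name[:-len(ENCRYPTED_SUFFIX)]   # strip ".COPAN"
                orig_ext = os.path.splitext(original)[1].lower()
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                encrypted.append((path, st.st_size, mtime, orig_ext))
                dirs_with_enc.add(dirpath)
    times = [e[2] for e in encrypted]
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "dirs_without_note": sorted(dirs_with_enc - dirs_with_note),
        "window": (min(times), max(times)) if times else None,
    }


def original_extensions(inv):
    """Distinct original formats, for 'send encrypted files of different formats'."""
    return sorted({ext for _p, _s, _m, ext in inv["encrypted"] if ext})


def write_listing(inv, out_path):
    """Write a tab-separated listing plus summary; returns the line count."""
    lines = ["# encrypted files (path\tsize\tmtime_utc\toriginal_ext)"]
    lines += [f"{p}\t{s}\t{m.isoformat()}\t{e}" for p, s, m, e in inv["encrypted"]]
    lines.append("# ransom notes (path\tsha256)")
    lines += [f"{p}\t{d}" for p, d in inv["notes"]]
    lines.append("# directories with encrypted files but no note")
    lines += inv["dirs_without_note"]
    if inv["window"]:
        lo, hi = inv["window"]
        lines.append(f"# modification window: {lo.isoformat()} .. {hi.isoformat()}")
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(lines) + "\n")
    return len(lines)


def build_sample_tree(root):
    """Constructed sample tree (hypothetical names) so the example runs offline."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    os.makedirs(os.path.join(root, "photos"), exist_ok=True)
    for rel, data in [
        ("docs/report.docx.COPAN", b"\x00" * 2048),
        ("docs/budget.xlsx.COPAN", b"\x00" * 4096),
        ("docs/HOW TO DECRYPT FILES.txt", b"Hello, dear friend.\n"),
        ("photos/trip.jpg.COPAN", b"\x00" * 8192),
        ("photos/readme.txt", b"untouched file\n"),
    ]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


def make_demo():
    """Build the sample tree in a temp dir, inventory it and write dirc.log."""
    root = build_sample_tree(tempfile.mkdtemp())
    inv = inventory(root)
    count = write_listing(inv, os.path.join(root, "dirc.log"))
    return {"root": root, "inv": inv, "log_lines": count}


if __name__ == "__main__":
    demo = make_demo()
    print(demo["root"], demo["log_lines"], original_extensions(demo["inv"]))
```

Run it against a real system with `inventory("C:\\")` and `write_listing(...)` instead of `make_demo()`; the `dirs_without_note` list is the part to watch, since a directory with encrypted files but no note usually means the note was removed by hand or quarantined by an antivirus.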

12 hours ago, AdMiRaL said:

This is the last reply from Dr.Web. Anyone who still has not formatted his PC, do it and send me the log file, so I can attach it for them to try to decrypt this ransomware.

I would recommend that everyone contact Dr.Web themselves.

General rule of thumb, don't send information to someone you don't know on the Internet. ;)

On 6/23/2019 at 2:47 PM, Bojan Atanasijevic said:

Just sent them file list log files to DrWeb. I'll report here when they respond.

Waiting for the reply.

On 6/23/2019 at 2:47 PM, Bojan Atanasijevic said:

Just sent them file list log files to DrWeb. I'll report here when they respond.

Any news?


I want to say that the calculation of the key or the selection of the method can take up to several weeks. Every time, something changes in this extortionist's encryption. The variants of DCRTR-WDM Ransomware that were successfully deciphered are already in the past.
