BJammin

.Sys Ransomware (DLL Cryptomix variant)


I have 200,000 files that are encrypted ending with .sys via compromised RDP.  The attackers were malicious and deleted a lot of files. 

It looks like it's a variant of the DLL Cryptomix ransomware:
https://blog.watchpointdata.com/dll-cryptomix-exposes-ransomware-infection-method

I reluctantly paid the ransom and they sent me a decryptor tool but it's not working.  It worked on some files that were less than 2 GB then suddenly stopped working on everything.  

The criminals sent us a message demanding more ransom to decrypt anything over 2 GB.  

Since I have the decryptor tool they sent me and it worked for a little while on some files, is there any way to reverse engineer it to work with everything else?  

Ransom note:

Hello!

Attention! All Your data was encrypted!

For specific information, please send us an email with Your ID number:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Please send Your email to our all email addresses! We will help You immediately! As faster You will contact us as cheaper will be the recovery price!

IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!


DECRYPT-ID-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX number  - I removed the ID number just in case.  

Any feedback or ideas would be much appreciated, I'm lost on what to do next.  

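A practical first step in a case like the one described above is to inventory the encrypted files by size, so the ones the vendor-supplied tool did handle (reported here as those under 2 GB) can be separated from the ones that need another recovery path (backups, shadow copies, or rebuilt data). The script below is an added example for this thread, not code from the original post or from any decryptor; it walks a directory, collects regular files ending in the reported extension, and buckets them against a size threshold. The default threshold of 2^31 bytes is an assumption: 2 GiB is the natural limit of a signed 32-bit size, and the thread does not establish that this is the tool's actual limit, so the value is a parameter. Because legitimate Windows drivers also end in `.sys`, point it at data roots rather than at system directories.

```python
"""Triage of encrypted files by size, to split what a size-limited decryptor
handled from what needs another recovery path.  Added example; the 2 GiB
default is an assumption drawn from the thread, not a property of any tool."""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass, field
from pathlib import Path

# The thread reports the decryptor stopping on files over ~2 GB.  2**31 bytes is
# the boundary of a signed 32-bit size; whether that is the real limit is an
# assumption, so callers can override it.
TWO_GIB = 2 ** 31


@dataclass
class TriageReport:
    threshold: int
    under: list[tuple[Path, int]] = field(default_factory=list)   # (path, size) <= threshold
    over: list[tuple[Path, int]] = field(default_factory=list)    # (path, size) > threshold
    errors: list[tuple[Path, str]] = field(default_factory=list)  # entries that could not be stat'ed

    @property
    def bytes_under(self) -> int:
        return sum(size for _, size in self.under)

    @property
    def bytes_over(self) -> int:
        return sum(size for _, size in self.over)


def triage_encrypted_files(root: str | os.PathLike, ext: str = ".sys",
                           threshold: int = TWO_GIB) -> TriageReport:
    """Walk `root`, collect every regular file whose name ends with `ext`
    (case-insensitive) and bucket it by size against `threshold`.
    Symlinks and special files are skipped; unreadable entries are recorded."""
    report = TriageReport(threshold)
    ext = ext.lower()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ext):
                continue
            path = Path(dirpath, name)
            try:
                st = path.lstat()                  # do not follow symlinks
            except OSError as exc:
                report.errors.append((path, str(exc)))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bucket = report.over if st.st_size > threshold else report.under
            bucket.append((path, st.st_size))
    # Largest first in both buckets: the biggest files decide the restore plan.
    report.over.sort(key=lambda item: item[1], reverse=True)
    report.under.sort(key=lambda item: item[1], reverse=True)
    return report


def write_manifest(report: TriageReport, out_path: str | os.PathLike) -> int:
    """Write a tab-separated manifest (bucket, size, path) with 'over' rows first,
    and return the number of file rows written (header excluded)."""
    rows = ([("over", size, path) for path, size in report.over]
            + [("under", size, path) for path, size in report.under])
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(f"# threshold_bytes={report.threshold}\n")
        for bucket, size, path in rows:
            fh.write(f"{bucket}\t{size}\t{path}\n")
    return len(rows)


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    rep = triage_encrypted_files(scan_root)
    written = write_manifest(rep, "encrypted-triage.tsv")
    print(f"{len(rep.under)} files <= {rep.threshold} bytes ({rep.bytes_under} B), "
          f"{len(rep.over)} above ({rep.bytes_over} B), {len(rep.errors)} errors; "
          f"{written} rows written to encrypted-triage.tsv")
```

Run it against a copy of the affected share (never the only copy) and keep the manifest with the incident record: it documents what was encrypted, what the tool handled, and what has to come from backup, which is also the evidence a negotiator or insurer will ask for.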

@BJammin

Hello
When (date) did the files encryption happen?

Attach to the message or send me in PM the original file of the ransom note and two encrypted files.

Do not change or edit anything.


We identify all new variants under the CryptoMix-Revenge Ransomware group.

Last year there was already one variant with the .SYS extension, but with other contacts.
I did not make a separate article then, and added it below the article in a section for appendices.

Name within the family: CryptoMix-SYS Ransomware

If it is distributed more, I will make a separate description. But there is no free decryptor for this variant.


Since we paid the ransom to get the decryption tool, and the decryption tool worked for a brief moment, why would it suddenly stop working?  I don't see any rhyme or reason to why it works then it doesn't.  Now it doesn't work at all.


If a remote server of the extortionists is used at the time of decryption, then this may be the explanation. It could be disconnected from its power source or blocked. Try with another group of files while the Internet is connected.


To ZIP files simply right-click on them, go to Send to, and select Compressed (zipped) folder.


I just got hit by this [email protected] ransomware! Out of curiosity, how much did the guy want for the ransom? I lost about 18 days' worth of transaction data that I'm almost certain I won't get back. I tried the Avast decrypter but it wants the key; I'm not paying for the key, so I'm not sure how much use that is. The workstations were all online, so I'm almost certain the key is not going to be available.


Please don't contact the criminals yourself. If you need to negotiate with them, then I recommend having a third party with experience negotiating with criminals like this handle it for you. There are some companies that offer this service; however, the only one I tend to remember the name of is CoveWare.

