BJammin

.Sys Ransomware (DLL Cryptomix variant)


I have 200,000 files that are encrypted ending with .sys via compromised RDP.  The attackers were malicious and deleted a lot of files. 

It looks like it's a variant of the DLL Cryptomix ransomware:
https://blog.watchpointdata.com/dll-cryptomix-exposes-ransomware-infection-method

I reluctantly paid the ransom and they sent me a decryptor tool but it's not working.  It worked on some files that were less than 2 GB then suddenly stopped working on everything.  

The criminals sent us a message demanding more ransom to decrypt anything over 2 GB.  

Since I have the decryptor tool they sent me and it worked for a little while on some files, is there any way to reverse engineer it to work with everything else?  

Ransom note:

Hello!

Attention! All Your data was encrypted!

For specific information, please send us an email with Your ID number:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Please send Your email to our all email addresses! We will help You immediately! As faster You will contact us as cheaper will be the recovery price!

IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!


DECRYPT-ID-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX number  - I removed the ID number just in case.  

Any feedback or ideas would be much appreciated, I'm lost on what to do next.  


@BJammin

Hello
When (date) did the file encryption happen?

Attach to the message or send me in PM the original file of the ransom note and two encrypted files.

Do not change or edit anything.

The primary source of information on CryptoMix-DLL Ransomware is my site.

I uploaded the malware samples to the analysis services and gave the link to the BleepingComputer representative. 

All other descriptions of this ransomware are secondary or info-theft if they do not provide a link to the primary source.

The Sys-variant of CryptoMix is described in the main topic as an update (section after the article).

 


We identify all new variants under the CryptoMix-Revenge Ransomware group.

Last year there was already one variant with the extension of the .SYS, but with other contacts.
I did not make a separate article then, and added it below after the article to a section for appendices.

Name within the family: CryptoMix-SYS Ransomware

If it will be distributed more, I will make a separate description. But there is no free decryptor for this variant.


Since we paid the ransom to get the decryption tool, and the decryption tool worked for a brief moment, why would it suddenly stop working?  I don't see any rhyme or reason to why it works then it doesn't.  Now it doesn't work at all.


If a remote server of the extortionists is used at the time of decryption, then this may be the explanation. It could be disconnected from its power source or blocked. Try with another group of files when the Internet is connected.


To ZIP files simply right-click on them, go to Send to, and select Compressed (zipped) folder.


I just got hit by this [email protected] ransomware! Out of curiosity, how much did the guy want for the ransom? I lost about 18 days worth of transaction data that I'm almost certain I won't get back. I tried the Avast decrypter but it wants the key, I'm not paying for the key so I'm not sure how much use that is. The workstations were all online so I'm almost certain the key is not going to be available.


Please don't contact the criminals yourself. If you need to negotiate with them, then I recommend having a third-party with experience negotiating with criminals like this handle it for you. There are some companies that offer this service, however the only one I tend to remember the name of is CoveWare.


Hi, I also had a ransomware problem.

I have an encrypted file and the same file decrypted.

Can you have a look if you can find something out?

8 hours ago, BrunoG. said:

Can you have a look if you can find something out?

I've asked our malware analysts if we still need information about this ransomware.

On 6/24/2019 at 3:44 PM, ppets said:

I just got hit by this [email protected] ransomware! Out of curiosity, how much did the guy want for the ransom? I lost about 18 days worth of transaction data that I'm almost certain I won't get back. I tried the Avast decrypter but it wants the key, I'm not paying for the key so I'm not sure how much use that is. The workstations were all online so I'm almost certain the key is not going to be available.

We paid 2 bitcoin to get the decryption tool but the tool wouldn't decrypt anything over 2 GB and only decrypted a small amount of the files under 2 GB.  

When communicating with the attackers, they demanded another bitcoin to give us a "plugin" to decrypt the rest.  

We were able to get a majority of the main files from the file allocation tables before the attack happened.  

This is the first ransomware attack I've seen where the ransom was paid and the attackers didn't follow through with their end of the deal and just asked for more money.  This is where we drew the line and didn't pay any more. Never paying ransom again!!!  

Also, I tried the Avast decrypter and it didn't do anything for me.  Nomoreransom.org and other sites don't currently have a decryption tool for this that I'm aware of.  


@BJammin

If you asked us before paying the ransom, we would tell you what you said yourself now.  Never paying ransom!!!  

Avast decryptor can only decrypt files encrypted with offline keys.

9 hours ago, BJammin said:

We paid 2 bitcoin to get the decryption tool but the tool wouldn't decrypt anything over 2 GB and only decrypted a small amount of the files under 2 GB.

There are a number of ransomwares that have flaws in regards to handling either very small files or very large files. The criminals who make these ransomwares care about only one thing: getting paid. If the decrypter they send you doesn't work, then they don't care.

BTW: If you look at our decrypter page, in the information below "Step 2", it says the following:

You paid the ransom but the decryptor doesn’t work as expected?
If you decide to pay the ransom, you should receive a decryptor from the ransomware authors. Unfortunately, these decryptors are often unable to correctly decrypt all of your files. In some cases, the decryptors are horribly slow and may take days or even weeks to decrypt your files, especially if you have large amounts of data.

If you need a high-quality decryptor, we can help. Our developers work with the experts at Coveware to provide super-fast solutions for your decryption problems. Please note that Coveware offers a third-party service and is not covered by the Emsisoft Privacy Policy.

Contact Coveware Incident Response Now

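An added triage script (not from this thread, Emsisoft, or any vendor decryptor) for the situation described above: it walks a directory, counts files still carrying the .sys extension by whether they fall at or above the 2 GB limit the criminals' tool reportedly stops at, and flags files the decryptor wrote back that still look like random bytes rather than a recognisable file type. The magic-byte table and the sample tree in demo() are constructed here for illustration; the 2 GB threshold and the .sys extension come from the thread.

```python
"""Triage an encrypted tree: what the decryptor can cover, and what it really fixed."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".sys"      # extension appended by this CryptoMix variant (from the thread)
TWO_GB = 2 * 1024 ** 3      # size at which the criminals' tool reportedly stops working

# Constructed list of common file signatures; extend it for your own environment.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
}

def size_bucket(size, limit=TWO_GB):
    """Files at or above `limit` are the ones the vendor tool refused to handle."""
    return "over_limit" if size >= limit else "under_limit"

def looks_like_plaintext(path):
    """Heuristic: decrypted output should start with a known signature; ciphertext
    looks like random bytes and matches none. Plain-text formats will be flagged too."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None

def triage(root, limit=TWO_GB):
    """Count still-encrypted files per size bucket; sanity-check decryptor output."""
    report = {"encrypted": Counter(), "decrypted_ok": 0, "decrypted_suspect": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted"][size_bucket(os.path.getsize(path), limit)] += 1
            elif looks_like_plaintext(path) is None:
                report["decrypted_suspect"].append(path)
            else:
                report["decrypted_ok"] += 1
    return report

def demo(limit=64):
    """Constructed sample tree (not victim data) with a tiny limit standing in for 2 GB."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf.sys": bytes([0xC8, 0x9A] * 8),        # encrypted, below the limit
        "backup.vhd.sys": b"\x00" * (limit + 1),          # encrypted, beyond the limit
        "report.pdf": b"%PDF-1.7\n% decrypted output",    # plausible decryptor output
        "notes.docx": bytes([0xC8, 0x9A] * 16),           # "decrypted" but still ciphertext
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage(root, limit)
```

Run triage() against the real share with the default limit to get the count of files the tool cannot touch and a list of files that need a closer look before trusting them as restored.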
