Hello, @Mohsin

I know almost certainly what kind of ransomware (most likely JSWorm ransomware) has encrypted your files, but I need to clarify some details.

Attach the original note here and 2-3 encrypted files, or upload all of them to www.sendspace.com and paste the download link here.

There are several similar ransomware families; we need to examine the files to say for sure.


I have the same thing, but instead of a .txt file it's an HTML Application (.hta).

Here is the sendspace link: https://www.sendspace.com/filegroup/sRHSwJySqZ3cXRFJlc5CJQ

Here are a few more files if you need to look at them: https://www.sendspace.com/filegroup/hxqKfEGN6R7TeHM5QosANw4RRiK2jD1hr%2BCvM9fMngsru26QlocERasGfm6BgXzr0wo1k6OBXuOKTginvVxsBA

  • Upvote 1

6 hours ago, acesblackstar said:

I have the same thing, but instead of a .txt file it's an HTML Application (.hta).

Here is the sendspace link: https://www.sendspace.com/filegroup/sRHSwJySqZ3cXRFJlc5CJQ

Here are a few more files if you need to look at them: https://www.sendspace.com/filegroup/hxqKfEGN6R7TeHM5QosANw4RRiK2jD1hr%2BCvM9fMngsru26QlocERasGfm6BgXzr0wo1k6OBXuOKTginvVxsBA

That appears to be JSWorm 4:
https://id-ransomware.malwarehunterteam.com/identify.php?case=6161c21143a1baff056e6eeb9efcc42560687baf

We've yet to be able to update our decrypter for version 3 and 4 of JSWorm.


I've seen our analysts working on it, however I haven't been told whether or not it will be possible for them to update the decrypter.

10 hours ago, shouck said:

Here are some additional files to assist you guys with finding a possible solution. We have had three clients hit so far. One I cannot pull files from, so I have attached files from the two that I could pull from; it includes 3 files and the ransom note.

I've let our malware analysts know about your files, and they'll take a look at them if they need to.

That being said, our malware analysts are already familiar with the encryption used by JSWorm 3 and JSWorm 4. In theory decryption of both should be possible. Keep an eye on our blog and BleepingComputer's news for the announcement:
https://blog.emsisoft.com/
https://www.bleepingcomputer.com/

Both also have RSS feeds available, if you'd like to be automatically notified about new articles:
https://blog.emsisoft.com/feed/
https://www.bleepingcomputer.com/feed/

  • Upvote 1


I tried the JSWorm 4 decryptor on a JSWorm 4.0.3 encrypted file. It's not working well: the end of the decrypted files is corrupt. I sent a sample of the original file, the encrypted file, the corrupted decrypted file, and the pair of encrypted/original files used to get the decryption key.

https://www.sendspace.com/file/7bxerq

33 minutes ago, acesblackstar said:

I just downloaded the tool, but it's asking me to "please select the original of the same file". I don't have the original; everything has been converted.

I used a text file from the OpenSSL distribution to get the original of an encrypted file. The OpenSSL folder on my PC was encrypted, so I downloaded the same version of the installer, installed it on another PC and took the original file from there. I think you can do something like this: look at your encrypted files, find something that you can download, and use it.


Look at your file that I attached.

From personal experience, I always use folders with English words or numbers for decryption. Folders in other languages may not be supported.

This does not apply to decrypters from Emsisoft. This is just my experience.

@GT500 from Emsisoft or @Demonslay335 experts will tell you in more detail or fix this problem. Wait.
I recommend solving problems with decryption through PM, so developers and ransomware actors will not know the secret.

  • Like 1


I can't download the attached file: no permissions. After my try, I get a readable file, but the last word in this file should be "platforms" and instead it is "pl" and some garbage.

30 minutes ago, acesblackstar said:

Can you help me out with this tool please?

How? Download it, run it, and point it to the original file and the encrypted file. The decrypter will begin the process of calculating the key. It will take some time. Next you need to click the "Start" button, and everything is simple.

13 hours ago, acesblackstar said:

I just downloaded the tool, but it's asking me to "please select the original of the same file". I don't have the original; everything has been converted.

Do you have any encrypted files in the following location?

C:\Users\Public\Pictures\Sample Pictures

If yes, then let me know what version of Windows it is.


19 hours ago, broniusr said:

I tried the JSWorm 4 decryptor on a JSWorm 4.0.3 encrypted file. It's not working well: the end of the decrypted files is corrupt. I sent a sample of the original file, the encrypted file, the corrupted decrypted file, and the pair of encrypted/original files used to get the decryption key.

https://www.sendspace.com/file/7bxerq

Do you have another file pair you can try? Depending on exactly how the decrypter works, the file pair you're using may be too small.

I'll ask and see if there may be another reason.


So it's Monday, I am back at my PC and have an update.

I did some research with these files. The files are partially encrypted. If the file is big enough (> 160 KB), only the first 160 KB is encrypted. If the file is smaller, then the last 2 bytes (I think mod(filesize, 16) is used to calculate the unencrypted part) are not encrypted. I think that if the file is smaller than 160 KB, the decryptor tries to decrypt the full file, not only the encrypted part, and the result is that the last 2 bytes of the file are corrupted. I attached a picture with an example. With files bigger than 160 KB the decryptor works correctly.

[Attached image: jsworm403-small-file-last-bytes.PNG]


@broniusr

You are correct, the malware encrypts up to 0x27100 bytes of the file, and I forgot to test bait files smaller than that limit. I'll post here once the decryptor has been updated to factor for that bug in the malware.

Every version of this malware family has had at least one such bug relating to the crypto, so annoying...
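The layout broniusr worked out and Demonslay335 confirmed (a 0x27100-byte encryption cap, with small files decrypted past their encrypted region) lends itself to a quick consistency check on decrypter output. The following is an added example, not code from this thread or from Emsisoft's decrypter: it assumes the mod-16 tail rule the poster inferred, and uses a stand-in XOR transform in place of the real cipher purely to reproduce the "whole file vs. encrypted span" bug.

```python
# Added example (not from the thread or Emsisoft's tool): models the partial
# encryption layout described for JSWorm 4.0.3 and checks that a decrypted
# output leaves the never-encrypted tail untouched.
LIMIT = 0x27100  # 160000 bytes, the per-file encryption cap named in the thread


def encrypted_span(size: int) -> tuple:
    """Return (start, end) of the bytes that are actually encrypted.

    Files at or above LIMIT have only their first LIMIT bytes encrypted.
    Smaller files keep their last (size mod 16) bytes in plaintext; this
    follows the poster's inference and is an assumption, not verified
    malware behaviour.
    """
    if size >= LIMIT:
        return 0, LIMIT
    return 0, size - (size % 16)


def tail_preserved(encrypted: bytes, decrypted: bytes) -> bool:
    """Sanity check on a decrypter run: the unencrypted tail must be unchanged."""
    if len(encrypted) != len(decrypted):
        return False
    _, end = encrypted_span(len(encrypted))
    return encrypted[end:] == decrypted[end:]


def xor_span(data: bytes, key: bytes, end: int) -> bytes:
    """Stand-in reversible transform (NOT JSWorm's cipher) applied to data[:end]."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:end]))
    return head + data[end:]


# Constructed sample: a 1002-byte "file", so 1002 mod 16 == 10 tail bytes stay plain.
SAMPLE = (b"x" * 992) + b" platforms"  # tail ends in the word the poster expected
KEY = b"constructed-key"


def demo() -> dict:
    """Encrypt only the real span, then decrypt it both ways and compare."""
    _, end = encrypted_span(len(SAMPLE))
    enc = xor_span(SAMPLE, KEY, end)
    buggy = xor_span(enc, KEY, len(enc))   # decrypts the whole file: bug from the thread
    fixed = xor_span(enc, KEY, end)        # decrypts only the encrypted span
    return {
        "buggy_tail_ok": tail_preserved(enc, buggy),
        "fixed_tail_ok": tail_preserved(enc, fixed),
        "fixed_matches": fixed == SAMPLE,
        "buggy_tail": buggy[-10:],
    }
```

Running `demo()` shows the whole-file decryption scrambling the trailing " platforms" bytes while the span-limited decryption reproduces the sample exactly.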


@broniusr

The decryptor has been updated, please try downloading it again. :)

If you run it from the same directory as before, it should pick up the key file from the previous session, and you won't have to re-bruteforce it.

Thanks for reporting the bug.
