PiotrM, Posted December 2

Hello

My disk is encrypted and every file has "id[48DD8B75-2415].[[email protected]].Caley" extension. I have removed infected files and viruses by AV software, but I can't decrypt files. They are unusable. Could You help me, how I have to do it? Maybe suggest me some kind of software? It is very important. I am waiting for Your advice.

greetings
Piotr

GT500, Posted December 3

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Amigo-A, Posted December 3

> id[48DD8B75-2415].[[email protected]].Caley" extension

This is the result of an attack and format of encrypted file of Phobos Ransomware.

You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

PiotrM, Posted December 4

On 12/3/2019 at 4:44 PM, Amigo-A said:
> This is the result of an attack and format of encrypted file of Phobos Ransomware
> You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

Thanks for Your help, but it is not recognized. I am still trying to find something to decrypt files.

First message is:

Phobos
This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by sample_bytes: [0xB20EA - 0xB20F2] 0x000041444D343135

Second info:

Rapid
This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by ransomnote_filename: How Recovery Files.txt

Piotr

GT500, Posted December 5

5 hours ago, PiotrM said:
> Thanks for Your help, but it is not recognized. I am still trying to find something to decrypt files.

I took a look at one of the files you uploaded to ID Ransomware:

Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom
How Recovery Files.txt

The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware.

It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Amigo-A, Posted December 5

First, your files were encrypted by Phobos Ransomware and received the extension .id[48DD8B75-2415].[[email protected]].Caley

Then your files were encrypted by Rapid Ransomware and got the extension .no_more_ransom

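Added example, not part of any post in this thread: a small triage script that peels the two suffixes discussed above from file names and reports the order in which they were applied. The family labels follow the posters' identification, the regular expressions are assumptions derived from the one file name quoted here, and the contact address in the sample is a placeholder because the page shows it redacted.

```python
import re
from collections import Counter

# Suffix shapes as they appear in this thread. Family names follow the
# posters' identification; this is not an authoritative signature set.
SUFFIXES = [
    ("Phobos", re.compile(
        r"\.id\[(?P<id>[0-9A-F]{8}-\d{4})\]\.\[(?P<contact>[^\]]+)\]\.(?P<ext>\w+)$")),
    ("Rapid", re.compile(r"\.no_more_ransom$")),
]

def peel_layers(filename):
    """Strip known ransomware suffixes from the right.

    Returns (original_name, layers) with layers in the order they were
    applied: the outermost suffix was added last, so it comes last.
    """
    layers = []
    matched = True
    while matched:
        matched = False
        for family, pattern in SUFFIXES:
            m = pattern.search(filename)
            if m:
                layers.append((family, m.groupdict()))
                filename = filename[:m.start()]
                matched = True
                break
    layers.reverse()
    return filename, layers

def summarize(filenames):
    """Count files per layer sequence, e.g. 'Phobos -> Rapid'."""
    counts = Counter()
    for name in filenames:
        _, layers = peel_layers(name)
        counts[" -> ".join(f for f, _ in layers) or "untouched"] += 1
    return dict(counts)

# Constructed listing. The ID is the one quoted in the thread; the contact
# address is a placeholder because the page shows it redacted.
SAMPLE = [
    "Beznazwy-12.pdf.id[48DD8B75-2415].[contact@example.invalid].Caley.no_more_ransom",
    "report.docx.id[48DD8B75-2415].[contact@example.invalid].Caley",
    "notes.txt.no_more_ransom",
    "backup.zip",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(peel_layers(name))
    print(summarize(SAMPLE))
```

Run over a directory listing of the backed-up encrypted files, the summary shows how many files carry both layers and how many carry only one, which is the information a decryption request or an ID Ransomware submission needs.
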
Amigo-A, Posted December 5

In May of this year there was already a case with the same Rapid variant.

---

You can create a decryption request in DrWeb and provide Rapid-encrypted files and a ransom note file How Recovery Files.txt.

http://legal.drweb.com/encoder/?lng=en
http://legal.drweb.ru/encoder/?lng=ru

For request of test-decryption, you do not need to make an advance payment. It's free.

But in practice there is no hope of decrypting files after double encryption and after Phobos in particular.

PiotrM, Posted December 6

19 hours ago, GT500 said:
> I took a look at one of the files you uploaded to ID Ransomware:
>
> Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom
> How Recovery Files.txt
>
> The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware.
>
> It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Hello

Thank You All for Your time and answers. I think I will wait and maybe in the future decoding will be possible, but I have no hope now. I am still trying to find the way for my infected data recovery. Good news is, that I have a copy, but not all files.

It is very strange for me, that NOD32 AV didn't recognize viruses before infection. After infection AV recognized problem and removed viruses, but how it is possible to agree with encoding files?

So, thanks again for Your cooperation and have a nice day :))

If You will have some suggestions I will be very glad and happy, to hear something about it in the future.

Greetings
Piotr

GT500, Posted December 6

My recommendations right now are first to make a backup of your encrypted files, and also to file a report with your country's national law enforcement: https://www.nomoreransom.org/en/report-a-crime.html

PiotrM, Posted December 6

Of course I have made it on the first day of infection. I do not ever pay thieves my money.

Thank You for suggestions. Every help is very valuable for me.

Piotr

GT500, Posted December 7

You're welcome.