PiotrM

Piotr

By PiotrM, in Help, my files are encrypted!

Recommended Posts

PiotrM    0

PiotrM
Posted

Hello

My disk is encrypted and every file has "id[48DD8B75-2415].[[email protected]].Caley" extension. I have removed infected files and viruses by AV software, but I can't decrypt files. They are unusable. Could You help me, how I have to do it? Maybe suggest me some kind of software? It is very important. I am waiting for Your advice.

greetings

Piotr

Share this post

Link to post
Share on other sites

GT500    594

GT500
Posted

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Share this post

Link to post
Share on other sites

Amigo-A    44

Amigo-A
Posted
Quote

id[48DD8B75-2415].[[email protected]].Caley" extension

This is the result of an attack and format of encrypted file of Phobos Ransomware

You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

Share this post

Link to post
Share on other sites

PiotrM    0

PiotrM
Posted
On 12/3/2019 at 4:44 PM, Amigo-A said:

This is the result of an attack and format of encrypted file of Phobos Ransomware

You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

Thanks for Your help, but it is not rcognized. I am still trying find something to decrypt files.

First message is:

Phobos

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_bytes: [0xB20EA - 0xB20F2] 0x000041444D343135

 

Click here for more information about Phobos

Second info:

Rapid

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: How Recovery Files.txt

 

Click here for more information about Rapid

Piotr

Share this post

Link to post
Share on other sites

GT500    594

GT500
Posted
5 hours ago, PiotrM said:

Thanks for Your help, but it is not rcognized. I am still trying find something to decrypt files.

I took a look at one of the files you uploaded to ID Ransomware:

Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom How Recovery Files.txt

The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware. It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Share this post

Link to post
Share on other sites

Amigo-A    44

Amigo-A
Posted

In May of this year there was already a case with the same Rapid variant.

---

You can to create a decryption request in DrWeb and provide Rapid-encrypted files and a ransom note file How Recovery Files.txt

http://legal.drweb.com/encoder/?lng=en
http://legal.drweb.ru/encoder/?lng=ru

For request of test-decryption, you do not need to make an advance payment. It's free. 

But in practice there is no hope of decrypting files after double encryption and after Phobos in particular. 

Share this post

Link to post
Share on other sites

PiotrM    0

PiotrM
Posted
19 hours ago, GT500 said:

I took a look at one of the files you uploaded to ID Ransomware:

Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransomUnavailable   How Recovery Files.txtUnavailable

The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware. It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

19 hours ago, GT500 said:

I took a look at one of the files you uploaded to ID Ransomware:

Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransomUnavailable   How Recovery Files.txtUnavailable

The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware. It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Hello

Thank You All  for Your time and answers. I think I will wait and maybe in the future decoding will be possible, but I have no hope now :( . I am still trying find the way for my infected data recovery. Good news is, that I have a copy, but not all files. It is very strange for me,  that NOD32 AV didn't recognize viruses before infection. After infection AV recognized  problem and removed viruses, but how it is possible to agree with encoding files? So, thanks again for Your cooperation and have a nice day :)) If You will have some suggestions I will be very glad and happy, to hear something about it in the future.

Greetings

Piotr

Share this post

Link to post
Share on other sites

PiotrM    0

PiotrM
Posted

Of course I have made it on the first day of infection. I do not ever pay thieves my money. Thank You for suggestions. Every help is very valuable for me.

Piotr

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.