PiotrM (Posted December 2, 2019)

Hello,

My disk is encrypted and every file has the "id[48DD8B75-2415].[[email protected]].Caley" extension. I have removed the infected files and viruses with AV software, but I can't decrypt the files. They are unusable. Could you help me with how I have to do it? Maybe suggest some kind of software? It is very important. I am waiting for your advice.

Greetings,
Piotr

GT500 (Posted December 3, 2019)

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Amigo-A (Posted December 3, 2019)

> "id[48DD8B75-2415].[[email protected]].Caley" extension

This is the result of an attack and the format of an encrypted file of Phobos Ransomware.

You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

PiotrM (Posted December 4, 2019)

> On 12/3/2019 at 4:44 PM, Amigo-A said:
> This is the result of an attack and format of encrypted file of Phobos Ransomware You need to upload the ransom note and the encrypted file so that the identification on Ransomware ID service is successful.

Thanks for your help, but it is not recognized. I am still trying to find something to decrypt the files.

First message is:

Phobos
This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by sample_bytes: [0xB20EA - 0xB20F2] 0x000041444D343135

Second info:

Rapid
This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by ransomnote_filename: How Recovery Files.txt

Piotr

GT500 (Posted December 5, 2019)

> 5 hours ago, PiotrM said:
> Thanks for Your help, but it is not rcognized. I am still trying find something to decrypt files.

I took a look at one of the files you uploaded to ID Ransomware:

Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom
How Recovery Files.txt

The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware.

It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Amigo-A (Posted December 5, 2019)

First, your files were encrypted by Phobos Ransomware and received the extension .id[48DD8B75-2415].[[email protected]].Caley

Then your files were encrypted by Rapid Ransomware and got the extension .no_more_ransom
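
The file-name reading described in the two posts above, as an added example that is not part of the original thread: a Python sketch that peels ransomware markers off a name from the right to recover the original name and the order of encryption. The Phobos-style pattern is an assumption generalized from the single file name quoted here, and `peel_layers` and `encryption_order` are hypothetical helper names.

```python
import re

# Constructed from the file name quoted in the thread (the contact address
# appears redacted as "[email protected]" on the page and is kept that way).
SAMPLE = "Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom"

# Assumption: pattern generalized from that one name, not a vendor signature:
# <name>.id[<8 hex>-<4 digits>].[<contact>].<variant extension>
PHOBOS_STYLE = re.compile(
    r"^(?P<inner>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.*?)\]\.(?P<variant>[^.\[\]]+)$"
)
RAPID_SUFFIX = ".no_more_ransom"  # extension the thread attributes to Rapid


def peel_layers(filename):
    """Strip known markers from the right; return (original_name, layers).

    layers[0] is the outermost marker, i.e. the one appended last.
    """
    name, layers = filename, []
    while True:
        if name.lower().endswith(RAPID_SUFFIX) and len(name) > len(RAPID_SUFFIX):
            layers.append({"family": "Rapid", "marker": RAPID_SUFFIX})
            name = name[: -len(RAPID_SUFFIX)]
            continue
        match = PHOBOS_STYLE.match(name)
        if match:
            layers.append({
                "family": "Phobos",
                "victim_id": match.group("victim_id"),
                "contact": match.group("contact"),
                "variant": match.group("variant"),
            })
            name = match.group("inner")
            continue
        return name, layers


def encryption_order(filename):
    """Families in the order they hit the file (innermost marker first)."""
    _, layers = peel_layers(filename)
    return [layer["family"] for layer in reversed(layers)]


if __name__ == "__main__":
    original, found = peel_layers(SAMPLE)
    print("original name:", original)
    print("encryption order:", " -> ".join(encryption_order(SAMPLE)))
```

A file-name match is only a triage hint; the thread's identification still relied on submitting the ransom note and an encrypted sample to ID Ransomware.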

Amigo-A (Posted December 5, 2019)

In May of this year there was already a case with the same Rapid variant.

---

You can create a decryption request in DrWeb and provide Rapid-encrypted files and the ransom note file How Recovery Files.txt.

http://legal.drweb.com/encoder/?lng=en
http://legal.drweb.ru/encoder/?lng=ru

For a test-decryption request, you do not need to make an advance payment. It's free.

But in practice there is no hope of decrypting files after double encryption and after Phobos in particular.

PiotrM (Posted December 6, 2019)

> 19 hours ago, GT500 said:
> I took a look at one of the files you uploaded to ID Ransomware:
> Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom
> How Recovery Files.txt
> The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware. It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.

Hello,

Thank you all for your time and answers. I think I will wait and maybe in the future decoding will be possible, but I have no hope now. I am still trying to find a way to recover my infected data. The good news is that I have a copy, but not of all files.

It is very strange to me that NOD32 AV didn't recognize the viruses before the infection. After the infection the AV recognized the problem and removed the viruses, but how it is possible to agree with encoding files?

So, thanks again for your cooperation and have a nice day :)) If you have any suggestions in the future, I will be very glad and happy to hear about them.

Greetings,
Piotr

GT500 (Posted December 6, 2019)

My recommendations right now are first to make a backup of your encrypted files, and also to file a report with your country's national law enforcement:
https://www.nomoreransom.org/en/report-a-crime.html

PiotrM (Posted December 6, 2019)

Of course I have made it on the first day of infection. I do not ever pay thieves my money. Thank you for the suggestions. Every help is very valuable for me.

Piotr

GT500 (Posted December 7, 2019)

You're welcome.