Raúl

Problem with decrypt_ChernoLocker / File not supported


Hi, 
 
I'm having an issue: I cannot decrypt the files with "decrypt_ChernoLocker"; it says "file not supported".
 
The infected file has been deleted with GridinSoft Anti-Malware
 
Please help.
 
Thanks in advance.
 
 

We have identified "ChernoLocker". This ransomware is decryptable!

Identified by:

Click here for more information about ChernoLocker.

Case number: 2987a1b471b993938d85e38b2cefa859046b431a1579578919


Please help, 

What could be causing that message? The extension of the files is .CH)

Why does the software say that the file type is not supported?

Please help!!!!!

 


It may be a newer version of ChernoLocker that our decrypter doesn't support yet. I'll ask our malware analysts to be certain.


It is a newer variant of ChernoLocker. Would it be possible to attach the logs from GridinSoft Anti-Malware to a reply? We need a copy of the ransomware that was removed from your computer, and I was told that GridinSoft Anti-Malware's logs will contain hashes that will allow us to find it.

Once we get a copy of the ransomware, we should be able to update our decrypter.


Hello @Raúl

Regardless of GT500's request...

To update the identification and description of ChernoLocker Ransomware, I would like to receive a note file from the ransomware and several encrypted files.
Put all of it in an archive without a password and attach it to your new message.


@Amigo-A

All variants of ChernoLocker do not leave a ransom note. It is a compiled Python script that just displays a message box when done, and opens a URL in the browser.

# Excerpt from the decompiled script. `f` is created earlier in the script with a key not shown here;
# judging by the token's gAAAAA prefix it is a Fernet object from the cryptography library (inferred, not shown in the excerpt).
import webbrowser
import win32ui

url = f.decrypt('gAAAAABd5uHecSzXalJbhS48cQlhKynkcDotLAv8c3TD0jBkUvDQb-Z5snS7XgONHXqiNd5Czd94vCQix280kyHSjNnAwzgl66vYj_-YyTtPnNxTN3YjP-tZdQtd1bqe1WyRwrD-2m0xvruurd37CbHVSf2cTy-yCDCTN-MadttLITlVisEFMcKstpwHOUi-KV6YZ-7MmWcz2aaB1WmgSDNs_SN2buoKTg==')
# url = 'https://platinumdatasolutionsltd.co.ke/wp-content/uploads/2018/11/landing-screenshot-img-9-768.jpg'
webbrowser.open_new_tab(url)  # opens the decrypted URL in the victim's default browser
win32ui.MessageBox("All Your Files have now been encrypted with the strongest encryption\nYou need to purchase the encryption key otherwise\nyou won't recover your files\nRead the Browser tab on ways to recover your files\nMake Sure you dont loose this Email as you it will be loosing it will be fatal \nWrite it in a notepad and keep it safe \nEmail: [email protected]", 'YOUR FILES HAVE BEEN ENCRYPTED')  # the only "note" the victim ever sees

@Raúl

Try re-downloading the decryptor for v1.0.0.2 now. I've added support for your variant. :)


Dear all.

Thanks for your help, it is much appreciated.

Please find attached 2 logs from GridinSoft Anti-Malware.

Please also find attached 3 encrypted files (wav, pdf, jpg).

 

About the decryptor for v1.0.0.2: I have downloaded it, and now it accepts the encrypted files, but when I try the decryption process it fails with the following message:

 

File: C:\langpacks\recup\Recoverit 2019-12-12 at 05.27.28\D(NTFS)\Dropbox\Dropbox\13 (1)_- Raul Constantino Compartido\Raúl Constantino Gardeazábal Assgs\Nueva carpeta\PO_4500494714 Ruhrpumpen.pdf.([email protected])
Error: StartIndex no puede ser inferior a cero.
Nombre del parámetro: startIndex

 

Please also find attached the decryption log from Emsisoft; no file has been recovered yet.

 

Please help.

Thanks in advance.

ScanLog_2020-01-20 [19-06-13].log ScanLog_2020-01-20 [19-29-44].log RCG - IFE.pdf.([email protected]) Sobrino-Memo.jpg.([email protected]) Track 2_003.wav.([email protected]) decryp log 1.txt

4 hours ago, Raúl said:

About the decryptor for v1.0.0.2: I have downloaded it, and now it accepts the encrypted files, but when I try the decryption process it fails with the following message:

File: C:\langpacks\recup\Recoverit 2019-12-12 at 05.27.28\D(NTFS)\Dropbox\Dropbox\13 (1)_- Raul Constantino Compartido\Raúl Constantino Gardeazábal Assgs\Nueva carpeta\PO_4500494714 Ruhrpumpen.pdf.([email protected])
Error: StartIndex no puede ser inferior a cero.
Nombre del parámetro: startIndex

The encrypted files you attached are all fairly small. Did you try it on any larger files (for instance something a few megabytes in size)?


Dear all.

Many thanks for the help!

I'm recovering my files now.

Just one thing: the decryptor asks for a path to decrypt. I have my PC partitioned into "C" (operating system) and "D" (my files).

When I choose C or D or a specific folder, the decryption process always chooses C.

Could you please help with this bug?

Thanks again for all the support

 

decryp log 2.txt


I don't quite understand what you are describing. Can you provide a screenshot of the main Decryptor tab after you've selected what to decrypt?


I was not able to select a specific folder to decrypt, but now I have found out how.

An issue I'm experiencing is that some images are restored but damaged; the same goes for some videos and some other files (example attached).

Any idea about it?

Thanks again for the support

Screenshot_20180528-185529_WhatsApp.jpg

I'd need you to send me the actual encrypted files (before decryption) that are having issues for me to look at that any further. I cannot reproduce any issues with decryption using sample data I let the malware encrypt. I don't see any bugs in the malware that would cause data corruption either from what I can tell.


Dear all, 

Almost all of my files were decrypted with some corruption (mostly the larger ones).

Please find attached the link (via WeTransfer) where I uploaded several files, encrypted and decrypted with issues.

Thanks again for all the support.

Please help!

https://we.tl/t-Rb


I've done extensive testing with the malware and our decryptor, and cannot reproduce any issues with decrypting files of any size or contents; they always decrypt to an exact match of the original file I let it encrypt.

I can tell the files you provided are corrupted in some minor way, but it does not appear to be from the decryptor or the malware. I do not know the file formats well enough to know exactly "where" the corruption is, but I can definitely tell the file that is output by the decryptor is the exact file that was encrypted by the malware. The padding and size match up.

The only corruption I can tell myself is with 20170914_135554.jpg - the file was truncated or had something appended to it. The very last 2 bytes would normally be 0xFFD9, but there are 98 bytes after it (removing these does not remove the corruption). The malware stores the "original" filesize at the beginning of the file, and that matches up with the decrypted size - so the file had already been truncated/appended to by the time the malware got to encrypting it.

The only thing I can think of at this point is that perhaps the exact malware that encrypted your files is altered from the sample I have. We would need the GridinSoft logs to confirm that, as @GT500 asked for earlier.
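The JPEG trailer check described in the post above, written out as an added example (not code from the thread or from Emsisoft's decryptor): it finds the last End-Of-Image marker 0xFFD9 and reports how many bytes follow it, so a batch of decrypted files can be triaged into clean, truncated (no EOI at all) and trailing-data cases. The sample files are constructed minimal JPEG skeletons, not the files from the thread.

```python
JPEG_SOI = b"\xff\xd8"  # Start Of Image: every JPEG begins with these bytes
JPEG_EOI = b"\xff\xd9"  # End Of Image: a well-formed JPEG ends with these bytes


def jpeg_trailer_report(data: bytes) -> dict:
    """Locate the last EOI marker and count the bytes that follow it.

    trailing_bytes == 0  -> file ends cleanly on EOI
    trailing_bytes  > 0  -> something was appended after the image data
    eoi_offset is None   -> no EOI anywhere, i.e. the file was truncated
    """
    if not data.startswith(JPEG_SOI):
        return {"is_jpeg": False, "eoi_offset": None, "trailing_bytes": None}
    # rfind, not find: EXIF thumbnails embed their own SOI/EOI pair, so the
    # marker that terminates the main image is the last one in the file.
    eoi = data.rfind(JPEG_EOI)
    if eoi < 0:
        return {"is_jpeg": True, "eoi_offset": None, "trailing_bytes": None}
    return {"is_jpeg": True, "eoi_offset": eoi,
            "trailing_bytes": len(data) - (eoi + len(JPEG_EOI))}


def triage(files: dict) -> dict:
    """Map file name -> verdict for a batch of decrypted files."""
    verdicts = {}
    for name, data in files.items():
        r = jpeg_trailer_report(data)
        if not r["is_jpeg"]:
            verdicts[name] = "not-jpeg"
        elif r["eoi_offset"] is None:
            verdicts[name] = "truncated"
        elif r["trailing_bytes"] > 0:
            verdicts[name] = "trailing-data"
        else:
            verdicts[name] = "clean"
    return verdicts


# Constructed samples (not real files): a minimal JPEG skeleton (SOI, one JFIF
# APP0 segment, EOI), the same with 98 junk bytes appended as in the post,
# and a copy cut off before its EOI.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = JPEG_SOI + _APP0 + JPEG_EOI
APPENDED_JPEG = CLEAN_JPEG + b"\x00" * 98
TRUNCATED_JPEG = CLEAN_JPEG[:-2]
SAMPLES = {"clean.jpg": CLEAN_JPEG, "appended.jpg": APPENDED_JPEG,
           "truncated.jpg": TRUNCATED_JPEG, "notes.txt": b"plain text"}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Because the check only looks at the last marker, a file that was both truncated and then padded can still show up as "trailing-data"; a trailing-data verdict means "inspect further", not "the image is otherwise intact".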


I've reviewed the logs, and am not really seeing anything to do with ChernoLocker. Lots of PUPs and adware, and pirated software that likely landed you in this situation.

The "Ransom.FPL.Gandcrab.v1" detection seems to be an erroneous name from what I can tell - it is malware, but it's more of a backdoor Trojan and doesn't encrypt files.

I'm afraid I don't have any ideas at the moment as to why the files were corrupted - as far as I can tell, the decryptor is restoring the files exactly to the state the malware encrypted them from. I would recommend holding onto the encrypted files in case something changes in the future though.

