raziel, Posted November 22, 2020

Hi, I need help please, my files are encrypted by .xcrypt

GT500, Posted November 22, 2020

There might be more than one ransomware going by the name "XCrypt". Would it be possible to attach an encrypted file and a copy of the ransom note to a reply?

raziel (Author), Posted November 22, 2020

All the important files on your computer were encrypted. To decrypt the files you should send 0.26 BTC (~100euro) to Bitcoin address: 1D6FAZKhaURNM6V1eFVQEPx7Bv27PNvgwF and in the description field enter your email address. Then you will receive all necessary instructions.

zCamera-2031.zip.xcrypt

raziel (Author), Posted November 22, 2020

I noticed that the BTC/EUR conversion is very old, so I think it is not a new virus.

raziel (Author), Posted November 22, 2020

7 hours ago, GT500 said: There might be more than one ransomware going by the name "XCrypt". Would it be possible to attach an encrypted file and a copy of the ransom note to a reply?

any help?

GT500, Posted November 23, 2020

I've asked one of our ransomware analysts for more information, however please note that I'm not finding any information on decryption so it may not be possible.

raziel (Author), Posted November 23, 2020

40 minutes ago, GT500 said: I've asked one of our ransomware analysts for more information, however please note that I'm not finding any information on decryption so it may not be possible.

OK thanks, I'm waiting to hear from you then. If you can give me the name of that ransomware,

GT500, Posted November 24, 2020

This ransomware has been around since late 2016, however I don't think it was very common as even our ransomware analysts don't have much information on it. They'll need a copy of the ransomware itself to figure out if it's decryptable or not.

You wouldn't happen to know what malicious application encrypted your files, would you? If you do, then could you upload it to VirusTotal and send me a link to the analysis?

raziel (Author), Posted November 24, 2020

32 minutes ago, GT500 said: This ransomware has been around since late 2016, however I don't think it was very common as even our ransomware analysts don't have much information on it. They'll need a copy of the ransomware itself to figure out if it's decryptable or not. You wouldn't happen to know what malicious application encrypted your files, would you? If you do, then could you upload it to VirusTotal and send me a link to the analysis?

I don't think so but I will look

raziel (Author), Posted November 24, 2020

22 hours ago, raziel said: I don't think so but I will look

https://mega.nz/file/JBkkkJza#WfJvhBzcS1C-2KCWVoxbrIudetAqC7vEALggcMdDJcU

I think it's this file, my son downloaded it.

24/11/2020 11:19:59 Malware "Gen:Variant.MSILPerseus.196529 (B)" detected and blocked on behalf of chrome.exe

GT500, Posted November 25, 2020

Thanks. I've forwarded the link to our ransomware analyst so he can look at it.

GT500, Posted November 26, 2020

The file you shared with us isn't ransomware. It appears to swap cryptocurrency addresses in the clipboard (when copying and pasting) to redirect transactions.

raziel (Author), Posted November 26, 2020

8 hours ago, GT500 said: The file you shared with us isn't ransomware. It appears to swap cryptocurrency addresses in the clipboard (when copying and pasting) to redirect transactions.

I see, then you had no info or solution

GT500, Posted November 28, 2020

On 11/26/2020 at 8:32 AM, raziel said: I see, then you had no info or solution

Without a copy of the actual ransomware, I don't think we will be able to determine whether or not your files will be decryptable.

raziel (Author), Posted March 16, 2021

any news for .xcrypt????

GT500, Posted March 17, 2021

13 hours ago, raziel said: any news for .xcrypt????

I don't think we ever received a sample to analyze.

raziel (Author), Posted April 13, 2021

I sent it to you in PM, sir

GT500, Posted April 14, 2021

12 hours ago, raziel said: I sent it to you in PM, sir

Those are just encrypted files. Without the ransomware itself we can't figure out how the encryption process works.

Amigo-A, Posted April 14, 2021

@raziel The easiest way to find out when files were encrypted is to look at the file's "Properties". Usually, the encryption is its last change and this will be the correct date.

Among the programs published in the Digest "Crypto-Ransomware", there are three ransomware that used the word "xcrypt", but only one of them used the .xcrypt extension in its pure form. If the encryption date is closer than 2016, then it could be one of the other well-known ransomware that borrowed this extension.

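Amigo-A's suggestion, applied to a whole folder rather than one file's Properties dialog (an added example, not part of the original thread or of any vendor tool): it collects the last-modified time of every .xcrypt file and reports the date range and the busiest day, because a file copied or touched later shows a misleading date. The function names, sample file names and sample dates are constructed for illustration.

```python
import os
from collections import Counter
from datetime import datetime, timezone

EXT = ".xcrypt"  # extension reported in the thread

def encrypted_file_times(root, ext=EXT):
    """Yield (path, last-modified time in UTC) for each file under root ending in ext."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished file: skip it
            yield path, datetime.fromtimestamp(mtime, tz=timezone.utc)

def encryption_window(root, ext=EXT):
    """Summarise when the files were last changed; None if nothing matches."""
    times = sorted(t for _path, t in encrypted_file_times(root, ext))
    if not times:
        return None
    per_day = Counter(t.date().isoformat() for t in times)
    return {
        "count": len(times),
        "first": times[0],
        "last": times[-1],
        # The day holding most files is the likely encryption date; a lone
        # later date usually means that file was copied or touched afterwards.
        "busiest_day": per_day.most_common(1)[0][0],
    }

def build_sample_tree(root):
    """Constructed sample data: names and dates are made up for the demo."""
    utc = timezone.utc
    samples = {
        "docs/report.doc.xcrypt": datetime(2020, 11, 22, 9, 15, tzinfo=utc),
        "docs/notes.txt.xcrypt": datetime(2020, 11, 22, 9, 16, tzinfo=utc),
        "photos/a.jpg.xcrypt": datetime(2020, 11, 22, 9, 20, tzinfo=utc),
        "photos/b.jpg.xcrypt": datetime(2021, 4, 13, 18, 0, tzinfo=utc),  # copied later
        "photos/untouched.jpg": datetime(2019, 5, 1, 12, 0, tzinfo=utc),  # not encrypted
    }
    for rel, when in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder bytes")
        os.utime(path, (when.timestamp(), when.timestamp()))
```

Run `encryption_window()` against a read-only copy or image of the affected folder, since opening or moving files on the live disk can change the timestamps being measured.
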