Morning!
I just wrote a post in the English user forum on the Kaspersky website, where someone started a thread about this virus at the end of July. Perhaps there will be a reply from Kaspersky support. I mentioned that their tool was capable of decrypting the files in some cases. So...
It seems we have two cases of successful decryption. At least this means that the algorithm used by the criminal is known. Now the question is why it works in some cases and why it doesn't in other cases. I can only imagine that the Kaspersky tool doesn't cover the whole key range used by...
@hrenki
No oshit file on my machine. I guess this evolution of the encoder does not use the oshit file. It's well documented on the web that the left-behind oshit file made decryption in older versions easy. So I guess the criminals changed the code in a way that it works without the file...
Morning, folks!
I tried to decrypt one of hrenki's files on my machine. It worked immediately. The password could be recovered. This means that it does not depend on the computer running in safe mode.
I opened one of the encrypted files with TinyHexer. It's got the same known signature at the...
@MadDancer
I can confirm your analysis. I inspected the files with TinyHexer. Exactly 30000 bytes are encrypted if the file is larger than 30000 bytes. The first two bytes contain the size of the encrypted block, the next two bytes are zero. In my case the size of the file was changed. After the first...
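A small triage check for the header layout described in that post, added here as an example and not code from the thread or from any of the posters. It assumes the two-byte size is little-endian and that the four header bytes are the only change to the file size; neither is stated in the thread, and the sample inputs are constructed.

```python
import struct
from pathlib import Path
from typing import Optional

HEADER_LEN = 4       # 2-byte block size + 2 zero bytes, as described in the thread
BLOCK_LIMIT = 30000  # at most 30000 bytes get encrypted, per the thread


def inspect_header(data: bytes, total_len: Optional[int] = None) -> dict:
    """Check whether a file's first bytes match the described layout.

    `data` needs only the first 4 bytes; `total_len` is the file's full size
    (defaults to len(data)). Assumptions not stated in the thread: the size
    field is little-endian, and the 4-byte header is the only change to the
    file size, so the block should be min(total_len - 4, BLOCK_LIMIT) bytes.
    """
    total_len = len(data) if total_len is None else total_len
    if len(data) < HEADER_LEN or total_len < HEADER_LEN:
        return {"matches": False, "reason": "shorter than the 4-byte header"}
    block_size, padding = struct.unpack_from("<HH", data, 0)
    expected = min(total_len - HEADER_LEN, BLOCK_LIMIT)
    checks = {
        "padding_is_zero": padding == 0,
        "size_within_limit": block_size <= BLOCK_LIMIT,
        "size_matches_file": block_size == expected,
    }
    return {"matches": all(checks.values()), "block_size": block_size,
            "expected_size": expected, "checks": checks}


def find_candidates(root: str) -> list:
    """List files under `root` whose header passes every check (triage only)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(HEADER_LEN)
            if inspect_header(head, path.stat().st_size)["matches"]:
                hits.append(str(path))
    return hits


# Constructed samples, not real ransomware output: a large file where exactly
# 30000 bytes follow the header, a small file encrypted whole, and a plain
# zip/docx header that must not match.
SAMPLE_LARGE = struct.pack("<HH", 30000, 0) + b"\xaa" * 30000 + b"tail" * 100
SAMPLE_SMALL = struct.pack("<HH", 512, 0) + b"\xbb" * 512
SAMPLE_CLEAN = b"PK\x03\x04" + b"\x00" * 1000

if __name__ == "__main__":
    for name, blob in [("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL), ("clean", SAMPLE_CLEAN)]:
        print(name, inspect_header(blob))
```

A match only says the header fits the layout the thread describes; it is a hint for which files to keep for a decryptor, not proof of which encoder produced them.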
@hrenki
Thanks for the advice! I tried a docx file. I let the Kaspersky tool run through the complete range, but it could not find any key. Did you have the decrypted version in the same directory? I don't know exactly whether the decrypted version would help to find the key.
I could rebuild most of...
@MadDancer
The alternative address I posted was from the email I received from the criminal. I can forward this mail directly to you if you are interested. The criminals also left an alternative email address in their message (the bitmap with the two eyes which is left on the infected...
@popowich
Nice advice... but it doesn't get the victims of the attack any further.
I was able to restore most of the infected files on my computer using shadow copies. It seems we are lucky and this version of the virus encoder does not delete the shadow volume copies. The problem is the NAS, which...
Well.....
Kaspersky just finished its work and said that it failed to recover a password. This is bad news...
@MadDancer I hope you get a better result. If you can break the encryption, it would be nice if you could post what exactly you did, what file type you used, etc.
@compleo
In my case the decision was the result of long internet research. This new infection is not well documented on the net yet. I just tried to find infections with similar symptoms to get a clue what kind of ransomware could cause the observed effects.
@daso
I had the same effect, sitting in Germany too. I don't know where it came from. You will not get an email until you email the terrorists yourself, like I did. Kaspersky is still running, trying to break the encryption. I'll keep you up to date if there is a chance to get your files back.
Yesterday I took the chance to send an encrypted file to the terrorist(s) to let them, him or her prove the ability to decrypt it. After several hours I got back the decrypted file. I compared it to the original one bytewise and it was exactly the same. This means they at least have the...
hrenki, great news!
Thanks for this information. Rakhni Decryptor has now been running for about 17 hours. I was not sure if this tool is able to crack the encryption, but now there's hope!
MadDancer, this version of the virus encryptor does not leave any files on the computer which could be used...
Are you serious?!
You want to do user education?!
Well, I don't know exactly how the infection took place; since the ransomware obviously destroys itself after encrypting the filesystem, there was not a trace of it.
But this is not the point. This is an IT security issue in my business, I have...