SCRYPTmail virus-encode ransomware (help2015@scryptmail)

EQ Admin

EQ Forum Admin
Staff member
Hello,

SCRYPTmail is receiving reports that a new virus, that appears to be ransomware detected as virus-encode, is asking people to contact an email address hosted by the encrypted email service SCRYPTmail.com.

There are a few points to make clear:
  • SCRYPTmail is not responsible for the creation of the virus
  • SCRYPTmail is not used to spread the infection
  • SCRYPTmail cannot restore or decrypt the files on your computer
  • SCRYPTmail does not know the identity of the account holder
  • SCRYPTmail does not financially benefit from any ransom collected by the creator of the virus
At this time, SCRYPTmail does not intend to shut down the account because that would leave those who are infected with no mechanism to get back their files.

If subpoenaed by an authority with jurisdiction in the United States, SCRYPTmail will release the ENCRYPTED version of the mailbox to those authorities.

We understand why an encrypted email service such as SCRYPTmail may have been chosen as the email service provider by the creator of the virus because they will benefit from the increased privacy compared to an unencrypted free email service such as Gmail or Yahoo.

Please feel free to reply with your questions and comments here.

Thank you.

Update! - Please try this decrypt tool to get back your files:

RakhniDecryptor utility for removing Trojan-Ransom.Win32.Rakhni malicious software (.oshit and others)
 

MisterFister

Valued Member
You wanted a reply from the criminals abusing Scryptmail... well, here it is:


Hello

If you wish to get all your files back, you need to pay 5 BTC.

How to get bitcoins?
1. Check if there are any bitcoin ATMs in your area: http://coinatmradar.com
   http://www.coindesk.com/bitcoin-atm-map/
2. Check out this site: https://localbitcoins.com
3. Google: (buy) bitcoins your_country (your_city) [you can try in your own language]
4. If you need help - let me know.

This is the only way to get your files back. There's no way to decrypt them without the original key. The price is non-negotiable. After paying 5 BTC and emailing the confirmation of payment you will be provided with a decoder. If you don't trust me, you can email one of your files, I will decode it and send it back to you. However, if the file you're requesting to decode is valuable, I will send you either a quote from it or a screenshot. I apologise for any inconvenience caused. Let me know if you want to proceed. Thank you for your cooperation.

--------------------------------------------------------------
NB! Alternative emails: help2015@tuta.io | help2015@inbox.lv |
--------------------------------------------------------------


Nice to see that you don't intend to do anything about this problem!!!
 

EQ Admin

EQ Forum Admin
Staff member
Nice to see that you don't intend to do anything about this problem!!!

We can still do some user education. How is this ransomware spread?
  • opening an attachment in an email?
  • infected by a web site?
  • infected by an ad?
  • something else?
Can you let them know what they did wrong in the first place so they try not to do it again in the future?
 

MisterFister

Valued Member
Are you serious?!
You want to do user education?!
Well, I don't exactly know how the infection took place, since the ransomware obviously destroys itself after encrypting the filesystem; there was not a trace of it.
But this is not the point. This is an IT security issue in my business that I have to deal with.
The point is that scryptmail.com knows about this abuse, as was stated in the first post, and they do not intend to do anything about it. Offering privacy to people is a good thing. But protecting criminals is not! And this is what they just do. Instead of reporting such an issue to the authorities, they claim to do nothing until they get forced by the authorities. This is not only a poor business policy, this is criminal behaviour.
 

EQ Admin

EQ Forum Admin
Staff member
That is great news!

I'm also interested in hearing about any stories involving payment that did not get back encrypted files.

If the account is stealing money without people getting their files back we'll shut down the account to help prevent the criminal from receiving additional payments.
 

SCRYPTmail

Email Service Provider
Are you serious?!
You want to do user education?!
Well, I don't exactly know how the infection took place, since the ransomware obviously destroys itself after encrypting the filesystem; there was not a trace of it.
But this is not the point. This is an IT security issue in my business that I have to deal with.
The point is that scryptmail.com knows about this abuse, as was stated in the first post, and they do not intend to do anything about it. Offering privacy to people is a good thing. But protecting criminals is not! And this is what they just do. Instead of reporting such an issue to the authorities, they claim to do nothing until they get forced by the authorities. This is not only a poor business policy, this is criminal behaviour.

I think popowich was clear about what we are trying to do: we keep this account open so people have a chance to get their files back. Closing the account at this stage is not going to do any good for anyone. If we learn the attacker is not getting back to people with the decryption key, sure, we will close the account, but that won't stop an attacker from just opening another one.

Blaming a service that did not cause any harm and only provides a service for people is the same as blaming SONY for making video cameras that someone will use to shoot inappropriate films.
 

hrenki

Valued Member
Just brute force... I tried to get what the password was but did not get it... unfortunately, I already returned the infected computer, so I don't have any log file.
 

MisterFister

Valued Member
hrenki, great news!
Thanks for this information. Rakhni Decryptor has now been running for about 17 hours. I was not sure if this tool is able to crack the encryption, but now there's hope!
MadDancer, this version of the virus encryptor does not leave any files on the computer which could be used for password reconstruction. It seems brute force is the only way.
 

daso

New Email
Yesterday noon I got the help2015@scryptmail infection! All pictures, all files, every mp3 got the ending: IMG.JPG.id help2015@scryptmail
I'm in Germany, but this is the only discussion about the virus/worm, whatever it is. I don't know how I got infected! I was listening to an audiobook on YouTube and preparing pictures for a digital picture book. I didn't receive any mail or open a website.
I did not receive a mail asking for payment.
 

MisterFister

Valued Member
Yesterday I took the chance to send an encrypted file to the terrorist(s) to let them, him or her prove the ability to decrypt it. After several hours I got back the decrypted file. I compared it to the original one bytewise and it was exactly the same. This means they at least have the keys. So if cracking the encryption fails, payment might be an option, although I doubt that they are seriously interested in anything else but getting the money and vanishing into the darkness.
 

MisterFister

Valued Member
@daso
I had the same effect, sitting in Germany too. I don't know where it came from. You will not get an email until you email the terrorists yourself, like I did. Kaspersky is still running, trying to break the encryption. I'll keep you up to date if there is a chance to get your files back.
 

MadDancer

Valued Member
Thanks for the answer, Hrenki.

Hi, MisterFister, thanks for your info about testing the "terrorists".

Beginning yesterday I have been trying to brute-force decrypt the encrypted files via the Kaspersky utility. On my i7 CPU it will take about 17 hours to try all the password combinations. It will end at 4 P.M., so I will post the result here.
 

MadDancer

Valued Member
P.S. My client got the virus through a security hole in Flash Player, I guess, based on my investigation. Not from an email or any downloaded file.
 

MisterFister

Valued Member
@compleo
In my case the decision was the result of a long Internet research. This new infection is not well documented on the net yet. I just tried to find infections with similar symptoms to get a clue what kind of ransomware could cause the observed effects.
 

compleo

Valued Member
@compleo
In my case the decision was the result of a long Internet research. This new infection is not well documented on the net yet. I just tried to find infections with similar symptoms to get a clue what kind of ransomware could cause the observed effects.

I never heard of ransomware for an e-mail provider before.
 

EQ Admin

EQ Forum Admin
Staff member
I never heard of ransomware for an e-mail provider before.

The ransomware is not spread by any of the encrypted email providers.

@MadDancer thinks maybe the ransomware was spread via a vulnerable flash player.

The criminal appears to be using SCRYPTmail, Tutanota, and possibly other services to help conceal their identity.

It's not much different than if they were using a Gmail contact address, except that, by using these services to communicate with infected users, I'm assuming they hope for more privacy and more difficulty in tracing their identity.
 