SCRYPTmail virus-encode ransomware (help2015@scryptmail)

MisterFister

Valued Member
Well.....
Kaspersky just finished its work and said that it failed to recover a password. This is bad news...
@MadDancer I hope you get a better result. If you can break the encryption, it would be nice if you could post what exactly you did, what file type you used, etc.
 

EQ Admin

EQ Forum Admin
Staff member
A purchase worth considering is online backups for your computer. Online backups can protect you from lost files, computer viruses, etc.

Connected devices such as external hard drives and thumb drives can be infected too, and if not stored in a separate location, they could be stolen or lost with your computer if there is a fire.
 

MisterFister

Valued Member
@popowich
Nice advice... but it doesn't get the victims of the attack any further.
I was able to restore most of the infected files on my computer using shadow copies. It seems we are lucky and this version of the Virus Encoder does not delete the shadow volume copies. The problem is the NAS, which was mapped as a drive. There is no shadow copy available for it.

@MadDancer
Anything new from your decryption attempt with the Kaspersky tool?
 

EQ Admin

EQ Forum Admin
Staff member
At this time, SCRYPTmail does not intend to shut down the account because that would leave those who are infected with no mechanism to get back their files.

The account help2015@scryptmail.com has been suspended.

For anyone who is following and is interested in the technical "how it works" behind the scenes:

There is a limitation of the mail system that currently results in any new email being sent to that account getting silently discarded instead of bouncing with a 5xx error message.

The encrypted data for the account will remain in the system. The account has not been deleted.

There is no mechanism, even with the suspend process, that allows SCRYPTmail or anyone else to gain access to the old or new mailboxes.

After SCRYPTmail begins offering premium accounts, this account may be subject to free account inactivity limits and eventually deleted for that reason.

SCRYPTmail accounts that are deleted remain in backups for 7 days before the data is permanently lost.
 

compleo

Valued Member
The account help2015@scryptmail.com has been suspended.

For anyone who is following and is interested in the technical "how it works" behind the scenes:

There is a limitation of the mail system that currently results in any new email being sent to that account getting silently discarded instead of bouncing with a 5xx error message.

The encrypted data for the account will remain in the system. The account has not been deleted.

There is no mechanism, even with the suspend process, that allows SCRYPTmail or anyone else to gain access to the old or new mailboxes.

After SCRYPTmail begins offering premium accounts, this account may be subject to free account inactivity limits and eventually deleted for that reason.

SCRYPTmail accounts that are deleted remain in backups for 7 days before the data is permanently lost.

Does this apply to those who were not infected?
 

MadDancer

Valued Member
The account of the criminal has been suspended.

They can no longer use that SCRYPTmail address as a way to communicate and request payment from victims.

Hi Popowich - too bad news from you!!!!! - because the Kaspersky utility does NOT WORK!!!!! and I need to contact the criminals, because my client's company lost all data on the network server and the backup machine is broken, so we cannot recover the data from backup. The working mailbox HELP2015@SCRYPTMAIL.COM is our ONLY CHANCE to get the data back. I don't understand why you suspended that mailbox, when you wrote previously that you would not do it???!!!!!!
 

MadDancer

Valued Member
I can't believe that you suspended that mailbox. Now anyone who gets infected will lose their files without any chance of recovery :(((((( You cannot be serious!!!! You cannot stop the spreading of this virus and you did such a thing!!!! Please open that mailbox for the next couple of days, so people can make their own decision to pay or not to pay. And for example, some people may have paid bitcoins to the criminals and now they cannot receive the decrypt instructions. So they lost data and money too, because you suspended that account :(
 

MadDancer

Valued Member
Yes, you're right, but how can you know that it's the real contact mail of the real publishers of the virus? (Nothing against MisterFister) These alternate addresses are published only in this forum at this moment. So I will try to send a sample of an encrypted file to these addresses to decode, to prove the authenticity of the right recipient.
 

EQ Admin

EQ Forum Admin
Staff member
Yes, you're right, but how can you know that it's the real contact mail of the real publishers of the virus?

You are correct, we can't be sure.

Keep your programs and anti-virus up to date, and have good backups for important data. :hammer:
 

MadDancer

Valued Member
You are correct, we can't be sure.

Keep your programs and anti-virus up to date, and have good backups for important data. :hammer:

Thank you for the advice, but more bad things happened at the same time - the backup machine got broken a few days before they got the virus :(

At the moment of the virus attack (Tuesday morning), no antivirus was able to detect that file. I tested it again on Tuesday evening through virustotal.com and only two antivirus products out of 55 detected it. Today it is 9 out of 55, still a very low detection rate.
 

SCRYPTmail

Email Service Provider
I think we can resume that account; if Kaspersky is not working and there is no solid solution to the problem, we feel responsible to give people a chance to recover their information.

Please let me know if some of you were able to successfully recover files; otherwise, if we hear that it's only used to steal money, it will be shut down permanently.
 

MisterFister

Valued Member
@MadDancer
The alternative address I posted was from the email I received from the criminal. I can forward this mail directly to you if you are interested. The criminals also left an alternative email address in their message (the bitmap with the two eyes which is left on the infected system); this is help2015@inbox.lv. I didn't try this one myself. It's a pain in the ass that Kaspersky doesn't work. Too bad that hrenki could not supply any detailed information about what he did to break the encryption. I still hope there will come some updated tool from one of the big AV labs. It is of course hard to lose data, especially if a business is hit by the attack, as in my case. On the other hand, I think just like our great former chancellor Helmut Schmidt: I will not negotiate with any kind of terrorists. And terrorists is what these people are, in my opinion.
 

hrenki

Valued Member
Hi Popowich - too bad news from you!!!!! - because the Kaspersky utility does NOT WORK!!!!! and I need to contact the criminals, because my client's company lost all data on the network server and the backup machine is broken, so we cannot recover the data from backup. The working mailbox HELP2015@SCRYPTMAIL.COM is our ONLY CHANCE to get the data back. I don't understand why you suspended that mailbox, when you wrote previously that you would not do it???!!!!!!


What file did you give the decryptor to test passwords? I did it with a doc or xls... I remember that in the log file there was some range of tests and the password was found in the 110000-150000 range, so you can try running rakhni via cmd with that range to get results faster... if you did not use office files for decryption, try them.
 

MisterFister

Valued Member
@hrenki
Thanks for the advice! I tried a docx file. I let the Kaspersky tool run through the complete range, but it could not find any key. Did you have the decrypted version in the same directory? I don't know exactly whether the decrypted version would help to find the key.
I could rebuild most of the files on my system using shadow volume copies. So I have plenty of files in both the plain and the encrypted version. The problem is the NAS, where no shadow volume copy is available.
Does anybody know if there are tools that can regain the key from the plain and encrypted file pairs? As far as I know, RSA 2048 is immune against known plaintext attacks, but somehow I doubt that this version of Virus Encoder implemented it correctly. My Internet research led to some indications that this version of Virus Encoder uses some algorithms or code which is well known from previous ransomware.
I also found an unknown certificate on my system which actually is an RSA-2048 key, and in its properties it tells me that there is a matching private key available on my system. I guess it's worth trying the decryption with this key. Does anybody have an idea or advice on how to do so? I must confess I'm not an expert in cryptography.
 

MadDancer

Valued Member
Hi, I can confirm that the alternate addresses are working and the people behind them are able to decrypt encrypted files. I sent one file to test them, and they decrypted it to its original state. They added another alternate email address for communicating with them - filehelp@lycos.com. I tried some research comparing the original and encrypted file, but for now I have no time to try to identify the encryption technique used. Everything I know is that the virus encrypts just the first 30000 bytes and adds a 4-byte header: the first two bytes are the length of the encrypted block when the length of the file is less than 30000 bytes, otherwise it is fixed to 30000 - $7530 in hex; the third and fourth bytes are both $00. The encryption used does not affect the length of the file.
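The header layout described in the post above, turned into a triage check for a suspected file. This is an added example, not code from the thread or from any vendor tool; it assumes the 2-byte length is little-endian and that the 4-byte header is prepended (so a marked file is 4 bytes longer than the original), and the sample file it inspects is constructed, not a real encrypted file.

```python
import math
import random
import struct
from collections import Counter

MAX_BLOCK = 0x7530  # 30000: the fixed block length reported for files of 30000 bytes or more
HEADER_LEN = 4      # 2-byte block length + 2 zero bytes, as described in the thread

def parse_header(data: bytes) -> dict:
    """Parse the 4-byte header and check it against the file size.
    Assumptions: little-endian uint16 length, header prepended to the payload."""
    if len(data) < HEADER_LEN:
        return {"consistent": False, "block_len": None, "reason": "shorter than header"}
    block_len, pad = struct.unpack("<HH", data[:HEADER_LEN])
    expected = min(len(data) - HEADER_LEN, MAX_BLOCK)
    reason = None
    if pad != 0:
        reason = "bytes 2-3 are not zero"
    elif block_len != expected:
        reason = f"block length {block_len} does not match expected {expected}"
    return {"consistent": reason is None, "block_len": block_len, "reason": reason}

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def triage(data: bytes) -> dict:
    """Header check plus an entropy split: only the first block is encrypted,
    so it should look random while the untouched tail keeps its original entropy."""
    info = parse_header(data)
    if not info["consistent"]:
        return info
    end = HEADER_LEN + info["block_len"]
    info["block_entropy"] = round(entropy(data[HEADER_LEN:end]), 2)
    info["tail_entropy"] = round(entropy(data[end:]), 2)
    return info

def make_sample(original: bytes, seed: int = 1) -> bytes:
    """Constructed stand-in for an affected file (not a real sample): header,
    random bytes in place of the first min(len, 30000) bytes, original tail."""
    n = min(len(original), MAX_BLOCK)
    rnd = random.Random(seed)  # one generator, so each byte is a fresh draw
    block = bytes(rnd.getrandbits(8) for _ in range(n))
    return struct.pack("<HH", n, 0) + block + original[n:]
```

A low tail entropy next to a near-8-bit block entropy is what you would expect from a file touched by this variant; a mismatch between the header length and the file size means the file was not written in this format or was truncated afterwards.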
 

MadDancer

Valued Member
@hrenki
First I tried to run the Kaspersky tool on a ZIP file (32kB file size), then on a .cer b64-encoded certificate file (1.5kB file size). Both with no result.
 