SCRYPTmail virus-encode ransomware (help2015@scryptmail)

Discussion in 'SCRYPTmail' started by popowich, Aug 5, 2015.

  1. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    Well.....
Kaspersky just finished its work and said that it failed to recover a password. This is bad news...
@MadDancer I hope you get a better result. If you can break the encryption, it would be nice if you could post what exactly you did, what file type you used, etc.
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144

  3. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144
    A purchase worth considering is online backups for your computer. Online backups can protect you from lost files, computer viruses, etc.

    Connected devices such as external hard drives and thumb drives can be infected too, and if not stored in a separate location, they could be stolen or lost with your computer if there is a fire.
     
  4. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    @popowich
Nice advice... but it doesn't get the victims of the attack any further.
I was able to restore most of the infected files on my computer using shadow copies. It seems we are lucky and this version of the Virus Encoder does not delete the shadow volume copies. The problem is the NAS which was mapped as a drive. There is no shadow copy available.

    @MadDancer
    Anything new from your decryption attempt with the kaspersky tool?
     
  5. compleo

    compleo Valued Member

    Joined:
    Jul 11, 2015
    Messages:
    320
    Likes Received:
    61
Exactly, the lowlife who did wrong is the guilty party.
     
    popowich likes this.
  6. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144
    The account help2015@scryptmail.com has been suspended.

    For anyone who is following and is interested in the technical "how it works" behind the scenes:

    There is a limitation of the mail system that currently results in any new email being sent to that account getting silently discarded instead of bouncing with a 5xx error message.

    The encrypted data for the account will remain in the system. The account has not been deleted.

    There is no mechanism, even with the suspend process, that allows SCRYPTmail or anyone else to gain access to the old or new mailboxes.

    After SCRYPTmail begins offering premium accounts, this account may be subject to free account inactivity limits and eventually deleted for that reason.

    SCRYPTmail accounts that are deleted remain in backups for 7 days before the data is permanently lost.
     
  7. compleo

    compleo Valued Member

    Joined:
    Jul 11, 2015
    Messages:
    320
    Likes Received:
    61
    Does this apply to those who were not infected?
     
  8. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144
    The account of the criminal has been suspended.

    They can no longer use that SCRYPTmail address as a way to communicate and request payment from victims.
     
  9. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
Hi Popowich - too bad news from you !!!!! - because the Kaspersky utility does NOT WORK !!!!! and I need to contact the criminals, because my client's company lost all data on the network server and the backup machine is broken, so we cannot recover data from backup. The working mailbox HELP2015@SCRYPTMAIL.COM is our ONLY CHANCE to get the data back. I don't understand why you suspended that mailbox, when you wrote previously that you would not do it ???!!!!!!
     
    Last edited: Aug 12, 2015
  10. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
I can't believe that you suspended that mailbox. Now anyone who gets infected will lose their files without any chance of recovery :(((((( You cannot be serious !!!! You cannot stop the spreading of this virus and you did such a thing!!!! Please open that mailbox for the next couple of days, so the people can make their own decision to pay or not to pay. And for example, some people may have paid bitcoins to the criminals and now they cannot receive decrypt instructions. So they lost data and money too, because you suspended that account :(
     
    Last edited: Aug 12, 2015
  11. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144
    There are alternate email addresses in their notification such as help2015@tuta.io that AFAIK are still active and can be used to make contact.
     
  12. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
Yes, you're right, but how can you know that it's a real contact mail to the real publishers of the virus? (Nothing against MisterFister) These alternate addresses are published only in this forum at this moment. So I will try to send a sample of an encrypted file to these addresses to decode, to prove the authenticity of the right recipient.
     
  13. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,000
    Likes Received:
    144
    You are correct, can't be sure.

    Keep your programs and anti-virus up to date, and have good backups for important data. :hammer:
     
  14. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
Thank you for the advice, but more bad things happened at the same time - the backup machine got broken a few days before they got the virus :(

At the moment of the virus attack (Tuesday morning), no antivirus was able to detect that file. I tested it again on Tuesday evening through virustotal.com and only two antivirus products out of 55 detected it. Today 9 out of 55, still a very low detection rate.
     
  15. SCRYPTmail

    SCRYPTmail Email Service Provider

    Joined:
    May 6, 2015
    Messages:
    167
    Likes Received:
    37
I think we can resume that account. If Kaspersky is not working and there is no solid solution to the problem, we feel responsible to give people a chance to recover information.

Please let me know if some of you were able to successfully recover files; otherwise, if we hear that it's only used to steal money, it will be shut down permanently.
     
  16. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    @MadDancer
The alternative address I posted was from the email I received from the criminal. I can forward this mail directly to you, if you are interested. The criminals also left an alternative email address in their message (the bitmap with the two eyes which is left on the infected system), this is help2015@inbox.lv. I didn't try this one myself. It's a pain in the ass that Kaspersky doesn't work. Too bad that hrenki could not supply any detailed information about what he did to break the encryption. I still hope there will come some updated tool from one of the big AV labs. It is of course hard to lose data, especially if a business is hit by the attack, as in my case. On the other hand, I think just like our great former chancellor Helmut Schmidt: I will not negotiate with any kind of terrorists. And terrorists is what these people are, in my opinion.
     
  17. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3

What file did you give the decryptor to test the pass? I did it with a doc or xls... I remember that in the log file there was some range of tests and the password was found in the 110000-150000 range, so you can try running rakhni via cmd with that range to get results faster... if you did not use office files for decryption, try them.
     
  18. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    @hrenki
Thanks for the advice! I tried a docx file. I let the Kaspersky tool run through the complete range, but it could not find any key. Did you have the decrypted version in the same directory? I don't know exactly whether the decrypted version would help to find the key.
I could rebuild most of the files on my system using shadow volume copies. So I have plenty of files in both the plain and the encrypted version. The problem is the NAS; there is no shadow volume copy available.
Does anybody know if there are tools that can regain the key from the plain and encrypted file pairs? As far as I know, RSA-2048 is immune against known-plaintext attacks, but somehow I doubt that this version of Virus Encoder implemented it correctly. My Internet research led to some indications that this version of Virus Encryptor uses some algorithms or code which is well known from previous ransomware.
I also found an unknown certificate on my system which actually is an RSA-2048 key, and in its properties it tells me that there is a matching private key available on my system. I guess it's worth trying the decryption with this key. Does anybody have an idea or advice how to do so? I must confess I'm not an expert in cryptography.
     
  19. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
Hi, I can confirm that the alternate addresses are working and the people behind them are able to decrypt encrypted files. I sent one file to test them; they decrypted it to its original state. They added another alternate email address for communication with them - filehelp@lycos.com. I tried some research comparing the original and encrypted file, but now I have no time to try to identify the encryption technique used. All I know is that the virus encrypts just the first 30000 bytes and adds a 4-byte header: the first two bytes are the length of the encrypted block when the length of the file is less than 30000 bytes, otherwise it is fixed to 30000 - $7530 in hex; the third and fourth byte are both $00. The encryption used does not affect the length of the file.
     
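The byte layout MadDancer describes can be turned into a triage check over plain/encrypted file pairs, the kind MisterFister asks about a few posts up. The following is an added example, not code from the thread or from any tool mentioned in it. It assumes the 4-byte header is prepended to the file and that the length field is a little-endian 16-bit value (the post gives the value $7530 but not the byte order); it builds its own constructed sample files by XOR-ing the first block with a constant, because the real cipher is unknown. It reports whether a pair matches the described pattern and how many trailing bytes survived untouched, which is the part readable without any key.

```python
"""Triage check for file pairs damaged by the encoder described in the thread.

Assumed layout (values from the post; byte order and header position are
assumptions): a 4-byte header is prepended, bytes 0-1 hold the length of the
encrypted block as a little-endian uint16 (0x7530 = 30000 when the file is at
least 30000 bytes long, else the file length), bytes 2-3 are 0x00, and the
rest of the file is left unchanged.
"""
import struct
from typing import NamedTuple

MAX_BLOCK = 0x7530  # 30000 bytes, the cap quoted in the post
HEADER_LEN = 4


class HeaderInfo(NamedTuple):
    block_len: int          # value of the 16-bit length field
    reserved_zero: bool     # bytes 2-3 are 0x00 as described
    length_matches: bool    # field equals min(body length, MAX_BLOCK)


def parse_header(encrypted: bytes) -> HeaderInfo:
    """Decode the prepended header and check it against the description."""
    if len(encrypted) < HEADER_LEN:
        raise ValueError("file shorter than the 4-byte header")
    # Little-endian is an assumption; the post only gives the value 0x7530.
    block_len, reserved = struct.unpack("<HH", encrypted[:HEADER_LEN])
    body_len = len(encrypted) - HEADER_LEN
    return HeaderInfo(block_len, reserved == 0, block_len == min(body_len, MAX_BLOCK))


def compare_pair(plain: bytes, encrypted: bytes) -> dict:
    """Report whether an original/encrypted pair fits the pattern: the body is
    as long as the original, only the first block_len bytes differ, and the
    tail is byte-identical (so it is recoverable without any key)."""
    hdr = parse_header(encrypted)
    body = encrypted[HEADER_LEN:]
    n = hdr.block_len
    return {
        "block_len": n,
        "header_ok": hdr.reserved_zero and hdr.length_matches,
        "body_len_preserved": len(body) == len(plain),
        "tail_intact": body[n:] == plain[n:],
        "head_modified": body[:n] != plain[:n],
        "recoverable_bytes": max(len(plain) - n, 0),
    }


def constructed_sample(plain: bytes) -> bytes:
    """Build a CONSTRUCTED encrypted-looking file for the demo only. The real
    cipher is unknown; the first block is XOR'd with a constant so that the
    layout checks above have something to run on."""
    n = min(len(plain), MAX_BLOCK)
    header = struct.pack("<HH", n, 0)
    scrambled = bytes(b ^ 0x5A for b in plain[:n])
    return header + scrambled + plain[n:]


if __name__ == "__main__":
    big = bytes(range(256)) * 200                   # 51200-byte constructed original
    small = b"hello from a 1.5 kB-ish cert\n" * 50  # 1450 bytes, below the cap
    for name, original in (("big", big), ("small", small)):
        print(name, compare_pair(original, constructed_sample(original)))
```

Run it against a real pair by reading both files with `open(path, "rb").read()` and passing them to `compare_pair`; a result with `header_ok` and `tail_intact` both true is consistent with the post's description, while a false `tail_intact` or an unexpected `block_len` means the sample differs from the variant MadDancer examined and the header assumptions above need revisiting.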
  20. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    @hrenki
First I tried to run the Kaspersky tool on a ZIP file (32kB filesize), then on a .cer b64-encoded certificate file (1.5kB filesize). Both with no result.
     
