SCRYPTmail virus-encode ransomware (help2015@scryptmail)

Discussion in 'SCRYPTmail' started by popowich, Aug 5, 2015.

  1. MisterFister

    Morning Folks!
    I tried to decrypt one of hrenki's files on my machine. It worked immediately. The password could be recovered. This means that it does not depend on the computer running in safe mode.
    I opened one of the encrypted files with TinyHexer. It's got the same known signature at the beginning. I don't think that the criminal has changed the encryption algorithm. What I can imagine is that the keys for the encryption might get longer or better over time. As machura mentioned, hrenki's id starts with a zero. My id starts with 2. Maybe the attacker changed the range or length of the keys used for the encryption, or even worse, maybe he changed the hash algorithm for creating the keys. This could in the worst case mean that the Kaspersky tool can't cover the key space used for higher id values. This would be very bad news for some of us...
     


  2. hrenki

    Did you find out what the password is? Has Kaspersky left an oshit file on your device? The encrypted password is a connection between the id and the encrypted files, so we could try to get other passwords by id.
     

  3. MisterFister

    @hrenki
    No oshit file on my machine. I guess this evolution of the encoder does not use the oshit file. It's well documented on the web that the left-behind oshit file made decryption in older versions easy. So I guess the criminals changed the code in a way that it works without the file. There surely is a link between the id and the password. Kaspersky did not show the password in the logfile. If it were possible to see the password, it might be possible to find this link. But I think this is a weak chance. If I were the criminal, I would have implemented the key creation with random numbers and would simply save the link between the random key and the id in a database. But I guess we should take any chance we get, no matter how weak it appears. Is anyone in contact with Kaspersky support?
     
  4. hrenki

    Hmm, it is a bit risky to get a connection from an infected machine to some server... I mean, if it is like that, we could easily find that server and brute force it or something to get all passwords... I didn't contact Kaspersky... it would be great if they joined this thread and helped.
     
  5. machura

    Paid :(, ... data are back.

    Note: make a backup of the encrypted files before decrypting, because all files that were open at the time the virus encrypted were renamed but not encrypted, because the virus had no access to these files. After recovery these files will be encrypted => you must find them, take them from the backed-up encrypted files and only rename them...

    bye
     
  6. hrenki

    @machura - can you post the decryption tool or something you got from them?
     
  7. maspe

    Hi, I have the same problem... @machura, if I send a file, can you try to decode it, please?
     
  8. sfreeatt

    Hi everyone! I just wanted you to know that rakhnidecryptor did the job. It recovered around 95% of all encrypted files. Around 5% it couldn't decrypt and I don't know the reason, but hey, at least it saved me the ransom money.
     
  9. MisterFister

    It seems we have two cases of successful decryption. At least this means that the algorithm used by the criminal is known. Now the question is why it works in some cases and why it doesn't in other cases. I can only imagine that the Kaspersky tool doesn't cover the whole key range used by the criminal. I still have hope that there will be an update of the tool available soon. I just checked the Kaspersky download site. Currently there is version 1.14.0.0 available, which is the same as two weeks ago. This version didn't work in my case.
     
  10. MisterFister

    Morning!

    I just wrote a post in the English user forum on the Kaspersky website, where someone started a thread about this virus at the end of July. Perhaps there will be a reply from Kaspersky support. I mentioned that their tool was capable of decrypting the files in some cases. So hopefully they decide to work on an update of rakhnidecryptor.
     
  11. sfreeatt

    Hi again!
    Seeing that I'm one of the lucky ones, I thought I'd share whatever information I have about my case! As I mentioned in my previous post, around 5% of my files were not decrypted. However, they are all located in a bunch of folders that I had previously deleted by mistake and had to recover with "Pandora recovery" prior to the decryption process, which might have caused some damage to them (which is to be expected). This being said, some of these successfully decrypted files could not be opened and I don't know which of the two processes damaged them. Files in other folders were decrypted 100% and working.

    I am using Windows 10 32-bit and my CPU is an old AMD Athlon 64 X2 5200+. The program ran for about 30 hours and the load bar was at about 30% when the software guessed (maybe not the proper term) the password. In my case rakhnidecryptor had to be the only running third-party application, otherwise it crashed after some time. It also saved a log file on my PC after it had done its job (maybe there is some useful info in there).

    I should say that I am not very tech savvy and I'm just posting whatever info I have about the problem. I don't insist in any way that it could be used to solve other people's problems with this virus.

    In my opinion, if time is not a factor, the right approach to the problem should be to wait until software capable of decrypting your files is released. The people responsible for this virus should not be stimulated financially in any way.
     
  12. killah78

    @sfreeatt: Which file type did you take to run the recovery? And with which number does your id (part of the filename) start? I also have this problem and am running the recovery at the moment. With a jpg file I got lots of false success messages. I guess the recovery programme is looking at the file header. In the case of jpg files, only 2 bytes.
     
  13. Kai9456

    Hello, 4 years ago, in 2015, I was a user who had been infected by the SCRYPTmail ransomware detected as a file encoder. I deleted the virus, but during these 4 years I have not discovered how to decrypt my personal files; they are photos and videos. I still have my encrypted files and Kaspersky no longer works to decrypt them. I would be very grateful if you could help me recover them.
     
  14. Kai9456

  15. popowich

    Hi Kai,

    That address was used by a bad guy who I believe was running a Ransomware scam at the time. It might not be possible to recover those files anymore.
     
  16. Kai9456

    Thanks for answering me, Popowich,

    Unfortunately, Kaspersky does not work for decrypting anymore. I arrived too late to solve this problem; I doubt that SCRYPTmail has some solution for this after 4 years. :(
     
  17. popowich

    I understand it's probably not a helpful answer, but that's like asking Google for a solution if a bad guy had registered and happened to use a Gmail address for a few days. SCRYPTmail was an email hosting provider but didn't make it and is shutting down in a few months.
     
  18. Kai9456

    This was the only site where people reported about this topic; this ransomware was just executed using an account for SCRYPTmail a couple of times during 2015. I will try using other decryption programs.
     
  19. Kai9456

    Only in some versions of Kaspersky can these files be decrypted, but in others not; in my case it did not work. There has only been one user who managed to decrypt them with version 1.14.0.0, and I am not in the mood right now. I am tired of constantly writing to resolve this problem; these photos and videos are more than 10 years old and they have a lot of value for me. (Sorry if that sounds rude.)
     
