SCRYPTmail virus-encode ransomware (help2015@scryptmail)

MisterFister

Valued Member
Morning Folks!
I tried to decrypt one of hrenki's files on my machine. It worked immediately. The password could be recovered. This means that it does not depend on the computer running in safe mode.
I opened one of the encrypted files with TinyHexer. It's got the same known signature at the beginning. I don't think that the criminal has changed the encryption algorithm. What I can imagine is that the keys for the encryption might get longer or better over time. As machura mentioned, hrenki's id starts with a zero. My id starts with 2. Maybe the attacker changed the range or length of the keys used for the encryption, or even worse, maybe he changed the hash algorithm for creating the keys. This could in the worst case mean that the Kaspersky tool can't cover the key space used for higher id values. This would be very bad news for some of us...
 

hrenki

Valued Member
Did you find out what the password is? Has Kaspersky left an oshit file on your device? The encrypted password is a connection between the id and the encrypted files, so we could try to get other passwords by id.
 

MisterFister

Valued Member
@hrenki
No oshit file on my machine. I guess this evolution of the encoder does not use the oshit file. It's well documented on the web that the left-behind oshit file made decryption in older versions easy. So I guess the criminals changed the code in a way that it works without the file. There surely is a link between the id and the password. Kaspersky did not tell the password in the logfile. If it was possible to see the password, it might be possible to find this link. But I think this is a weak chance. If I were the criminal, I would have implemented the key creation by random numbers and would simply save the link between the random key and the id in a database. But I guess we should take any chance we get, no matter how weak it appears. Is anyone in contact with Kaspersky support?
 

hrenki

Valued Member
Hmm, it is a bit risky to get a connection from an infected machine to some server... I mean, if it is, we could easily find that server and brute force it or something to get all passwords... I didn't contact Kaspersky... it would be great if they joined this thread and helped.
 

machura

New Email
Paid :(, ... data are back.

Note: make a backup of the encrypted files before decrypting, because all files that were open at the time the virus encrypted were renamed but not encrypted, because the virus had no access to these files. After recovery these files will be encrypted => you must find them, take them from the backed-up encrypted files and only rename them...

bye
 

sfreeatt

New Email
Hi everyone! I just wanted you to know that rakhnidecryptor did the job. It recovered around 95% of all encrypted files. Around 5% it couldn't decrypt and I don't know the reason, but hey, at least it saved me the ransom money.
 

MisterFister

Valued Member
It seems we have two cases of successful decryption. At least this means that the algorithm used by the criminal is known. Now the question is why it works in some cases and why it doesn't in others. I can only imagine that the Kaspersky tool doesn't cover the whole key range used by the criminal. I still have hope that there will be an update of the tool available soon. I just checked the Kaspersky download site. Currently there is version 1.14.0.0 available, which is the same as two weeks ago. This version didn't work in my case.
 

MisterFister

Valued Member
Morning!

I just wrote a post in the English user forum on the Kaspersky website, where someone started a thread about this virus at the end of July. Perhaps there will be a reply from Kaspersky support. I mentioned that their tool was capable of decrypting the files in some cases. So hopefully they decide to work on an update of rakhnidecryptor.
 

sfreeatt

New Email
Hi again!
Seeing that I'm one of the lucky ones, I thought I'd share whatever information I have about my case! As I mentioned in my previous post, around 5% of my files were not decrypted. However, they are all located in a bunch of folders that I had previously deleted by mistake and had to recover with "Pandora Recovery" prior to the decryption process, which might have caused some damage to them (which is to be expected). This being said, some of these successfully decrypted files could not be opened and I don't know which of the two processes damaged them. Files in other folders were decrypted 100% and working.

I am using Windows 10 32-bit and my CPU is an old AMD Athlon 64 X2 5200+. The program ran for about 30 hours and the load bar was at about 30% when the software guessed (maybe not the proper term) the password. In my case rakhnidecryptor had to be the only running third-party application, otherwise it crashed after some time. It also saved a log file on my PC after it had done its job (maybe there is some useful info in there).

I should say that I am not very tech-savvy and I'm just posting whatever info I have about the problem. I don't insist in any way that it could be used to solve other people's problems with this virus.

In my opinion, if time is not a factor, the right approach to the problem should be to wait until software capable of decrypting your files is released. The people responsible for this virus should not be stimulated financially in any way.
 

killah78

New Email
@sfreeatt: Which file type did you use to run the recovery? And which number does your id (part of the filename) start with? I also have this problem and am running the recovery at the moment. With a jpg file I got lots of false success messages. I guess the recovery programme is looking at the file header. In the case of jpg files, only 2 bytes.
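The false success messages killah78 describes are what you get when a decryptor judges a candidate key by only the first two bytes of the output: roughly one wrong key in 65536 produces a leading FF D8 by chance. The following Python is an added example written for this thread, not code from the post or from the Kaspersky tool, and it assumes only what killah78 states (a two-byte header check). It contrasts that weak check with a structural JPEG check that walks the marker segments up to the start-of-scan and requires the EOI marker at the end, which is the kind of check a victim can run over decryptor output to separate real recoveries from false positives and damaged files. All sample byte strings are constructed for the example.

```python
from typing import Tuple

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker


def looks_like_jpeg_two_bytes(data: bytes) -> bool:
    """Weak check: only the 2-byte SOI magic, as described in the post.
    Any wrong key that happens to yield FF D8 passes this test."""
    return data[:2] == SOI


def validate_jpeg_structure(data: bytes) -> Tuple[bool, str]:
    """Stronger check: SOI first, a chain of well-formed marker segments
    (each with a plausible length that stays inside the file) that includes
    a frame header (SOF) before the start-of-scan (SOS), and EOI as the
    last two bytes. Returns (ok, reason)."""
    if len(data) < 4 or data[:2] != SOI:
        return False, "missing SOI marker"
    if data[-2:] != EOI:
        return False, "missing EOI marker at end of file"
    pos = 2
    saw_sof = False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker == 0xDA:            # SOS: entropy-coded data follows
            return (True, "ok") if saw_sof else (False, "SOS before any SOF")
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False, f"bad segment length {seg_len} for marker 0x{marker:02x}"
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            saw_sof = True            # SOF0..SOF15 (excluding DHT/JPG/DAC)
        pos += 2 + seg_len
    return False, "ran out of data before SOS"


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG skeleton: SOI, APP0 (JFIF), SOF0, SOS, scan bytes, EOI.
GOOD_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + EOI
)

# Constructed false positive: a wrong key that happens to yield FF D8, then junk.
FALSE_POSITIVE = SOI + b"\x9a\x3c\x00\x71\xde\xad\xbe\xef" * 4

# Constructed damaged file: cut inside the SOF segment, then an EOI appended.
TRUNCATED = GOOD_JPEG[:25] + EOI


def compare_checks(data: bytes) -> dict:
    """Run both checks so the difference is visible side by side."""
    ok, reason = validate_jpeg_structure(data)
    return {"two_byte": looks_like_jpeg_two_bytes(data), "structural": ok, "reason": reason}


if __name__ == "__main__":
    for name, sample in (("good", GOOD_JPEG), ("false positive", FALSE_POSITIVE), ("truncated", TRUNCATED)):
        print(name, compare_checks(sample))
```

Run it on files a decryptor has written out: a candidate that passes the two-byte check but fails the structural check is a wrong key or a damaged file, not a recovery, and should not be counted as a success.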
 

Kai9456

New Email
The account of the criminal has been suspended.

They can no longer use that SCRYPTmail address as a way to communicate and request payment from victims.

Hello, 4 years ago, in 2015, I was a user who had been infected by the SCRYPTmail ransomware, detected as a file encoder. I deleted the virus, but during these 4 years I have not discovered how to decrypt my personal files; they are photos and videos. I still have my encrypted files and Kaspersky no longer works to decrypt them. I would be very grateful if you could help me recover them.
 

EQ Admin

EQ Forum Admin
Staff member
Hi Kai,

That address was used by a bad guy who I believe was running a Ransomware scam at the time. It might not be possible to recover those files anymore.
 

Kai9456

New Email
Thanks for answering me Popowich,

Unfortunately, Kaspersky no longer works to decrypt them. I arrived too late to solve this problem; I doubt that SCRYPTmail has some solution for this after 4 years. :(
 

EQ Admin

EQ Forum Admin
Staff member
I understand it's probably not a helpful answer, but that's like asking Google for a solution if a bad guy had registered and happened to use a gmail address for a few days. SCRYPTmail was an email hosting provider but didn't make it and is shutting down in a few months.
 

Kai9456

New Email
This was the only site where people reported about this topic; this ransomware was just executed using an account on SCRYPTmail a couple of times during 2015. I will try using other decrypt programs.
 

Kai9456

New Email
I understand it's probably not a helpful answer, but that's like asking Google for a solution if a bad guy had registered and happened to use a gmail address for a few days. SCRYPTmail was an email hosting provider but didn't make it and is shutting down in a few months.

Only in some versions of Kaspersky can these files be decrypted, but in others not. In my case it did not work; there has only been one user who managed to decrypt them with version 1.14.0.0, and I am not in the mood right now. I am tired of constantly writing to resolve this problem; these photos and videos are more than 10 years old and they have a lot of value for me. (Sorry if that sounds rude.)
 

huggies99

New Email
Help, I can't log in to my 3 mails; an error is issued: incorrect login password; problem with the site. I need to log in to re-link to another
 