florind

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #15 on: November 10, 2015, 08:01:28 am »
You can start Rakhnidecryptor in a command prompt window with parameters:
-h      -> help
-l      -> path and name for the log file
-start  -> value to start from [0;1.000.000] (for you should be 557976)
-end    -> the value where to stop the scan <=1.000.000
I didn't find yet the Password, so I don't know what you should do after.

Execute

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #16 on: November 10, 2015, 11:25:25 am »
You can start Rakhnidecryptor in a command prompt window with parameters:
-h      -> help
-l      -> path and name for the log file
-start  -> value to start from [0;1.000.000] (for you should be 557976)
-end    -> the value where to stop the scan <=1.000.000
I didn't find yet the Password, so I don't know what you should do after.

That is helpful, but not everybody knows exactly how to do that.

First, if someone needs to get information about a log file from a previous RakhniDecryptor scan - they are .txt files located in your SystemDrive directory (the Drive where you have installed the Operating System), usually "C:\" . All logs start with the name "RakhniDecryptor." and are all visible.

Second, in order to start RakhniDecryptor in a CommandPrompt window, so you can write different parameters in it, you need to do the following:
  • Go to Windows "Search" opened from the "Start" button.
  • Type "cmd" in that search field and press "Ctrl+Shift+Enter" (all at the same time) to open Command Prompt as an Administrator.
  • Move the "rakhnidecryptor.exe" file into the "C:\" Drive.
  • Go back to Command Prompt, see what directory is written before the blinking lower dash. If it is D:\... or something different than the C:\ drive, you have to change it to only the C:\ letter.
  • To change the directory to C - type in "C:". If it's showing a path like C:\Windows\System32, type in "cd.." as many times as needed, until it is showing only the "C:\" drive letter:

Third, type in Command Prompt the following parameters:
  • RakhniDecryptor.exe -start <number from 0 to 1000000> to start decrypting from a certain value.
  • In test4just's case, it should look like: "RakhniDecryptor.exe -start 557975" (One number before it found the password - if it indeed does scan chronologically)
  • If you want to set where the scan will end - just type "end" instead of "start". "RakhniDecryptor.exe -end 999999" for example. You can type both commands in one line.
Fourth, some optional commands you can type for convenience:
  • A command you can type to specify how many cores of your processor should be utilized, thus changing how much resource the Decryptor uses:
    "RakhniDecryptor.exe -threads <number>";
    If you don't write the -threads and number parameters, the Decryptor should utilize all cores and threads of your processor.
    But if the whole computer is running slow because of it, you can type in 2 threads less than the number of cores you have.
    If you have an 8 core processor, you can type "RakhniDecryptor.exe -threads 6" to see if it helps.
  • Typing "RakhniDecryptor.exe -l <Directory and filename (.extension)>" will save your log files in a Directory and format you want.
    E.g.: RakhniDecryptor.exe -l D:\Log.txt - this will create a file named "Log" with the .txt extension in the D:\ Drive.
    Note: If you type the same command every time without changing the name of the file or its format - there will be only one file which is going to be overwritten every time.
« Last Edit: November 10, 2015, 11:34:05 am by Execute »

xxxnick

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #17 on: November 11, 2015, 01:33:43 pm »
Hi Never,

still no luck ...7 days now!

About system configuration (poor pc) :
Processor: Intel(R) 2140 @ 1.60 GHz, 800 MHz
RAM: 3.00 GB
OS: Win7 64-bit
Hard Disk: 500GB

In the Rakhni log file the last current state is : Current state: 644808 / 1000000 and continues...

Regards,
Nikos

never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #18 on: November 11, 2015, 03:20:51 pm »
Dear Nikos,

Can you share 1 file encrypted by this specific ransomware variant? I will make an attempt to decrypt it. Send it via email on this address:

idunn0@abv.bg

You may have been hit by a variant containing a more difficult encryption, and I will attempt to decrypt it via several different methods, after which I will reply to you with instructions, if we succeed, that is.
Thanks in advance,
Never
PS: In case the file is not that important to you, you can straight up upload it as an attachment so others interested in this forum topic may also try to decrypt it.
« Last Edit: November 11, 2015, 03:30:12 pm by never »

xxxnick

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #19 on: November 12, 2015, 09:34:14 am »
Hi Never,

I attach the file and thank you for your interest and your time

Thanks in advance,
Nikos
« Last Edit: May 25, 2018, 04:13:29 pm by sensadmin »

kazak

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #20 on: November 12, 2015, 10:47:38 am »
Hi Never,

unfortunately I have been hit by the same helpme@freespeechmail.org ransomware, too.
Currently I'm trying with RakhniDecryptor - still in the beginning.
I have a chance to have some pairs of original jpg files and encrypted ones. When I compare them it looks like only a block at the beginning of the file is encrypted and the rest of it is the same in both versions.
Is this the normal variant of the virus, or have I been hit by some strange variant?
Can I send you a sample to check?

Another strange thing is that I still cannot identify the source PC of the infection. As two PCs have access to the same network resource, which has been affected, I checked both PCs with many scan and remove programs including Kaspersky, ESET, Malwarebytes, SpyHunter .... They also had ESET and Malwarebytes pre-installed and up to date. None of them shows a trace of the ransomware virus when checked with any of the above.
Is there a scan/remove tool which detects this malware?
I checked already system processes, files, etc. as per the manual removal guide, but didn't see anything suspicious, which makes me even more suspicious :)

Regards,
Kazak
 

kazak

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #21 on: November 12, 2015, 11:47:46 am »
Hi again,

trying to check with cryptotool gives these results:

[root@:/usr/src/cryptotool#]python ./decrypt.py "DSC_4011_.jpg.id-9580666189_helpme@freespeechmail.org"
[-] Error parsing file footer
[root@:/usr/src/cryptotool#]python ./decrypt.py "14 yoga uprajneniq, koito da pravish vkyshti_.pdf.id-9580666189_helpme@freespeechmail.org"
[-] Error parsing file footer


never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #22 on: November 12, 2015, 12:51:11 pm »
Hello, I have tried multiple times to decrypt files of the virus and it seems as though the creator of the ransomware may have improved his encryption algorithm. This means that it may no longer be possible to decrypt your files using RakhniDecryptor. I will continue working on newer instructions on how to decrypt and I will try to identify if it is at all possible to decrypt the files and which tool is needed. Stay tuned to this topic and do NOT pay the ransom money even if it is not possible to decrypt your files, because this way you are funding the cyber-criminals to develop it even more.

PS: Thanks to information by Nod32 I have managed to find the encryption algorithms used by the variants of this trojan and I am currently looking for decryption tools for those algorithms. Here are the algorithms:

SHA512, 3DES
SHA512, AES
SHA512, Blowfish
SHA512, CAST-128
SHA512, CAST-256
SHA512, DES
SHA512, GOST
SHA512, ICE
SHA512, IDEA
SHA512, MARS
SHA512, MISTY1
SHA512, RC2
SHA512, RC4
SHA512, RC5
SHA512, RC6
SHA512, Serpent
SHA512, TEA
SHA512, Twofish

« Last Edit: November 12, 2015, 01:56:39 pm by never »

never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #23 on: November 12, 2015, 12:53:37 pm »
Hello, kazak

It seems that your variant has not encrypted your files with the RSA encryption algorithm, which the Ubuntu tutorial is for. Please check my previous reply for the possible algorithms the variants of this trojan use.

Otherwise I think you should try the following instructions, posted on the blog:

"BertaB
(Post author)
October 16, 2015 at 7:20 am

Hello,

This may be due to one of the following reasons:

1) Old python version.

sudo apt-get update python

2) Error in file name or command.

Check the command you typed carefully. Can you tell me which one is it? If it is this one:

python ./decrypt.py “MY ENCRYPTED FILE.jpg.bitcrypt”

it should be typed with the brackets exactly as seen above.

3)Error in the ‘decrypt.py’ file

In case it doesn't work you shouldn't try to look for the issue since you may lose a lot of your time in doing so.
Your best bet is to try DecrypterFixer. You can download it from here:

https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip

It has a well made ‘decrypt.py’ file and should work for you.

In case the first web link is broken, try this one:

https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip"



« Last Edit: November 12, 2015, 01:13:33 pm by never »

never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #24 on: November 12, 2015, 01:40:41 pm »
For those of you who have File History or Backup enabled and use Microsoft Windows, you can download Shadow Explorer from here:

http://www.shadowexplorer.com/downloads.html

This program looks for previous versions of backed up files. I hope it helps at least to those with File History enabled.

kazak

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #25 on: November 12, 2015, 02:03:04 pm »
Hi Never,
I tried with decrypt.py from the links provided, but the error is the same.
I'm afraid it is not only encrypted with different encryption algorithms, but it looks like only the first 0x7530 bytes are encrypted. The rest of the files are identical, except for a few bytes at the end.
I can attach a sample from a jpg I have both in original and encrypted form, exported as a hex dump, but they are 400-500K each and I cannot post them here.

Thank you for your time and concern on this!

Regards,
Kazak

never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #26 on: November 12, 2015, 02:07:59 pm »
Kazak, send it via email - idunn0@abv.bg
« Last Edit: November 12, 2015, 02:09:45 pm by never »

kazak

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #27 on: November 12, 2015, 02:32:44 pm »
Never, sent them to email
Thanks!

never

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #28 on: November 12, 2015, 03:51:07 pm »
Hello,

Here is a web link to one of the best user friendly data recovery tools that also has a free trial version:

http://www.easeus.com/datarecoverywizardpro/

The sole purpose of this software is to recover deleted files on your computer. Try to scan with it and see what happens. I have personally used the software and managed to recover several JPG files. However, there is a big IT DEPENDS.

Good Luck!
« Last Edit: November 12, 2015, 03:59:20 pm by never »

kazak

Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
« Reply #29 on: November 13, 2015, 08:07:59 am »
Hi,

it looks like I have a variation of the ransomware which encrypts only the first 30K of the files. The smaller ones are encrypted in full. This makes it very fast and aggressive, as it locks big and small files at the same speed. I think it does not copy the file and delete the original; it overwrites the first 30K bytes directly.

I gave it a shot with RakhniDecryptor (latest, 07.2015 from Kaspersky) on both files smaller than 30K and bigger files.
Rakhni reports the password found on the smaller file very quickly and tried to decrypt all the bigger and smaller files, but unfortunately without success. At the end the files are not decrypted to their original state.
The interesting thing is that Rakhni seems to deal with partially decrypted files, as it decrypts only the first 30K of the bigger ones and does not touch the unencrypted rest of the file! Unfortunately it does not find the real key or the encryption method in that case.
I'm not deep into crypto yet, but in that case has it really found the key and just does not match the method for decryption? Or has it just not found the real key?

RakhniDecryptor is still running with the bigger file (Current state: 394512 / 1000000).

Will attach some samples from the first case later.

Regards
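Kazak's observation in the two posts above (only a fixed-size leading block rewritten, the rest of the file untouched, a few bytes appended) can be measured instead of eyeballed in a hex dump. This is an added example, not code from the thread or from RakhniDecryptor; the prefix length 0x7530 is the figure kazak reported, while the sample files and the footer bytes are constructed placeholders.

```python
# Added example, not code from the thread or from RakhniDecryptor. Model taken
# from kazak's description: encrypted = E(original[:P]) + original[P:] + footer,
# P = 0x7530. Given an original/encrypted pair it measures the rewritten prefix,
# the untouched tail and the appended footer. Samples below are constructed.

PREFIX_LEN = 0x7530             # 30000 bytes, the figure reported in the thread
FOOTER = b"FOOTER-PLACEHOLDER"  # constructed; the real trailing bytes are not known here

def common_suffix_len(a: bytes, b: bytes) -> int:
    """Number of trailing bytes that a and b have in common."""
    n = 0
    while n < len(a) and n < len(b) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

def analyse_pair(original: bytes, encrypted: bytes) -> dict:
    """Describe which regions of `encrypted` differ from `original`.
    The tail is measured as a common suffix, so a ciphertext byte equal to the
    plaintext byte just before P under-counts the prefix by one (1/256 chance
    per pair); compare several pairs to confirm a constant P."""
    footer_len = max(0, len(encrypted) - len(original))
    untouched = common_suffix_len(original, encrypted[:len(original)])
    return {
        "encrypted_prefix": len(original) - untouched,
        "untouched_tail": untouched,
        "footer": footer_len,
        "fully_encrypted": untouched == 0,  # files shorter than P are rewritten whole
    }

def fake_encrypt(data: bytes) -> bytes:
    """Constructed stand-in for the ransomware: change every byte of the first
    PREFIX_LEN bytes (XOR with a constant) and append the footer."""
    head = bytes(b ^ 0xA5 for b in data[:PREFIX_LEN])
    return head + data[PREFIX_LEN:] + FOOTER

# Constructed samples: a 120064-byte "photo" and a 1796-byte file shorter than P.
ORIGINAL_BIG = bytes(range(256)) * 469
ORIGINAL_SMALL = bytes(range(256)) * 7 + b"tail"
ENCRYPTED_BIG = fake_encrypt(ORIGINAL_BIG)
ENCRYPTED_SMALL = fake_encrypt(ORIGINAL_SMALL)

if __name__ == "__main__":
    print("big  ", analyse_pair(ORIGINAL_BIG, ENCRYPTED_BIG))
    print("small", analyse_pair(ORIGINAL_SMALL, ENCRYPTED_SMALL))
```

To use it on real files, read the original and the encrypted copy with `open(path, "rb").read()` and pass them to `analyse_pair`; a constant `encrypted_prefix` across several pairs confirms the fixed-size-block behaviour described in the thread.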