
never
Network Administrator and Malware Researcher
Decrypt files Encrypted By [email protected] Ransomware Virus
« on: October 29, 2015, 04:47:08 pm »
A very nasty ransomware infection has been reported to be significantly increasing its infections on consumer user PCs, encrypting thousands of files per infected computer. The ransomware has several different variations, the main of which are [email protected]. [email protected] leaves this ransom note, naming it Recovery.bmp:



First, before decrypting the files, you need to do it safely. Use this tutorial to remove the virus's .tmp files:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/

Now it is time to decrypt your data. Fortunately for users, Kaspersky has released a decryptor for this nasty ransomware, going by the name of Rakhni Decryptor. You can download it by clicking on this link:

http://support.kaspersky.com/viruses/utility

Once you have downloaded Rakhni Decryptor, simply start the .exe file and click on Start Scan. This will open a file manager where you can select the file that you want to decrypt. It will then start the decryption process.

IMPORTANT: Decrypting files (if the algorithm allows decryption and is not too strong) may take hours or even days, depending on the encryption. You should leave your computer working at all times and NOT interrupt the decryption process. To do this, you should make sure you change your PC's power settings so that it is not allowed to hibernate or sleep during decryption. Follow these steps:
Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The mighty Power Options menu will appear. In your power plan, click on Change Plan Settings.
Step 3: In your plan's settings, make sure you set "Turn off the display" and "Put computer to sleep" to "Never" from the drop-down minutes menu.
Step 4: Click on Save Changes and close it.
Now you should leave your PC to work it out. Bear in mind that the process may take a lot of time, so arm yourself with patience and hope that the algorithm is decryptable.

Good Luck!

« Last Edit: December 04, 2015, 04:37:01 pm by never »

sensadmin
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #1 on: October 30, 2015, 11:28:29 am »
A very nasty ransomware infection has been reported to be significantly increasing its infections on consumer user PCs, encrypting thousands of files per infected computer. The ransomware then leaves this ransom note, naming it Recovery.bmp:



First, before decrypting the files, you need to do it safely. Use this tutorial to remove the virus's .tmp files:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/

Now it is time to decrypt your data. Fortunately for users, Kaspersky has released a decryptor for this nasty ransomware, going by the name of Rakhni Decryptor. You can download it by clicking on this link:

http://support.kaspersky.com/viruses/utility

Once you have downloaded Rakhni Decryptor, simply start the .exe file and click on Start Scan. This will open a file manager where you can select the file that you want to decrypt. It will then start the decryption process.

IMPORTANT: Decrypting files (if the algorithm allows decryption and is not too strong) may take hours or even days, depending on the encryption. You should leave your computer working at all times and NOT interrupt the decryption process. To do this, you should make sure you change your PC's power settings so that it is not allowed to hibernate or sleep during decryption. Follow these steps:
Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The mighty Power Options menu will appear. In your power plan, click on Change Plan Settings.
Step 3: In your plan's settings, make sure you set "Turn off the display" and "Put computer to sleep" to "Never" from the drop-down minutes menu.
Step 4: Click on Save Changes and close it.
Now you should leave your PC to work it out. Bear in mind that the process may take a lot of time, so arm yourself with patience and hope that the algorithm is decryptable.

Good Luck!

dantralee
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #2 on: November 01, 2015, 08:12:45 pm »
Hello, the company I work for got hit with this last week and we had to pay the ransom (no backups). We were supplied with the unlock tool and key, but it doesn't seem to have worked on our server, unless it's after corrupting all our files. It did work on a PC that was infected with the same.

Do you know if there is any way to tell if a file is still encrypted besides trying to just open it? Or do you know another tool besides their tool where we could enter the key they gave us? Really stuck here, thanks for your help.


mbuljan
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #3 on: November 01, 2015, 10:54:44 pm »
Has anyone had success with RakhniDecryptor?

never
Network Administrator and Malware Researcher
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #4 on: November 02, 2015, 09:25:54 am »
Hello, dantralee
As far as I know, there are two ways to spot an encrypted file:
One way is to use CrypTool (https://www.cryptool.org/en/), software for cryptanalysis. I am not very familiar with it, but you may want to check it out.

The other way is to look for a unique encryption key that is in a completely random sequence. You can do this by using Python in Ubuntu.
First, you should download the Ubuntu ISO from here:
http://www.ubuntu.com/download/desktop
Then you should download UNetbootin and boot Ubuntu from a flash drive. Download and boot instructions are here:
http://unetbootin.github.io/
After you have booted into Ubuntu, you should type 'Terminal' in the search bar on the top left and open it.
After you have opened the Terminal, type:
sudo apt-get update
sudo apt-get install python3.2
sudo apt-get install sqlite3 libsqlite3-dev
sudo gem install sqlite3-ruby

Then, download decrypt.py by right-clicking on the following link and choosing Save as...
https://bitbucket.org/cybertools/malware_tools/raw/fa4ec9df293b2504a1fa8691c91f006f32acb8bc/bitcrypt/decrypt.py
Save it in your home folder in order for the next command to work properly. Now copy the file you want to check for encryption into the very same home folder and type this command in the Terminal:

python ./decrypt.py "Your_Encrypted_Document_Name_and_Extension"

After that you should be able to see something like this:



Attach a screenshot and send it back, or simply send me the file in case you are having difficulty establishing whether it is encrypted or not, and I will check it.

Best Regards,
Never
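The reply above checks whether a file is still encrypted by looking for a completely random byte sequence. The following is an added example, not the forum's decrypt.py or any Kaspersky code: it measures the Shannon entropy of a file's bytes (ciphertext from a modern cipher scores close to 8 bits per byte) and first looks for a known document header, since an intact PDF or Office file proves the file was decrypted, while compressed formats also score high. The entropy thresholds and the short header table are my own assumptions.

```python
import math
from collections import Counter

# Constructed short table of file signatures; an intact header means plaintext.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0": "ole2/office-97",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_header(data: bytes):
    """Return the name of a recognised file signature, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def assess(data: bytes) -> dict:
    """Classify a byte sample as plaintext, encrypted/compressed or inconclusive."""
    entropy = shannon_entropy(data)
    header = detect_header(data)
    if header is not None:
        verdict = "plaintext (recognised %s header)" % header
    elif entropy > 7.9:          # assumed threshold for a sample of several KB or more
        verdict = "likely encrypted or compressed"
    elif entropy < 6.0:          # assumed threshold: text and most documents sit below this
        verdict = "likely plaintext"
    else:
        verdict = "inconclusive"
    return {"entropy": round(entropy, 3), "header": header, "verdict": verdict}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(assess(f.read(1 << 20)))   # sample the first 1 MiB
```

Run it as `python3 check_encrypted.py <file>`; a verdict of "likely encrypted or compressed" on a file that should be a document means the decryptor has not restored it yet.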

never
Network Administrator and Malware Researcher
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #5 on: November 02, 2015, 10:07:09 am »
Hello, mbuljan
Yes, fortunately it is confirmed for sure that Rakhni Decryptor works! It just takes a bit more time to decrypt the files. In case it doesn't work for you, you may have seen another variant of the ransomware. In this case you should try either this method via Linux OS using cado-nfs, part of which I mentioned in my previous reply:

http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/

Or using other Kaspersky decryptor tools:

http://support.kaspersky.com/viruses/utility#

There is also another method for decryption, but it is near sci-fi since it hasn't even been completely revealed to the public or made user-friendly:

http://sensorstechforum.com/rsa-encryption-finally-broken/

Miloss66
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #6 on: November 04, 2015, 03:19:00 pm »
Hello mbuljan,
I can confirm that Kaspersky RakhniDecryptor is working perfectly! It took 2 days and 2 hours, but all files were decrypted and successfully restored.
Thank you all for posting this, you saved my ass...  :D

mbuljan
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #7 on: November 04, 2015, 09:52:25 pm »
Yaaaay.... I want to confirm too, it took 2 days and 2 hours too... Thank you never for your help...

never
Network Administrator and Malware Researcher
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #8 on: November 05, 2015, 04:20:45 pm »
Glad it was useful. Ransomware is just going out of control lately...

florind
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #9 on: November 06, 2015, 02:31:18 pm »
Please, Miloss66 and mbuljan, can you look in the log file of RakhniDecryptor and tell us the "Current state" number where it found the key? This could save us 2 days of computing. Thank you!

ibn
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #10 on: November 07, 2015, 09:38:48 pm »
Many, many, many thanks to all of you, and of course to Kaspersky, and God bless you! Excuse me for my poor English. RakhniDecryptor is a golden tool. After 2d 18h on my Intel dual core the password was found, and it has decrypted all the affected files. I tried most of them and they are OK. The future solution for me is an external HDD that is not connected all the time, only when I need it. All my best wishes from RO

xxxnick
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #11 on: November 09, 2015, 12:27:27 pm »
Hi all,

...unfortunately no luck yet ... 5 days and 20 hours!

Nikos

Execute
Your friendly neighbourhood IT guy
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #12 on: November 09, 2015, 01:36:41 pm »
@ibn
I am glad that it worked! An external disk is a good way to prevent important files from being locked, and I endorse it!  ;)

@xxxnick
Well, Nikos, there are different variants of the ransomware, and it seems some variants lock the files with a stronger password. Just wait some more to see if you get lucky in the end. Best of luck!

never
Network Administrator and Malware Researcher
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #13 on: November 09, 2015, 04:56:53 pm »
@xxxnick

Do you mind if I ask what model your computer is and what its CPU model is, if you can find them?

The reason I am asking is that on some computers it may take some time, depending on the CPU power, RAM and hard drive / solid-state drive.
« Last Edit: November 09, 2015, 04:58:24 pm by never »

test4just
Re: Decrypt files Encrypted By [email protected] Ransomware Virus
« Reply #14 on: November 09, 2015, 05:24:28 pm »
"Please, Miloss66 and mbuljan, can you look in the log file of rakhnidecryptor and tell the "Current state number" where it found the key? This can save us 2 days of computing. Thank you!"

It worked for about 24 hours. It said it had found the password, but nothing happened. I unchecked "delete encrypted files after decryption", so the file that I wanted to decrypt remained the same. No other copy of that file was made (like a decrypted one). I ran the Rakhni tool in a virtual machine, and someone else clicked OK after Rakhni finished (that person told me that the only options in the tool at the end were OK or Close, with the message: Password has been found). The file is still encrypted. In the Rakhni log file the last current state looks like this:
 13:56:11.0288 0x02d0  Current state: 557976 / 1000000
I believe this is where it found the password. If so, how can I use this current state number to avoid "rescanning"?
« Last Edit: November 09, 2015, 05:37:16 pm by test4just »