SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on December 04, 2015, 03:01:46 pm

Title: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 04, 2015, 03:01:46 pm
First, before decrypting the files you need to do it safely. Use this tutorial to remove the virus's .tmp files:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/

Now it is time to decrypt your data. Fortunately for users, Kaspersky has released several decryptors for different Ransomware variants. You can download and try with Rakhni or other decryptors by visiting their web page below:

http://support.kaspersky.com/viruses/utility

Once you have downloaded Rakhni, simply start the .exe file and click on Start Scan. This will open a file manager where you can select the file that you want to decrypt. It will then start the decryption process.

IMPORTANT: There is no guarantee that these tools will work for you, since every ransomware variant behaves differently when it comes to file encryption. Decrypting files (if the algorithm allows decryption and is not too strong) may take hours or even days, depending on the encryption. You should leave your computer working at all times and NOT interrupt the decryption process. To do this, make sure you change your PC's power settings so that it cannot hibernate or sleep during decryption. Follow these steps.

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The mighty Power Options menu will appear. In your power plan, click on Change Plan Settings.
Step 3: In your plan's settings, set "Turn off the display" and "Put the computer to sleep" to "Never" in the drop-down minutes menu.
Step 4: Click on Save Changes and close it.

Now, you should leave your PC to work it out. Bear in mind that the process may take a lot of time, so arm yourself with patience and hope that the algorithm is decryptable.

This is a threat-based topic discussion about Weekendwarrior55(.)com ransomware. You may share your opinions, ask our experts to help you, upload encrypted files to help with the research and share your experience.
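The four GUI steps above, done from a PowerShell or cmd prompt instead. This is an added example and not part of the original post; powercfg is the built-in Windows tool, the timeouts are in minutes and 0 means "never". Remember to put the values back (or re-select your normal plan) once the decryptor has finished.

```powershell
# Added example, not from the original post: the same "never sleep" change
# made with the built-in powercfg tool. -ac applies on mains power, -dc on
# battery, so a laptop left to decrypt is covered either way.
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 0
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 0

# Verify: dump the sleep settings of the active plan and check that the
# "Sleep after" and "Hibernate after" entries show an index of 0x00000000
# for both AC and DC.
powercfg /query SCHEME_CURRENT SUB_SLEEP
```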
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: mirogombar on December 06, 2015, 07:37:14 pm
Hello,

my friend has an external disk and every file is renamed; the end of the file names is -- id-2743227045_av666@weekendwarrior55.com
I have tried all latest kaspersky tools, but nothing works.

Any idea?

Thanks
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 07, 2015, 10:02:21 am
Hello, can you please respond with several encrypted files. I will not make them public; they will be visible solely to me. I will try to analyze how exactly they are decrypted, however I do not guarantee I will be of much help, since I read that this ransomware is more sophisticated than others of its kind.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: pranza on December 07, 2015, 10:38:45 am
here's one encrypted txt and jpg, as well as unencrypted jpg version :)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on December 07, 2015, 11:07:50 am
Hello,

My company has been struck by the same virus; the damage inflicted on our systems is quite extensive. To my knowledge, we have not yet located the initial point of entry nor have we found a ransom message; we just have the encrypted files on the different computers.
I will attach some files to aid your search for a "cure",  please post here any updates on the issue to know what I can hope for. :)
Thank you in advance.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 07, 2015, 03:52:26 pm
Ok, thanks, I will look into them and get back to you tomorrow. Unfortunately there is no tool so far to identify the encryption code and its strength (in bits), however we will keep trying and get back to you in 24 hours.

Best Regards,
Never
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 07, 2015, 05:12:24 pm
Hello,

So far I have established that Rakhni Decryptor by Kaspersky is trying to decrypt a .docx file sent to me by you. I will write to you in case I succeed. You can download it here: http://support.kaspersky.com/viruses/utility#rakhnidecryptor


(http://sensorstechforum.com/wp-content/uploads/2015/12/cyclodecrypting.jpg)

I will keep trying but there is no guarantee. It is obvious now that this malware uses different tools that have worm-like behavior, allowing it to spread to LANs.
BR,
Never
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: pranza on December 07, 2015, 11:32:08 pm
Rakhni decryptor seems to work somewhat; it says that it finds the password after some time, but decodes rubbish from most files. Oddly though, several zip files seem to have been decoded successfully.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on December 08, 2015, 07:45:33 am
Thank you for your efforts. I believe that our IT department has already given a try to the rakhni decryptor with no success but by all means don't stop until you reach either a failure or a success. In the meantime, since this issue is getting very serious from what I read, for multiple users globally, some of them belonging to large companies, I believe that there will be a solution soon.
Again thank you for your time, keep sending updates.
Kind regards. :)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 08, 2015, 09:21:52 am
I believe that you should keep trying with different files, since once a password is found it may decrypt other files as well. No success for the files you sent (I left it overnight to decrypt). However, we will keep looking into it.

Regards,
Never
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on December 08, 2015, 09:33:56 am
You mean the Rakhni decryptor is done and found nothing :/? Should I send you more files then, to try them as well? I only sent those two because of the size limit on uploaded files.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 08, 2015, 12:29:03 pm
Do not send any more files, since our team is busy researching the malware. However, you may download Rakhni Decryptor from http://support.kaspersky.com/viruses/utility to try decrypting your files using the instructions in this thread. You should look for files which are preferably smaller in size, and every time the Decryptor returns with a 'cannot decrypt the file' type of message, try with a different file format. For example, if a .pdf did not work, try with .docx, and if this doesn't work, .jpg, and so on and so forth. If you manage to find a password, you may want to copy and upload a log in your reply in case you decrypt your files. Eventually you should be able to recover some of them. There is no guarantee that you will succeed though, because this variant of the ransomware may be using stronger encryption than its predecessors.

BR,
Never

Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: pranza on December 09, 2015, 01:56:48 am
I want to shed some light into this case.
av666@weekendwarrior55(.)com shit-ware doesn't even manage to encrypt everything, as then it would take ages to encrypt. Checking one .txt file from a backup and comparing it to the "encrypted" one, I found that exactly the first 100,000 bytes are rubbish; all the rest is intact!

Perhaps Rakhni decryptor tries to decode everything and that's why we get rubbish; maybe we should touch only the first 100 KB, as the rest is good...

Edit by Admin: I have modified the link, so it's not clickable - just in case.
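A way to check the observation above on your own files, as an added example that is not part of the forum thread or of any decryptor. It strips the renaming suffix quoted in this thread back to the original name, tests whether the file still starts with the header its extension requires (the same check is worth running on a decryptor's output: a "decrypted" .jpg that does not start with FF D8 FF is still unreadable), and, where an intact copy from a backup is available, reports exactly which byte range was overwritten. The suffix layout `<name>.id-<digits>_<mailbox>@weekendwarrior55.com` and the 150,000-byte sample file are assumptions made for the example; the sample is constructed, not a real victim file.

```python
"""Triage helper for files renamed by the weekendwarrior55(.)com ransomware.

Added example for this thread; not code from the forum or from any decryptor.
Assumptions: the renamed form is "<original name>.id-<digits>_<mailbox>@weekendwarrior55.com"
(built from the suffixes quoted in the thread) and the sample data below is
constructed, not a real victim file.
"""
import random
import re

# Assumed naming pattern, e.g. "report.docx.id-2743227045_av666@weekendwarrior55.com".
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<victim_id>\d+)_(?P<contact>[^@\s]+@weekendwarrior55\.com)$"
)

# Leading bytes ("magic") of a few common formats, used to tell whether a
# file's header is intact. Office 2007+ documents are ZIP containers ("PK").
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
}


def parse_renamed(name):
    """Return (original_name, victim_id, contact), or None if the name does
    not carry the ransomware suffix."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("victim_id"), m.group("contact")


def header_matches(data, ext):
    """True if data starts with the magic bytes expected for ext, False if it
    does not, None if the format is not in MAGIC (unknown, not a mismatch)."""
    magic = MAGIC.get(ext.lower())
    if magic is None:
        return None
    return data[: len(magic)] == magic


def changed_region(original, damaged):
    """Compare an intact copy (e.g. from a backup) with the damaged file.
    Returns the overwritten bytes as a half-open range (first, end), or None
    if both are identical. A length difference counts as a change reaching
    to the longer of the two lengths."""
    n = min(len(original), len(damaged))
    first = next((i for i in range(n) if original[i] != damaged[i]), None)
    if first is None:
        if len(original) == len(damaged):
            return None
        return n, max(len(original), len(damaged))
    last = n - 1
    while last > first and original[last] == damaged[last]:
        last -= 1
    end = last + 1
    if len(original) != len(damaged):
        end = max(len(original), len(damaged))
    return first, end


def triage(name, data, original=None):
    """Summarise one renamed file: original name, whether the header still
    matches the format, and (given an intact copy) which bytes were changed."""
    parsed = parse_renamed(name)
    if parsed is None:
        return {"name": name, "renamed": False}
    orig_name, victim_id, contact = parsed
    ext = orig_name.rsplit(".", 1)[-1] if "." in orig_name else ""
    report = {
        "name": name, "renamed": True, "original_name": orig_name,
        "victim_id": victim_id, "contact": contact, "size": len(data),
        "header_intact": header_matches(data, ext),
    }
    if original is not None:
        region = changed_region(original, data)
        report["changed_range"] = region
        report["intact_tail_bytes"] = (
            len(data) if region is None else max(0, len(data) - region[1])
        )
    return report


def build_sample():
    """Constructed sample: a 150,000-byte JPEG-like file whose first 100,000
    bytes are overwritten (XOR with a fixed byte, so every one of them
    differs), mimicking the partial overwrite reported in the thread."""
    rng = random.Random(2015)
    original = MAGIC["jpg"] + bytes(rng.randrange(256) for _ in range(150_000 - 3))
    damaged = bytes(b ^ 0x5A for b in original[:100_000]) + original[100_000:]
    return original, damaged


if __name__ == "__main__":
    original, damaged = build_sample()
    print(triage("holiday.jpg.id-2743227045_av666@weekendwarrior55.com", damaged, original))
```

Run it against copies, never the only surviving version of a file. `changed_region` needs the intact copy from a backup to say anything about the overwritten range; without one, `header_intact` still tells you whether the format header was hit, which for the reported 100 KB prefix it always is.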
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on December 09, 2015, 12:43:49 pm
How can this be done? Do you know of a way to set the decryptor to decrypt only the first xx kbs?
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on December 14, 2015, 05:58:24 am
Hi, are there any news regarding this malware? Did anyone manage to successfully decrypt any of his files?
Thanks in advance ;)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on December 14, 2015, 09:53:57 am
Hello Janus

We are currently looking into it we will get back soon with more assistance :)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: cdmgcm on December 16, 2015, 04:41:59 pm
Hi,

I have the same problem. Is there any progress regarding this malware? Did anyone manage to do/find a solution to decrypt the files?  :( :-\

Regards,
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on December 17, 2015, 11:14:15 am
Hi,

I have the same problem. Is there any progress regarding this malware? Did anyone manage to do/find a solution to decrypt the files?  :( :-\

Regards,

We are still researching the matter. If we find anything that might help - we will share it. We will keep all of you posted.

Best Regards,
Execute
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on January 07, 2016, 11:25:30 am
We tried around 10 different decryptors, but only 1 of them proved to work and that was Kaspersky's Rakhni Decryptor.

It worked only with some of the files: it successfully decrypted a .png and a .jpg image:

(http://i.imgur.com/DTlmC70.png) <===> (http://i.imgur.com/NxUxAk7.png)

Unfortunately, it couldn't decrypt .doc, .xls and the newer .docx and .xlsx files, even after trying for several days:

(http://i.imgur.com/freNZ1w.png) <===> (http://i.imgur.com/4qBO6Hn.png)

It just couldn't recover the password for them, leading us to believe that the Weekendwarrior55(.)com may have used a stronger encryption key for them.

(http://i.imgur.com/ah2cOGi.png) <===> (http://i.imgur.com/w4dt5re.png)

It took a lot of time, but at least some files were restored, which is partly good news.

Keep an eye out for updates, and also if we find something that might help you to restore your files - we will keep you informed.
Just don't give up, there is hope. Also, if you have any ideas, write them up, maybe one thing can lead to another and figure out how to beat this ransomware.

Kind Regards,
Execute
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on January 08, 2016, 06:11:33 am
Well then this is partially good news, since you prove that  the files can indeed be decrypted but on the other hand, the decryption worked only for a small number and type of them.
Someone suggested earlier that the virus doesn't encrypt the whole file but only some kbs at the beginning or the end, could there be a solution there? I'm not into IT stuff but couldn't there be a decryptor to take into consideration this specific characteristic of this virus?
It's been almost two months since we were hit by the virus and still we have no success in dealing with it at my company, neither by backups nor by decryption of the files...
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Grix on January 08, 2016, 12:52:35 pm
I tried last month to decrypt .mdb - NO SUCCESS  :-X
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on January 08, 2016, 05:32:23 pm
@janus5555, yes, some files have only the first 100 kbytes encrypted, according to the user @pranza.

I also believe there must be a solution, it sounds logical - less encryption, smaller size - probably easier to pinpoint and shorter time to decrypt such files. But we are not sure if that is for every file extension or only for a small number of them, and we haven't really seen that idea implemented in a decryptor for now. Either way, any data that can be recovered is worth the shot of trying to find a fix.

However, we are searching for some brute-forcing methods to put the knowledge we have about the ransomware to good use. We will see if we can make it happen. If the encryption is not that strong, then we should be able to break it somehow. We will write with whatever possible solution we find.

@Grix, that's bad - database files, right? If you tried with Rakhni, then yeah - no updates since 1 month back, up to this moment. We are hoping a new version of the decryptor is released soon or to somehow make our ideas about decryption possible.

Best Regards,
Execute
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on January 28, 2016, 10:21:51 am
@Linda Beccani, hello, you can send a few encrypted files, and if there is a ransom note to idunn0@abv.bg, so we can see if we can decrypt them.

Kind Regards,
Execute

P.S.: Your English is good and understandable.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: test4just on January 28, 2016, 01:30:01 pm
Hi, I am also fighting with .id-3113278688_johndoe@weekendwarrior55(.)com. RakhniDecryptor for .doc and .xls runs 2 days and says "cannot recover password"; for .mfd and .dbf it does not run at all, saying "Unsupported file type". For .jpg it runs for 2 hours and says "Password has been recovered successfully". It shows that all the encrypted files have been decrypted. Now the files have the correct extension (with no "@weekendwarrior"), but when trying to open them, all of them are still encrypted (including the .jpg). I would like to send you samples of both an encrypted and a "Rakhni-decrypted" file. I have just registered on your forum and I do not know how or to what e-mail address to send the files.

Edit by Sensadmin: I modified the link, so it's not clickable or associatable with e-mails.
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on January 29, 2016, 09:58:47 am
@test4just, that is unfortunate that you cannot open the files.
You can send them to the same email, given above - idunn0@abv.bg.

Kind Regards,
Execute

Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on March 10, 2016, 08:32:54 am
Hello everybody, are there any news regarding this virus encryption issue? The topic has stagnated and so far, from what I know, there has been no successful decryption method...Is there an official and hopefully more useful update? Thanks in advance..;)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on March 10, 2016, 02:15:43 pm
Hello, @janus5555,
Nothing new is found. We couldn't recover more files.

Following Rakhni Decryptor for updates and scanning different files
for a probable password to be found is your best bet now.

We have some cases of people reporting that data recovery programs worked
in recovering some of their files (since the originals are deleted).

Here are some examples of such programs:

EaseUS Data Recovery (http://www.easeus.com/)
Recuva by Piriform (https://www.piriform.com/recuva)

File Recover Plus (http://sensorstechforum.com/file-recover-plus-software-review/)
Stellar Phoenix Data Recovery Pro (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/)
Pareto Logic Data Recovery Pro (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/)


Best Regards,
Execute
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: never on April 04, 2016, 11:20:22 am
Nice programs, Execute.

Here is a little video to show you how to work with data recovery software and find hidden files. I hope it helps all the affected users, at least to some extent.

Recover Your Data and Find Hidden Files (https://www.youtube.com/watch?v=P0sWqfRaZiU)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: janus5555 on July 26, 2016, 11:05:19 am
Hello again, this thread has been inactive for quite some time..
Are there any news regarding the solution to the weekendwarrior virus file decryption?
Thanks for any relevant info guys ;)
Title: Re: Restore Files Encrypted by Weekendwarrior55(.)com Ransomware
Post by: Execute on July 26, 2016, 01:19:07 pm
Hello again, this thread has been inactive for quite some time..
Are there any news regarding the solution to the weekendwarrior virus file decryption?
Thanks for any relevant info guys ;)

Hey again, @janus5555!
We do not have any new information.
What is left for you to try is:


*In the 7th comment a user mentions that it is possible that a thing called "EGGDROP BLOWFISH" is used for encryption. I have found this site (http://www.eggheads.org/support/egghtml/1.6.17/mod-blowfish.html), but it seems that this is modifiable with configuration files, so if we don't have the one used for encryption we might not be able to decrypt the files without it. Writing to Support at that site, might be a good idea, as well.


Personally, I am out of ideas and asked most of the staff members of STF and none of them came up with better ideas or knew something new on the matter...

Keep us in the loop, with whatever you decide to go with.

Best Regards,
Execute