Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Google Chrome to let Isolated Web App access sensitive USB devices

Featured Deal: Block malvertising with $60 off AdGuard ad blocker

Latest Buyer's Guide: Best web browsers with built in VPN: Boost online privacy

Ransomware (.crypted)

Started by krlosrhg , Jun 24 2024 04:43 PM

Please log in to reply

3 replies to this topic

#1 krlosrhg

Members
2 posts
OFFLINE

Local time:11:57 PM

Posted 24 June 2024 - 04:43 PM

Good day friends, I am new to this community, my name is Carlos Herrera, today I would like to ask you for help since a few months ago I had a ransomware attack, where many files were encrypted, if I upload the files to no more ransom, it says that I have probably infected by "CrySIS" or "PHP ransomware" or "XORBAT" or "Nemucod" or "MegaLocker" or "Hakbit", however, none of the tools provided by the page have been useful, so I am addressing this great community, to find out if there is anything you can do to decrypt such files.

I share Original Copy and encrypted file

Attached Files

HASTA N.A. 252125.pdf 185.03KB 2 downloads
HASTA N.A. 252125_crypted.pdf 185.04KB 1 downloads
Screenshot_1.png 5.47KB 0 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 quietman7

Bleepin' Gumshoe

Global Moderator
62,051 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:12:57 AM

Posted 24 June 2024 - 05:14 PM

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?

The .crypted (.CRYPTED) extension is more generic and has been used by several types of known ransomware to include Hakbit (Thanos), HiddenTear/EDA2, Tripoli, HelloKitty, MegaLocker (NamPoHyu), Yoshikada Decryptor (GlobeImposter variant), System Crypter and Nemucod. The .crypted extension is also used by many unidentified ransomwares.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Doing this also ensures we get the ransomware information into the IDR system for reference. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click

Back to top

#3 krlosrhg

Topic Starter

Members
2 posts
OFFLINE

Local time:11:57 PM

Posted 25 June 2024 - 06:00 AM

I did find a note, but in windows operating systems, in computers that have windows the files were like this example: 157121.pdf.5OSQe5NUm and the name of the note is: 5OSQe5NUm.README.txt, but for linux servers there was no note, the files were only .crypted.

Mail to which they are waiting for a reply: farmacon@protonmail.com

ID Ransomware, cannot determine which ransomware is

Contents of the note:

~~~ Unlock your files! ~~

Hello, we hacked your PC and encrypted all your files.

BUT!!! Fear not, you can decrypt your files and recover everything very easy,

You just need to pay a small ammount. this is just bussiness.

You pay the ransom, we give you the file to decrypt your files, and we move on.

We won't attack you again, or talk to anyone about this.

Send an email to farmacon@protonmail.com and talk to us.

You would need to buy XMR (Monero) to make the payment, it's very easy.

or follow an online guide, ask us in the email if you need help.

>>>>

>>>> Your personal DECRYPTION ID: F99931269EE37BDC3E8BBDA1F6CA0C5E

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Edited by krlosrhg, 25 June 2024 - 06:00 AM.

Back to top

#4 quietman7

Bleepin' Gumshoe

Global Moderator
62,051 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:12:57 AM

Posted 25 June 2024 - 06:47 AM

It appears you have been hit with more than one ransomware infection.

Ransomware can be responsible for double (multiple) encryptions since it will encrypt any directory or file it can read/write to regardless if previously encrypted by another ransomware variant. Ransomware does not care about the contents of the data or whether your files are already encrypted...it will just re-encrypt them again and again if it has access. Even the same ransomware can encrypt data multiple times with different strains and that means the files may get corrupted multiple times. Any file corruption complicates possible decryption solutions.

Double (multiple) infections also means having to deal with all ransom demand payments and different decryptors created by the criminals in order to decrypt data if the encryption was caused by different ransomware families. Unfortunately there is not much you can do in scenarios like this especially if any of the ransomwares are not decryptable.

From what you have provided (157121.pdf.5OSQe5NUm with a 5OSQe5NUm.README.txt note) looks to be LockBit 3.0 (Black) + a ransomware that also appended the .crypted extension.

In your case, the random 9 char naming format of your README.txt ransom note together with the same random 9 alpha-numerical char extension appended to your encrypted files are similar to what we have seen with this ransomware. These are some examples.

.hZiV1YwzR
.3WbzmF0CC
.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

Most LockBit 3 Black/CriptomanGizmo ransom notes are known to include a long string of hexadecimal characters comprising a Decryption ID similar to N3ww4v3/Mimic but without an asterisk (*) and extension after the ID numbers.

Your personal DECRYPTION ID: 495927C9CC58D8A36B47827EAE1AEA72
»» Your personal DECRYPTION ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
specify your ID - 6800F4848694EC5B39B3525AF9F34521
report your ID - C7EC9516C90F63DF285
YOU LOCK-ID: 7565BD6495000673051C5B6F24EE1B30

Your ransom note contents are similar to what we have seen with this ransomware and includes a personal Decryption ID like those listed above.

>>>> Your personal DECRYPTION ID: F99931269EE37BDC3E8BBDA1F6CA0C5E

Without more information, it will be difficult to identify the second ransomware which used the .crypted extension.

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click