
Proton Ransomware (.[email].c77L; #Restore-files.txt) Support Topic


36 replies to this topic

#1 pete0980


Posted 02 February 2024 - 07:42 AM

Any files that are encrypted with Proton Ransomware will have an .[<email>].[random 4-5 char] extension to include .c77l, .ZENEX, .SWIFT appended to the end of the encrypted data filename and typically leave files (ransom notes) named #Restore-files.txt, #Zenex-Help.txt, #SWIFT-Help.txt. These are some examples.

.[decrypt.computer@gmail.com].c77L
.[decrypthelp0@gmail.com].ZENEX
.[swift_1@tutamail.com].SWIFT
Unidentified ransomware on Windows has encrypted data files and renamed them like this:
filename.txt  >  filename.txt.[Decrypt.computer@gmail.com].c77L

example original filesize: 122 340 bytes, encrypted: 122 516 bytes

A ransom note named "#Restore-files.txt" is left on each disk with encrypted files.

The ransom note includes the following:

Personal ID: D97ED7F82CED120F
Primary Email: Decrypt.computer@gmail.com
Secondary Email: Decrypt.network@gmail.com
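
The naming scheme and ransom note fields described in the first post can be checked with a small triage helper. This is an added example, not part of the original posts and not a tool referenced in this topic. The function names, the 3-6 character tag length and the sample listing are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Naming scheme from the first post: <original name>.[<contact email>].<tag>
# Assumption: the tag is 3-6 alphanumerics (covers .c77L, .ZENEX, .SWIFT).
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\[\]@\s]+@[^\[\]@\s]+)\]"
    r"\.(?P<tag>[A-Za-z0-9]{3,6})$")
# Ransom note file names listed in the first post (compared case-insensitively).
NOTE_NAMES = {"#restore-files.txt", "#zenex-help.txt", "#swift-help.txt"}
# Labelled fields as they appear in the notes quoted in this topic.
NOTE_FIELD = re.compile(
    r"(?im)^\W*(?:Your\s+)?(Personal ID|Primary Email|Secondary Email)\s*:\s*(\S+)")

def parse_encrypted_name(name):
    """Return (original name, contact email, tag), or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    return (m["original"], m["email"].lower(), m["tag"]) if m else None

def parse_note(text):
    """Extract the victim ID and contact addresses from a ransom note body."""
    return {key.lower(): value for key, value in NOTE_FIELD.findall(text)}

def triage(listing, backup_sizes=None):
    """listing: iterable of (path, size); backup_sizes: {original name: size} from a clean backup."""
    backup_sizes = backup_sizes or {}
    report = {"notes": [], "encrypted": [], "contacts": Counter()}
    for path, size in listing:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in NOTE_NAMES:
            report["notes"].append(path)
            continue
        hit = parse_encrypted_name(name)
        if hit is None:
            continue  # ordinary file, including names that merely contain brackets
        original, email, tag = hit
        known = backup_sizes.get(original)
        delta = size - known if known is not None else None  # bytes added by encryption
        report["encrypted"].append((original, tag, delta))
        report["contacts"][email] += 1
    return report

# Constructed sample listing reusing the file name and sizes quoted in this topic.
SAMPLE = [
    (r"D:\#Restore-files.txt", 1200),
    (r"D:\docs\filename.txt.[Decrypt.computer@gmail.com].c77L", 122516),
    (r"D:\docs\report.docx.[decrypthelp0@gmail.com].ZENEX", 50000),
    (r"D:\docs\notes.[draft].txt", 300),
]
```

Calling `triage(SAMPLE, {"filename.txt": 122340})` reports the note, the two renamed files with their recovered original names, and a 176-byte size increase for the file that has a backup copy to compare against.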




 


#2 quietman7


Posted 02 February 2024 - 07:50 AM

Can you provide (copy & paste) the ransom note contents in your next reply?

Please submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Doing this also ensures we get the ransomware information into the IDR system for reference. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.


Microsoft MVP Alumni 2023
Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#3 pete0980


Posted 02 February 2024 - 07:51 AM

Sure!

>> What has occurred?
We have securely encrypted and taken possession of all your files.
Your files are inaccessible without availing our decryption service.

>> How can you reach us?

To initiate the decryption process, please exclusively send messages to the email addresses provided below.
We do not take responsibility for communication through other email addresses.
Write your personal ID in the subject of the email.

Personal ID: D97ED7F82CED120F
Primary Email: Decrypt.computer@gmail.com
Secondary Email: Decrypt.network@gmail.com

>> What assurances do you have?

To demonstrate the decryption procedure, we will open a small, inconsequential file less than 1MB in size (e.g., an image, text, PDF, etc.).
This will allow you to witness the decryption process. Please refrain from sending important or backup files.

>> Cautions!

1- Decryption can only be accomplished through us, so any attempts to decrypt through other means or individuals will prove futile.
2- Please avoid manipulating the file formats with unnecessary methods, as this can corrupt the file structure, and such an error is irreversible.
3- We have retained all your data, and it has been encrypted solely on your computer.
4- A secure backup copy of all your data is stored in our company's cloud space. Failure to make payment may result in data exposure on the dark web.
5- We have no interest in keeping your files, and upon payment, you will receive all of them.)



#4 pete0980


Posted 02 February 2024 - 07:53 AM

ID Ransomware said:

Unable to determine ransomware.

#5 rivitna


Posted 02 February 2024 - 07:56 AM

I think it's Proton Ransomware


Edited by rivitna, 02 February 2024 - 08:10 AM.


#6 quietman7


Posted 02 February 2024 - 07:56 AM

Please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic.




#7 pete0980


Posted 02 February 2024 - 08:02 AM

zip attached

Attached Files


Edited by pete0980, 02 February 2024 - 08:03 AM.


#8 rivitna


Posted 02 February 2024 - 08:08 AM

Please check your registry

Attached Files

  • Attached File  1.png   34.03KB   0 downloads


#9 rivitna


Posted 02 February 2024 - 08:10 AM

 

pete0980 wrote: "zip attached"

The files were encrypted like Proton



#10 pete0980


Posted 02 February 2024 - 08:12 AM

here is my screen

Attached Files



#11 pete0980


Posted 02 February 2024 - 08:15 AM

Is it possible to decrypt files?



#12 rivitna


Posted 02 February 2024 - 08:18 AM

In my opinion, Proton ransomware is a C++ implementation of LokiLocker/BlackBit.

Proton ransomware is related to LokiLocker/BlackBit and RCRU64



#13 pete0980


Posted 02 February 2024 - 08:21 AM

Thank you for the help.

Is there any software or FAQ on how to decrypt it?



#14 rivitna


Posted 02 February 2024 - 08:22 AM

pete0980 wrote: "Is it possible to decrypt files?"

Unfortunately, no solution yet :-(

 

crypto scheme:

XChaCha20-Poly1305 - Session X25519 Key - Master X25519 Key


#15 kingeope


Posted 18 February 2024 - 06:14 AM

Hello,
 
I have been researching about the ransomware that infected my computer, but I couldn't find any information, so I thought I would start a new topic and ask for your opinion.
 
The names of the encrypted files are in the following format:
original_file_name.original_extension.[decrypthelp0@gmail.com].ZENEX
 
A txt file attached to folders:

~~~ ZENEX ~~~
>>> What happened?
    We encrypted and stolen all of your files.
    We use AES and ECC algorithms.
    Nobody can recover your files without our decryption service.
 
>>> How to recover?
    We are not a politically motivated group and we want nothing more than money.
    If you pay, we will provide you with decryption software and destroy the stolen data.
 
>>> What guarantees?
    You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
    If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.
 
>>> How to contact us?
   Our email address: decrypthelp0@gmail.com
   In case of no answer within 24 hours, contact to this email: cryptblack@mailfence.com
   Write your personal ID in the subject of the email.
 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your personal ID: D997A6BB89E365E296A76EF03D527698 <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
>>> Warnings!
  - Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
   They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
  - Do not hesitate for a long time. The faster you pay, the lower the price.
  - Do not delete or modify encrypted files, it will lead to problems with decryption of files.

 
Desktop wallpaper:
desktop.jpg
 
I haven't cleaned the virus from the computer yet, I have a backup from a few weeks ago. I can send you both encrypted and non-encrypted versions of the same file for comparison. In addition, since the virus is active on the device, I can also get the infected version of the file you asked for when I send it to the system. Is it possible to find out the type of virus and, if possible, the decryption method?
 
Thanks in advance for your help.



