
HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic


1760 replies to this topic

#31 Arlothia

  • Members
  • 196 posts
  • Gender:Female

Posted 26 January 2014 - 01:12 PM

Hello! So I've been following the thread on here called 'Cryptolocker Hijack program' and someone posted a link to here.

Now, I don't speak this language that well so I haven't been able to follow exactly what you guys have been saying here, but am I to believe that there's a way to look at the encoding of the encrypted file and figure out a way to decrypt it?

If so then please teach me how! I was infected back on September 11 (of all days, right?) and I have tried ShadowExplorer (which I know someone on here suggested) but I didn't have a date going back far enough to find unencrypted files.

Early on in this thread it was mentioned that you need to compare the encrypted file with the same file that was saved somewhere else that was not encrypted and I DO have that so can someone help please? Thanks so much!!


Oh, and I had the $300 version but I know this thread says $500. Don't know if this changes my prospects that much...





#32 vaso

  • Members
  • 9 posts

Posted 26 January 2014 - 01:58 PM

Hi, 20 days ago I submitted the exe files of this infector as was asked... Has anyone looked at them? Is anyone interested in helping?



#33 flydawg

  • Members
  • 36 posts
  • Gender:Male

Posted 26 January 2014 - 07:41 PM

> Hi, 20 days ago I submitted the exe files of this infector as was asked... Has anyone looked at them? Is anyone interested in helping?

The chat seems to have just died. I want some answers too!!



#34 GreenNavi

  • Members
  • 7 posts

Posted 26 January 2014 - 11:28 PM

As mentioned elsewhere the city I work for has been hit by this.

[screenshot: HOWDECRYPT_zps108ce9c7.gif]



#35 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 45,051 posts
  • Gender:Male
  • Location:USA

Posted 27 January 2014 - 11:18 AM

Unfortunately, I still have not been able to get a sample of the installer for this infection.

Someone had posted in the CryptoLocker thread showing the screen for HowDecrypt. This screen now has the title of Cryptorbit.

[screenshot: cryptorbit.gif]



#36 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 27 January 2014 - 12:31 PM

Hello,

It's been a while since I have posted on Bleeping's forums. Probably back when Decrypt Protect was out.

Anyhow, I work at a tech company that handles thousands of calls a day and I am the lead programmer at this company.

My absolute favorite thing to do though is reverse any malware that encrypts. So I figured I would let you know that I am working closely with 3 clients that have this infection. At the moment I have a handful of encrypted pictures and documents whose headers I am currently checking.

To the point, later today I will be remoting into a client's PC to get the Cryptorbit installer among other files, which I would be glad to share to figure out if this thing really uses RSA or not.

I also have an EXE my crawler picked up whose payload seems to be related to Cryptorbit, but I have yet to get it deployed correctly. It's quite interesting to see the actions it performs under Procmon. Currently I only have a very small amount of it reversed as, like I said, it's corrupted and I have been waiting for the one from my client.

Please let me know if you would like the one my crawler picked up in the meantime, before my client lets me grab his.

Thanks.


Have you performed a routine backup today?

#37 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 45,051 posts
  • Gender:Male
  • Location:USA

Posted 27 January 2014 - 12:38 PM

Yes, we would be grateful for anything you can send to this url:

http://www.bleepingcomputer.com/submit-malware.php?channel=163

Thx!

#38 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 27 January 2014 - 12:57 PM

The sample has been submitted, and hopefully my client will contact me soon.

 

Happy hunting ;)


Have you performed a routine backup today?

#39 matadores

  • Members
  • 18 posts

Posted 27 January 2014 - 02:17 PM

Hello all

I'm from Italy. I have the same problem, the Cryptorbit ransomware virus.

I have a factory in Italy and all my documents (.doc, etc.) are decrypted.... I wanted to pay to have the key, but now I have seen your forum. Do you think it is possible in the future to have the key to decrypt all my documents, or is it 99% all lost?

I have the work of 30 years. Please help me.

I don't want to put $500 to this criminal.



#40 albertvr

  • Members
  • 11 posts

Posted 27 January 2014 - 03:21 PM

Same problem (Cryptorbit) today here.

This is what I found out after I noticed my files were encrypted:

- At about 11:19 MS Security Essentials detected a Trojan (Trojan:Win32/Necurs.gen!A).

- At about 11:29 the encryption started.

- From about 11:00 till 11:30 I had been reading mails (work mail, LinkedIn and others), visited Facebook (playing CC and responding to some messages) and an online shop (I visit that shop often).

I remember some weird message when I opened a link in a LinkedIn email, but can't remember what message.

Hope this might help you.


 



#41 matadores

  • Members
  • 18 posts

Posted 28 January 2014 - 09:27 AM

Hello

I have some xls files that have a problem opening, but I also have some ods files that have a problem opening and one ods that works fine. I don't know if this information can help you to decrypt the files.



#42 Steph30

  • Members
  • 12 posts

Posted 28 January 2014 - 11:20 AM

Hello,

 

I have an encrypted file and the same file not encrypted (recovered), if this information can help you to decrypt the files.

 

thanks



#43 flydawg

  • Members
  • 36 posts
  • Gender:Male

Posted 28 January 2014 - 07:46 PM

> Hello,
>
> It's been a while since I have posted on Bleeping's forums. Probably back when Decrypt Protect was out.
>
> Anyhow, I work at a tech company that handles thousands of calls a day and I am the lead programmer at this company.
>
> My absolute favorite thing to do though is reverse any malware that encrypts. So I figured I would let you know that I am working closely with 3 clients that have this infection. At the moment I have a handful of encrypted pictures and documents whose headers I am currently checking.
>
> To the point, later today I will be remoting into a client's PC to get the Cryptorbit installer among other files, which I would be glad to share to figure out if this thing really uses RSA or not.
>
> I also have an EXE my crawler picked up whose payload seems to be related to Cryptorbit, but I have yet to get it deployed correctly. It's quite interesting to see the actions it performs under Procmon. Currently I only have a very small amount of it reversed as, like I said, it's corrupted and I have been waiting for the one from my client.
>
> Please let me know if you would like the one my crawler picked up in the meantime, before my client lets me grab his.
>
> Thanks.

Okay.. This is great news! Please don't drop out; keep us informed of your findings. And foremost, thanks for your involvement.



#44 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 28 January 2014 - 11:53 PM

I have successfully restored 15 JPGs and 14 DOCs. The method is actually quite simple and is not RSA or any type of encryption. Is there any way I can get a few of the corrupted files from victims here so I can test this 100% and release an app? If I can get some tonight, I'll have an app to fix these files tomorrow.


Have you performed a routine backup today?
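The comparison Arlothia asked for earlier in the thread (an encrypted file next to the same file saved elsewhere unencrypted) and the header check Nathan describes can be done mechanically: find which byte ranges differ, how much of the file they cover, and how random the changed bytes look. This is an added example written for this thread, not code posted by any participant; the two byte strings are constructed stand-ins for a real file pair.

```python
"""Compare a known-good copy of a file with the copy the infection left
behind: which byte ranges differ, what fraction was touched, and how random
the changed bytes look.  Added example, not code from any poster."""
import math
from collections import Counter

def differing_ranges(original: bytes, damaged: bytes) -> list:
    """Half-open [start, end) ranges where the buffers differ; a length
    mismatch is reported as a differing tail."""
    ranges, start = [], None
    n = min(len(original), len(damaged))
    for i in range(n):
        if original[i] != damaged[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    total = max(len(original), len(damaged))
    if total != n:  # one copy is longer: the extra bytes differ too
        if ranges and ranges[-1][1] == n:
            ranges[-1] = (ranges[-1][0], total)
        else:
            ranges.append((n, total))
    return ranges

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for real ciphertext, far lower for text/junk."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def assess(original: bytes, damaged: bytes) -> dict:
    """Whole-file encryption leaves no byte untouched; a header-only
    scramble leaves most of the file intact and therefore repairable."""
    ranges = differing_ranges(original, damaged)
    total = max(len(original), len(damaged), 1)
    changed = b"".join(damaged[s:e] for s, e in ranges)  # bytes now in place
    return {"ranges": ranges,
            "changed_fraction": sum(e - s for s, e in ranges) / total,
            "whole_file_touched": ranges == [(0, total)],
            "changed_entropy": shannon_entropy(changed)}

# Constructed sample (not real victim data): a JPEG-like original and a
# copy whose first 16 bytes were overwritten with junk.
ORIGINAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"pixel data " * 20
DAMAGED = bytes((i * 37 + 11) & 0xFF for i in range(16)) + ORIGINAL[16:]
```

Running `assess(ORIGINAL, DAMAGED)` on the sample reports a single range covering only the first 16 bytes and `whole_file_touched` false, the pattern that makes a header repair from a known-good copy possible; a whole-file cipher would report one range spanning the entire file.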

#45 Arlothia

  • Members
  • 196 posts
  • Gender:Female

Posted 29 January 2014 - 12:00 AM

> I have successfully restored 15 JPGs and 14 DOCs. The method is actually quite simple and is not RSA or any type of encryption. Is there any way I can get a few of the corrupted files from victims here so I can test this 100% and release an app? If I can get some tonight, I'll have an app to fix these files tomorrow.

What do you need and how can I get them to you? Do you want a sampling of different files? I have JPEGs and Microsoft Word/Excel/PowerPoint files that are encrypted and would be happy to send you a couple of each if need be.

I'll help however I can so people can get their files back, and I'm just happy there are people like you who know how to do this sort of thing!

Oh, I should mention that I got hit with the $300 USD version back in September, not the $500 like the thread title says. I don't know whether or not that will make much of a difference. But still, maybe my files can help solve at least one of the two variants!


Edited by Arlothia, 29 January 2014 - 12:06 AM.




