CryptoSearch - Find Files Encrypted by Ransomware


69 replies to this topic

#31 zailai (Members, 4 posts)

Posted 07 July 2017 - 12:45 AM

Great software! It must have helped many victims of the WannaCry and Petya ransomware recently, and an article also mentioned your tool.





#32 Hems369 (Members, 1 post)

Posted 14 September 2017 - 03:29 PM

Hey,

My name is Hemanta Naik and I'm from India. I got hacked by the Satan ransomware virus five days ago. I used CryptoSearch and found 4899 encrypted folders with 61910 encrypted files; all files became .stn files. I need to decrypt my files and get them back. Help me please, or let me know how to decrypt them.

Note: I don't have any backups of my files, and I successfully removed the virus; I am only waiting to decrypt my files.

Please help me to get my files back. Thanks.



#33 quietman7, Bleepin' Gumshoe (Global Moderator, 61,818 posts, Virginia, USA)

Posted 14 September 2017 - 04:36 PM

....I Got Hacked By Satan Ransomware...I Need To Decrypt My Files And Get It Back....Help Me Plss Or Let Me Know How To Decrypt It...

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#34 Emmanuel_ADC-Soft (Members, 549 posts, Paris)

Posted 18 October 2017 - 07:35 AM

Hello,

 

I have a question about CryptoSearch and the BandarChor ransomware.

If you put the email donald@trampo.info into ID Ransomware, BandarChor is detected: https://id-ransomware.malwarehunterteam.com/identify.php?case=cdee5d778a099be57d27e0e4b3e645b309b8e587

But CryptoSearch can't find it, because the email in BandarChor-encrypted files is extended with another one, like this: infont@post.cz_donald@trampo.info

Do you think there is a way to improve the detection of BandarChor's encrypted files by CryptoSearch? Thank you very much for any help with this issue.

Kind regards,

 

Emmanuel



#35 BitCoinMember (Members, 2 posts)

Posted 16 November 2017 - 05:46 AM

I have also caught the Satan *stn virus. What annoys me about it is that I don't even know "where from"!!

I urgently need HELP



#36 Demonslay335, Ransomware Hunter, Topic Starter (Security Colleague, 4,770 posts, USA)

Posted 16 November 2017 - 09:57 AM

@Emmanuel_ADC-Soft

 

What is an example of a full encrypted file's name? CryptoSearch does not use the email address data to identify encrypted files; it uses the extension patterns and filemarkers from ID Ransomware (e.g. 0x803E0000 at offset 0x00 for BandarChor). I do not support multi-layered encryption by multiple ransomware families on either service; it would cause far too many false positives and be a serious pain.

 

@BitCoinMember

 

There is no way to decrypt Satan. More info: https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#37 Emmanuel_ADC-Soft (Members, 549 posts, Paris)

Posted 16 November 2017 - 10:08 AM

@Demonslay335,

Thank you for your answer.

 

Dr.Web can decrypt the BandarChor ransomware if they have enough information.

Maybe you can update this information on ID Ransomware instead of this message: https://id-ransomware.malwarehunterteam.com/identify.php?case=693ddaa3087ea5142977d0b3225da1731b1d75c4

I have already helped one of my clients with this issue. If you need any information, I am here to help.

Kind regards,

Emmanuel



#38 al1963 (Members, 1,178 posts)

Posted 17 January 2018 - 10:18 AM

Updated CryptoSearch v0.9.9.0 to allow searching for filemarkers in files encrypted by #ransomware at end of the file too. Also minor bugfix.

A good idea!

So you can find, for example, secring.gpg files if they are saved to disk after an encryptor that uses GnuPG encryption has run. :)



#39 VBCONZ (Members, 43 posts)

Posted 13 March 2018 - 04:15 PM

How do you identify the byte pattern in the encrypted files?



#40 Demonslay335, Ransomware Hunter, Topic Starter (Security Colleague, 4,770 posts, USA)

Posted 13 March 2018 - 05:07 PM

How do you identify the byte pattern in the encrypted files?

 

Some ransomware have certain patterns or filemarkers they leave on files that are encrypted, and CryptoSearch checks for these based on data from my ID Ransomware website. This means it is always updated with the latest known filemarkers as long as you are online.




#41 bilditup1 (Members, 5 posts)

Posted 31 July 2018 - 10:34 PM

Hey, I just tried using this to scan a folder that is known to have Cry36 encrypted files in it (per the ID Ransomware site), but they were not detected/all showed up as clean. Any idea what could be happening here?

 

Also, when pointed at a known clean folder, the tool does not report the number of folders properly, either encrypted or clean - it is always zero.


Edited by bilditup1, 31 July 2018 - 10:37 PM.


#42 Demonslay335, Ransomware Hunter, Topic Starter (Security Colleague, 4,770 posts, USA)

Posted 01 August 2018 - 08:11 AM

@bilditup1

 

Can you make sure the tool has permissions to the directory? That tends to cause the most problems if it isn't running as administrator for example. Also, how were they identified on ID Ransomware? CryptoSearch can only go off the custom byte pattern rule for Cry36 in most cases, which on IDR would show as the "sample_bytes" rule.


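The detection approach described in posts #36, #38, #40 and #42 above (extension patterns, a header filemarker at a fixed offset, the end-of-file filemarker added in v0.9.9.0, and unreadable directories as the usual cause of missed files) can be shown with a small scanner. This is an added example, not CryptoSearch's or ID Ransomware's code. The only real values in it are the BandarChor header 0x803E0000 at offset 0 quoted in post #36, read here as the byte sequence 80 3E 00 00 (that byte order is an assumption), and the .puma/.pumax extensions listed in post #44; the trailer-marker family, the rule table itself and the sample files are constructed for the demonstration. CryptoSearch fetches its rules from ID Ransomware when online; this example hardcodes them.

```python
"""Filemarker-based scan for ransomware-encrypted files (added example).

Three signals, as described in the thread: an appended extension, a header
marker at a fixed offset, and a trailer marker at the end of the file.
The rule table is hardcoded here; CryptoSearch itself pulls rules from
ID Ransomware.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One family's rule; any single signal that is present and matches fires it."""
    family: str
    extension: Optional[re.Pattern] = None  # applied to the file name
    header: Optional[bytes] = None          # expected at header_offset
    header_offset: int = 0
    trailer: Optional[bytes] = None         # expected at the very end of the file


RULES = (
    # Header value quoted in post #36; reading it as bytes 80 3E 00 00 is an assumption.
    Rule("BandarChor", header=bytes.fromhex("803E0000")),
    # Two of the STOP extensions listed in post #44.
    Rule("STOP", extension=re.compile(r"\.pumax?$", re.IGNORECASE)),
    # Constructed family: exercises the end-of-file check added in v0.9.9.0.
    Rule("DemoTrailerFamily", trailer=b"DEMO-TRAILER"),
)


def classify_file(path: str, rules=RULES) -> list[str]:
    """Return the families whose rule fires on `path`; an empty list means clean.

    Every rule is evaluated, so a file that hits two families is reported
    with both names instead of being silently attributed to the first.
    """
    name = os.path.basename(path)
    hits: list[str] = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        for rule in rules:
            if rule.extension is not None and rule.extension.search(name):
                hits.append(rule.family)
                continue
            if rule.header is not None:
                fh.seek(rule.header_offset)
                if fh.read(len(rule.header)) == rule.header:
                    hits.append(rule.family)
                    continue
            if rule.trailer is not None and size >= len(rule.trailer):
                fh.seek(size - len(rule.trailer))
                if fh.read(len(rule.trailer)) == rule.trailer:
                    hits.append(rule.family)
    return hits


@dataclass
class ScanResult:
    encrypted: dict[str, list[str]] = field(default_factory=dict)
    clean_files: int = 0
    folders: int = 0
    denied: list[str] = field(default_factory=list)  # paths we could not read


def scan(root: str, rules=RULES) -> ScanResult:
    """Walk `root`, classify every file, and record what could not be read.

    Unreadable directories and files land in `denied` rather than being
    counted as clean, which is the failure mode post #42 points at.
    """
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: result.denied.append(e.filename)):
        result.folders += 1
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                hits = classify_file(path, rules)
            except OSError:
                result.denied.append(path)
                continue
            if hits:
                result.encrypted[path] = hits
            else:
                result.clean_files += 1
    return result


def build_sample_tree(base: str) -> str:
    """Constructed fixture: one file per rule plus one clean file."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    samples = {
        "docs/report.docx.id-1234": bytes.fromhex("803E0000") + bytes(32),  # header marker
        "docs/photo.jpg.puma": b"\xff\xd8\xff" + bytes(16),                # extension only
        "notes.txt": b"hello" * 4 + b"DEMO-TRAILER",                        # trailer marker
        "clean.txt": b"plain text, nothing appended",
    }
    for rel, data in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    return base


def demo() -> ScanResult:
    """Build the fixture in a temp dir and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp(prefix="cryptosearch-demo-")))


if __name__ == "__main__":
    r = demo()
    print(f"{r.folders} folders, {len(r.encrypted)} encrypted, {r.clean_files} clean, {len(r.denied)} denied")
    for path, fams in sorted(r.encrypted.items()):
        print(f"  {path}: {', '.join(fams)}")
```

Running the script scans a constructed two-folder tree and reports three encrypted files (one per signal) and one clean file. Point `scan()` at a real directory only with an account that can read it: a directory the scanner cannot open shows up in `denied`, not as "clean", which is the distinction post #42 asks the user to check. The header rule never looks at the file name, which is why a BandarChor file whose name carries an extra email address (post #34) is still caught by the marker.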


#43 JCEva01 (Members, 1 post)

Posted 24 November 2018 - 11:01 PM

Hi all, I was hit on 23 Nov with a nasty ransomware with the extension .pumax. All my HDDs are affected and have a text note demanding bitcoin. Is there any free software to decrypt available?

#44 quietman7, Bleepin' Gumshoe (Global Moderator, 61,818 posts, Virginia, USA)

Posted 25 November 2018 - 09:04 AM

Hi all, I was hit on 23 Nov with a nasty ransomware with the extension .pumax. All my HDDs are affected and have a text note demanding bitcoin. Is there any free software to decrypt available?

Any files that are encrypted with STOP ransomware will have the .STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .PUMA or .PUMAX extension appended to the end of the encrypted data filename and leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt, !readme.txt as explained here.

Dr.Web is able to decrypt some variants of STOP Ransomware (i.e. .DATAWAIT, .INFOWAIT) as indicated in Post #20 by Emmanuel_ADC-Soft.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.



#45 WendelTytan (Members, 6 posts)

Posted 13 April 2019 - 02:17 AM

Oh no, wait! I can't move the files freely?
And if I wanted to put them in the cloud (Google Drive), how would I?





