CryptoSearch - Find Files Encrypted by Ransomware

Great software! it must have helped many victims of WannaCry and Petya ransomware recently and an article also mentioned your tool. 

Hey,

 

My Name Is Hemanta Naik And I'm From India......I Got Hacked By Satan Ransomware Virus From 5 Days And I Used CryptoSearch And Found 4899 encrypted folders with 61910 encrypted files All Files Become Stn. File....I Need To Decrypt My Files And Get It Back....Help Me Plss Or Let Me Know How To Decrypt It...

 

Note---I Dont Have Any Back Ups Of My Files And I Succesfully Removed The Virus Only Waiting For To Decrypt My Files.........

 

Plss Help Me To Get My Files Back.....Thanks

....I Got Hacked By Satan Ransomware...I Need To Decrypt My Files And Get It Back....Help Me Plss Or Let Me Know How To Decrypt It...

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

• Satan Ransomware Help & Support Topic: .STN extension & HELP_DECRYPT_FILES.html

Hello,

 

I have a question about CryptoSearch and BandarChor ransomware.

 

If you put the email donald@trampo.info in ID ransomware, BandarChor is detected https://id-ransomware.malwarehunterteam.com/identify.php?case=cdee5d778a099be57d27e0e4b3e645b309b8e587

 

But CryptoSearch can't find it because the email in BandarChor crypted files are extended with another one like that : infont@post.cz_donald@trampo.info

 

Do you think there is a way to improve the detection of BandarChor's crypted files by CryptoSearch ? Thank you very much for any help about this issue.

Kind regards,

 

Emmanuel

Ich habe mir ebenfalls den Satan *stn Virus eingefangen. Was mich dabei ärgert ist, dass ich nicht mal weis "woher" !!

Ich bräuchte dringend HILFE 

@Emmanuel_ADC-Soft

 

What is an example of a full encrypted file's name? CryptoSearch does not use the email address data to identify encrypted files, it uses the extension patterns and filemarkers from ID Ransomware (e.g. 0x803E0000 at offset 0x00 for BandarChor). I do not support multi-layered encryptions by multiple ransomwares on either service, it would be way too much for false-positives and a serious pain.

 

@BitCoinMember

 

There is no way to decrypt Satan. More info: https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/

@Demonslay335,

Thank you for your answer.

 

Dr.Web can decrypt BandarChor ransomware if they have enough informations.

Maybe you can update this information on ID Ransomware instead of this message https://id-ransomware.malwarehunterteam.com/identify.php?case=693ddaa3087ea5142977d0b3225da1731b1d75c4

 

I already helped one of my client with this issue. If you need any informations, I am here to help.

Kind regards,

Emmanuel

Updated CryptoSearch v0.9.9.0 to allow searching for filemarkers in files encrypted by #ransomware at end of the file too. Also minor bugfix.

 

a good idea!

 

so you can find, for example, secring.gpg files, if they are saved on the disk after the encoder with GnuPG encryption is running.

 

How do you identify the byte Pattern in the encrypted files?

How do you identify the byte Pattern in the encrypted files?

 

Some ransomware have certain patterns or filemarkers they leave on files that are encrypted, and CryptoSearch checks for these based on data from my ID Ransomware website. This means it is always updated with the latest known filemarkers as long as you are online.

Hey, I just tried using this to scan a folder that is known to have Cry36 encrypted files in it (per the ID Ransomware site), but they were not detected/all showed up as clean. Any idea what could be happening here?

 

Also, when pointed at a known clean folder, the tool does not report the number of folders properly, either encrypted or clean - it is always zero.

Edited by bilditup1, 31 July 2018 - 10:37 PM.

@bilditup1

 

Can you make sure the tool has permissions to the directory? That tends to cause the most problems if it isn't running as administrator for example. Also, how were they identified on ID Ransomware? CryptoSearch can only go off the custom byte pattern rule for Cry36 in most cases, which on IDR would show as the "sample_bytes" rule.

Hi All, I was hit on the 23 Nov with a nasty ransomware with ext.pumax. All my HDD are affected and have a text note demanding bit coin. Is there any free software to decrypt available?

Hi All, I was hit on the 23 Nov with a nasty ransomware with ext.pumax. All my HDD are affected and have a text note demanding bit coin. Is there any free software to decrypt available?

Any files that are encrypted with STOP ransomware will have the .STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .PUMA or .PUMAX extension appended to the end of the encrypted data filename and leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt, !readme.txt as explained here.

Dr.Web is able to decrypt some variants of STOP Ransomware (i.e. .DATAWAIT, .INFOWAIT) as indicated in Post #20 by Emmanuel_ADC-Soft.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

• STOP ransomware (.STOP, .SUSPENDED - !!! YourDataRestore !!! txt) Support Topic

oh, no, wait! I can not move the files freely?
and if I wanted to put them in the cloud (google drive) like I would?