I think there may be two file encryption algorithms, BlowFish and AES, 56 bytes is the IV value of AES encrypted with BlowFish, and the last 32 bytes is the AES-256 key.
Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
TargetCompany/Mallox Ransomware (.tohnichi, .mallox, .xollam) Support Topic
Started by
caohaiwang
, Nov 26 2021 12:27 AM
294 replies to this topic
#16
caohaiwang
- Topic Starter
-
- Members
- 13 posts
- OFFLINE
- Local time:01:07 PM
Back to top
#17
Demonslay335
-
- Security Colleague
- 4,770 posts
- OFFLINE
Ransomware Hunter
- Gender:Male
- Location:USA
- Local time:11:07 PM
Posted 03 December 2021 - 04:03 PM
Nope. It's ChaCha20, AES-128, and Curve25519.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
#18
Demonslay335
-
- Security Colleague
- 4,770 posts
- OFFLINE
Ransomware Hunter
- Gender:Male
- Location:USA
- Local time:11:07 PM
Posted 03 December 2021 - 06:02 PM
@everyone
If you have been encrypted by this ransomware, please DM me with the following information:
- *1-2 encrypted files
- A copy of your ransom note
- Whether you are a home user or if this affected a business
* Simply use any third-party sharing site (SendSpace, Mega, Dropbox, GDrive, etc...) to give me a link to the files.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
#19
caohaiwang
- Topic Starter
-
- Members
- 13 posts
- OFFLINE
- Local time:01:07 PM
Posted 07 December 2021 - 05:56 AM
Nope. It's ChaCha20, AES-128, and Curve25519.
roger .is there a more detailed analysis of the cryptographic algorithm?thank you sir
#20
caohaiwang
- Topic Starter
-
- Members
- 13 posts
- OFFLINE
- Local time:01:07 PM
Posted 08 December 2021 - 02:45 AM
@everyone
If you have been encrypted by this ransomware, please DM me with the following information:
- *1-2 encrypted files
- A copy of your ransom note
- Whether you are a home user or if this affected a business
* Simply use any third-party sharing site (SendSpace, Mega, Dropbox, GDrive, etc...) to give me a link to the files.
​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​
#21
Amigo-A
-
- Members
- 3,049 posts
- ONLINE
Security specialist and Ransomware expert
- Gender:Male
- Location:Bering Strait
- Local time:10:07 AM
Posted 07 February 2022 - 01:10 PM
My site: The Digest "Crypto-Ransomware" + Google Translate
#22
xuedj
-
- Members
- 11 posts
- OFFLINE
- Local time:01:07 PM
Posted 20 February 2022 - 07:11 PM
Hello, according to the tutorial of your website, after the third part, I have to enter the password of the previous decrypter to proceed to the next step, but I have not decrypted it before, what should I do
#23
xuedj
-
- Members
- 11 posts
- OFFLINE
- Local time:01:07 PM
Posted 20 February 2022 - 07:51 PM
I used the "avast_decryptor_targetCompany64" tool to decrypt it. After the third step, I have to enter a password to proceed to the next step, but I have not decrypted it before, so there is no password,
#24
quietman7
-
- Global Moderator
- 61,818 posts
- OFFLINE
Bleepin' Gumshoe
- Gender:Male
- Location:Virginia, USA
- Local time:12:07 AM
Posted 20 February 2022 - 08:34 PM
Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection?
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click 
#25
quietman7
-
- Global Moderator
- 61,818 posts
- OFFLINE
Bleepin' Gumshoe
- Gender:Male
- Location:Virginia, USA
- Local time:12:07 AM
Posted 20 February 2022 - 08:44 PM
Can you provide (copy & paste) the ransom note contents in your next reply?
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
#26
cybercynic
-
- Members
- 2,073 posts
- OFFLINE
- Gender:Male
- Local time:12:07 AM
Posted 20 February 2022 - 09:35 PM
Are you sure the encrypted file extension is .avast?
The TargetCompany ransomware has several variants - .avast doesn't appear to be one of them.
#27
xuedj
-
- Members
- 11 posts
- OFFLINE
- Local time:01:07 PM
Posted 20 February 2022 - 09:48 PM
Are you sure the encrypted file extension is .avast?
The TargetCompany ransomware has several variants - .avast doesn't appear to be one of them.
Yes, the suffix is. Avast. Can I send you a ransom file and a ransom note
#28
xuedj
-
- Members
- 11 posts
- OFFLINE
- Local time:01:07 PM
Posted 20 February 2022 - 09:50 PM
Can you provide (copy & paste) the ransom note contents in your next reply?
YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4.We can decrypt few files in quality the evidence that we have the decoder.
CONTACT US:
mallox@tutanota.com
recohelper@cock.li
YOUR PERSONAL ID: XXXXXXXXXXXX
#29
quietman7
-
- Global Moderator
- 61,818 posts
- OFFLINE
Bleepin' Gumshoe
- Gender:Male
- Location:Virginia, USA
- Local time:12:07 AM
Posted 20 February 2022 - 09:53 PM
Follow the instructions I provided in your other topic.
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
#30
xuedj
-
- Members
- 11 posts
- OFFLINE
- Local time:01:07 PM
Posted 20 February 2022 - 09:57 PM
Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection?
It's been submitted, but it's possible to decrypt it under certain conditions
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
