
Proton Ransomware (.[email].c77L; #Restore-files.txt) Support Topic


36 replies to this topic

#16 rivitna

  • Security Colleague
  • 185 posts

Posted 18 February 2024 - 07:15 AM

It's Proton ransomware

Sample


Edited by rivitna, 18 February 2024 - 07:18 AM.




#17 kingeope

  • Members
  • 5 posts

Posted 18 February 2024 - 07:18 AM

> It's Proton ransomware
>
> Sample

Hello,

Is there a decryptor for Proton?

Thanks for your reply.



#18 rivitna


Posted 18 February 2024 - 07:25 AM

To decrypt your files, you need the X25519 master private key :-(



#19 quietman7

  • Global Moderator
  • 61,818 posts

Posted 18 February 2024 - 07:47 AM

@kingeope
 
I have merged your topic into the primary support topic for victims of this ransomware.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#20 kingeope


Posted 18 February 2024 - 10:15 AM

> To decrypt your files, you need the X25519 master private key :-(

The virus is active on the computer and can also encrypt new files. Doesn't it use the same key for encryption? Would it be possible to find it this way?

 

Thanks for your reply.



#21 rivitna


Posted 18 February 2024 - 11:08 AM

The ransomware contains only the master public key, and immediately encrypts and erases the session private key

 

Public-key cryptography

 

Elliptic-curve Diffie–Hellman


Edited by rivitna, 18 February 2024 - 11:15 AM.


#22 kingeope


Posted 18 February 2024 - 01:59 PM

> The ransomware contains only the master public key, and immediately encrypts and erases the session private key
>
> Public-key cryptography
>
> Elliptic-curve Diffie–Hellman

And the private key is not on the computer? The device is encrypting without an internet connection. Shouldn't it use the same key again? Wouldn't it be possible to find this key with the debugger? Sorry to bother you with my questions, I'm just wondering if there is a possible solution.

Finally, is this encryption not decrypted in any way? Do you think there is a chance that it will be decrypted in the future? I had important data but I lost it, should I give up hope completely?

Thank you for your response.
 



#23 quietman7


Posted 18 February 2024 - 02:04 PM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type and strength of encryption used by the malware writers and a variety of other factors as explained in Ransomware Encryption: The math, time and energy required to brute-force an encryption key (Post #16)




#24 rivitna


Posted 18 February 2024 - 02:36 PM

 

> And the private key is not on the computer? The device is encrypting without an internet connection. Shouldn't it use the same key again? Wouldn't it be possible to find this key with the debugger? Sorry to bother you with my questions, I'm just wondering if there is a possible solution.
>
> Finally, is this encryption not decrypted in any way? Do you think there is a chance that it will be decrypted in the future? I had important data but I lost it, should I give up hope completely?

The first time, the ransomware generates a pair of session keys, encrypts these session keys and writes them to the registry.

The ransomware also writes the session public key to the registry.

The next time the ransomware is launched, it will either use the public key from the registry, or generate a new pair.

 

 

Attached Files

  • Attached File  1.png   42.68KB   0 downloads


#25 kingeope


Posted 20 February 2024 - 01:01 AM

As far as I understand, the virus does not fully encrypt files larger than 4 MB. I don't know if this will help, but I'm writing it as a note.

#26 saladin19

  • Members
  • 3 posts

Posted 20 February 2024 - 10:04 AM

I have the same problem. I paid them, and they told me they needed to access the server again. After accessing it, they told me they couldn't find the key because my Windows was formatted and I installed a new one, but the data is there. They told me to pay more money to generate the key manually, and after I paid they stopped answering me. I need the data urgently. Is there any solution?




#28 quietman7


Posted 20 February 2024 - 10:20 AM

Why would you trust the criminals who encrypted your data in the first place? Negotiating with the ransomware developers is not a good idea and in many cases the criminals have no intention of decrypting files after the ransom is paid. See my comments about victim experiences in Should you pay the ransom? (Post #17) in regards to paying the ransom (which is not advisable) or negotiating with the ransomware developers.




#29 Bokerss

  • Members
  • 134 posts

Posted 21 February 2024 - 03:11 AM

You can inform us of the contact address, so others will know not to trust this variant in case a victim decides to pay the ransom.

> I have the same problem. I paid them, and they told me they needed to access the server again. After accessing it, they told me they couldn't find the key because my Windows was formatted and I installed a new one, but the data is there. They told me to pay more money to generate the key manually, and after I paid they stopped answering me. I need the data urgently. Is there any solution?



#30 saladin19


Posted 21 February 2024 - 05:20 AM

decrypt.computer@gmail.com

network.computer@gmail.com





