Checkmate Ransomware (.checkmate) Support Topic

DecAns

Can you help to sikich with problem?

Edited by Amigo-A, 10 June 2022 - 03:41 AM.

Can you help to sikich with problem?

I cannot decrypt all files, I can only partially repair jpeg files. Repaired files that were in the encrypted_pics.zip archive.

Edited by DecAns, 10 June 2022 - 03:57 AM.

I cannot decrypt all files

 

I know it. Thank you. 

Edited by Amigo-A, 10 June 2022 - 05:16 AM.

rohitsecres

There are no samples. There are only encrypted files.

OK thanks for the info

Topic title changed to reflect naming convention and direct other victims to this support topic.

I forgot to say, me need at least one original unencrypted file from these files.

Sorry for the delayed answer, but there is no unencrypted samples (until now) . Today i'll ask my clients to find (if they can) several unencrypted files for the comparison. 

Can any please provide the sample for deep analysis purpose, would be great

Today i'll try to provide some files ... 

here are two encrypted files and their originals

sikich

Did you read the DecAns post?

https://www.bleepingcomputer.com/forums/t/773059/checkmate-ransomware-checkmate-support-topic/?p=5370288

DecAns restored the image files with his method. They could be fixed, but document files cannot be recovered by this method.

Edited by Amigo-A, 13 June 2022 - 10:37 AM.

@Amigo-A

Hope somebody to get lucky with that wonder. Waiting for the dark side to be defeated ! 

When dealing with ransomware, in some cases the use of file recovery software may be helpful to recover (not decrypt) some of your original files but there is no guarantee that it it work. However, it never hurts to try in case the malware did not do what it was supposed to do. It is not uncommon for ransomware infections to sometimes fail to encrypt all data, fail to leave ransom notes, fail to delete all shadow copy snapshots, add an extension but fail to encrypt files or only execute partial encryption of large files especially if the encryption process was interrupted by the victim (i.e. shutting down the computer), encountered encryption glitches, involved shoddy malware programming code or was hindered by installed security software. Again, Data recovery does not decrypt encrypted data.
 
See my comments in this this topic (Post #15) for more specific details about decryption vs the possible use of data recovery software.

Although it never hurts to try this approach, in the end most victims may have no choice but to backup/save encrypted data as is and wait for a possible solution at a later time. 
 
As with most ransomware the best solution for dealing with encrypted data after an infection is to restore from backups.

The most important files are tables, documents and drawings, photos are in last place.

 

Yes, that's understandable. These files should have a different recovery algorithm when they are partially damaged. There are tools that can recover files when they are partially damaged but not encrypted. I have already tried various tools that promise recovery miracles, but after encryption they fail. In the best case, out of 100 encrypted files, 1-2 can be restored. Probably when the encryption is affected by minor sectors. 

If your drawings were duplicated and saved as normal images, then the genius of DecAns will recover such files as well. Then negotiate with him. But DWG drawings and others are still not jpg a priori.

Edited by Amigo-A, 16 June 2022 - 01:35 AM.

@quietman7 
Thanks for the advice, we've already tried this before I started the topic. Ransom was active all night and all data was encrypted. Just to remind you, the recovery software tries to recover only deleted files. The encrypted file was not deleted, it was simply changed. I'm sure you know that very well. But as people say: It never hurts to try ;-) About backups.... i can't say anything ...

@Amigo-A 

As I said in my previous post, we try different tools and methods ... Drawings are not exported as images or pdf and this method is not an option. Even the drawing was exported as images, the images doesn't include measurements and other stuff... so the situation is complicated. In this case, there are no backups. 
 

Thanks both of you  

Hi, my files were also encrypted by them. For me the most important files are pictures and videos. I have tried "jpegMedic awre 2" and it works for photos. Do you know a similar software for videos?