Bitcoin Ransomware



Luckily, it seems the encryption keys have been found and there is a tool to decrypt .wallet files and retrieve your data.

https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/

That link will give you the fine details/instructions; here are mine in short form.

Download this tool: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe

Run it. This will take a while, and hopefully your files are back. There is one point when running the program where there are two checkboxes; leave both checked when you run the scan.

Kaspersky also has a tool to decrypt .wallet files: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip I would probably give Kaspersky a shot first, as it is newer; however, both should do the job just fine.

Just now, Circaflex said:

Luckily, it seems the encryption keys have been found and there is a tool to decrypt .wallet files and retrieve your data.

https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/

That link will give you the fine details/instructions; here are mine in short form.

Download this tool: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe

Run it. This will take a while, and hopefully your files are back. There is one point when running the program where there are two checkboxes; leave both checked when you run the scan.

Is it recommended to wipe/reimage the system after, or do tools like Malwarebytes and the decryption software do a good enough job?

Just now, Edrick Smith said:

Is it recommended to wipe/reimage the system after, or do tools like Malwarebytes and the decryption software do a good enough job?

If it were my machine, or a friend's, I would wipe and start over; however, if you like a good project and are tech savvy enough to replace system files, you can probably fix it enough with Malwarebytes and some manual repair. Totally up to you; everyone values their time differently.

3 minutes ago, Edrick Smith said:

The Avast tool is coming back with "Invalid Password or decryption key".

It says [[email protected]]-id-BAC_wallet

Give the Kaspersky tool a try; I believe it was a little newer.

http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip

According to that link, via the email method (as I've stepped away from the computer right now), it says the following based on that email address. However, the extensions it lists for BTCWare don't match my .wallet:

BTCWare PayDay

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

ransomnote_email: [email protected]

Click here for more information about BTCWare PayDay

Just now, Edrick Smith said:

According to that link, via the email method (as I've stepped away from the computer right now), it says the following based on that email address:

BTCWare PayDay

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

ransomnote_email: [email protected]

Click here for more information about BTCWare PayDay

Did you upload a sample encrypted file?

OK, you may have the same thing as this poor gent (new BTCWare variant with .wallet extension) ...

https://www.bleepingcomputer.com/forums/t/668054/new-btcwware-variant-with-wallet-extension/

Which, if it is a newer variant ... according to Bleeping Computer:

"Unfortunately, newer variants of BTCWare are AES-256 versions of the malware which uses a different RSA-1024 key and are not decryptable unless you pay the ransom and get the private AES key from the criminals. There is no way to bruteforce the key for any of these versions."

If the encrypted file sample comes back with the same ransomware variant ... yeah ... you may want to take a look at Bleeping Computer. Obviously, don't pay the ransom, but you may have to blow up the hard drive.

Edit: I really wish Microsoft would release some sort of preventative measures for this crud. Not sure how they can ... but dang if this wouldn't tick me off to no end. Some are getting installed via brute force of RDP. /rant off
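As an added illustration (not BTCWare's code, and not from the post or the Bleeping Computer article it quotes), the Go program below shows the key structure that quote is describing: every file is encrypted under a fresh random AES-256 key, and that key is then wrapped with an RSA public key whose private half only the criminals hold. A decryptor like the Avast or Kaspersky tools above only works once that private key (or the master key it derives from) is released. The struct layout, AES-GCM, RSA-OAEP and the 2048-bit key size are assumptions made for this demo; the thread's variant reportedly used RSA-1024. The file content is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptedFile is what a hybrid-encryption ransomware leaves behind for each
// file: the content under a fresh symmetric key, plus that key wrapped with
// the criminals' RSA public key. The field layout is an assumption for this demo.
type encryptedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted under the attacker's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // file content, AES-256-GCM
}

// generateKeypair stands in for the criminals' key generation. 2048 bits is
// used here; the BTCWare variant quoted in the thread reportedly used RSA-1024.
func generateKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptFile needs only the public key, which is why the malware can run on
// the victim's machine without ever holding the secret that reverses it.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*encryptedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key, fresh per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key so that only the matching RSA private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &encryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// decryptFile is the step a decryptor performs once the matching private key is
// available. With any other key the unwrap fails, and the 256-bit file key is
// not recoverable by brute force.
func decryptFile(priv *rsa.PrivateKey, ef *encryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, err := generateKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a victim's file.
	ef, err := encryptFile(&attacker.PublicKey, []byte("2017 accounts.xlsx (sample content)"))
	if err != nil {
		panic(err)
	}
	// The victim holds no private key; a key of their own does not help.
	victim, _ := generateKeypair()
	if _, err := decryptFile(victim, ef); err != nil {
		fmt.Println("victim without the attacker's private key:", err)
	}
	// Once the private key is released (as happened for the .wallet Crysis keys),
	// a decryptor can unwrap each file key and restore the content.
	plain, err := decryptFile(attacker, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the released private key: %s\n", plain)
}
```

The point for a victim: a released decryptor is only a program that already contains (or downloads) the private key for one specific campaign. If the variant's private key has not been released, as ID Ransomware reported for BTCWare PayDay above, no tool can reverse the wrap, which is why the advice is to keep the encrypted files and wait.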

3 hours ago, Jim K said:

I really wish Microsoft would release some sort of preventative measures for this crud. Not sure how they can ... but dang if this wouldn't tick me off to no end. Some are getting installed via brute force of RDP. /rant off

Who puts RDP Internet facing? VPN + RDP is the only way I roll.
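The brute-force-of-RDP route Jim K mentions leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (4624) from the same address. The Go program below, an added example that is not from any post in this thread, runs that detection over a constructed, simplified flattening of those events (one event per line: time, event ID, logon type, target user, source IP). The line format, the 5-failures-in-10-minutes threshold and the sample addresses are assumptions for the demo; on a real host the events would come from the Security log (for example via Get-WinEvent) rather than from a string slice.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample log (not real data), one logon event per line:
//   <RFC3339 time> <EventID> <LogonType> <TargetUserName> <IpAddress>
// 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
var sampleLog = []string{
	"2017-05-12T03:00:01Z 4625 10 Administrator 203.0.113.9",
	"2017-05-12T03:00:03Z 4625 10 admin 203.0.113.9",
	"2017-05-12T03:00:05Z 4625 10 administrator 203.0.113.9",
	"2017-05-12T03:00:07Z 4625 10 backup 203.0.113.9",
	"2017-05-12T03:00:09Z 4625 10 Administrator 203.0.113.9",
	"2017-05-12T03:00:11Z 4625 10 Administrator 203.0.113.9",
	"2017-05-12T03:02:40Z 4624 10 Administrator 203.0.113.9", // got in
	"2017-05-12T08:15:00Z 4625 10 jsmith 192.0.2.44",         // one typo
	"2017-05-12T08:15:30Z 4624 10 jsmith 192.0.2.44",
	"2017-05-12T09:00:00Z 4625 3 svc_backup 192.0.2.10", // network logon, not RDP
}

type logonEvent struct {
	at        time.Time
	eventID   int
	logonType int
	user      string
	ip        string
}

// Alert is one finding: either a brute-force burst or a success following one.
type Alert struct {
	IP    string
	Kind  string // "rdp-brute-force" or "success-after-brute-force"
	Count int    // RDP failures recorded for this IP when the alert fired
	At    time.Time
}

func parseLine(line string) (logonEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return logonEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return logonEvent{}, err
	}
	id, err := strconv.Atoi(f[1])
	if err != nil {
		return logonEvent{}, err
	}
	lt, err := strconv.Atoi(f[2])
	if err != nil {
		return logonEvent{}, err
	}
	return logonEvent{at: at, eventID: id, logonType: lt, user: f[3], ip: f[4]}, nil
}

// analyze flags any source IP with at least `threshold` RDP logon failures
// inside a sliding `window`, and flags again if that IP later logs on successfully.
func analyze(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	failures := map[string][]time.Time{} // per-IP failure times still inside the window
	flagged := map[string]bool{}
	var alerts []Alert
	for _, raw := range lines {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.logonType != 10 { // only RemoteInteractive (RDP) logons matter here
			continue
		}
		switch ev.eventID {
		case 4625:
			ts := failures[ev.ip]
			cutoff := ev.at.Add(-window)
			i := 0
			for i < len(ts) && ts[i].Before(cutoff) { // drop failures that aged out
				i++
			}
			ts = append(ts[i:], ev.at)
			failures[ev.ip] = ts
			if len(ts) >= threshold && !flagged[ev.ip] {
				flagged[ev.ip] = true
				alerts = append(alerts, Alert{IP: ev.ip, Kind: "rdp-brute-force", Count: len(ts), At: ev.at})
			}
		case 4624:
			if flagged[ev.ip] { // a successful RDP logon after a brute-force burst
				alerts = append(alerts, Alert{IP: ev.ip, Kind: "success-after-brute-force", Count: len(failures[ev.ip]), At: ev.at})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := analyze(sampleLog, 10*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-26s %s (%d RDP failures)\n", a.At.Format(time.RFC3339), a.Kind, a.IP, a.Count)
	}
}
```

On the sample, 203.0.113.9 trips the brute-force alert at its fifth failure and then a second alert when it logs on successfully; the single failed logon from 192.0.2.44 and the non-RDP failure from 192.0.2.10 produce nothing. The "success-after-brute-force" finding is the one that matters for a ransomware case: it marks the moment the attacker had an interactive session, which is where the timeline for what ran next should start.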

50 minutes ago, Edrick Smith said:

I've uploaded a file and the .txt instruction file, and it confirmed it is as listed above, with no method of unlocking.

I don't want to say you're SOL ... but I think you're kinda SOL. If there isn't a decrypter, then the only thing you can do is hold out and hope one becomes available, or blast the drive (when in doubt ... C4 ... though it might be overkill).

Someone might have a better opinion ... or you could pose the question at Bleeping and see what they say. But no decrypter = no files.

Hello,

Contact the anti-malware company whose software is on the client's box, and explain the situation to them. They should tell you what artefacts (forensic info like logs, samples of encrypted files, a copy of the ransom note, wallpaper, etc.) they need in order to tell you whether or not the system can currently be decrypted. Even if the answer is "no" right now, it may be possible that some event in the future allows for decryption. I'd also suggest removing the drive and putting a new one in, as that leaves the old drive with its encrypted files intact if needed for insurance and legal purposes.

Regards,

Aryeh Goretsky
