my files encrypted with rename file with .encrypted extensions

Status
Not open for further replies.

SHAMSHAD ALAM

New Member
May 21, 2021
8
Respected All, my desktop files are encrypted with the .encrypted extension and out of reach. Any solution? Please help.
Example of file name: "Filename.docx.encrypted". A new text file is also created with the following text:

All your important files were encrypted with a military-grade key, only our software can recover them.

Do not try to recover your files with any other software, because you could damage them and lose them forever.

You can send us one test file to decrypt, if you need proof for our decryptor, before buying it.

Our contact: d........@......... . ...

with a key ID too

please help.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
I am Karsten and will help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Can you please provide an encrypted file and a ransom note for inspection?
You can upload them to a file sharing service like Filebin and post the link here.
 

SHAMSHAD ALAM

Thanks a lot for your reply/response. Your provided link Filebin says "The storage capacity is reached and new file uploads will be rejected. Please come back later."

I am also in contact with their provided email. They told me to purchase decryptor software. I have asked for the price / cost and am waiting for their reply.

What process and procedures would you take to resolve the issue? Please describe here.
 

struppigel

Okay, I guess this file sharing service is not ideal for our purposes. Please do the following to upload one encrypted file and one ransom note to VirusTotal. I can grab the files from there for inspection.

VirusTotal Upload
  • Please go to VirusTotal.com.
  • Click Choose File and locate your file in question.
  • It may ask you for confirmation. If it does, click Confirm upload.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste it in your next reply.

I am also in contact with their provided email. They told me to purchase decryptor software. I have asked for the price / cost and am waiting for their reply.

What process and procedures would you take to resolve the issue? Please describe here.

First we need to find out the ransomware family. The encryption of some ransomware families is flawed and those files could be decryptable or recoverable. In those cases you can get your files back without paying the ransom. To do that I will check your uploaded files for markers of known ransomware families as well as indicators that the encryption is weak.

The criminals of course want your money and you cannot know if they will actually decrypt your files after getting your money. For that reason we recommend not paying them. If you should decide on paying, at the very least make sure they can decrypt: ask them for proof before you pay.
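
The kind of first-pass check described in the post above, sketched as an added example; it is not part of the original thread and not the moderator's own tooling. It collects the appended extension, the note's fields and any file regions that do not look encrypted. The 4 KiB chunk size, the 7.0 bits/byte threshold and all sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter
from pathlib import PurePath

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, much lower for plain text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def low_entropy_regions(blob: bytes, chunk: int = 4096, threshold: float = 7.0):
    """(offset, entropy) of full chunks that do not look encrypted."""
    regions = []
    # A short trailing chunk cannot reach high entropy, so only full chunks count.
    for off in range(0, len(blob) - chunk + 1, chunk):
        h = shannon_entropy(blob[off:off + chunk])
        if h < threshold:
            regions.append((off, round(h, 2)))
    return regions

def parse_note(text: str) -> dict:
    """Note fields worth reporting. The Key ID identifies the victim, it is not a key."""
    m = re.search(r"Key ID:\s*(\S+)", text)
    try:
        id_len = len(base64.b64decode(m.group(1), validate=True)) if m else None
    except ValueError:  # value after "Key ID:" is not valid base64
        id_len = None
    return {"has_contact_line": "Our contact:" in text, "key_id_bytes": id_len}

def triage(file_name: str, blob: bytes, note: str) -> dict:
    """Combine file and note observations into one report for the helper."""
    report = parse_note(note)
    report["appended_extension"] = PurePath(file_name).suffix
    report["plaintext_regions"] = low_entropy_regions(blob)
    return report

# Constructed sample data, not taken from a real infection.
def pseudo_cipher(n: int) -> bytes:
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

SAMPLE_NOTE = ("Our contact: someone@example.invalid\nKey ID:\n"
               + base64.b64encode(pseudo_cipher(128)).decode() + "\n")
FULL = pseudo_cipher(12288)  # looks encrypted throughout
PARTIAL = pseudo_cipher(8192) + (b"Quarterly report draft. " * 171)[:4096]
```

Compressed formats such as .docx are high-entropy even when untouched, so an empty `plaintext_regions` list proves nothing on its own; a non-empty one is the finding worth reporting to the helper.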
 

SHAMSHAD ALAM

Dear Friend,

I have searched Google for my encrypted files; the ransomware family is the MedusaLocker ransomware family. The study is attached herewith. Please go through it, and help me if you could. Thanks.
 

struppigel

MedusaLocker encrypted files cannot be decrypted without a key, unfortunately.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software. The chances are slim that either of those works.
2) Wait: Back up encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this.
3) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.
 

SHAMSHAD ALAM

But I have a key.txt file too.
Code:
HOWTORECOVERMYFILE.TXT SAYS
All your important files were encrypted with a military-grade key, only our software can recover them.

Do not try to recover your files with any other software, because you could damage them and lose them forever.

You can send us one test file to decrypt, if you need proof for our decryptor, before buying it.

Our contact: ----------@----.COM
Key ID:
OJ/DSn1amvRUpB5xC9LV/eKnZTpsniF1npqSyWLO07YWp0pwlsIX14oJlROzvBiCcghg7FUUclXb70tbG+J1+9ro/a2suWZTnrkx9Tf56Qs2WWh14BE5QP7stj7akEjCUlqIdGIvXGnjVf1oG6VMtazrzsOpLAsEvTte0P9IZ9g=


IS IT THE KEY YOU ARE LOOKING FOR? PLEASE HELP
 

struppigel

Hello. This is NOT your key. It is your key identification. The ransomware threat actors use this identification to know which of their keys is yours. They have one for every infected system. You only get the key if you pay them.
 

struppigel

I will leave this thread open for 5 more days in case there are any additional questions. After that I will close it.
 

SHAMSHAD ALAM

1- Shadow Explorer, data recovery did search my lost files, but no recovered files are opening; error opening files.
2- I can't wait, I need the files.
3- I can't pay them, they are not replying to my email....
 

SHAMSHAD ALAM

I am sorry but there is nothing we can do to help you.
I have got some idea from here, the forum Hidden Tear: Análisis del primer Ransomware Open Source

and from here, rajkotraja/ransomeware-example.

It is all with code and an explanation video, and I observed how the encryption worked.

I am looking to autopsy my PC and check:
1- Which URL is used to send the key.
2- To get access to the file on that web server where the key is stored.
3- Get all the keys and try the above GitHub decryptor with all the keys I find at their web server.
4- One key must work for it, perhaps.

These are the tasks I need your help with, if possible, so are you there to help?
 

struppigel

HiddenTear is decryptable because the encryption algorithm has flaws. The ransomware that encrypted your files works completely differently. It is not HiddenTear and it does not have those flaws.
There is currently no way for us to decrypt your files.
 