A forum for reverse engineering, OS internals and malware analysis 

 #13657  by Fabian Wosar
 Sun Jun 03, 2012 2:58 am
Thanks Quads. I tried the samples you provided using my decrypter and the encrypted files were decrypted just fine after I imported the user's decryption keys to my registry :).
 #13658  by Quads
 Sun Jun 03, 2012 3:07 am
I have also just tried it by importing the key on a Win 7 system, right-clicking the decrypt tool and selecting "Run as Admin..", and it also decrypted the files fine.

It may be good to disable the AV so there's no interference during the scan.

Quads
 #13659  by Fabian Wosar
 Sun Jun 03, 2012 3:11 am
There shouldn't be any incompatibilities, but it will most definitely speed up the decryption process quite a bit :).
 #13680  by Quads
 Mon Jun 04, 2012 12:51 am
One user has the encrypted files but the Winlogon key has no password line.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="AppData\\Local;AppData\\LocalLow;$Recycle.Bin"
"BuildNumber"=dword:00001db1
"FirstLogon"=dword:00000000
"ParseAutoexec"="1"
"id"="697"

Quads
 #13988  by Quads
 Thu Jun 14, 2012 7:57 pm
I got this message haha

Hello
I am from the creator of this virus. I would like to inform you that you will not get help in deciphering the files or on this forum, on any else. Decrypt files can only know the password and nothing else. This password will only know we are!
With regard to the program which has provided Quads... it worked because of errors in the first version of the virus. This error occurs very rarely and was immediately corrected.
I would also like to inform you that we occasionally reset our database and after a reset to restore your data will not be able to no one. If your files you really need them you have a last chance.
Best Regards
 #13989  by Fabian Wosar
 Thu Jun 14, 2012 8:16 pm
He is correct. The newer versions of this crypto malware no longer save the password from the ransomer's server to the registry. It is written to the disk temporarily though (ccrypt.txt and ccrypt.txt.enc), but as soon as the encryption of all suitable files is finished, the text files are overwritten and finally deleted. So unless you were able to stop the malware before it finished encrypting all files, or unless the malware crashed halfway through the process so that either ccrypt.txt or ccrypt.txt.enc is still intact, you won't be able to find the necessary password.
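The two checks the last few posts describe (does the user's exported Winlogon key still contain the saved password, and are ccrypt.txt / ccrypt.txt.enc still intact on disk) can be scripted for triage. The block below is an added example written for this thread; it is not Fabian's decrypter or any tool from the forum. Two things are assumptions, since the thread does not state them: the saved password is a string value under the Winlogon key whose name contains "password" (the exact value name is never quoted), and the temporary key files are literally named ccrypt.txt and ccrypt.txt.enc. The sample export is a constructed copy of the one Quads posted, with a placeholder password value added to the second variant.

```python
import os
import re
import shutil
import tempfile

# Registry key the thread says older variants wrote the password into.
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Temporary key files named in Fabian's post; taken as literal file names (assumption).
KEY_FILES = {"ccrypt.txt", "ccrypt.txt.enc"}


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}. Handles "name"="string", dword:, hex:
    (including ',\\' line continuations) and the @ default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):            # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex"):
            value = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
        else:
            value = data
        keys[current][name] = value
    return keys


def find_saved_password(reg_text):
    """Return (value_name, value) for a Winlogon value whose name contains 'password', else None."""
    for name, value in parse_reg_export(reg_text).get(WINLOGON_KEY, {}).items():
        if "password" in name.lower():
            return name, value
    return None


def find_key_file_remnants(root):
    """Walk `root` and return [(path, size)] for every ccrypt.txt / ccrypt.txt.enc found.
    The malware overwrites these before deleting, so a hit is only useful if its
    content still decrypts; this just tells you whether there is anything left to try."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in KEY_FILES:
                p = os.path.join(dirpath, f)
                hits.append((p, os.path.getsize(p)))
    return sorted(hits)


# Constructed copy of the export Quads posted above (no password value present).
EXPORT_WITHOUT_PASSWORD = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="AppData\\Local;AppData\\LocalLow;$Recycle.Bin"
"BuildNumber"=dword:00001db1
"FirstLogon"=dword:00000000
"ParseAutoexec"="1"
"id"="697"
'''
# Constructed variant with a placeholder password value (name and value are assumptions).
EXPORT_WITH_PASSWORD = EXPORT_WITHOUT_PASSWORD + '"password"="PLACEHOLDER-NOT-A-REAL-KEY"\n'


def demo_remnant_scan():
    """Build a throw-away tree with a constructed ccrypt.txt.enc remnant and scan it."""
    root = tempfile.mkdtemp()
    try:
        tmp = os.path.join(root, "Users", "victim", "AppData", "Local", "Temp")
        os.makedirs(tmp)
        with open(os.path.join(tmp, "ccrypt.txt.enc"), "wb") as fh:
            fh.write(b"\x00" * 64)          # stand-in for a leftover encrypted key file
        with open(os.path.join(root, "Users", "victim", "notes.txt"), "w") as fh:
            fh.write("unrelated file")
        return [(os.path.basename(p), size) for p, size in find_key_file_remnants(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("old export:", find_saved_password(EXPORT_WITHOUT_PASSWORD))
    print("with password:", find_saved_password(EXPORT_WITH_PASSWORD))
    print("remnants:", demo_remnant_scan())
```

On a real machine you would feed `find_key_file_remnants` the drive root (or the user profile) rather than the constructed tree, and paste the victim's actual .reg export into `find_saved_password`.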
 #13991  by Quads
 Thu Jun 14, 2012 8:51 pm
One user was able to get the pics back by using PhotoRec / TestDisk, which means the original was deleted, and data recovery software like PhotoRec works to find the deleted personal files.

Found a free data recovery version for people by EASEUS

Quads
 #14037  by Quads
 Sun Jun 17, 2012 1:27 am
What happens if you do this? It worked on one system.

Windows 7 64 bit,
I went to c:\users\(my username), right-clicked and chose Properties. I then clicked the Previous Versions tab. Guess what, there was a backup from just minutes before the encryption started. I opened it and looked and everything was there. I copied everything to another drive for safe keeping, then proceeded to replace my files, about 20K of them. Searching for *.crypt helped delete the bad guys.

Quads
 #20703  by Blaze
 Tue Sep 03, 2013 1:36 pm
New version so it seems, I'll be on the lookout for any droppers. Anyone seen this new version as well?
Warning! Access to your computer is limited. Your files has been encrypted.

Have you already see that your files are encrypted and desktop locked?

Please don't panic and send us angry emails or scare us to send claims in police, fbi or others - this is useless.

Please read this instruction carefully, then you will get answers to most of your questions.

We don't answer to questions which already was answered in this instructions. Do not waste our and your time.

Our minimal price for your files is 3000$ USD.
Information to persons who believe that professionals can decrypt files:

**** Now only WE can get you the true password to decrypt all your files.

You can write to Dr.Web, Eset, Panda and other antivirus and security or datarestore companies, but now this is useless. This "Anti-Child Porn Spam Protection - 2.0 version" you have is from 22.03.2013 - more than 5 month passed and no one helped to get password or decrypt files. Yes, we know there was the vulnerability to generate password in previous version using our software folders names which was generated using the same pseudorandom generator which was generate passwords.

Now to generate folders names didn't using any generators. Also password generates using both generators pseudorandom plus cryptographic safe pseudorandom generator.

If you will not pay us forgot about your files forever. Password generation vulnerability fixed and there is using rar AES archives with very strong password and this is unreal to crack. If you don't believe read forums about rar - there are only one way to crack it - use bruteforce, but this is only in theory, because to brute passwords like used by us it's need trillions years even if you will use all computers in the World.

May be you think that you can find password on your server? No, password will be copied by us and securely deleted. Source files also secure deleted - data restore software will not help you.

Of course you don't believe in our words, so read forums or ask cryptologists. Now files encrypted using our software (winrar + very strong password using new right and safe generation method) is locked forever, no one will help you, all talks like - We can't help now but we will write you if we will found the method to generate password etc. is bullshit. If it was possible to get password and decrypt it was be already done, but more than 5 month passed and no results. They just does not want to recognize their full rout.

Also you can read on bleepingcomputer.com forum about multi-round sha-1 degradation method which was using to generate password in previous version this is bullshit post to deceive us, we already know the true vulnerability and was successefully fixed it.

P.S. Our software is don't like others encryptors which usually will be cracked and files will be decrypted within 1-2 weeks. Don't try to use decrypt tools for other encryptors, this is really bullshit to believe that this will be help. Our software is unique and now called: "Anti-Child Porn Spam Protection - 2.0 version from 22.03.2013" previous version called simple "Anti-Child Porn Spam Protection".

Other info about Why you locked, Our Guarantees about decrypt your files after payment, About payment and other info you can read below, just scroll down.

Latest Updates (lesson learned, bugs fixed).

You have Antichild Spam Porn Protection 2.0 from 22.03.2013. What's new?

1. Now we have 2 randomly generated cryptographic safe passwords, unlike the previous version when it will be a chance to generate passwords in certain circumstances. Now generating password is impossible in all cases.

2. Now files are encrypted using 2 randomly generated cryptographic safe passwords from 80 to 114 characters long, unlike one 55 characters long password and not cryptographic safe pseudorandom number generator in he previous version.

Now password look's like this:

First password: 9DF19AB897351C2A0A0FE18A6A73722EDM66BSAl3jBe2a3K8L275j34525b3&E=4RDP4-9y8Q1j3zDa9G9u3bD04t4dFuEO7M2%4zFT
( 104 characters long)

Second password: 6B1783B4656C5433B430F2CC28070B4E6^1HDq9JEV1+9L0SFr9(6aDu3rF8Cg6X7gC3F#D07LAxFgAD7&9G1%6S4k4YFzEm7^2g4PF*C%9y2T92
(112 characters long)

**** Now only WE can get you the true password to decrypt all your files.

You will read in this instructions about:

1. Why?

2. Our Guarantees

3. General Info

4. About Payment

5. How to get your data back

6. How decrypt process working

1. Why?

We have detected spam advertises illegal sites with child pornography from your computer.
This contradicts law and harm other network users and in this case we have to do next steps:

1. Block access to your desktop.

2. Encrypt your files using Advanced Encryption Standard and 256 symblols randomly generated password and delete source files using DOD 5220.22-M.
(DOD 5220.22-M is the Department of Defense clearing and sanitizing standard - You cant recover your files - NEVER).

3. Sent this randomly generated password to our secure server and delete this password from your computer. (you cant get this password -NEVER)

This password is unique for each computer and stored on our secure server(and then erasing from this server and sending to us) and in each encrypted file.

**** Warning! Don’t delete any our software config files, because it can start encrypt process again and we can’t get you warranty that we will decrypt all your files! In this case you may be loose part of your files forever. If you dont know what to do - better do nothing. ****

2. Our Guarantees

You can send one encrypted file (jpg or bmp or other picture, no a document or not any important file for you) to us and as soon as we decrypt them we send them to you and it will proof that we are able to decrypt them all. Please don't send us important data like databases etc. to decrypt, because if we will decrypt it and send to you - you will pay us 0$.

We had decrypt databases files to some people and after this they did not pay us any money.
After you will pay us, sure we give you passwords and decrypt tool and of course you can decrypt all your files including databases files.

To send file to us better use sendspace.com (just upload and send link to us) because gmail can block any .exe extensions.

Our guarantee is your decrypting file.

So we dont need to lock your files forever, we just need a money for our work.

Also send us your ID number.

3. General Info

You will need to buy some ecurrency (equal 3000$ USD) in some internet payment system. 3000$ USD is a minimal price and cannot be less, no any discounts even if you need only 1 file. When we get payment we will send you passwords and decryption tool to unlock all your files.

You can send files or your computer to any experts or antivirus companies, recovery companies but you just lose your time, money and nerves.

You can go to the police or fbi or other departments - but this is will not help you, we are working about 12 month and no one can trace us, because we are working using chain of servers in different countries and using only offshore ecurrency internet payment systems as payment method (We will not accept Western Union or Bank transfer directly to us, because this is not secure for us.) and withdrawal money using anonymous offshore bank accounts and ATM cards belong to other people.

4. About Payment

You will need to buy some ecurrency (equal 3000$ USD) in some internet payment system. We will not accept Western Union or Bank transfer directly to us, because this is not secure for us. Contact us and we will give you payment instructions.

5. How to get your data back

You have already see files like for example database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe
This is about 256 symbols password protected AES archive contains your file.

You just need password to decrypt it and get your original file from this archive.

How encrypt process working:

1. For example database.mdb is source file wich will encrypted to database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe

2. Then original file database.mdb secure deleted from your disk drive using sectors owerwriting.

3. Original file database.mdb now in AES password protected archive.

This is impossible to crack archive with password like this (this is NOT 6-8 symbols simple password, and have trillions combinations to bruteforce and 1000000's years to brute it).

This passwords is unique and randomly generated for each computer.

We also take care to secure delete password from your system, previously had copy password to our database of course.

After payment (and once again, ONLY after payment) we will get you passwords and decrypt tool, so you will not need to decrypt each file manualy. Just run it on your server and your files will be decrypted on all disk drives.

6. How decrypt process working

1. You will put 2 passwords given by us in decrypt tool and start it.

2. Our decrypt tool scan your disk drives for files like database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe

3. Encrypt files like database.mdb(!! to get password email id 1111111 to ouremail@gmail.com !!).exe, so you will get unencypted original file database.mdb

4. Delete decrypted database.mdb(!! to get password email id 1111111 to ouremail@gmail.com !!).exe because you will not need more decrypted file, you will have your original source file database.mdb

Also we will get you desktop unlock code and you can run decrypt tool.

Thank You.

Your ID Number and our contacts (please write down this data):

Your Id #: XXXXXXXXXXXX Our special service email: afsecinfo@gmail.com
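The note above describes exactly what an encrypted file looks like on disk: the original name with "(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe" (or "(!! to get password ... !!).exe") appended, and a password-protected WinRAR archive inside. That is enough to write a scanner that inventories affected files, recovers the original file names and the victim ID the note asks for, and confirms whether each file really is a RAR self-extractor or just a renamed stub. The block below is an added example for this thread, not the attacker's tool or anything from the forum. It assumes the container is a RAR SFX (a PE stub followed by the archive, so the "Rar!" signature appears somewhere after the MZ header); the note only says "winrar + very strong password", so the real layout is an assumption. The sample files are constructed in a temporary directory.

```python
import os
import re
import shutil
import tempfile

# Both name variants quoted in the note, e.g.
#   database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe
#   database.mdb(!! to get password email id 1111111 to ouremail@gmail.com !!).exe
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\(!! to (?:decrypt|get password) email id "
    r"(?P<victim_id>\d+) to (?P<email>[^\s!]+) !!\)\.exe$",
    re.IGNORECASE,
)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def parse_encrypted_name(filename):
    """Return {original, victim_id, email} if the name matches the ransomware pattern, else None."""
    m = ENCRYPTED_NAME.match(filename)
    if m is None:
        return None
    return {"original": m.group("original"),
            "victim_id": m.group("victim_id"),
            "email": m.group("email")}


def find_rar_signature(path, limit=4 * 1024 * 1024):
    """Search the first `limit` bytes for a RAR signature (an SFX is a PE stub followed
    by the archive). Returns (offset, 'rar4' | 'rar5') or (-1, None)."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    best = (-1, None)
    for kind, magic in (("rar4", RAR4_MAGIC), ("rar5", RAR5_MAGIC)):
        off = head.find(magic)
        if off != -1 and (best[0] == -1 or off < best[0]):
            best = (off, kind)
    return best


def scan_tree(root):
    """Inventory every file under `root` whose name matches the pattern, noting whether
    it starts with a PE header and where (if anywhere) the RAR archive begins."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            info = parse_encrypted_name(f)
            if info is None:
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                info["is_pe"] = fh.read(2) == b"MZ"
            info["rar_offset"], info["rar_kind"] = find_rar_signature(path)
            info["path"] = path
            results.append(info)
    return sorted(results, key=lambda r: r["path"])


def victim_contacts(results):
    """Distinct (victim_id, email) pairs seen in the file names; the note asks for the ID."""
    return sorted({(r["victim_id"], r["email"]) for r in results})


def demo_scan():
    """Constructed sample tree: one plausible SFX, one renamed stub without an archive,
    and one untouched document. Returns the scan results (paths are temporary)."""
    root = tempfile.mkdtemp()
    try:
        sfx = b"MZ" + b"\x00" * 254 + RAR4_MAGIC + b"\x00" * 32      # archive at offset 256
        stub = b"MZ" + b"\x00" * 64                                 # no archive at all
        samples = {
            "database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe": sfx,
            "photo.jpg(!! to get password email id 1111111 to ouremail@gmail.com !!).exe": stub,
            "report.docx": b"untouched",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for r in demo_scan():
        print(r["original"], r["victim_id"], r["is_pe"], r["rar_offset"], r["rar_kind"])
```

A file that matches the name pattern but has no RAR signature (the second sample) is worth flagging separately during incident response: it is either a different container than the note claims or a damaged file, and in both cases the "just run the decrypt tool" story from the note would not apply to it.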