CHKLST.RU

Decrypters from Emsisoft

edited June 2017 Section: Ransomware in a noisy crowd
Emsisoft decrypters:
https://decrypter.emsisoft.com/

Emsisoft Decrypter for Nemucod
Use this decrypter if your files have been renamed to *.crypted and you find a ransom note named DECRYPT.txt on your desktop. To use the decrypter you will need an encrypted file of at least 510 bytes as well as its unencrypted version. To start the decrypter, select both the encrypted and the unencrypted file and drag and drop them onto the decrypter executable.
Emsisoft Decrypter for DMALocker2
Emsisoft Decrypter for HydraCrypt
Use this decrypter if your files have been encrypted and renamed to either *.hydracrypt* or *.umbrecrypt*.
Emsisoft Decrypter for DMALocker
Emsisoft Decrypter for CrypBoss
Emsisoft Decrypter for Gomasom
Emsisoft Decrypter for LeChiffre
Use this decrypter if your files have been encrypted and renamed to *.LeChiffre and the ransom note asks you to contact [email protected] via email.
Emsisoft Decrypter for KeyBTC
Emsisoft Decrypter for Radamant
Use this decrypter if your files have been encrypted and renamed to either *.rdm or *.rrk.
Emsisoft Decrypter for CryptInfinite
Use this decrypter if your files have been encrypted and renamed to *.CRINF.
Emsisoft Decrypter for PClock
Emsisoft Decrypter for CryptoDefense
Use this decrypter if the malware identifies itself as CryptoDefense and leaves ransom notes named HOW_DECRYPT.txt behind.
Emsisoft Decrypter for Harasom
Emsisoft Decrypter for Stampado
Emsisoft Decrypter for ApocalypseVM
Emsisoft Decrypter for Apocalypse
Emsisoft Decrypter for BadBlock
Emsisoft Decrypter for Xorist
Use this decrypter if your files have been encrypted by the Xorist ransomware. Typical extensions used by Xorist include *.EnCiPhErEd, *.0JELvV, *.p5tkjw, *.6FKR8d, *.UslJ6m, *.n1wLp0, *.5vypSa and *.YNhlv1. The ransom note can usually be found on the desktop with the name "HOW TO DECRYPT FILES.txt". To use the decrypter you will need an encrypted file of at least 144 bytes as well as its unencrypted version. To start the decrypter, select both the encrypted and the unencrypted file and drag and drop them onto the decrypter executable.
Emsisoft Decrypter for 777
Emsisoft Decrypter for AutoLocky

Comments

  • edited December 2016
    A decrypter has been added:
    [Nov, 29, 2016] - Version: 1.0.0.8
    Emsisoft Decrypter for NMoreira
    NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware. It uses a mix of RSA and AES-256 to encrypt your files. Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!. In addition, the ransomware will create one of the following ransom notes.

    https://decrypter.emsisoft.com/nmoreira

    I tested file decryption on the only sample available so far.
    Starting decryption ...

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar.__AiraCropEncrypted!
    Decryption: Trying to reconstruct encryption key, this will take a bit ...
    Destination file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar
    Status: Successfully decrypted!

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
    Decryption: Successfully recovered encryption keys based on previous key.
    Destination file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip
    Status: Successfully decrypted!

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar.__AiraCropEncrypted!
    Decryption: Trying to reconstruct encryption key, this will take a bit ...
    Destination file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar
    Status: Successfully decrypted!

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\04-2016_подр_6606087 (1).txt.__AiraCropEncrypted!
    Decryption: Trying to reconstruct encryption key, this will take a bit ...
    Could not guess key. Most likely the original file format is not supported.

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
    Decryption: Successfully recovered encryption keys based on previous key.
    Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip
    Status: Successfully decrypted!

    Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx.__AiraCropEncrypted!
    Decryption: Successfully recovered encryption keys based on previous key.
    Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx
    Status: Successfully decrypted!

    Finished!

  • edited January 2017
    The Globe3 decrypter has been added


    [Jan, 4, 2017] - Version: 1.0.0.12
    Emsisoft Decrypter for Globe3
    Globe3 is a ransomware kit that we first discovered at the beginning of 2017. Globe3 encrypts files and optionally filenames using AES-256. Since the extension of encrypted files is configurable, several different file extensions are possible. The most commonly used extensions are .decrypt2017 and .hnumkhotep. To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory. If file names are encrypted, please use the file size to determine the correct file. The encrypted and the original file will have the same size for files greater than 64 kb.

    Due to a bug in the ransomware, decrypted files smaller than 64 kb will be up to 15 bytes larger than the originals. This file size increase is due to the fact, that the ransomware rounds file sizes up to the next 16-byte boundary without saving the original file size. For most file formats this is unlikely to cause problems. However, if your applications complain about corrupted file formats, you may have to manually remove trailing zero bytes at the end of the file using a hex editor.

    https://decrypter.emsisoft.com/globe3


    Decryption key found
    The decrypter detected the following key to be a match for the given file:

    Key:
    C6DE117389F107D2579B10030848DFE8D07419DCA1AA271C861DDC96D9C4A328

    Extension:
    True

    File name encryption:
    [email protected]

    Please keep in mind that there is a slight chance that this key might be wrong. We suggest trying decrypting a few files first to check whether it is working correctly.
    ОК

    Looking for active infection ...
    No active infection was found!


    Encrypted file: E:\deshifr\encode_files\Globe\globe3\10\sample\encode_files\[email protected]
    Destination file: E:\deshifr\encode_files\Globe\globe3\10\sample\encode_files\Hotel.dll
    Status: Successfully decrypted!

    Finished!
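
The Globe3 release note quoted in the comment above says decrypted files under 64 kb can end up with as many as 15 trailing zero bytes. The following Python code is an added example, not part of the post and not Emsisoft's code: it finds that padding and writes a trimmed copy, and goes one step beyond the note by confirming the cut against the PNG or JPEG end marker when the file type is known. The function names, the 65536-byte reading of "64 kb" and the trailer table are assumptions.

```python
from pathlib import Path
from typing import Optional, Tuple

BLOCK = 16                # Globe3 rounds sizes up to this boundary (per the release note)
SMALL_LIMIT = 64 * 1024   # assumption: "64 kb" in the note means 65536 bytes

# End-of-file markers of formats whose true end can be confirmed (assumed table)
TRAILERS = {
    "png": b"IEND\xaeB`\x82",   # IEND chunk type plus its fixed CRC
    "jpeg": b"\xff\xd9",        # EOI marker
}


def padding_candidate(data: bytes) -> int:
    """Number of trailing zero bytes (0..15) that could be Globe3 padding."""
    if len(data) == 0 or len(data) > SMALL_LIMIT or len(data) % BLOCK:
        return 0
    zeros = len(data) - len(data.rstrip(b"\x00"))
    return min(zeros, BLOCK - 1)


def trim_padding(data: bytes, kind: Optional[str] = None) -> Tuple[bytes, bool]:
    """Return (trimmed, verified).

    verified is True only when the cut lands right after a known trailer.
    Without a trailer the zeros are removed as the note suggests, but the
    original may itself have ended in zero bytes, so the result is unverified.
    """
    n = padding_candidate(data)
    if n == 0:
        return data, False
    body = data[:len(data) - n]
    trailer = TRAILERS.get(kind) if kind else None
    if trailer is None:
        return body, False
    if body.endswith(trailer):
        return body, True
    return data, False      # trailer expected but not found: leave untouched


def trim_file(path: str, kind: Optional[str] = None) -> Optional[Path]:
    """Write a trimmed copy next to the decrypted file; never modify the input."""
    src = Path(path)
    original = src.read_bytes()
    trimmed, _ = trim_padding(original, kind)
    if len(trimmed) == len(original):
        return None
    out = src.with_name(src.name + ".trimmed")
    out.write_bytes(trimmed)
    return out


if __name__ == "__main__":
    # Constructed sample: a 21-byte PNG-like blob padded to 32 bytes
    sample = b"\x89PNG\r\n\x1a\n" + b"x" * 5 + TRAILERS["png"]
    padded = sample + b"\x00" * (-len(sample) % BLOCK)
    print(padding_candidate(padded), trim_padding(padded, "png")[1])
```

An unverified result should be opened in the target application before the original decrypted file is discarded.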


  • edited January 2017
    The MRCR decrypter has been added

    [Jan, 12, 2017] - Version: 1.0.0.45
    Emsisoft Decrypter for MRCR

    MRCR or Merry X-Mas is a ransomware family that first appeared in December last year. It is written in Delphi and uses a custom encryption algorithm. Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" as an extension. The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" and asks victims to contact either "[email protected]" or "comodosecurity" via the secure mobile messenger Telegram.

    To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file. The files need to be between 64 KB and 100 MB in size. Select both and drag and drop them onto the decrypter executable to start the process.

    https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/

    https://decrypter.emsisoft.com/mrcr
    In this version the decrypter is unsatisfactory; at least, it does not work correctly for all of the listed extensions (in particular for *.RARE1).
  • DDoS attacks hit Emsisoft over the weekend
    Three days later, on Saturday, January 28, Emsisoft suffered a similar fate, when a DDoS attack hit a specific section of the company's portal, the place where Emsisoft hosts ransomware decrypters.

    Looks like someone DDoSes our decrypter site. Coincides with MRCR devs showing up in our forums. Guess I pissed someone off again. ¯\_(ツ)_/¯
    — Fabian Wosar (@fwosar) January 28, 2017

    Speaking to Bleeping Computer, Emsisoft's CTO Fabian Wosar said the attack clocked in at around 80 Gbps, and its defenses held up just fine, with no downtime to its website.

    "They didn't manage to take the site down," Wosar said. "According to our provider it was a smaller attack of about 80 GBit. It was [...] kinda slow."

    https://www.bleepingcomputer.com/news/security/emsisoft-website-hit-by-ddos-attack-as-company-releases-ransomware-decrypter/
  • edited March 2017
    Emsisoft Decrypter for CryptON and for Damage have been added


    [Mar, 7, 2017] - Version: 1.0.0.33
    Emsisoft Decrypter for CryptON
    Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the CryptON ransomware family, allowing those that have been infected to free their encrypted files without having to pay a ransom.

    Variants of the Russian-originated CryptON ransomware, such as X3M and Nemesis, started to appear on the Bleeping Computer forums from December 2016. All of them seem to be put together using the same “builder”, a term that describes a software application which automates the process of customizing a malware executable.

    http://blog.emsisoft.com/2017/03/07/emsisoft-releases-free-decrypter-for-crypton-ransomware/

    [Mar, 11, 2017] - Version: 1.0.0.12
    Emsisoft Decrypter for Damage

    The decrypter (for Damage) works: the key was eventually computed from a clean/encrypted file pair, and all files were decrypted correctly.
    Encrypted file: E:\deshifr\encode_files\damage\10\encode_files\бесхозяйные вещи исковое заявление.doc.damage
    Destination file: E:\deshifr\encode_files\damage\10\encode_files\бесхозяйные вещи исковое заявление.doc
    Status: Successfully decrypted!

    Finished!
  • edited May 2017
    Emsisoft Releases a Decryptor for the Amnesia Ransomware
    On Saturday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released called CryptoBoss. This family of ransomware was named Amnesia based on the extension appended to encrypted files by the first variant.

    https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decryptor-for-the-amnesia-ransomware/

    [May, 6, 2017] - Version: 1.0.0.25
    Emsisoft Decrypter for Amnesia
  • edited November 2017
    decrypt_Xorist has been updated to version 1.0.0.33
    https://decrypter.emsisoft.com/xorist

    Decryption of variants has been significantly improved.


    I am testing decryption on a sample of the *.id70915 encryptor.

    Emsisoft:
    the key was computed by the tool itself from a clean/encrypted file pair
    Key : DAC1055D494221DB36287C849183EEE2
    Encryption Rounds: 32 
    Start Offset: 62 
    Encryption Limit: 1371077
    Algorithm: TEA
    
    decryption of the test folder: excellent (100%)

    ESET (ESETFilecoderQCleaner.exe v. 3.2.0.7):
    (the key had been obtained beforehand from the virus lab).
    decryption of the test folder: excellent (100%),
    - the downside is that the "/a" option, which computes the key from a group of encrypted documents, does not work in ESETFilecoderQCleaner.exe. That is, the decryption key for this utility can only be obtained from the virus lab.
    [2017.09.16 15:17:15.648] -
    [2017.09.16 15:17:15.648] - ....................................
    [2017.09.16 15:17:15.648] - ..::::::::::::::::::....................
    [2017.09.16 15:17:15.664] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Filecoder.Q
    [2017.09.16 15:17:15.664] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 3.2.0.7
    [2017.09.16 15:17:15.664] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Dec 11 2015
    [2017.09.16 15:17:15.664] - .::EE:::::::::::::SS:.EE..........TT......
    [2017.09.16 15:17:15.664] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
    [2017.09.16 15:17:15.664] - ..::::::::::::::::::.................... 1992-2015. All rights reserved.
    [2017.09.16 15:17:15.664] - ....................................
    [2017.09.16 15:17:16.241] -
    [2017.09.16 15:17:16.241] - INFO: 26 infected files found.
    [2017.09.16 15:17:16.241] - INFO: 26 file(s) cleaned.
    [2017.09.16 15:17:21.966] - End

    LK v2.5.1.0:
    I disabled scanning of hard drives (removable only), but for some reason the utility does not react to this.
    15:27:22.0960 0x06dc Can't init decryptor on file Z:\test_decrypt\keygpg.rar.id70915

    Trend Micro v 1.0.1667 did not even budge after I specified a file pair: encrypted and original.
  • edited 5 Apr
    +

    [Mar, 9, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for BigBobRoss
    BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension ".obfuscated". Some variants also prepend the victim ID to the filename. The ransom note "Read Me.txt" asks the victim to contact "[email protected]".

    https://decrypter.emsisoft.com/bigbobross

    +
    update:

    Version: 1.0.0.2
    Emsisoft Decrypter for BigBobRoss
    BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension ".obfuscated". Some variants also prepend the victim ID to the filename. The ransom note "Read Me.txt" asks the victim to contact "[email protected]".

    We can see that the interface of the Emsisoft decrypters has changed, and the brute-forcer is now launched through the GUI (apparently a result of the collaboration between M. Gillespie and F. Wosar).

    Indeed, that is the case:
    Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com


    We can see that the key can be computed from the ransom note.


    Result:
    Starting...

    Starting...

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Chrysanthemum.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Chrysanthemum.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Desert.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Desert.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Hydrangeas.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Hydrangeas.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Jellyfish.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Jellyfish.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Koala.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Koala.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Lighthouse.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Lighthouse.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Penguins.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Penguins.jpg

    File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Tulips.jpg.obfuscated
    Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Tulips.jpg

    Finished!

    Finished!

    +

    Version: 1.0.0.3
    Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com
    +
    Update: The BigBobRoss decrypter has been updated for the extension ‘.encryptedALL’
    Version: 1.0.0.4
    Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com




  • edited 20 Mar
    +

    [Mar, 19, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for PewCrypt
    PewCrypt is a ransomware written in Java that uses AES and RSA to encrypt a victim's files, adding the extension ".PewCrypt". The malware then asks the victim to subscribe to PewDiePie.

    The author supposedly released this as a "joke" in 2019 - but be assured, ransomware is no joke, ever.

    To use the decrypter, you will require the "AES.key" file left on the desktop by the malware.


    https://decrypter.emsisoft.com/pewcrypt
  • edited 5 Apr
    +

    [Mar, 25, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for HKCrypt
    HKCrypt (also known as "Hacked Ransomware") first appeared in late 2017, and encrypts a victim's files using the RC4 algorithm, then adds the extension ".hacked" to files. The malware pretends to be running a Windows update, then shows a lock screen telling the victim to contact "[email protected]".


    https://decrypter.emsisoft.com/hkcrypt

    p.s.
    1. An example of the encryption on ANY.RUN
    https://app.any.run/tasks/34adc1cd-3b88-43a5-8853-00f42cd614a0
    2. After a break, Emsisoft is again active in creating new decrypters.
    3. Decryption log:
    Starting...

    File: G:\DATA\shifr\encode_files\HKCrypt\AdobeID.pdf.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\AdobeID.pdf

    File: G:\DATA\shifr\encode_files\HKCrypt\autoexec.bat.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\autoexec.bat

    File: G:\DATA\shifr\encode_files\HKCrypt\Click on _Change_ to select default PDF handler.pdf.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\Click on _Change_ to select default PDF handler.pdf

    File: G:\DATA\shifr\encode_files\HKCrypt\DefaultID.pdf.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\DefaultID.pdf

    File: G:\DATA\shifr\encode_files\HKCrypt\Leame.htm.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\Leame.htm

    File: G:\DATA\shifr\encode_files\HKCrypt\license.html.hacked
    Decrypted: G:\DATA\shifr\encode_files\HKCrypt\license.html

    Finished!

  • edited 5 Apr
    +

    [Apr, 1, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for Aurora
    Aurora is a ransomware family that encrypts files using XTEA and RSA, and may also be known as "Zorro", "Desu", or "AnimusLocker". Known extensions include ".Aurora", ".aurora", ".animus", ".ONI", ".Nano", and ".cryptoid".

    The malware leaves many ransom notes, examples include "!-GET_MY_FILES-!.txt", "#RECOVERY-PC#.txt", and "@[email protected].txt".


    https://decrypter.emsisoft.com/aurora

    p.s. Here too we can see that the new decrypter is a result of the collaboration between M. Gillespie and Emsisoft.

    https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/
  • edited 8 Apr
    +

    [Apr, 4, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for Planetary
    Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com
    Planetary is a ransomware family that uses AES-256 to encrypt files, adding the extension ".mira", ".yum", ".Neptune", or ".Pluto" to files - the latter of which give this ransomware its name. The ransom note "!!!READ_IT!!!.txt" then asks the victim to contact "[email protected]".


    https://decrypter.emsisoft.com/planetary
    +
    An interesting observation:
    This week Emsisoft released a decrypter for the Planetary ransomware family that lets victims decrypt their files for free. This ransomware family is called Planetary because it usually uses the names of planets for the extensions added to encrypted file names.

    When encrypting files, the extension .mira, .yum, .Pluto or .Neptune is appended to the name of the encrypted file. For example, if a file named test.jpg was encrypted, it will be renamed to test.jpg.Pluto.

    The latest variant adds the extension .mira, named after a fictional planet from a video game...

    https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/
  • edited 12 Apr
    +
    [Apr, 11, 2019] - Version: 1.0.0.0
    Emsisoft Decrypter for CryptoPokemon
    Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com


    CryptoPokemon uses SHA256 and AES-128 to capture victim's files, and adds the extension ".CRYPTOPOKEMON". The victim is then presented a ransom note and website claiming to be "PokemonGO".

    The ransom note "!INFO.CRYPTOPOKEMON.log"

    https://decrypter.emsisoft.com/cryptopokemon