
Solved without decryption: CryLock Helpme! Email phandaledr@onionmail.org

Hello,

Please wait for a while. We are trying to define the type of ransom. It is different from the one we could easily decrypt.
 
While you wait please get us logs:

Download Farbar Recovery Scan Tool (or from the mirror) and save it to your Desktop. Rename the file FRST64.exe to FRST64English.exe and run it.

Press Scan button and wait.
At the end of the scan you'll get FRST.txt and Addition.txt in the same folder you started the program from. Attach these logs to your next post.
 
If you can find this file
C:\Users\IEUser\Documents\B6\svchost.exe
please pack it (or zip it) with a password and send it to me in a private message.

After that please do following:

  • Disable any antivirus until reboot.
  • Highlight the following code (or just press the "Copy" button in the right corner):
    Code:
    Start::
    HKLM\...\Run: [svchost] => C:\Users\IEUser\Documents\B6\svchost.exe [669696 2022-10-26] () [File not signed] <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
    HKLM\...\Policies\system: [legalnoticecaption] WARNING!!!
    HKLM\...\Policies\system: [legalnoticetext] YOUR SYSTEM IS ON THE OUTER EDGES OF THE GALAXY. YOU HAVE BEEN HACKED, CONTACT US FOR ASSISTANCE.
    HKU\S-1-5-21-3362513661-1936243222-2702562252-500\...\Run: [4238336F0BB9109014556D0C84BF5B81] => C:\Users\IEUser\Documents\B6\svchost.exe [669696 2022-10-26] () [File not signed] <==== ATTENTION
    HKU\S-1-5-21-3362513661-1936243222-2702562252-500\...\Run: [6E0E9B22BDC52B2BD8286071E6E4B56E] => c:\Users\Administrator\AppData\Local\Temp\1\how_to_decrypt.hta [12357 2022-11-22] () [File not signed] <==== ATTENTION
    IFEO\utilman.exe: [Debugger] C:\Windows\system32\cmd.exe
    2011-10-10 00:11 - 2011-10-10 00:11 - 000012303 _____ () C:\Program Files\how_to_decrypt.hta
    2011-10-10 00:22 - 2011-10-10 00:22 - 000012303 _____ () C:\Program Files (x86)\how_to_decrypt.hta
    2011-10-10 00:00 - 2011-10-10 00:00 - 000012303 _____ () C:\Program Files\Common Files\how_to_decrypt.hta
    2011-10-10 00:11 - 2011-10-10 00:11 - 000012303 _____ () C:\Program Files (x86)\Common Files\how_to_decrypt.hta
    2011-10-10 00:24 - 2011-10-10 00:24 - 000012303 _____ () C:\Users\Administrator\AppData\Roaming\how_to_decrypt.hta
    2011-10-10 00:24 - 2011-10-10 00:24 - 000012303 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\how_to_decrypt.hta
    2011-10-10 00:23 - 2011-10-10 00:23 - 000012303 _____ () C:\Users\Administrator\AppData\Local\how_to_decrypt.hta
    FirewallRules: [{FCCC6065-B87E-4907-949F-CAA074E00D03}] => (Allow) LPort=1755
    FirewallRules: [{A8C2C7CD-1E7E-42B6-8F7A-12869B26FE53}] => (Allow) LPort=41775
    FirewallRules: [{AD9CB65D-2BCF-466C-A7C0-06CB8C6F3C14}] => (Allow) LPort=1750
    End::
  • Copy the highlighted code.
  • Run FRST64English as administrator.
  • Press the Fix button and wait. The program will create Fixlog.txt. Attach it to your next post after the system restart.
Reboot the system manually.

Read details in this guide.
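The fix list above removes one family of leftovers: Run-key entries pointing at an unsigned binary under a user profile and at the ransom-note HTA, policy keys that disable Defender and Windows Update, a planted logon banner, an Image File Execution Options "Debugger" on utilman.exe (which hands out a SYSTEM cmd.exe from the logon screen, also over RDP), the how_to_decrypt.hta notes, and three inbound firewall allow rules. The following PowerShell audit is an added example, not part of the thread and not FRST code: it checks those same persistence classes after the fix and reboot, or on other hosts in the same network, and returns every hit as an object. It assumes PowerShell 5.1 on Windows 10 / Server 2016 or later and an elevated session; the list of accessibility binaries, the "hash-like value name" and "no program bound" heuristics, and the function name Get-PersistenceResidue are my assumptions, while the concrete indicators (svchost.exe under Documents, the utilman.exe debugger, how_to_decrypt.hta, LPort-only allow rules) come from the log in the post.

```powershell
# Added example: post-fix audit of the persistence classes removed by the FRST fix list above.
# Not part of the thread and not FRST code. Assumes PowerShell 5.1, Windows 10 / Server 2016+,
# and an elevated session. Binary list and heuristics are assumptions, not FRST's logic.
function Get-PersistenceResidue {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Category, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
    }

    # 1. Run keys in HKLM and in every currently loaded user hive (HKU only shows loaded hives).
    #    Flag .hta targets, binaries under a user profile, hash-like value names and unsigned files,
    #    i.e. the traits FRST marked with "[File not signed] <==== ATTENTION".
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }             # provider metadata (PSPath, PSChildName, ...)
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $why = @()
            if ($exe -match '\.hta$')              { $why += 'HTA autostart' }
            if ($exe -match '^[A-Za-z]:\\Users\\')  { $why += 'binary in user profile' }
            if ($p.Name -match '^[0-9A-F]{32}$')    { $why += 'hash-like value name' }
            if ($exe -and (Test-Path -LiteralPath $exe) -and
                (Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $why += 'not signed' }
            if ($why) { Add-Finding 'Run key' "$key\$($p.Name)" "$cmd ($($why -join ', '))" }
        }
    }

    # 2. IFEO "Debugger" on accessibility binaries. utilman.exe -> cmd.exe, as in the log, launches a
    #    SYSTEM shell from the logon screen (Win+U, also over RDP): a sticky-keys style backdoor.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($bin in 'utilman.exe','sethc.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe') {
        $dbg = (Get-ItemProperty -Path "$ifeo\$bin" -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO debugger' "$ifeo\$bin" $dbg }
    }

    # 3. Policy keys FRST reported as "Restriction". The fix deletes the whole keys, so list every value
    #    under them; on a domain-managed host compare against the expected GPO before acting.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate') {
        if (-not (Test-Path $key)) { continue }
        foreach ($k in @(Get-Item $key) + @(Get-ChildItem -Path $key -Recurse)) {
            foreach ($name in $k.GetValueNames()) {
                Add-Finding 'Policy restriction' $k.Name "$name = $($k.GetValue($name))"
            }
        }
    }

    # 4. Logon banner planted by the attacker.
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'legalnoticecaption','legalnoticetext') {
        $v = (Get-ItemProperty -Path $sysPol -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { Add-Finding 'Logon banner' "$sysPol\$name" $v }
    }

    # 5. Ransom notes dropped into program and profile directories (depth-limited to keep it fast).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) +
             @((Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue).FullName)
    foreach ($root in $roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'how_to_decrypt.hta' -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'Ransom note' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }

    # 6. Inbound allow rules bound to a local port but to no program or service, like the three LPort
    #    rules in the log. Legitimate rules (RDP, SMB) match too, so review rather than delete blindly.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        if ($port.LocalPort -ne 'Any' -and $app.Program -eq 'Any' -and $svc.Service -eq 'Any') {
            Add-Finding 'Firewall rule' "$($_.Name) ($($_.DisplayName))" "Allow inbound $($port.Protocol) LPort=$($port.LocalPort)"
        }
    }
    return $findings.ToArray()
}

$residue = @(Get-PersistenceResidue)
if ($residue.Count -eq 0) { 'No residual persistence found.' }
else { $residue | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Pipe `$residue` to `Export-Csv` to keep a record per host. An empty result after the fix and reboot is the check that the fix list did its job; a non-empty result on a host that was never "fixed" is the sign the same operator has been there too. Policy values and port-only allow rules are not malicious by themselves, so each hit in categories 3 and 6 needs a comparison against the host's known baseline before anything is removed.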
 
As I suggested before, this is not CryLock, but WaspLocker.
Unfortunately there is no decryption for this.
 
I'm very sorry, but yes - there is no other known way to decrypt without the private key.
If you need to get back the databases, you can contact the people from S.lab, see this topic:
 
Just a clarification about the type of ransom - this is CryLock generic. And it is not decryptable, unfortunately.
 