SifreCozucu/TurkSifre Ransomware (PC ID: 0019D1B03EAE) Support Topic


64 replies to this topic

#1 polatmp

Posted 04 May 2020 - 06:17 PM

Any files that are encrypted with the older variants of SifreCozucu/TurkSifre Ransomware will have a .__Mail_[<email>]__Site_[<email>] extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) written in Turkish with long names. These are some examples.

.__Mail_[sifre_cozucu@protonmail.com]__Site_[www.dosyacozd4iprkd7.onion]
.
_ONEMLI_LUTFEN_OKUYUNUZ_0019D1B03EEA.TXT
_SIFRE_COZME_ONEMLI_04D4C4211518.TXT

Any files that are encrypted with newer variants of SifreCozucu/TurkSifre Ransomware will have a random 12 hexadecimal character extension (consisting of a PC ID) appended to the end of the encrypted data filename and typically will leave files (ransom notes) written in Turkish with long names which include the same [random 12 hexadecimal character].txt, as explained here by Amigo-A (Andrew Ivanov). These are some examples.

.E03F491BEF51
.04D4C4211518
.075000600000
.BB841E100AFB
.
_ONEMLI_LUTFEN_OKUYUNUZ_E03F491BEF51.txt
_SIFRE_COZME_ONEMLI_04D4C4211518.TXT
_075000600000.txt 
_BB841E100AFB.txt

SifreCozucu/TurkSifre ransomware notes are known to include a 12 character PC ID'NIZ (PC ID).

PC ID : 90CCDFAFE33F 'NIZ
PC ID'NIZ [E03F491BEF51]
PC ID'niz [04D4C4211518]
PC ID'NIZ [2C6E85DFD88D]
PC ID [BB841E100AFB]
PC ID : F81A670B0D1B 'NIZ

 
 
Hi guys
 
SHA1: a33d61fc7e59956dbcaa2c5192d8a99ff7bd9bb3
 
I guess this is new ransomware. Can anybody help me decrypt it?
 
https://drive.google.com/file/d/1tKfnRv14i3DIv9aCK_6CoNSPCnHtu-Rx/edit
 
Thank you so much.


Edited by quietman7, 29 November 2023 - 06:22 AM.
fix link


#2 quietman7


Posted 04 May 2020 - 06:25 PM

Are there any obvious file extensions appended to your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different? Is there an ID number with random hexadecimal characters (.id-A04EBFC2, .id[4D21EF37-2214]) preceding it?

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

 

If you can find the malicious executable that you suspect was involved in causing the infection, you can submit (upload) a sample to VirusTotal and provide a link to the results. Alternatively, it can be submitted here with a link to this topic...it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#3 Demonslay335


Posted 05 May 2020 - 10:10 AM

Looks new, we will need the malware executable to analyze any further.
 
 
Encrypted File: SIRKET.FDB__Mail_[sifre_cozucu@protonmail.com]__Site_[www.dosyacozd4iprkd7.onion]
Ransom Note: _ONEMLI_LUTFEN_OKUYUNUZ.TXT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 DOSYA SIFRESINI COZMEK ICIN OKUYUNUZ..
DOSYALARINIZIN SIFRESINI COZECEK PROGRAMI SATIN ALMAK ISTERSENIZ EGER..

PC ID'NIZ [<redacted 12 uppercase hex>] ILE MAIL ATINIZ : sifre_cozucu@protonmail.com

MAIL ADRESIMIZDEN 3 SAAT ICINDE CEVAP ALAMAZSANIZ EGER

WEB SITEMIZI ZIYARET EDINIZ : http://www.dosyacozd4iprkd7.onion

SITE HATA VERIRSE TEKRAR DENEYINIZ..


WEB SITEMIZ SADECE TOR BROWSER ILE ACILMAKTADIR..

TOR BROWSER INDIRME ADRESI 	: https://www.torproject.org/tr/download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DATA KURTARMA SERVISLERI HAKKINDA BILMENIZ GEREKENLER.!!!
SIFRELEME ISLEMI SIRASINDA BILGISAYARINIZDAN SILINEN TEK BIR DOSYA BILE OLMADI..
SIFRELEME SIRASINDA BUTUN DOSYALARIN USTUNE YAZILDI...
YANI BU, GERI DONUSTURULECEK YADA KURTARILACAK BIR DOSYA YOK DEMEKTIR...
DATA KURTARMA SERVISLERI SADECE SILINEN DOSYALARI,
YADA BOZULAN HDD LERDE KI VERILERI KURTARABILIR.
BASITCE SOYLEMEK GEREKIRSE..
DATA KURTARMA SERVISLERININ BU DURUMA YAPABILECEGI BIR SEY YOK...

YINE DE DATA KURTARMA SERVISLERI YADA PROGRAMLARI KULLANMAK ISTERSENIZ
LUTFEN DOSYALARINIZIN YEDEGINI ALIN..
ALDIGINIZ BU YEDEKLER UZERINDEN ISLEM YAPINIZ VEYA YAPTIRINIZ.
DOSYALARINIZI SILMEYINIZ VE ISIMLERINI DEGISTIRMEYINIZ.
ASIL DOSYALARIN BOZULMASI,
VERILERINIZIN GERI DONULEMEZ SEKILDE ZARAR GORMESINE NEDEN OLACAKDIR.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ransom note English translation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 READ THIS TO DECRYPT YOUR FILES..
IF YOU WANT TO BUY THE PROGRAM THAT WILL DECRYPT YOUR FILES..

SEND AN EMAIL WITH YOUR PC ID [<redacted 12 uppercase hex>] TO: sifre_cozucu@protonmail.com

IF YOU DO NOT RECEIVE AN ANSWER FROM OUR EMAIL ADDRESS WITHIN 3 HOURS

VISIT OUR WEBSITE: http://www.dosyacozd4iprkd7.onion

IF THE SITE GIVES AN ERROR, TRY AGAIN..


OUR WEBSITE CAN ONLY BE OPENED WITH TOR BROWSER..

TOR BROWSER DOWNLOAD ADDRESS: https://www.torproject.org/tr/download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

WHAT YOU NEED TO KNOW ABOUT DATA RECOVERY SERVICES.!!!
NOT A SINGLE FILE WAS DELETED FROM YOUR COMPUTER DURING THE ENCRYPTION PROCESS..
ALL FILES WERE OVERWRITTEN IN PLACE DURING ENCRYPTION...
THIS MEANS THERE IS NO FILE TO UNDELETE OR RECOVER...
DATA RECOVERY SERVICES CAN ONLY RECOVER DELETED FILES,
OR DATA ON DAMAGED HDDs.
PUT SIMPLY..
THERE IS NOTHING DATA RECOVERY SERVICES CAN DO IN THIS SITUATION...

IF YOU STILL WANT TO USE DATA RECOVERY SERVICES OR PROGRAMS
PLEASE MAKE A BACKUP OF YOUR FILES FIRST..
WORK ON THOSE BACKUPS, OR HAVE THE WORK DONE ON THEM.
DO NOT DELETE YOUR FILES OR RENAME THEM.
CORRUPTING THE ORIGINAL FILES
WILL CAUSE IRREVERSIBLE DAMAGE TO YOUR DATA.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Edited by quietman7, 09 September 2023 - 05:59 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
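The file-name conventions summarised in post #1 and the note quoted in post #3 are enough to write a small triage script: classify each file as old-variant (email and .onion host embedded in the extension), new-variant (12-hex PC ID as the extension) or ransom note, and pull the PC ID, contact email and .onion host out of the note bodies so they can be cross-checked and fed to ID Ransomware. This is an added example, not code from the thread or from any of its participants. The regexes follow only the patterns quoted above; the sample file names and the note body at the bottom are constructed for the demonstration, with the PC ID taken from the topic title.

```python
"""Triage helper for the SifreCozucu/TurkSifre naming conventions described in this topic.

Added example, not code from the thread or from any of the participants. The regexes
are derived only from the extension and ransom-note patterns quoted in posts #1 and #3;
the sample inputs at the bottom are constructed for the demonstration.
"""
import re
from typing import Iterable, Optional, Tuple

# Older variant: "<file>.<ext>__Mail_[<email>]__Site_[<onion host>]"
OLD_EXT_RE = re.compile(r"__Mail_\[(?P<mail>[^\]]+)\]__Site_\[(?P<site>[^\]]+)\]$")

# Newer variant: a 12-character hex PC ID appended as the extension, e.g. ".E03F491BEF51"
NEW_EXT_RE = re.compile(r"\.(?P<pcid>[0-9A-F]{12})$")

# Ransom note file names seen in the thread:
#   _ONEMLI_LUTFEN_OKUYUNUZ.TXT, _ONEMLI_LUTFEN_OKUYUNUZ_<ID>.txt,
#   _SIFRE_COZME_ONEMLI_<ID>.TXT, _<ID>.txt
NOTE_NAME_RE = re.compile(
    r"^_(?:(?P<prefix>ONEMLI_LUTFEN_OKUYUNUZ|SIFRE_COZME_ONEMLI)(?:_(?P<id1>[0-9A-F]{12}))?"
    r"|(?P<id2>[0-9A-F]{12}))\.txt$",
    re.IGNORECASE,
)

# Note-body forms: "PC ID'NIZ [E03F491BEF51]", "PC ID : 90CCDFAFE33F 'NIZ", "PC ID [BB841E100AFB]"
PCID_IN_NOTE_RE = re.compile(r"PC ID(?:'NIZ)?\s*[:\[]?\s*(?P<pcid>[0-9A-F]{12})", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ONION_RE = re.compile(r"(?:www\.)?[a-z2-7]{16,56}\.onion", re.IGNORECASE)


def classify_filename(name: str) -> Optional[dict]:
    """Return what the file name alone tells us, or None if it matches neither variant."""
    m = OLD_EXT_RE.search(name)
    if m:
        return {"kind": "encrypted", "variant": "old", "mail": m["mail"], "site": m["site"],
                "original": name[: m.start()]}
    m = NOTE_NAME_RE.match(name)
    if m:
        pcid = m["id1"] or m["id2"]
        return {"kind": "note", "pcid": pcid.upper() if pcid else None}
    m = NEW_EXT_RE.search(name)
    if m:
        return {"kind": "encrypted", "variant": "new", "pcid": m["pcid"],
                "original": name[: m.start()]}
    return None


def parse_ransom_note(text: str) -> dict:
    """Extract PC IDs, contact emails and .onion hosts from a note body."""
    return {
        "pcids": sorted({m["pcid"].upper() for m in PCID_IN_NOTE_RE.finditer(text)}),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "onions": sorted(set(ONION_RE.findall(text))),
    }


def triage(entries: Iterable[Tuple[str, Optional[str]]]) -> dict:
    """entries: (file name, note body or None). Summarise variants, PC IDs and contacts.

    One PC ID shared by note names, note bodies and new-variant extensions is what ties a
    set of files to a single infection; several different IDs mean more than one run.
    """
    summary = {"encrypted": 0, "old_variant": 0, "new_variant": 0, "notes": 0,
               "pcids": set(), "emails": set(), "onions": set(), "unmatched": []}
    for name, text in entries:
        info = classify_filename(name)
        if info is None:
            summary["unmatched"].append(name)
            continue
        if info["kind"] == "note":
            summary["notes"] += 1
            if info["pcid"]:
                summary["pcids"].add(info["pcid"])
            if text:
                parsed = parse_ransom_note(text)
                summary["pcids"].update(parsed["pcids"])
                summary["emails"].update(parsed["emails"])
                summary["onions"].update(parsed["onions"])
        elif info["variant"] == "old":
            summary["encrypted"] += 1
            summary["old_variant"] += 1
            summary["emails"].add(info["mail"])
            summary["onions"].add(info["site"])
        else:
            summary["encrypted"] += 1
            summary["new_variant"] += 1
            summary["pcids"].add(info["pcid"])
    for key in ("pcids", "emails", "onions"):
        summary[key] = sorted(summary[key])
    return summary


# Constructed sample set (not real victim data): names follow the patterns quoted in the
# thread, the note body is the post #3 note with the topic title's PC ID filled in.
SAMPLE_NOTE = (
    "DOSYA SIFRESINI COZMEK ICIN OKUYUNUZ..\n"
    "PC ID'NIZ [0019D1B03EAE] ILE MAIL ATINIZ : sifre_cozucu@protonmail.com\n"
    "WEB SITEMIZI ZIYARET EDINIZ : http://www.dosyacozd4iprkd7.onion\n"
)
SAMPLE_ENTRIES = [
    ("SIRKET.FDB__Mail_[sifre_cozucu@protonmail.com]__Site_[www.dosyacozd4iprkd7.onion]", None),
    ("_ONEMLI_LUTFEN_OKUYUNUZ.TXT", SAMPLE_NOTE),
    ("budget.xlsx.0019D1B03EAE", None),
    ("_0019D1B03EAE.txt", SAMPLE_NOTE),
    ("notes.txt", None),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ENTRIES), indent=2))
```

Run it as-is to see the summary for the constructed sample; to use it on a real case, walk the affected tree, read each file that matches NOTE_NAME_RE, and pass the (name, body) pairs to triage(). The classifier only looks at names and note text, so it never opens or executes the encrypted payloads, which is the right posture when working on a disk image rather than the live host.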


#4 Amigo-A


Posted 05 May 2020 - 01:36 PM

[screenshot]

 

B@H}!ER@ - it's very much like the Muslim name Bahtier

maybe just a coincidence


Edited by Amigo-A, 05 May 2020 - 01:36 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#5 saviorcom


Posted 27 May 2020 - 06:43 PM

Hi!

 

http://prntscr.com/sp266s ransom notes on my PC. I attached a picture of the ransomware files and the ransom note. Please, help me! Thanks. Good working...

 

 

NOTE!

You may post a new topic in the BleepingComputer Ransomware Help forums for further assistance and analysis. Please reference this case number: f3cb05b0112042923ac1cd596f3ab2dbdc866acc1590623300



Edited by saviorcom, 27 May 2020 - 06:49 PM.


#6 quietman7


Posted 27 May 2020 - 06:53 PM

Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) or the Emsisoft website for assistance with identification and confirmation of the infection? ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by file markers if applicable, so try that first. Uploading both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the criminals gives a more positive match with identification and helps to avoid false detections.

Please provide a link to the ID Ransomware results. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 (Michael Gillespie) to manually inspect the files and check for possible file markers.

Please upload the original ransom note and samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison to the following third-party file hosting service and provide a link or send a PM with a link to Amigo-A (Andrew Ivanov) so he can manually inspect them and add to his database.

It is best to compress large files before sharing. When the file has been uploaded, you will see a screen stating that the upload was successful. Right-click on the filename link, select Copy Shortcut and paste the link in your next reply.




#7 Demonslay335


Posted 28 May 2020 - 10:47 AM

Seems to be a new variant of this: https://id-ransomware.blogspot.com/2020/05/sifrecozucu-ransomware.html + https://www.bleepingcomputer.com/forums/t/718631/new-model-ransomware-need-help/

 

We still need the malware itself to analyze.


Edited by Demonslay335, 28 May 2020 - 10:49 AM.



#8 saviorcom


Posted 28 May 2020 - 03:58 PM

 

Hello, Demonslay335.
I have a backup of the disk where the malware is active. How can I find the malware on it? I don't know which file is the malware. I couldn't find an article about this. If you can help, I want to find the file and send it to you. How can I send the file to you without harming anything?


#9 quietman7


Posted 28 May 2020 - 04:07 PM

@ saviorcom

I have merged your postings into this one so we can have a single support topic.



#10 quietman7


Posted 28 May 2020 - 04:12 PM

Topic title changed to reflect naming convention.



#11 Hotman99


Posted 29 May 2020 - 04:58 PM

Delphi or Hidden Tear. I took the samples to be Hidden Tear.

#12 saviorcom


Posted 31 May 2020 - 08:11 AM

 

Hello.
To the attention of @Demonslay335 and @Amigo-A!

We obtained a decryption program by negotiating with the ransomers. As we hoped, we could not get all of our files working, but to a large extent our files became operational. Apart from that, we have determined which file does the encrypting, and we have the files.

I want to send them to you to analyze, and, if possible, so that other victims are not harmed as we were, but I do not know how I can send them safely.

Since the subject has been moved, I am not notified due to the newly written content. For this reason, I will visit the page daily as much as I can and check if a new answer has been written.

Thank you for your attention. I wish everyone healthy days...



#13 quietman7


Posted 31 May 2020 - 08:18 AM

Samples of suspicious executables (installers, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal; then provide a link to the results. Alternatively, you can submit a sample here with a link to this topic... it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with the analysis and investigation by our crypto malware experts.

If you have a working decryptor, you can zip and submit it here with a link to this topic along with a few encrypted files, the private key and anything else the malware writers provided. Our crypto malware experts may be able to get some information to exploit by analyzing it further. While the decryption tool is not as good as analyzing the ransomware itself, it may still provide our experts some information about the encryption format used by the malware developers.




#14 vu06


Posted 31 May 2020 - 09:29 AM

hello, friends

most of my files were encrypted and *.msop was appended to their extensions

how can the encryption be undone, what can I do, I am waiting for your help,

thank you



#15 quietman7


Posted 31 May 2020 - 03:35 PM

hello, friends

most of my files were encrypted and *.msop was appended to their extensions

how can the encryption be undone, what can I do, I am waiting for your help,

thank you

You are dealing with a new variant of STOP (DJVU) Ransomware.
 
If you need to discuss anything related to this ransomware, please post your comments in the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, ...) Support Topic, not here, or read the first page (Post #1) of that topic AND these FAQs for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft Decryptor.

 

 







