Proxima/BlackShadow Ransomware (.proxima, .BlackShadow, .X) Support Topic


38 replies to this topic

#1 zjdaher (Members, 7 posts)

Posted 13 February 2023 - 06:18 AM

Any files that are encrypted with Proxima Ransomware will have a .Proxima, .Cylance, .Lattice, .Phalcon extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) named PROXIMA_README.txt, CYLANCE_README.txt, LATTIVE_README.txt, PHALCON_RECOVER.txt.

Any files that are encrypted with Proxima/BlackShadow will have a .BlackShadow, .BlackSh, .BlackStore, .ZeroCool, .Black, .X, .Gomez, .Jarjets, .Daniel, .Xray, .Mikel, .Tisak, .SNet, .Jack, .uploaded, .transferred, .Antoni, .sysinfo, .Sezar, .Lambda, .[random 9].Synapse (GbFk7VeUI.Synapse), .arthur extension appended to the end of the encrypted data filename as explained here by rivitna (Andrey Zhdanov) and here by Amigo-A (Andrew Ivanov).

Proxima/BlackShadow typically will leave files (ransom notes) named #FILE ENCRYPTED.txt, BlackSh_Help.txt, BlackShadow_Help.txt, BlackStore_Help.txt, ZeroCool_Help.txt, Black_Recovery.txt, X-Help.txt, Gomez_Recover.txt, Jarjets_ReadMe.txt, Off_Help.txt, Daniel_Help.txt, Xray_Help.txt, Tisak_Help.txt, Mikel_Help.txt, Jack_Help.txt, DecryptNote.txt, Recovery_Instructions.txt, HOW_TO_RESTORE_FILES.txt, Antoni_Recovery.txt, Sezar_Recovery.txt, LAMBDA_README.txt, [random 9].README.txt (GbFk7VeUI.README.txt), Arthur_help.txt.

In some cases the ransom notes include the same appended extension_Help.txt as part of the note's name.

Hello;

We've been hit by Proxima Ransomware. Does anyone have help in decrypting the files?
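The extension and ransom-note lists quoted in the pinned description above are what a responder wants in a triage script before collecting samples for ID Ransomware, so here is one as an added example; it is not code posted in this thread or by any of the researchers named above. It relies only on the Python standard library, treats the .OFF extension reported later in this topic as part of the list, assumes the `[random 9]` part is nine alphanumeric characters as in the GbFk7VeUI sample, and builds a constructed sample tree instead of touching real data.

```python
import re
import tempfile
from pathlib import Path

# Extensions and ransom-note names quoted in this topic (pinned description plus the .OFF
# case in post #13), compared case-insensitively; the lists are triage indicators only.
ENCRYPTED_EXTS = {
    "proxima", "cylance", "lattice", "phalcon", "blackshadow", "blacksh", "blackstore",
    "zerocool", "black", "x", "gomez", "jarjets", "daniel", "xray", "mikel", "tisak", "snet",
    "jack", "uploaded", "transferred", "antoni", "sysinfo", "sezar", "lambda", "arthur", "off",
}
NOTE_NAMES = {
    "proxima_readme.txt", "cylance_readme.txt", "lattive_readme.txt", "phalcon_recover.txt",
    "#file encrypted.txt", "blacksh_help.txt", "blackshadow_help.txt", "blackstore_help.txt",
    "zerocool_help.txt", "black_recovery.txt", "x-help.txt", "gomez_recover.txt", "jarjets_readme.txt",
    "off_help.txt", "daniel_help.txt", "xray_help.txt", "tisak_help.txt", "mikel_help.txt", "jack_help.txt",
    "decryptnote.txt", "recovery_instructions.txt", "how_to_restore_files.txt", "antoni_recovery.txt",
    "sezar_recovery.txt", "lambda_readme.txt", "arthur_help.txt",
}
# "[random 9].README.txt" notes and ".[random 9].Synapse" suffixes; assumes 9 alphanumerics
RANDOM9_NOTE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$", re.I)
RANDOM9_EXT = re.compile(r"\.[A-Za-z0-9]{9}\.Synapse$", re.I)


def classify(name):
    """Return 'note', 'encrypted' or None for a single file name."""
    low = name.lower()
    if low in NOTE_NAMES or RANDOM9_NOTE.match(name):
        return "note"
    if low.endswith("_help.txt") and low[:-9] in ENCRYPTED_EXTS:  # "<ext>_Help.txt" notes
        return "note"
    stem, _, ext = low.rpartition(".")  # the ransomware suffix follows the real extension
    if (stem and ext in ENCRYPTED_EXTS) or RANDOM9_EXT.search(name):
        return "encrypted"
    return None


def scan_tree(root):
    """Inventory notes and encrypted files under root; paths are relative to root."""
    found = {"note": [], "encrypted": []}
    for path in root.rglob("*"):
        kind = classify(path.name) if path.is_file() else None
        if kind:
            found[kind].append(path.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in found.items()}


def demo():
    root = Path(tempfile.mkdtemp())  # constructed sample tree, not real victim data
    for rel in ("docs/Q1.xlsx.BlackShadow", "docs/X-Help.txt", "web/app.js.OFF", "web/Off_Help.txt",
                "db/site.mdf.GbFk7VeUI.Synapse", "db/GbFk7VeUI.README.txt", "db/clean.txt"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed sample")
    return scan_tree(root)
```

Run `scan_tree(Path("/path/to/share"))` on a copy of the affected volume; the inventory tells you which note and which extension to report, and which files to keep untouched for later analysis.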



#2 zjdaher (Topic Starter)

Posted 13 February 2023 - 06:21 AM

All files are encrypted with .proxima, and the sender's domains are onionmail.org and cyberfear.com.



#3 quietman7 (Bleepin' Gumshoe, Global Moderator, 62,740 posts)

Posted 13 February 2023 - 08:42 AM

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?

Proxima Ransomware uses the .proxima extension and leaves ransom notes named Proxima_Readme.txt.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#4 zjdaher (Topic Starter)

Posted 13 February 2023 - 08:44 AM

[~] Proxima Ransomware

>>> What's happened?
    ALL YOUR FILES ARE STOLEN AND ENCRYPTED.
    To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us.

>>> What guarantees?
    Before paying you can send us a small-sized file (a non-important file), and we will decrypt it for free as guarantee.

>> How will the decryption process proceed after payment?
    After payment, we will send you our decryption program + detailed instructions for use. With this program, you will be able to decrypt all your files.
    If some files has encrypted but not renamed; these files will be restored after the decryption procedure is completed.

>>> CONTACT US:
    Please write an email to: XXX@onionmail.org and XXX@cyberfear.com
    Write this ID in the title of your message: XXXX

>>> ATTENTION!
    Do not rename or modify encrypted files.
    Do not try to decrypt using third party software, it may cause permanent data loss.
    Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
    We use hybrid encryption, no one can restore your files except us.
    remember to hurry up, as your email address may not be available for very long.
    All your stolen data will be loaded into cybercriminal forums/blogs if you do not pay ransom.

 


Edited by zjdaher, 13 February 2023 - 08:56 AM.


#5 quietman7 (Global Moderator)

Posted 13 February 2023 - 08:47 AM

There is no known method that I am aware of to decrypt files encrypted by Proxima Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#6 zjdaher (Topic Starter)

Posted 13 February 2023 - 08:49 AM

On one of the servers the readme file has a key in it. Assuming it is the key, how can it be used to try and decrypt?



#7 zjdaher (Topic Starter)

Posted 13 February 2023 - 08:51 AM

I know it's a long shot and perhaps it's not the key, but you never know.



#8 quietman7 (Global Moderator)

Posted 13 February 2023 - 09:03 AM

The public key alone, which encrypted the files, is useless for decryption.

If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files, or back up/save your encrypted data as is and wait for a possible solution at a later time.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#9 zjdaher (Topic Starter)

Posted 13 February 2023 - 09:10 AM

Sorry to post again. Below is the readme from one of the servers that has the key in it. In all the messages I saw online for ransomware, none had a key at the bottom of the readme. That is why I suspect it might be an issue in the actual ransomware program displaying the private key used. I replaced XXX below.

[~] Proxima Ransomware

>>> What's happened?
    ALL YOUR FILES ARE STOLEN AND ENCRYPTED.
    To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us.

>>> What guarantees?
    Before paying you can send us a small-sized file (a non-important file), and we will decrypt it for free as guarantee.

>> How will the decryption process proceed after payment?
    After payment, we will send you our decryption program + detailed instructions for use. With this program, you will be able to decrypt all your files.
    If some files has encrypted but not renamed; these files will be restored after the decryption procedure is completed.

>>> CONTACT US:
    Please write an email to: XXX@onionmail.org and XXX@cyberfear.com
    Write this ID in the title of your message: XXX

>>> ATTENTION!
    Do not rename or modify encrypted files.
    Do not try to decrypt using third party software, it may cause permanent data loss.
    Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
    We use hybrid encryption, no one can restore your files except us.
    remember to hurry up, as your email address may not be available for very long.
    All your stolen data will be loaded into cybercriminal forums/blogs if you do not pay ransom.

======
KEY: 4OlYWpvbfH/BhH9bYdVsnr8h4Aq6FP9NeAz0EEKvz6I2JdRR1OM5fWJNGjdFVldsQwWvEzRvayF8oqkemzEANCkabVBndxioiyk9F9+XuMxpcvuqZVvm93wzLXIie5cjXDeZ5g==



#10 quietman7 (Global Moderator)

Posted 13 February 2023 - 09:25 AM

Malware developers typically use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals, ensuring it is much harder to break unless, at some point, law enforcement authorities track down and arrest the criminals, seize the C2 server, and find and release the private RSA decryption keys to the public.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#11 zjdaher (Topic Starter)

Posted 14 February 2023 - 05:52 AM

I have attached the readme and an encrypted file; perhaps someone has the expertise to identify the variant or a decryption tool.

Thanks.


#12 TwoPack (Members, 6 posts)

Posted 14 February 2023 - 03:42 PM

Hello

Really this kind of encryption requires a powerful algorithm without the online key... because it is not necessary... and it is useless...!



#13 nichbeau (Members, 4 posts)

Posted 21 October 2023 - 07:57 PM

Hi Everyone,

We are just a small family business, basically NFP... :(

We have received the following on our server, along with all files having a .OFF extension and being encrypted.

We have tried a few ransomware decrypt tools and looked around, but there is very little about this extension of ransomware.

//Extract from Off_Help.txt file

System ID: 9E1BD5BA4CACEBEA

We have stored all your data on our servers and locked them with the __Off__ suffix.
Your files have not been damaged or infected by virus; they are just inaccessible.

IF you want your files back,
contact us at the following email addresses:
etc..

I have also attached an example of an encrypted file; it is just one of the js files we use for our site. We can get back this type of file from backup, it is just an example. The issue is our encrypted MsSql database files on the server.

Any help or advice would be very very much appreciated.

Take care out there,
Nick


#14 quietman7 (Global Moderator)

Posted 21 October 2023 - 08:32 PM

Please submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.

Please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND their original (unencrypted) files in a "zip file" for comparison so Amigo-A (Andrew Ivanov) or Demonslay335 (Michael Gillespie) can manually inspect them and possibly confirm the infection if either of them sees this topic.

To attach files, click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.


#15 nichbeau (Members, 4 posts)

Posted 21 October 2023 - 10:28 PM

Thank you for your reply.

I am trying to find more encrypted vs decrypted files.
In the meantime:

Attached is the original ransomware request file.

Attached are original and decrypted image files as examples.

Thank you for your time...

I will look for more.
