ID Ransomware - Identify What Ransomware Encrypted Your Files


1513 replies to this topic

#1501 xetic


Posted 12 September 2024 - 12:56 AM

This is a new variant of N3ww4v3/Mimic Ransomware.
 

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Thanks... could the data be corrupted because we shut down the server? And we can't encrypt the files?




#1502 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 12 September 2024 - 05:46 AM

The encryption process could be interrupted if the system was shut down. Corruption can occur for a variety of reasons.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#1503 Milind2602


Posted 28 September 2024 - 05:22 PM

Hello,
 

I recently became a victim of a ransomware attack, and many of my important files have been encrypted. I am a student and, unfortunately, I can't afford to pay the ransom being demanded. I’m reaching out to see if anyone here can help me recover these files.

 

I have attached a sample of the ransom note as well as a few of the encrypted files. Based on the extension and the note, I’m hoping someone may recognize the ransomware variant and possibly suggest a solution.

 

Any assistance, advice, or available decryptor tools would be greatly appreciated. I'm also looking for any guidance on what steps to take next to prevent further damage.

 

Contents of #Recovery.txt

!!!Your files have been encrypted!!!
To recover them, please contact us via email:
Write the ID in the email subject
 
ID: C2E5F089BFA2793AD0481346B1528A9A
 
Email 1: dbrecover@onionmail.com
Email 2: dbrecover@cock.li
 
To ensure decryption you can send 1-2 files (less than 1MB) we will decrypt it for free.
 
IF 48 HOURS PASS WITHOUT YOUR ATTENTION, BRACE YOURSELF FOR A DOUBLED PRICE.
WE DON'T PLAY AROUND HERE, TAKE THE HOURS SERIOUSLY.


Attached Files



#1504 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 28 September 2024 - 05:53 PM

The contents of your ransom note look very similar to those we have seen with Proton/Shinra Ransomware, and #Recovery.txt is one of several names used by the criminals.
 
Any files that are encrypted with newer variants of Proton/Shinra Ransomware will have the original filename changed to a [random 10 character string] appended with another extension and typically leave files (ransom notes) named #Restore-files.txt, #Read-for-recovery.txt, #Recovery.txt. These are some examples.

NujOwF2blk.SHINRA3
7gTgMV7H6w.SHINRA2
kukAR2wJan.h0rus13
Jfcx6BBy2e.Datablack

Your encrypted files follow the same pattern.

7YOWoA2GNZ.dbrecover
g4CX7MqAbf.dbrecover
lkBtk8Z8VO.dbrecover
w6zgUeB7xf.dbrecover

Most Proton/Shinra ransom notes are known to include two attacker email addresses and a long string of hexadecimal characters comprising a personal ID.

ID: EE55EEFCCD20456BEAC1884B1E246367
Personal ID: D97ED7F82CED120F
Your id: - 54829582CBFBDF76C744AE4BABEDBB737YOWoA2GNZ
>>>>> Your personal ID: D997A6BB89E365E296A76EF03D527698 <<<<<

Your ransom note includes two attacker email addresses and a long string of hexadecimal characters comprising a personal ID.

ID: C2E5F089BFA2793AD0481346B1528A9A

However, these two emails have also been used before and can be found in the Attackers List compiled by rivitna (Andrey Zhdanov).

Email 1: dbrecover@onionmail.com
Email 2: dbrecover@cock.li

rivitna (Andrey Zhdanov) can inspect the encrypted files and confirm.




#1505 Milind2602


Posted 28 September 2024 - 06:14 PM

Hello quietman7

 

Thank you so much for your prompt response and analysis. I appreciate you identifying the ransomware as likely being a Proton/Shinra variant.

 

It makes sense, given the pattern of the encrypted files and the details you’ve mentioned, including the ransom note and the attacker emails. I’ll wait for further inspection and confirmation from rivitna regarding the encrypted files.

 

Thanks again for your assistance. I look forward to hearing more from the team soon.


Edited by Milind2602, 28 September 2024 - 06:17 PM.


#1506 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 28 September 2024 - 06:29 PM

You're welcome.
 
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.




#1507 rivitna

Security Colleague

Posted 29 September 2024 - 10:16 AM

Milind2602

 

quietman7 is right! Your files are encrypted using Shinra ransomware



#1508 Matrixcod


Posted 01 October 2024 - 01:20 PM

Hello,
I have a problem with a ransomware. It encrypted all my files.

I can't find any information on this
 
Thanks to anyone who can help me
 

Attached Files



#1509 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 01 October 2024 - 02:03 PM

Contents of 8MNKRqUah.README.txt ransom note

All your files are encrypted!!!

You will not be able to decrypt on your own! The only way to recover your files is to get a decryptor and a unique decryption key.
Only with the help of a decryptor you can return all your data to its original state.
To make sure we have a decryptor and it works, you can send an email to: buydecoder@nerdmail.co and decrypt one file for free.
But that file doesn't have to be valuable!
Are you sure you want to recover the files?
Telegram: @data_decrypt
https://t.me/data_decrypt
Email: buydecoder@nerdmail.co
Reserved email: stop@onionmail.com
Warning.
       * Do not rename encrypted files.
       * Do not try to decrypt data with third-party software, it may cause irreversible data loss.
Your personal decryption ID: EFA665188FF58B9C10674ACF00C0453D

 

If .8MNKRqUah is the extension appended to your encrypted files, then this is a new variant of LockBit 3.0 Black / CriptomanGizmo ransomware (used by affiliate or non-LockBit affiliates) which will have a random 9 alpha-numerical character extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name. These are some examples.

.hZiV1YwzR
hZiV1YwzR.README.txt
.3WbzmF0CC
3WbzmF0CC.README.txt
.JxxLLpPns
JxxLLpPns.README.txt

In your case, the random 9 char naming format of your README.txt ransom note together with the same random 9 alpha-numerical char extension appended to your encrypted files are similar to what we have seen with this ransomware. 

.8MNKRqUah
8MNKRqUah.README.txt

Most LockBit 3.0 Black/CriptomanGizmo ransom notes are known to include a long string of hexadecimal characters comprising a personal Decryption ID.

Your personal DECRYPTION ID: 495927C9CC58D8A36B47827EAE1AEA72
»» Your personal DECRYPTION ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
Decryption ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
YOU LOCK-ID: 7565BD6495000673051C5B6F24EE1B30

 Your ransom note contents are similar to what we have seen with this ransomware and includes a personal Decryption ID like those listed above.

Your personal decryption ID: EFA665188FF58B9C10674ACF00C0453D

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.


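The two posts above (#1504 on Proton/Shinra and #1509 on LockBit 3.0 Black / CriptomanGizmo) describe each family by its file-naming convention and by the shape of its ransom note. The following script is an added example written for this page; it is not code from BleepingComputer, ID Ransomware, or any poster. It turns those descriptions into a small triage helper: one function pulls the hex ID and contact addresses out of a note body, the other checks a directory listing against both naming patterns. The lengths (10-character base names, 9-character extensions, `<ext>.README.txt` notes, the three Proton/Shinra note names) come from the posts; the assumption that the random strings are plain ASCII alphanumerics, the minimum hex-ID length of 16, and the rule that a match requires the ransom note to be present are choices made here. The Proton/Shinra sample note and file names are the ones quoted in posts #1503 and #1504; the LockBit directory listing is constructed for the example.

```python
import re

# Naming patterns as described in the posts, generalized into regexes.  The
# lengths come from the posts; the [A-Za-z0-9] character class is an assumption.

# Proton/Shinra: original filename replaced by a random 10-character string plus
# an attacker-chosen extension (e.g. NujOwF2blk.SHINRA3), note named as below.
SHINRA_FILE = re.compile(r"^[A-Za-z0-9]{10}\.[A-Za-z0-9]+$")
SHINRA_NOTES = {"#Restore-files.txt", "#Read-for-recovery.txt", "#Recovery.txt"}

# LockBit 3.0 Black / CriptomanGizmo: original filename kept, a random
# 9-character alphanumeric extension appended, note named <same 9 chars>.README.txt.
LOCKBIT_FILE = re.compile(r"^.+\.(?P<ext>[A-Za-z0-9]{9})$")
LOCKBIT_NOTE = re.compile(r"^(?P<ext>[A-Za-z0-9]{9})\.README\.txt$")

# Personal / decryption IDs in both families are long hexadecimal strings.
# The minimum length of 16 is an assumption (the posts show 16 and 32).
HEX_ID = re.compile(r"\b[0-9A-Fa-f]{16,}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_note_indicators(note_text):
    """Return the hex ID(s) and the contact e-mail addresses found in a note body."""
    return {
        "ids": HEX_ID.findall(note_text),
        "emails": sorted(set(EMAIL.findall(note_text))),
    }


def classify_directory(filenames):
    """Match one directory's file names against the two naming patterns.

    Returns a dict (family, extension, note, encrypted) or None.  Both checks
    require the matching ransom note to be present, so an ordinary file that
    happens to have a 9- or 10-character name or extension is not enough.
    """
    names = set(filenames)

    # LockBit 3.0 Black: the note's 9-char prefix must equal the files' extension.
    for name in names:
        note = LOCKBIT_NOTE.match(name)
        if not note:
            continue
        ext = note.group("ext")
        encrypted = []
        for f in names:
            m = LOCKBIT_FILE.match(f)
            if m and m.group("ext") == ext:
                encrypted.append(f)
        if encrypted:
            return {"family": "lockbit3_black", "extension": "." + ext,
                    "note": name, "encrypted": sorted(encrypted)}

    # Proton/Shinra: 10-char base names sharing one extension, plus a known note.
    shinra = sorted(f for f in names if SHINRA_FILE.match(f))
    notes = sorted(names & SHINRA_NOTES)
    if shinra and notes:
        extensions = {f.rsplit(".", 1)[1] for f in shinra}
        if len(extensions) == 1:
            return {"family": "proton_shinra", "extension": "." + extensions.pop(),
                    "note": notes[0], "encrypted": shinra}
    return None


# Sample inputs.  The note and the .dbrecover names are quoted from posts #1503
# and #1504 above; the LockBit listing is constructed for this example.
SAMPLE_SHINRA_NOTE = """!!!Your files have been encrypted!!!
To recover them, please contact us via email:
Write the ID in the email subject

ID: C2E5F089BFA2793AD0481346B1528A9A

Email 1: dbrecover@onionmail.com
Email 2: dbrecover@cock.li
"""
SAMPLE_SHINRA_DIR = ["7YOWoA2GNZ.dbrecover", "g4CX7MqAbf.dbrecover",
                     "lkBtk8Z8VO.dbrecover", "#Recovery.txt", "readme.docx"]
SAMPLE_LOCKBIT_DIR = ["invoice.pdf.8MNKRqUah", "photo.jpg.8MNKRqUah",
                      "8MNKRqUah.README.txt", "unrelated.txt"]

if __name__ == "__main__":
    print(extract_note_indicators(SAMPLE_SHINRA_NOTE))
    print(classify_directory(SAMPLE_SHINRA_DIR))
    print(classify_directory(SAMPLE_LOCKBIT_DIR))
```

Run it against a listing of an affected share (`os.listdir`) and the text of the note it dropped; a non-None result together with the extracted e-mail addresses is the kind of evidence the moderators above ask for, and the "note must be present" rule keeps the script from flagging a directory on file names alone.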


#1510 Paralelometr


Posted 08 October 2024 - 02:00 PM

Good afternoon
I recently became a victim of encryptors, unfortunately I didn’t find any similar ones on your site. Please help me decrypt the files. We have a restaurant and the accounting program just crashed!

 

Unfortunately, for some reason I can't upload files with their extensions; the site does not allow it.

 

their extension .d3ad

 

 

All your files have been encrypted !

 
If you want to restore them, write us to the e-mail =>  imd3admi@gmail.com
Write this ID in the title of your message =>  FnbJpBvM
In case of no answer in 24 hours write us to this e-mail =>  maind3ad@gmail.com
 
Attention!
 
* Note that we only have the private key to decrypt your data , So no one else can recover your files.
* For every 3 days of payment delay, the decryption cost is doubled. 
* Do not rename or manipulate files.
* Do not try to decrypt your data using third party software or person, it may cause permanent data loss.
* It is strongly recommended that you send the message directly yourself. This is in your favor.

Attached Files



#1511 Pety


Posted 08 October 2024 - 02:17 PM

Hi. Can you help me with decrypting these .mlap files?
I hope the ransomware virus was deleted from my PC, but I still have encoded files...
 
 
Error: No key for New Variant online ID: APvb4XtoD3z2GOg2AHJKqjSVbLls2nd862ep775Y
Notice: this ID appears to be an online ID, decryption is impossible
 
Thanks for any answer.

You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent on using 4-letter extensions.
 
Please read the first page of the STOP (Djvu) Ransomware Support Topic for a summary of this infection and its variants. Decryption of new STOP (Djvu) variants is impossible IF infected by an ONLINE KEY without paying the criminals for that victim's specific private key...these keys are unique for each victim and randomly generated in a secure manner. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals.




Hi. Any news about my problem with decrypting files? The virus is out of my computer, I just need something for decrypting...
Thanks for the info.

#1512 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 08 October 2024 - 03:20 PM

Hi. Any news about my problem with decrypting files? The virus is out of my computer, I just need something for decrypting...
Thanks for the info.

There is nothing new to report. In the future you should reply in the STOP (Djvu) Ransomware Support Topic...that is where the most current information can be found.




#1513 quietman7

Bleepin' Gumshoe, Global Moderator

Posted 08 October 2024 - 03:22 PM

Good afternoon
I recently became a victim of encryptors, unfortunately I didn’t find any similar ones on your site. Please help me decrypt the files. We have a restaurant and the accounting program just crashed!
 
Unfortunately, for some reason I can't upload files with their extensions; the site does not allow it.
 
their extension .d3ad

 

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by D3adCrypt Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware unless they are leaked or seized & released by authorities. The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (RSA, AES, Salsa20, ChaCha20, EDA2, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.
 
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.




#1514 timolauda


Posted Today, 07:44 AM

Hi Team,

 

Our customer recently became a victim of a ransomware attack and I'm reaching out to see if anyone can help to identify the ransomware.

Didn't succeed to identify with id-ransomware or nomoreransom.org.

 

Attaching a ransom note and an encrypted file sample.

 

Started negotiating with https://lockbitdecryptor.com/ but it seems more like a scam (asking to submit a few limited-size PDF files, referring to the website's "success" stories).

 

Any help will be appreciated and thanks in advance.

 

Attached Files





