The Latest in IT Security

Ransomcrypt Decryption Script

19
Apr
2012

Last week, we wrote about a ransom trojan called Trojan:W32/Ransomcrypt which encrypts documents, images, videos, et cetera and holds the files hostage for ?50.

CRYPTED!

Ransomcrypt encrypts files using Tiny Encryption Algorithm (TEA). The key is formed from a “base key” which is modified based on the first character of the name of the file that is being encrypted to form a “file specific key”. Both the base key and the file specific key are 16 bytes long.

Our analysts have created a decryption script, written in Python, for our support team. Fortunately, we’ve only seen a small number of customer cases. The decryption script works with two variants of Ransomcrypt.

  •  Trojan:W32/RansomCrypt.A, SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf
  •  Trojan:W32/RansomCrypt.B, SHA1: 1e41e641e54bb6fb26b5706e39b90c93165bcb0b

fs_randec.zip

Read the EULT here.

Download: fs_randec.zip, SHA1: 9ab467572691f9b6525cc8f76925757a543a95d8

Pay particular attention to the directive that you should first attempt to use this script on a copy of the encrypted files.

Do not use the “originals”.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments