Skip to main content

Welcome to the "Decrypt Service"

Doesn't that sound way too brandy? Like those smiling guys from -let's suppose- Big Bob's Repair Service 24 Hours you see when you crash your car in the middle of the road? They sure become handy in situations like this, but Damn! Big Bob's guys did not destroy your car in the first place! That's like stabbing you in the neck and later offer you a medical service. WHAT?!

Anyway... The Decrypt Service is the server, the webpage that will provide you with the program you need to decrypt your files back to their original form (after payment). This server is hidden behind Onion.to, which means it's horrendously difficult to trace. Maybe their server is in Russia, China or even your at your neighbor's. One can't really tell because Onion.to creates a chain of randomly chosen computers as a path to the final server. This chain-route can go from Miami to Russia, then to Australia, then back to Miami and then finally to the crook's server.

The Onion.to address they use (at least one of them) is: https://rj2bocejarqnpuhm.onion.to/*** where three dumb alphanumeric characters are used to identify the victims.  When you visit that link, this is what you see:



So, you fill the blanks with the code in the image (CAPTCHA) and proceed to the REPAIR.. oh, sorry DECRYPT SERVICE... Thanks God!




So, what if you don't really believe in this site? What if that page content is FAKE and not about your computer? Oh, well there you have "My Screen" section, in which you can see YOUR ACTUAL COMPUTER SCREEN!




Isn't that enough? Well, then there you have the Test Decrypt section where you can upload just one small file (only once) and get it decrypted in order to check the "service" works.


The crooks...under the name of Victor Yanukovich also uploaded a video to YouTube that clearly shows you this shit is 100% REAL. 



He is also gentle enough to show you step by step how to pay for his "SERVICE".


Comments

Popular posts from this blog

CryptoDefense: Keys pair stored on disk!

This little detail slipped through their fingers... TOO LATE!

(I actually hid this post when I understood that it might alert the crooks. But SYMANTEC did!)

This is the exact path where your keys are:


Windows XP
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2... Windows 7
X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21... (X stands for your hard-disk letter, which is commonly C in most computers)

The private key is encrypted via DPAPI (Data Protection API). There are many RSA keys in that folder though, but you can still find them by sorting these files by date. If you don't remember the date you got infected, see your screenshot at the crook's webpage or search for the oldest HOW_DECRYPT.TXT file in your system.
I'll update this blog soon!


You infected the wrong fool!

Yeah, I recovered all my files. ALL and EACH one of them without paying a PENNY. If that wasn't enough, we are also helping victims to recover their files without payment. 

Dear CryptoDefense Authors, if you are reading this: SCREW YOU. Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! that's like loosing a football match having Lionel Messi, Cristiano Ronaldo and Xavi on your team.

Next step is to report all your domain names (that you lamely use to infect more and more victims).

Now, if you are a victim, feel free to write us at howdecrypt@gmail.com


Wana Decryptor / WanaCrypt0r

Alright, guys. This is a tough one: However, there's no reason to claim it's impossible to decrypt victims data. These idiots always let something slip through their fingers. Their servers might be found and keys restored to their respective victims. Errors might be found in their code, their key encryption scheme may have some weakness, etc. Let's just let the experts find a way out.

By the way, if you want to temporarily protect your PC from this malware, you may do this.