Michael Gillespie
@demonslay335
Loves cats, bunnies, and coding. #Ransomware Hunter. Creator of the service ID Ransomware. Views expressed are my own.
Michael Gillespie’s Tweets
🔒New CryptoTester v1.4.0.2 for #ransomware analysis 🔎: TONS of fixes/additions to hexboxes, grouped algorithms in dropdown, flip endianness of keys, AES XTS mode, HMAC key derives, raw RSA (provide n + d/e, no padding), redesigned bruteforce key tool, lots of bugfixes.
New release of CryptoTester v1.3.0.4 for #Ransomware Analysis. Key Finder can grab PEM stubs/chunks, plus lots of bug fixes. Have a ciphertext + plaintext + key, but don't know what encryption algorithm? Try "Bruteforce Algorithm" to automatically test all that the tool supports.
This #ransomware dev has either never heard of a loop, or really likes how this "code triangle" looks.
Fucking #ransomware developers... this seems like a perfectly fine little "BytesToHexString" function, right? When you see it... 🤦♂️
And this, ladies and gentlemen, is how you write some of the world's slowest #ransomware code. Read a byte, encrypt it, write it back. One. Byte. At. A. Time. Not the first time I've seen this... 🤦
🚨 #Exchange Servers Possibly Hit With #Ransomware 🚨
ID Ransomware is getting a sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look.
💡 Bit of advice for #ransomware devs... Use SetFilePointerEx, 🛑 NOT 🛑 SetFilePointer.
Don't be like AvosLocker, who fuck up tons of data in the middle of 4GB+ files because they ignore the high move value and return... Pays to read the damn documentation. 📚
If anyone has been hit by #Pendor #Ransomware (extension ".pnr"), please contact me. Just about able to crack those files now. 😉(don't worry, final decrypter will have a GUI as usual)
Hmm, someone released a decryptor for #STOP #Djvu?
Oh wait... it's more fucking #ransomware. Don't trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don't believe me.
New video: Analyzing Ransomware - Decrypting RC4 Config |
Something big's going on. I'm told like a third of the US has Comcast outages, affecting Rackspace and others.
🔒CryptoTester v1.6.0.0 for #Ransomware Analysis🔍
Long overdue update with new algorithms, features, hashes, ECDH derives, Key Finder formats, ECC Validator, OAEP paddings... the changelog is 100 lines. 😅
Now hosted on GitHub w/ a readme!
Anyone infected with "Nefartanulo" #Ransomware (.nefartanulo@protonmail.com), please contact me for free decryption.
So I got a tech support scam and got them connected to 🤣. Can someone extract info from this run to report them to ?
🔒CryptoTester v1.5.0.0 for #Ransomware Analysis🔍
Soo many changes: GCM, custom padding, ECDH key exchanges, AutoIT RNG, RC4-DropN, Sosemanuk, new hashes, custom Salsa/ChaCha matrix, CNG RSA blobs, append/reverse input, new OAEP paddings... seriously check the changelog. 😅
Dear #SunCrypt #Ransomware authors: please add some kinda checksum/verification to your crypto scheme. Currently, if you give a victim the wrong private Curve25519 key, it just fucks files, since any point is valid on the curve. Just append a simple hash or HMAC of the original.
Vice Society (".v-society") == HelloKitty (".crypt") Linux #Ransomware using OpenSSL (AES256 + secp256k1 + ECDSA).
(Sorry can't share samples due to victim confidentiality)
📺 New video in my "Analyzing #Ransomware" 🔎 for beginners - continuing with the STOP Ransomware, we take a look at how it gets the victim's ID and keys (both offline and online) 🔐.
New CryptoTester v1.3.0.8 for #Ransomware #Analysis - input offset/len now accepts expressions, Key Finder detects ROT13/damaged keys in bins, bruteforce input with a list of keys, splice output, PHP mt_rand(), Blob Finder exports to clipboard and can generate keys... lots more!
🔒CryptoTester v1.7.0.0 for #Ransomware Analysis 🔍
Key Finder rewrite, new hashes, derive funcs, algorithms, padding modes, swap Hash and Derive process order, AES-CTR-LE, Encoding Param for RSA... another colossal update to read the changelog on. 😅
📺New video in my "Analyzing #Ransomware" 🔎 series for beginners - we get started on a mini-series dedicated to analyzing the STOP Ransomware, including unpacking it 📦.
Here's a free decrypter for some variants of STOP #Ransomware. Only works for extensions ".puma", ".pumas", and ".pumax". Requires encrypted and original file pair > ~150KB. Thanks to for PoC. Link: download.bleepingcomputer.com/demonslay335/S
Seriously, how the hell do people still look at my profile and reputation, and think that I CREATE #ransomware???
Hit by #Gibon #Ransomware with extension ".encrypt"? Here's a free decrypter. 😉 download.bleepingcomputer.com/demonslay335/G
Got a bit of a funny case with helping a #ransomware victim decrypt their files, where the only encrypted/original file pairs they have are straight up porn videos. I mean, hey, whatever works. 🤷♀️😅 Porn to the rescue! 🤣
Files encrypted with ".dcry" extension? Here's a free decrypter. Thanks to for cracking it with me. :) download.bleepingcomputer.com/demonslay335/D
Small anti-anti-debug tip for complete RE noobs like me. If you see this little function called "IsDebuggerPresent", change EAX on its return to zero to keep going. 😅
New update to CryptoTester for #Ransomware Analysis. Dumped a truncated private RSA key from memory? Blob Analyzer can do the math and repair it (as long as enough data is there to work with). Also added tab for decompression (Deflate/GZip/BZip2/LZW/Zip) | download.bleepingcomputer.com/demonslay335/C
🚨 ATTENTION STUDENTS. 🎓
👏 BACKUP 👏 YOUR 👏 DAMN 👏 SCHOOLWORK 👏
Oh you have this super-important-for-your-degree thesis you've slaved over for months? Why the hell can't you take 2 SECONDS to email it to someone? Back it up to a flash drive? PRINT IT for all I care.
CryptoTester v1.3.0.2 released for #ransomware analysis. Added PasswordDeriveBytes (had to rearrange key GUI), PKCS#1 PEM parsing, UTF-16 string detection for keys, new string input to accept newlines, other bugfixes in changelog. | download.bleepingcomputer.com/demonslay335/C
Here's a free decrypter for #Sepsis #Ransomware (extension: ".[<email>].SEPSIS"). Huge thanks to for cracking it. 🙂 download.bleepingcomputer.com/demonslay335/S. Padding bug in malware means last block is corrupted tho, cannot recover up to last 16 bytes of files.
When #ransomware encrypts its own damn ransom note so victims don't have their ID to give the criminals to get their key even if they pay.
Here's my script for extracting config from #GlobeImposter #ransomware samples. Supports any unpacked I've seen. gist.github.com/Demonslay335/8
Could it PLEASE be an industry AV practice to fucking log the HASH of what you detected/quarantined?
New video: Analyzing Ransomware - Reversing a CryptoAPI Decrypter -
New release of CryptoTester v1.2.0.1 for #ransomware analysis. Blob analyzer can accept base64 encoded blobs, and also added new tool Key Finder! Simply searches an exe for potential crypto keys (e.g. Crypto Blob, XML, PEM)
Oh great, we're teaching how to build #ransomware using #Jigsaw in school now? virustotal.com/#/file/0721c6d
So my take to keep everyone "grounded":
1. This is for an old version of Hive.
2. They require HUNDREDS of encrypted/original file pairs - most victims struggle to get ONE pair.
3. You'd need these filepairs PER master key - we've had clients with up to a HUNDRED master keys. twitter.com/campuscodi/sta
Can someone who has analyzed #Maze #Ransomware DM me? Is it really using "standard" ChaCha20? Got a victim with their private RSA key; can decrypt key/nonce, but not working on the files manually (criminal's tool works). Screenshot'd file, I'd expect ASCII plaintext.
New release of CryptoTester for #ransomware analysis - v1.2.0.6 adds a custom Base Encoder (base64, more planned), RNG unit testing / corrections, export of RSA Calculator to private/public, plus extra RSA key validation and bugfixes (see changelog) | download.bleepingcomputer.com/demonslay335/C
Updated my decrypter for InsaneCrypt/DeusCrypt #Ransomware to not require 10MB+ files. Any encrypted file and its original will do now, can actually bruteforce the key directly. Thanks to for help with the analysis. 😃 bleepingcomputer.com/download/insan
Files encrypted by #InsaneCrypt #Ransomware with extension ".[<email>].insane"? Here's a free decrypter. 😀Requires an encrypted file and its original over 10MB. download.bleepingcomputer.com/demonslay335/I
Interesting #ransomware using the "age encryption" library/binary (github.com/FiloSottile/ag by ). Renames files and uses extension ".sthd2", ransom note is 📨 EMAILED to the victim. 🤔
Note: pastebin.com/Q0NiMdMB
Victim on : bleepingcomputer.com/forums/t/72603
Here's a free decrypter for CryptoJoker / CryptoNar #Ransomware (extensions ".cryptojoker" / ".cryptoNar"). Just requires either an encrypted/original file, or one encrypted file of a common type (e.g. .jpg, .png, .pdf, .doc, etc). download.bleepingcomputer.com/demonslay335/C
#EvilCorp trying to sneak by with their #Hades #Ransomware, pretending to be REvil. Extension ".revil", note "revil.read.txt" (pastebin.com/JxKEc54Q) that points to a site with the most amazing ransomware logo ever. 🥷
Me: Why the fuck has my system been so slow all day, gah!
*Finds window minimized on the 3rd monitor with a ransomware test bruteforcer in debug mode running*
Me: Oh ya...
IMPORTANT ALL #STOP #Djvu #Ransomware VICTIMS: This is the FINAL RELEASE of STOPDecrypter v2.2.0.0, with OFFLINE keys for ".nuksus", ".cetori", ".stare", ".carote". Please read the announcement:
Anyone specifically tracking #Qakbot? Looks like it may be dropping #BlackByte #Ransomware according to forensics on a current case.
Files encrypted by #FilesLocker #Ransomware (extension ".[fileslocker@pm.me]")? Let's end 2018 with another free decrypter. 😉 Requires the ransom note (Settings -> Load Ransom Note). | download.bleepingcomputer.com/demonslay335/F
Fucking dumb #ransomware skid offences:
1. Educational MY ASS
2. Read whole file at once
3. Base64 -> String to Bytes -> AES -> Base64 again?
4. New key per file w/o saving ANY of them
5. Keep appending keys to global key variable
6. Multithread for race conditions on keygen
New video: Analyzing Ransomware - Decompiling Python Ransomware |
Hit by #hc6 #Ransomware and files have ".fucku" extension? Here's a free decrypter. 😉 Special thanks to of for help with analysis. download.bleepingcomputer.com/demonslay335/h
Small update to CryptoSearch, now shows how much data it found encrypted, and provides progress bar while archiving.
Welp, ID Ransomware just hit 600 #ransomware families it can currently identify. Currently over 1800+ extension patterns, 900+ ransom notes, 2400+ email addresses, 800+ BTC addresses, and growing...
🔒CryptoTester v1.4.0.0 for #Ransomware Analysis 🔍
New: Custom Spaces (' ') and Ascii Zeros ('0') padding modes (used by Python malware), CertUtilEncode algorithm, ASN.1 key usage, Add/Sub encryption detection, byte search in hex views, entropy display for RNG
New feature for ID Ransomware! Been hit by a #ransomware with no known way of decrypting? IDR will now ask if you'd like to opt-in for notification if there's good news in the future.
🔒CryptoTester v1.3.0.9 for #Ransomware Analysis 🔍
New: Import/export ASN.1 keys, XOR encryption detection, CTRL+A on hexboxes, Base58/Check encodings, hash iterations, added Misty1, Kasumi, and Fernet encryptions, plus fix for pasting hex to HxD.
download.bleepingcomputer.com/demonslay335/C
Any chance of adding drag/drop for uploading samples? Having to use the Browse button is sooo 2015. 😋
🔍Quick analysis notes on the Makop / Oled #ransomware (.makop) - TL;DR it's secure (AES-256 + RSA-1024, CryptGenRandom).
gist.github.com/Demonslay335/2
🚨Breaking: new #Sekhmet #Ransomware (spin-off?) calling itself #Egregor. Extension random but has an XOR'd filemarker. Note still "RECOVER-FILES.txt" (pastebin.com/tCnpRmJe) with a new site.
Have your files been "Striked" by #Ransomware w/ ext #<email>#id#<id>? Don't Cry! Here's a free decrypter! 😃 download.bleepingcomputer.com/demonslay335/S
There's a new variant of #Jigsaw #Ransomware using extension ".v316" that has been heavily modified... but it's still decryptable. Victims should contact me, as it involves some extra work to break.
ID #Ransomware milestone: the service now can identify 800 ransomware families. 😶
Also, passed the 1M submissions milestone awhile ago.
Dear #ransomware authors... please stop fucking using zero (0x00) padding. Just leave the damn defaults and let PKCS#7 be your lord and savior.
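An added illustration of the point above (example code, not the author's), assuming a 16-byte block size as with AES: PKCS#7 unpadding always recovers the plaintext, while zero-padding removal cannot tell padding apart from a file's own trailing 0x00 bytes, so a decrypter for such a scheme silently loses data at the end of files.

```python
# Added example: PKCS#7 padding vs. zero (0x00) padding, and why the latter
# is lossy. Block size of 16 bytes is an assumption (AES block size).

BLOCK = 16


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    # Always appends 1..block bytes, each equal to the pad length; an
    # already-aligned input gets a whole extra block, so unpadding is unambiguous.
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_valid(data: bytes, block: int = BLOCK) -> bool:
    # A decrypter can verify the padding, which also catches a wrong key/IV.
    if not data or len(data) % block:
        return False
    n = data[-1]
    return 1 <= n <= block and data[-n:] == bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    if not pkcs7_valid(data, block):
        raise ValueError("bad PKCS#7 padding")
    return data[:-data[-1]]


def zero_pad(data: bytes, block: int = BLOCK) -> bytes:
    # Pads with 0x00 up to the block boundary; adds nothing if already aligned.
    return data + b"\x00" * ((-len(data)) % block)


def zero_unpad(data: bytes) -> bytes:
    # The only option on decryption: strip trailing zeros. Genuine trailing
    # 0x00 bytes in the plaintext (common in binary formats) are stripped too.
    return data.rstrip(b"\x00")


def roundtrip_ok(data: bytes, pad, unpad) -> bool:
    return unpad(pad(data)) == data


def zero_pad_loss(data: bytes) -> int:
    # Number of plaintext bytes a zero-padding decrypter would lose.
    return len(data) - len(zero_unpad(zero_pad(data)))


# Constructed sample: a tail of a binary file that ends in 0x00 bytes.
SAMPLE_TAIL = b"MZ\x90\x00\x03\x00\x00\x00"
```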
New release of CryptoTester for #ransomware analysis. v1.3.0.0 brings fixed copy, ability to paste/edit input hex, display generated key, find PGP keys in exe, and addition of SharpAESCrypt. .NET 4.6.1+ required now. Check changelog for details. | download.bleepingcomputer.com/demonslay335/C
French #Jigsaw #Ransomware w/ extension ".evil" spotted by .
We still got you covered with free decryptor from . 😉
Updated CryptoTester for 🔒 #Ransomware Analysis 🔎. v1.3.0.7 adds decoded view of hex views, OpenSSL-compat derives (EVP_BytesToKey w/ MD5 or SHA256), preset crypto schemes (HiddenTear / OpenSSL), hex inputs now ignore: \t\r[]{}h, plus bugfixes. | download.bleepingcomputer.com/demonslay335/C
New video, bit of a long one: Analyzing Ransomware - Completing a FULL Analysis |
Alrighty, here's the decrypter for #Pendor #Ransomware (extension ".pnr"). Just need any encrypted file and its original. Victim ID exponentially helps if provided too. Huge thanks to for analysis. download.bleepingcomputer.com/demonslay335/P
Seriously people, you can't just say "I need help" and give me NO DAMN CONTEXT. I am getting dozens of these a week. Start off the conversation with SOMETHING. Not just "I need help"... you don't go to the doctor and only say "I hurt"...
Update to decrypter for #STOP #Djvu #Ransomware - added OFFLINE keys for extensions .cosakos, .nvetud, .kovasoh, .brusaf, .londec, .krusop |
I really need to question 's security model when I get this for verifying access to an account. Are you seriously saving customers' passwords unhashed for support to see? Even part of the password?
I'm surprised my computer hasn't caught fire by now; probably hates me tho. Been crackin' #ransomware keys roughly 24/7 for the last 2 years
Thread: Let's take a look at the bullshit "Fast Data Recovery" is advertising about the #STOP #Djvu #Ransomware.
As perhaps the #1 world-expert who has analyzed and followed this particular ransomware for over a year, I feel obligated to respond to this absolute horse manure. 💩
Need help finding out what files were encrypted by #ransomware? CryptoSearch can list and archive them for you! bleepingcomputer.com/forums/t/63746
So spotted a new sample of DCry #ransomware few days ago using extension ".dian". Nice little message for me as well. 😀
New release of CryptoTester for #ransomware analysis. Added Rijndael 192/256 bit, and RC5 64 bit algorithms, Key Finder now searches for ANY kind of BLOB and also outputs the RSA keylength. Also a button to extract the first blocksize of input as the IV. download.bleepingcomputer.com/demonslay335/C
#Lock2Bits #Ransomware seems to be rebranding as "LuckyDay". Extension ".luckyday", note "File Recovery.txt" (pastebin.com/D4jPFuGf).
DXF confirmed in their chats.
Update to #STOP #Djvu #Ransomware decrypter, added OFFLINE keys for .nelasod, .mogranos, .lotej, .prandel, .zatrov, .masok | bleepingcomputer.com/forums/t/67147
Updated #STOP #Ransomware decrypter with a bunch of OFFLINE IDs/keys for extensions .kroput1, .charck, .kropun, .doples, .luces, .luceq, .chech, .pulsar1, and .proden. bleepingcomputer.com/forums/t/67147
New release of CryptoTester for #ransomware analysis. v1.2.0.5 is mostly bugfixes, but also adds base64 input, corrected Delphi RNG algorithm, ANSI C rand algorithm (LCG variant), and access RSA Calculator from main window. | download.bleepingcomputer.com/demonslay335/C
Ok, updated my STOPDecrypter to support the newer .djvu*-variants. ONLY SUPPORTS THE OFFLINE KEY or if you have been provided a key. Please check the BleepingComputer post for more info. I'm off to bed. 😴| bleepingcomputer.com/forums/t/67147
PSA: If you are hit by #ransomware DO NOT WIPE THE SYSTEM until you know what you're dealing with! If in doubt, full image system first.
