ID Ransomware - Identify What Ransomware Encrypted Your Files

ID Ransomware
 

 
 
ID Ransomware is a website I have created where a victim can identify what ransomware encrypted their files.
 
All too often after a ransomware attack, the first question is, "what encrypted my files?", followed by "can I decrypt my data?". This web service aims to help answer those questions, and guide a victim to the correct information relating to their infection.
 
By simply uploading a ransom note, and/or an encrypted file (preferably both for best results), the site will use several techniques to help identify what ransomware may have encrypted the files. This includes assessing the ransom note name, file name patterns of the encrypted file, and in some cases, even byte patterns in the encrypted file itself.
 
When the ransomware(s) has been identified, a clean-cut answer will be displayed on the current known status of decrypting the data, along with a link to more information on the particular ransomware.
 
Naturally, there are cases where multiple ransomwares could be detected, as some ransomware share signs. It is best to review the provided links for more information on manually determining which is the real infector. It is also possible there could be dual-infections. There is also the chance that no ransomware will be identified. Some ransomware show few, or very complicated signs, and cannot be determined simply from the ransom note and encrypted sample.
 
A current list of ransomware that are supported is displayed on the front page, with newest additions in bold (all will be bold at launch here naturally).
 
I will be continuously trying to keep the database as accurate as possible when new developments are found, and when new ransomware are discovered. I also have plans for new detection techniques in the future.
 
This project is technically in beta, so let me know if there are any bugs, or if you believe detection was not accurate for a case. I can be reached on this forum, and my Twitter handle is at the bottom of the page.
 
In a way, I see this as a spiritual successor of Nathan's IDTool, so I thank him for the inspiration.
 
The website is accessible at the following link: https://id-ransomware.malwarehunterteam.com/
 
Special thanks to @malwrhunterteam for usage of their sub-domain.
 

Please see the dynamic list on the front page of the website for a list of ransomwares that can currently be identified by ID Ransomware.

Edited by Demonslay335, 03 May 2017 - 08:06 AM.

Good job...it looks promising even as a beta.

The '?' need some formatting so that each entry is in a new line. (easy for reading)

 

I have a suggestion:

• Can you please add some description for 'Ransome note; like : the file when opened shows the ransom note / payment info.
• for 'Sample encrypted file' like :  your file which is now unable to be opened

Can the message telling the user if their file can be successfully recovered be in 'Green' , non-recognizable files as 'Grey' , un-recoverable files as 'Red' ?

 

Also,

 

You may post a new topic on BleepingComputer for further assistance and analysis.

May be you can redirect users to Security or Ransomware Tech Support and Help  subforums.

 

A good site and a great job!

@Nikhil_CV
 
Thanks for the feedback. I've added a bit of a description to the upload fields, and the link for support. I honestly didn't know this sub-forum existed until a few days ago, lol.
 
I'll look into tweaking the colors of the results. I'm rather new to Bootstrap styling, coming off the wheels of jQuery UI.
 
 

The '?' need some formatting so that each entry is in a new line. (easy for reading)

I'm not sure what you mean by this. Do you mean the '?' next to the upload fields, or the perhaps the FAQ?

May be you can redirect users to Security or Ransomware Tech Support and Help  subforums.

Just redirect them to the Ransomware Tech Support and Help forum. Anything in General Security is going to get moved here.

 

I'm not sure what you mean by this. Do you mean the '?' next to the upload fields, or the perhaps the FAQ?

Do you mean the '?' next to the upload fields?

Yes that is what I meant. Some extension specifications are broken into 2 lines. Can it be given a separate line?

 

And about FAQ listing, doesn't bulleted listing look better (so you may add the extensions to it too next to the names or may be you can divide the section into 3 or 4 columns)

 

I almost forgot about the site while I jumped in to the other topic . 

Edited by Nikhil_CV, 03 April 2016 - 07:10 AM.

BleepingComputer help me get rid of Cryptolocker virus but my files are still encrypted. I do not have the Cryptolocker ransom notice anymore. How do I decrypt my files. Please help.

BleepingComputer help me get rid of Cryptolocker virus but my files are still encrypted. I do not have the Cryptolocker ransom notice anymore. How do I decrypt my files. Please help.

The original CryptoLocker Ransomware which first appeared in the beginning of September 2013...does not exist anymore and hasn't since June 2014. There are many copycat ransomware variants which pretend to be or use the CryptoLocker name but those infections are not the same. Any references to CryptoLocker and retrieving keys for it will not work anymore.

In order for anyone to assist you, we need to identify specifically want ransomware infection you are dealing with.

Please read and follow these instructions.

• How to Post a Topic Asking for Help With Ransomware

Hi, here is one ransomware that might not exist on id-ransomware:

 

Question:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/page-205#entry3979333

Answer:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/page-205#entry3979335
@slstaut,
It is not Teslacrypt,
write in this topic: Filecoder.NFY / Genasom
http://www.bleepingcomputer.com/forums/t/607680/troldeshshade-extensionid-numberemailxtbl-support/

User to answer: al1963

File location:
https://www.sendspace.com/file/rwg3n8
 

I have no more information about this.

 

Regards

Hello I was scammed now locked out of my Asus. I have black screen the box startup password. Asus can't Microsoft can't help. I called the person and was told the can't help me unless pay $200....what can I do? I don't know a lot about computers.

Hello I was scammed now locked out of my Asus. I have black screen the box startup password. Asus can't Microsoft can't help. I called the person and was told the can't help me unless pay $200....what can I do? I don't know a lot about computers.

Please do not hijack another thread with an unrelated topic. It can be considered rude. You are already being helped by others in another topic, where you have been requested to share a picture numerous times in order to help further. Others have also already given you suggestions. If you are unable to follow them, I would suggest bringing the computer to a local expert or computer shop. Your data is most likely safe if it is what they are suspecting.

Hi. My name is Brent. I have used the ID Ransomware site by uploading an encrypted file. The site identified the malware as CryptXXX and told me that the file is decryptable. I have already used Malwarebytes Antimalware to remove the virus. I now need to "decrypt" all the affected files and I was hoping someone could tell me how to do that. Thank you very much in advance for any help you can provide. Brent.

Hi. My name is Brent. I have used the ID Ransomware site by uploading an encrypted file. The site identified the malware as CryptXXX and told me that the file is decryptable. I have already used Malwarebytes Antimalware to remove the virus. I now need to "decrypt" all the affected files and I was hoping someone could tell me how to do that. Thank you very much in advance for any help you can provide. Brent.

 
The service will have given you a link to the appropriate topic for support with CryptXXX, where you may ask for help, and read other victim's testimonies on how they recovered their data.

• CryptXXX Ransomware Support and Help Topic (.crypt ext, de_crypt_readme.html)

Kaspersky recently released a tool that may decrypt your files. Check post #140.

Edited by Demonslay335, 26 April 2016 - 04:16 PM.

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 0c2fd8ed5906b57b3f60d20703758a1bcbe1aeca"

No tool was able to decypt. Only jpeg-preview is shown after decryption.

Th files are in my dropbox

https://www.dropbox.com/sh/tee9c9tj5ay06kg/AABga2e2nmQQN_FI5hQfY2aIa?dl=0

 

Please Help

Josef

Edited by wiserhaus, 02 May 2016 - 07:14 AM.

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 0c2fd8ed5906b57b3f60d20703758a1bcbe1aeca"

No tool was able to decypt. Only jpeg-preview is shown after decryption.

Th files are in my dropbox

https://www.dropbox.com/sh/tee9c9tj5ay06kg/AABga2e2nmQQN_FI5hQfY2aIa?dl=0

 

Please Help

Josef

 

It looks like you were hit by KEYHolder, which does not appear to have been decrypted from what I've seen. Some may have had luck using ShadowExplorer or Recuva, always worth a shot. Looks like a rather old one. I'll add detection for that one soon here (missed my spreadsheet somehow).

 

You can read more in this topic: http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml