Hello everyone. I can tell you what I did to recover around 70% of the encrypted files I had (almost 40 TB). You'll need:
- A clean and ransomware-free operating system where you can run data recovery programs.
- One or more clean hard drives with a larger capacity than the encrypted files, where you can dump a multitude of files.
- Lots of patience and some programming knowledge (not too much).
The process I followed to recover the data is as follows:
Scan both the disks with the encrypted files and other disks I had at home where I might have had some of these files, searching for remnants of the original files. This can be done with programs like Recuva (on Windows), Photorec (Linux, and possibly Windows as well), and others (I can provide more information if needed).
These programs will often recover the files, but only partially or with overwritten parts, as well as a multitude of irrelevant files. It's like searching in a giant landfill... However, it is a fundamental step because we can then process them to recover the complete file.
To recover the original files, we need to check, for each encrypted file (extension .0xxx), whether we can identify the same file among the ones we have recovered, even if it's incomplete. The ransomware only encrypts the first 64 KB, but the rest remains intact. So, if we compare, for example, the 2nd or 3rd block of 64 KB and see that they match, it might be the same file. I have done this using Linux programs coded by myself, very simple ones, but they do the job for me.
It is a process that can take days, weeks, or even months. But some results can be achieved, and there's nothing to lose by trying... If someone is desperate enough to attempt this and needs help, let me know, and I'll see what I can do.
Of course, it would be much better if someone manages to decrypt the files properly, but as we can see, that is difficult nowadays...
Best regards.
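The block-matching step described in the post above, as an added example (not the poster's own programs): it indexes recovered fragments by a hash of their 2nd 64 KB block, looks up each `.0xxx` file, and stitches a matched fragment's first block onto the encrypted file's intact remainder. The function names are hypothetical, and it assumes the encrypted file keeps the original's length and byte offsets and that the matched fragment's first 64 KB survived intact.

```python
import hashlib
import os
from collections import defaultdict

BLOCK = 64 * 1024  # the post says only the first 64 KB is encrypted

def block_key(path, index=1):
    """SHA-256 of the 0-based index-th 64 KB block, or None if unusable."""
    with open(path, "rb") as f:
        f.seek(index * BLOCK)
        data = f.read(BLOCK)
    # Skip short files and constant-filled blocks (zero padding matches everything).
    if len(data) < BLOCK or len(set(data)) == 1:
        return None
    return hashlib.sha256(data).hexdigest()

def walk(root):
    for folder, _, names in os.walk(root):
        for name in sorted(names):
            yield os.path.join(folder, name)

def find_candidates(encrypted_root, recovered_root, suffix):
    """Map each encrypted file to recovered files sharing its 2nd 64 KB block."""
    index = defaultdict(list)
    for path in walk(recovered_root):
        key = block_key(path)
        if key:
            index[key].append(path)
    matches = {}
    for path in walk(encrypted_root):
        if path.endswith(suffix):
            key = block_key(path)
            hits = index.get(key, []) if key else []
            # If the recovered file has a usable 3rd block, it must match too.
            hits = [h for h in hits if block_key(h, 2) in (None, block_key(path, 2))]
            if hits:
                matches[path] = hits
    return matches

def rebuild(encrypted_path, recovered_path, out_path):
    """First block from the recovered copy + the rest from the encrypted file."""
    with open(recovered_path, "rb") as r, open(encrypted_path, "rb") as e, \
            open(out_path, "wb") as out:
        out.write(r.read(BLOCK))
        e.seek(BLOCK)
        while chunk := e.read(1 << 20):
            out.write(chunk)
```

Files shorter than 128 KB have no full 2nd block and are skipped; rebuilt files should be written to a separate clean drive and opened to confirm they are valid.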
This might be a stupid question, but if the first 64 KB is corrupted and the rest is intact, is it possible to just remove only the encrypted part of the video and have the rest work just fine?
I've recently become a victim, early days, cleaned my machines multiple times with multiple products, taken a first look at the NAS, made a duplicate of an encrypted mp3 file, renamed that duplicate to the original .mp3, no issues playing the track, repeated on the next with the same result?