Please see the first page (Post#1) of this topic.
The same(
Got files on Synology station encrypted on April 11th, 2023.
Link an order id from README_FOR_DECRYPT.txtt :Paid the ransom, got decoder. It don't work (neither on linux nor on windows,I use virtual machines), decrypted files all unreadable.
ECh0raix Decoder - 1.0.6 with "key from file option" - logs the same messages: WARNING - Marker not found. Keeping original file. Decrypted file is probably corrupted.Wrote to "chat", asked the KEY - no reply.Baby photos also, don't have even printed copies, completely in despair((Сolleagues, @blooddolly any thoughts pleasePS have pairs of encrypted/original files if it can be somehow usefull
Check if all ransom notes have the same BTC address in the link to TOR page. It is quite common that files were encrypted with different keys, because the NAS was restarted. Each time ECh0raix starts it will call home for new key.
Godannys' problem is that his files were encrypted with another ransomware on top of ECh0raix encryption. His files started with marker "Salted__" and ECh0raix is not using any marker at the start of the file. If you want to check if your files were encrypted by ECh0raix, pick any block of 6+ bytes from the first half of the file and the same block must be located in the second half of the file.
I work in DFIR.
Are you still accepting the malware sample if available for the version currently out there? I may be able to have access to a machine that has a persistent mechanism on it. payment page is dead since it was back in 2021. but the user wants to have the personal files decrypted, files do not have salted_ header . I'm just not sure if the privkey they used for encryption is still even there.
Edited by Snowman3848, 21 March 2024 - 04:40 PM.
Back to top
Do you have other suggestions?
