
Decrypting Cryakl 1.4.0.0 / 1.4.1.0 FAIRYTAIL Ransomware

Feeling responsible for an unfortunate ransomware infection on my parents' network, I kept at it and was eventually able to decrypt a strain of ransomware that had not previously (or at least not publicly) been cracked. I hope this helps others out there affected by the same strain.

CL 1.4.0.0 Fairytail

On December 9, my father asked me to open his computer up so he could connect in while on vacation. It was late and I was feeling a little bit too lazy to build a VPN solution. Instead, I forwarded port 3389 to his computer and enabled Remote Desktop.


As his computer had no password on it, I told him he had to set one. Unfortunately, his first name was not a very strong password. Two days later at 3:00 am, his computer was infected. By morning, everything was encrypted. In a very unlucky coincidence, his other computer, which houses all of his important data, was also turned on. It was encrypted too.


The prognosis did not look good. Everywhere online said it's Cryakl, impossible to decrypt. I tried the Rannoh Decrypter, which hadn't been updated for about a year, and wasn't surprised to see that it didn't work. There were no shadow copies to work with and no recent backups. I began running data recovery software with the hope that I could recover some files. While many pictures were found this way, other important files were not. I was still not satisfied. I took his computers to my house and worked on a small set of files for about a month. I was ultimately able to manually decrypt a file. Then I was able to refine and repeat the process on any file on his computer. I developed a tool to go through any drive or folder recursively and have now managed to decrypt his entire computer.

At this time, the tool requires a file as it existed before encryption, together with its encrypted counterpart. These two files MUST be a match for the tool to work properly. I have built in some checks and balances, but I will not go as far as saying that it's perfect. ALWAYS back up the encrypted data before using this tool. Please take your time and read the instructions. If you mess up the encrypted files, there's a good chance that the data will truly be lost forever.

If any researchers from the big security firms out there would like to know how the decryption works, I am happy to discuss it with you. I did briefly post the solution online but took it down as I did not want to tell the extortionists where to improve.

This tool is for files with filenames that look like this:

email-draggonblack@yahoo.com.ver-CL 1.4.0.0.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail

- or -

email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail
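The two name shapes above, and the further variants quoted in the comments, share the same fixed delimiters while the timestamp field changes from variant to variant. As an added example (not part of the author's Cryakl-Decoder), this Python parser recovers the contact address, CL version, victim id and original file name by anchoring on those delimiters only, and groups a listing by version and id so that mixed runs stand out before any decryption is attempted.

```python
"""Parse the Cryakl/Fairytail ransom filename layout shown in the article.

Example code added to this article, not the author's tool. The field layout is
taken from the sample names on the page:

    email-<contact>.ver-CL <version>.id-<victim id>-<timestamp>.fname-<original>.fairytail

Only the literal delimiters (email-, .ver-CL, .id-, .fname-, .fairytail) are
relied on, because the timestamp field changed shape between variants.
"""
import re
from pathlib import Path
from typing import Optional

# The contact address may itself contain dots, so the lazy .+? stops at the
# first ".ver-CL " and the version is restricted to dotted digits. The
# timestamp is matched loosely up to the first ".fname-".
_PATTERN = re.compile(
    r"^email-(?P<email>.+?)"
    r"\.ver-CL (?P<version>\d+(?:\.\d+)*)"
    r"\.id-(?P<victim_id>[^-]+)"
    r"-(?P<stamp>.*?)"
    r"\.fname-(?P<original>.+)"
    r"\.fairytail$"
)


def parse_fairytail_name(name: str) -> Optional[dict]:
    """Return the fields of a .fairytail name, or None if it does not match."""
    m = _PATTERN.match(Path(name).name)
    return m.groupdict() if m else None


def original_path(encrypted: str) -> Optional[Path]:
    """Path the file should be restored to, next to the encrypted file."""
    fields = parse_fairytail_name(encrypted)
    if fields is None:
        return None
    return Path(encrypted).with_name(fields["original"])


def summarize(names):
    """Group a listing by (CL version, victim id); return (groups, unparsed).

    More than one group in a single tree is a warning sign: the author notes
    that files encrypted with a different key cannot be fixed with one pair.
    """
    groups = {}
    unparsed = []
    for n in names:
        f = parse_fairytail_name(n)
        if f is None:
            unparsed.append(n)
            continue
        groups.setdefault((f["version"], f["victim_id"]), []).append(f["original"])
    return groups, unparsed


# Constructed sample listing built from the name shapes quoted on this page.
SAMPLE_NAMES = [
    "email-draggonblack@yahoo.com.ver-CL 1.4.0.0.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail",
    "email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail",
    "email-gruzinrussian@aol.com.ver-CL 1.4.0.0.id-5122680-3.1.2018 г. 19@55@343510125.fname-IMGP3064.AVI.fairytail",
    "README.txt",  # an untouched file; must be reported as unparsed
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(parse_fairytail_name(n))
    groups, skipped = summarize(SAMPLE_NAMES)
    for (ver, vid), originals in groups.items():
        print(f"CL {ver} id {vid}: {len(originals)} file(s)")
    print("not ransom names:", skipped)
```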


On a final note, I just want to emphasize this one more time -- BACKUP YOUR FILES BEFORE USING THIS TOOL.


Here is a link to the decryption tool:

https://www.dropbox.com/s/3doqkwpr6hgwua0/Cryakl-Decoder.exe?dl=0


Updated Feb 27, 2018

- Fixed a bug that was leaving small files (less than 2 kb) encrypted

- Added some code to help ensure that fairydust files are not locked before attempting changes



For troubleshooting tips and past update details, see the notes at the end of the article.


Screenshots - Click to Enlarge




Troubleshooting Tips


**** If you require support, please use the Ask a Question feature of Experts Exchange. Please be sure to include the term "Fairytail" in your question so I can find it more easily. This will help keep the comments section clean and will allow me to work with each case in a separate space. If the tool is not decrypting your files properly, you may have a strain that I have not yet seen. Please include with your question a zip file containing your unencrypted original file, its encrypted counterpart and some other sample files that I can test with.


**** If you are having trouble finding an original, unencrypted file, see the tips below:

  • Review the files in your downloads folder. If you think you can download any of those files again, you will have an original file to use.
  • Go through your flash drives and external hard drives that were not connected at the time of infection. You may find a document that can serve as an original file if it was still on your PC and happened to get encrypted.
  • Check to see if the files in "C:\Windows\Media\" are encrypted on your PC. If they are, find the unencrypted file on any other computer with a matching operating system.
  • Log into your email in a web browser and check for sent messages with attachments. It's likely that one of those attachments is encrypted on your computer. This can serve as your unencrypted file.


Previous Updates

Feb 11, 2018

- Updated interface to include a Job Summary which helps you to know what files and directories the application is set to work with.

- Added a feature to create a signature from the encryption fingerprint of the encrypted analysis file. If a different signature is found during decryption, the contents of that file are left unmodified, because attempting to decrypt files with a different signature results in broken files.

Feb 10, 2018

- Fixed a bug that was leaving bytes 48000-49999 encrypted.

Feb 8, 2018

- Updated technique for parsing the filename structure to automatically handle slight variations.
- Fixed a bug when decrypting files larger than 2GB and choosing to keep encrypted files.

- When choosing to keep encrypted files, application will now copy the encrypted file into a new file called [original_filename].fairydust. Once that file has been fixed, it is renamed to the original file name.
- When decrypting a single file, you will now see the status dialog appear.
- If a file being decrypted already exists, it will append a timestamp to the end of the file name. This will be useful if you were able to partially restore some files from backup before decryption.

Feb 3, 2018

- Fixed a bug causing problems when choosing not to keep encrypted files

- Fixed a bug resulting from different filename structures that caused a problem decrypting a directory


Author Comment

by:James-Gourley
A new variant was sent to me today, CL 1.4.1.0. I am happy to say that this tool appears to be successful in decoding that version as well. Of course, please follow all the same precautions and back up your encrypted files first. I had a very small sample of files provided to test with.

Good luck to everyone!

Expert Comment

by:alex telegaru
i love you !!! thanks thanks thanks

Author Comment

by:James-Gourley
Note to CL 1.4.1.0 victims: A bug has been identified when decrypting a folder and choosing not to keep encrypted files. It will affect some files recovered that are under 50kb. I am not able to fix the bug at the moment, so please keep the option selected to keep encrypted files after recovery. I will post an update when the bug is resolved.
Expert Comment

by:Augusto Sousa
Hi
I'm trying to use this tool to decrypt a 1.4.1.0 version of Cryakl.
However, this tool appears not to work properly.
I select an infected file and the same one clean, and it reports the encryption key to me.
I select a folder to decrypt, I choose to keep infected files, I press start decryption and .... it just stays frozen and doesn't do anything.
Is there anything I've done the wrong way? Is there any "tool" or another program I could use to decrypt the infected files?

I attach 2 files. One with Cryakl I've been "presented" with and the other one that is the same file but not encrypted

 
JPE.DR-2016.pdf

email-blackdragon43-yahoo.com.ver-CL.pdf

Author Comment

by:James-Gourley
I haven't personally seen it freeze up at that stage. What operating system are you running it on? It also requires .NET Framework 4.0 to run, though I don't think the program would launch at all without it.

When you click Start, a second window should open and begin scanning the directory. Does it work to decrypt a single file for you?

Expert Comment

by:Augusto Sousa
So sorry!!
I reported your comment by mistake!!! Damn!! So sorry!!

I use Windows 10 .... I have .NET Framework 4.0 ..... and no, I cannot decrypt a single file .... but when I use an encrypted file and the same file without encryption, it gives me the entire hex code ... so I think it can decrypt it but, as you say, it could be a variant using the file name

Author Comment

by:James-Gourley
Update for CL 1.4.1.0 Victims: The bug causing problems when choosing not to keep encrypted files has been fixed. You may now choose not to keep encrypted files while you restore your data.

A second issue was found due to a variation in file names. This has now been fixed, so if you were having problems similar to Augusto Sousa, that should be resolved now.

Expert Comment

by:Augusto Sousa
James ...
Thxs a lot !
Ruling fine !! Extremely fine !! more than 200.000 of 600.000 files restored to original status so far
Will report some more when finished

Author Comment

by:James-Gourley
Augusto, that is excellent news. Thanks for sharing!

Expert Comment

by:Rami Rand
Hello, I've been infected with the .fairytail ransomware, but I don't get how you were able to find a file before encryption? I have all the data just in encrypted form but nothing prior to it. Is there any way to decrypt the files without the original file?

Author Comment

by:James-Gourley
The file from before encryption can come from several places. One example would be your Downloads folder. You may have an encrypted file here to which you can easily download the original again, either from the web or in your email inbox. If you go this route though, the files must be an exact match or they will not decrypt files properly. Always back up your encrypted data before using this tool, and test on a small number of files first.

Expert Comment

by:Arseniy Dugin
Hello, I've been infected by cryakl 1.4.1.0. I can decrypt a single file but I can't decrypt an entire folder. It just searches, finds nothing and writes "Process Complete".
Files have names like email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail
I tested on 5 PCs with Win10 x64 and Win7 x64 with .NET Framework 4.0 and it works the same way.

Author Comment

by:James-Gourley
It looks like they've changed the filename structure again around the date. I will have to update the code to accommodate the change. I am a far cry from identifying as a software developer, so unfortunately these little things are all it takes to break the tool. I will update the code and let you know when to try again. I have to do the updates in the evenings as I work during the day, so you'll have to sit tight for a bit. My apologies for your trouble. At least it works to decode single files, so you can breathe a little easier knowing that decryption will be possible.

Expert Comment

by:Ale Tucci
Thank you a lot for the precious work!
Could you make something for files bigger than 2GB?

Author Comment

by:James-Gourley
Hi Ale: To decrypt a file larger than 2GB, you currently have to choose not to keep the encrypted files. I have used the tool to decrypt a backup archive that was over 300GB in size. The difference is that when you choose to keep the file, it must read the entire file, fix it, and write it to a new file. The method in which I read the file in is limited to 2GB. When you choose not to keep the file, the program "fixes" the file in place, and only modifies the encrypted bytes. I hope that helps in the short term and I will try to learn how to read/write the file differently for a future update. I'm going to look at it tonight and should at least have a fix available for Arseniy Dugin. If there is time I will check into the >2GB issue as well.

Expert Comment

by:Ale Tucci
Thank you James-Gourley!

Expert Comment

by:Arseniy Dugin
Thanks a lot!

Author Comment

by:James-Gourley
Updated Decryption Tool Available
I have updated the file linked in the article above to address some bugs that have been reported. As always, back up your encrypted files before using this utility. Enjoy!

Changes:
- I've updated the way the program parses the filename. This should help handle slight variations in the file name automatically.
- When choosing to keep original files, a bug was present that prevented files over 2GB from being decrypted. This method has been updated and will now copy the encrypted file into a new file called [original_filename].fairydust. Once that file has been decrypted, it is renamed to the original file name.
- When decrypting a single file, you will now see the status dialog appear.
- If a file being decrypted already exists, it will append a timestamp to the end of the file name. This will be useful if you were able to partially restore some files from backup before decryption.

Expert Comment

by:Raul Rend
I have some issues with this tool. I haven't been able to get an original copy of the files before encryption and I have looked all over the internet trying to find an alternative, but it looks like this is the only tool that works with the .fairytail ransomware. Isn't there any other way of decrypting the files? Please, if someone finds something that could help me, I could use some help

Author Comment

by:James-Gourley
So far, without an original file I have not found a way. Here are a few tricks to finding an original file though: If your C:\Users\[username]\Downloads folder has files inside that are encrypted, see if you can find any of those files to download again from the source and use that as your original file. As a last ditch effort, see if your file "C:\Windows\Media\Alarm01.wav" is encrypted. If so, send it to me and I'll see if mine is a match.

Expert Comment

by:Raul Rend
There are 2 files that I found. I changed the .fairytail one to .pdf because the site won't allow .fairytail. There is the original and the encrypted one
files.zip

Author Comment

by:James-Gourley
Hi Raul,

Those files do not match. The original file is 152478 bytes and the encrypted file (ignoring the metadata at the end) is 153050 bytes.

Furthermore, the unencrypted data at the end of the file is not the same:
Unencrypted file ends with: /Prev 148336/XRefStm 147710>>..startxref..152296..%%EOF
Encrypted file ends with: endstream.endobj.startxref..116..%%EOF..

Unfortunately, they cannot be used to generate a key to decrypt the other files.

Expert Comment

by:Raul Rend
So, if I can get two similar files we will be able to decrypt everything?

Expert Comment

by:Pavel Hruschev
Hi James, the new version can handle folder operations but has an issue with decryption. All decrypted files have a portion of garbage in the middle. It was reported by Arseniy but his comment was deleted. Anyway, thank you for this great tool.

Author Comment

by:James-Gourley
Raul, if you can find a file as it existed before it was encrypted, and the encrypted version of that file, it should be able to be used to decrypt everything.

Pavel, can you send me some of these files that are having difficulties? I would also need an original/encrypted pair from you so I can test with it. I've only ever seen the first 50kb encrypted but there's a chance that they have changed something so that it encrypts more of the file, or different chunks of the file. I will certainly have a look for you.

Expert Comment

by:Tata Funk
Hi James
I'm having some difficulties decoding a .mdb file.
First of all, I don't have the original file because, of course, we've been hacked. Anyway, I've renamed the email-blackdragon43@yahoo.com etc. file to the original one.
The decoder sends the file to an existing directory c:/users/James/desktop
Can you help us?

Screenshot

Author Comment

by:James-Gourley
You will have to find an original file to determine how the files were encrypted. Next, you have to select the file or directory that you would like to decrypt. Last, click start decryption. Without an original file, this tool will not be able to help unfortunately.

Expert Comment

by:Tata Funk
What a pity. We only have the hacked file....
Can you do anything for us? We will be grateful to make a donation...
Thanks anyway
Bests

Author Comment

by:James-Gourley
All I can suggest is to search around for a file that didn't get encrypted. Check your flash drives, email, etc.

One other possibility is that you can send me your encrypted c:\windows\media\alarm01.wav file, if it is in fact encrypted. If it matches mine, maybe I can make a key out of it.

Expert Comment

by:Pavel Hruschev
James, it's not a new variant, it's the same that was reported by Arseniy 2 days ago with names like email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail. Old version decodes these files perfectly, but one-by-one only. New version decodes them on folder basis but leaves garbage portions in files. I think it's a decoding algorithm problem.

Author Comment

by:James-Gourley
Note to all victims:

A bug has been fixed that was leaving some encrypted data in the middle of the file. If you have been affected, download the tool again and try again. Please feel free to send me a PM if you find any other bugs, and Ask a Question if you need support.

Thanks Everyone!

Expert Comment

by:Raul Rend
James, you are a hero, man. Thanks to you I was able to decrypt most of the data that I had encrypted, thanks so much. I found an old file and I was able to find the key. Thanks very, very much 😆😆😆😆

Expert Comment

by:Arturo Orta
Hi,

   First, I want to thank you so much for this utility. Second, I found a bug. When I try to decrypt a file with a size of less than 2kb, it does not decrypt it at all. Can you help us with that? Thanks a lot.

Author Comment

by:James-Gourley
Hi Arturo Orta, sorry for the delay. I was sick and didn't have the energy to troubleshoot this. Could you private message me some files under 2kb so that I can test? I would need your original file / encrypted file pair to test with as well. I think I know where the problem is but I just don't want to blindly release an update. Thanks for your help and for pointing out the bug.

Expert Comment

by:Bill Huynh
Maybe I'm doing something wrong. I have an original unencrypted file and (of course) the encrypted file. Used the decryptor tool as instructed. Unfortunately, I am getting an "encryption signature mismatch" message.

:-(

Author Comment

by:James-Gourley
Hi Bill, typically the first 1028 bytes of data following {encryptstart} at the end of each file is the same. I have seen one case where an individual had some files encrypted with one key and others with a different key. This seems to indicate that the attacker may have run the encrypt tool twice and may be the case with you. I added this encryption signature catch for this situation as attempting to decrypt with the wrong key will still leave your files broken. Are you affected by CL 1.4.0.0 or CL 1.4.1.0?
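The signature check described in the comment above can be run as a pre-flight step over a whole tree before anything is modified. The following is an added example (not the author's C# code) that reads only the tail of each file, takes the 1028 bytes after {encryptstart} as the signature, and sorts files into match / mismatch / unreadable against the encrypted half of the analysis pair; it assumes the marker is the literal ASCII bytes b"{encryptstart}" and that the signature begins immediately after it, neither of which the page confirms.

```python
"""Pre-flight 'encryption signature' check for Fairytail-encrypted files.

Added example, not code from the author's Cryakl-Decoder. It follows the
description in the comment above: the trailing metadata of each encrypted
file contains {encryptstart}, and the 1028 bytes after it are normally the
same for every file encrypted in one run. Files whose signature differs from
the analysis pair's must be skipped, since decrypting them with that pair's
key leaves them broken.

Assumptions (not confirmed on the page): the marker is the literal ASCII
bytes b"{encryptstart}" and the signature starts right after it.
"""
import os
from typing import Dict, Optional

MARKER = b"{encryptstart}"   # assumed byte form of the marker
SIG_LEN = 1028               # signature length stated by the author
TAIL_BYTES = 256 * 1024      # metadata is at the end; never read a 300GB archive whole


def trailer_signature(data: bytes) -> Optional[bytes]:
    """Return the 1028-byte signature from a file's trailer, or None.

    None means the file is not usable as-is: the marker is absent (not a
    Fairytail file, or the trailer lies further back than the bytes given)
    or the trailer is truncated. The truncated case is what surfaced as an
    ArgumentException in the .NET tool's getEncFileSignature.
    """
    idx = data.rfind(MARKER)
    if idx < 0:
        return None
    start = idx + len(MARKER)
    sig = data[start:start + SIG_LEN]
    return sig if len(sig) == SIG_LEN else None


def read_tail(path: str, size: int = TAIL_BYTES) -> bytes:
    """Read only the last `size` bytes of a file (the whole file if smaller)."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - size))
        return f.read()


def triage(reference: bytes, candidates: Dict[str, bytes]) -> Dict[str, list]:
    """Sort candidate files by whether their signature matches the reference.

    `reference` is the content (or tail) of the encrypted half of the
    analysis pair; `candidates` maps a name to each file's content or tail.
    Only the "match" bucket should be handed to the decryption step.
    """
    ref_sig = trailer_signature(reference)
    if ref_sig is None:
        raise ValueError("analysis file has no complete {encryptstart} trailer")
    result = {"match": [], "mismatch": [], "unreadable": []}
    for name, data in candidates.items():
        sig = trailer_signature(data)
        if sig is None:
            result["unreadable"].append(name)
        elif sig == ref_sig:
            result["match"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def _fake_encrypted(body: bytes, sig: bytes, truncate: int = 0) -> bytes:
    """Constructed stand-in for an encrypted file: body, marker, signature, rest."""
    trailer = MARKER + sig + b"{other metadata}"
    blob = body + trailer
    return blob[: len(blob) - truncate]


# Constructed sample set: two files from one run, one from a second run with a
# different key, one with a cut-off trailer, and one untouched file.
SIG_A = bytes([0xA5]) * SIG_LEN
SIG_B = bytes([0x5A]) * SIG_LEN
SAMPLES = {
    "report.docx.fairytail": _fake_encrypted(b"\x10" * 4096, SIG_A),
    "photo.jpg.fairytail": _fake_encrypted(b"\x20" * 4096, SIG_A),
    "second-run.xlsx.fairytail": _fake_encrypted(b"\x30" * 4096, SIG_B),
    "cut-off.avi.fairytail": _fake_encrypted(b"\x40" * 4096, SIG_A, truncate=600),
    "README.txt": b"plain text, never encrypted",
}
REFERENCE = _fake_encrypted(b"\x00" * 4096, SIG_A)  # encrypted half of the analysis pair

if __name__ == "__main__":
    for bucket, names in triage(REFERENCE, SAMPLES).items():
        print(f"{bucket:10s} {names}")
```

For a real tree, build `candidates` with `read_tail(path)` for each file and decrypt only the "match" bucket; the other two buckets are the files the author's signature catch would have refused.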

Expert Comment

by:宇 丁
I just want to say thank you, James. Your tool helped me recover my server files.

Expert Comment

by:Liz Ar
Hi,
I downloaded the decryption tool and it doesn't show me the VICTIM ID, and the START DECRYPTION button is disabled.
I have the 2 files, the original and the encrypted. Can you help me if I'm doing something wrong, please?
Thanks.

Author Comment

by:James-Gourley
Hi Liz, please send your source files (original and encrypted) in a PM to me and I'll have a look.

Expert Comment

by:CaribbeanBlues
Hi James, so far I have escaped ransomware.  Nonetheless, I want to say thank you for what you have done and are doing!  As a retired programmer myself, I understand the issues, and your willingness to do this, to provide it, to handle so patiently the comments, questions and pleas for help, is praiseworthy.  The more desperate each person feels, the more they should realize the size of the gift you have given them.  Thank you, thank you, thank you again!

Expert Comment

by:Liz Ar
James-Gourley, CaribbeanBlues has all the truth!!  Thank you very much for this great tool and for the follow-up that you gave to my case.
Fortunately I found an original file and it was possible to recover what I needed.
Thank you very much for your great help and time!

Expert Comment

by:Alin M
Hello James, thank you for this great tool. I recovered all my files. All my best greetings from Romania!

Expert Comment

by:core asenov
Hi James,

I'm also affected and want first to thank you very much for your work. Your tool is the first that could possibly help me. I tried to run it, but I'm getting the following error in the program log:

File Name,Path,Status
IMGP3064.AVI,G:\w,System.ArgumentException: Destination array is not long enough to copy all the items in the collection. Check array index and length.
   at System.BitConverter.ToString(Byte[] value, Int32 startIndex, Int32 length)
   at Cryakl_Decoder.Form2.getEncFileSignature(String strEncFile)
   at Cryakl_Decoder.Form2.Decrypt_File(String strEncFile, String strDestFile, Boolean boolKeepEncFile)
   at Cryakl_Decoder.Form2.Button5_Click(Object sender, EventArgs e)


The filename is  email-gruzinrussian@aol.com.ver-CL 1.4.0.0.id-5122680-3.1.2018 г. 19@55@343510125.fname-IMGP3064.AVI.fairytail

Your tool shows me the following information: Capture-Modified.png
I hope someone could advise me what I'm possibly doing wrong.

Thanks!
Pavel

Author Comment

by:James-Gourley
If possible, could you please send me your original / encrypted pair of files, along with a couple of the problem files. I'm happy to have a look and fix the bug. In the meantime, try running the tool with the option to keep encrypted files unchecked. Try it on a single file first, and of course make a backup first.

Author Comment

by:James-Gourley
Hi Pavel, if you are receiving the error when selecting your files in step 1, it may be that the files are too large. If they are over 2gb, then the method I use to read them may fail. If you have smaller files, try those.

Expert Comment

by:core asenov
Hi James,

thank you for your immediate answer. The file size is 225 Mb. I've uploaded both files and a folder with a couple of .doc files for decryption to my cloud drive, please use the following link: FILES

Thank you for your support !!!

Pavel

Expert Comment

by:fsdagwaegwe hgwrgwegw
anyone infected by CL1.5?

Author Comment

by:James-Gourley
I haven't seen anything about 1.5 yet. If you are affected by it, I would be very interested in looking at some of your files, along with an original / encrypted pair as well.

Expert Comment

by:12334 123456
Hello, I can decode file 1.4.1 version with your decryption tool. PLS Help https://www.sendspace.com/file/l16bjj

Expert Comment

by:alex sloboda
here files from version 1.5, is it possible to decrypt them? Thank you
https://cloud.mail.ru/public/Atkq/mS4zUQ4RT

Author Comment

by:James-Gourley
core asenov,

I have tested with your files and did not have any troubles. To keep the comments section clean, I will work on this issue in private messages with you. If we uncover a bug, I will fix it and post an update for everyone.

Author Comment

by:James-Gourley
12334 123456, I have sent you a private message to help you with your files. If we uncover a bug, I will post an update for everyone.

Expert Comment

by:Sri Balaji Computers
Hi, I need urgent support, guys. I am infected by Cryakl ransomware 1.5.1.0 ... I have tried all decryptors, kaspersky, emiset, nothing helps.
I want a decryptor for Cryakl ver 1.5...

Thanks in advance
Subhash kannan

Expert Comment

by:Andrew Leniart
Subhash,

Have you tried the excellent solution made by this author? Read the article and download the decryptor and see if that helps. Cryakl 1.5 is supported according to the author?

Hope that's helpful.

Andrew

Author Comment

by:James-Gourley
Hello All, my apologies for disappearing. I was working out of town a lot and was not in a position to assist with requests here. I have begun reviewing 1.5.0.0 files and believe I may be onto something. If anyone has any files affected by this variant, please send them to me in a private message (original and encrypted).

Thank you Mike for pointing out yet another variant (1.5.1.0) that will be coming as well. If anyone has files from this variant, please send them to me as well. Please include originals.

Expert Comment

by:mike1 mike1
Thank you Mike for pointing out yet another variant (1.5.1.0) that will be coming as well. If anyone has files from this variant, please send them to me as well. Please include originals.
Check PM. But I do not need a decryption. I just decided to help you. On Virustotal there is a link to the virus itself. ;)

Expert Comment

by:Pavel Hruschev
For the purposes of the experiment, I successfully decrypted the file from version 1.5.0.0 published by alex sloboda on 2018-03-05 with the latest version of the decryption tool.

Author Comment

by:James-Gourley
Pavel, it will work for some files but not all as the key changes with each file. I received  more files from Alex and noticed this. Two of them did use the same key but most will be different. I need more files to test with but I think I am getting close. If I'm right, there will not be a need for an original file for this variant.

Expert Comment

by:Scott K
James,
Are you still in need of encrypted files hit by the 1.5 version of Cryakl? I have plenty but not the original files to go with them...

Author Comment

by:James-Gourley
Sure Scott send them over. I don't have a lot of time lately but I'd be happy to have them and see if I can figure anything out.

Expert Comment

by:Gerardo Lovagnini
Hi! I've a PC infected with version 1.5.1.0. I am trying to get some original files and will send them to you ASAP. Is the current tool able to decrypt files for this version?
My encrypted files end with "-doubleoffset"; would it be the same as fairytail???

Thanks a lot and good luck !!

Expert Comment

by:SIMON CHAN
Dear ALL,

 I've a PC infected with version 1.5.1.0. I am trying to get some original files and will send them to you ASAP. Is the current tool able to decrypt files for this version?
My encrypted files end with "-doubleoffset"; would it be the same as fairytail???

Thanks a lot and good luck !!

Expert Comment

by:Abror Lee
Hello. PLS can you help me with the 1.5.1.0 version?? I have a small organisation, all of my work files and databases were encoded, it's a terrible disaster for us. The attached program in this topic didn't recover the files(

Expert Comment

by:SIMON CHAN
I have used this 1.41 decrypt tool for 1.5.1.0 files. The tool said the decryption key was found and said the files were successfully decrypted.
But when I want to open some of the files, like .doc, .xlsx..., the files are corrupted and can't open. But some of the PDFs can open and read.

Anyone have a suggestion for that? Infected with version 1.5.1.0 files, thanks a lot.

Expert Comment

by:Andrew Leniart
@Gerardo Lovagnini
@SIMON CHAN
@Abror Lee

Hi Guys,

With regards to your questions, may I suggest you use the "Ask a Question" function of Experts Exchange? (Big blue button at the top of your browser while logged into Experts Exchange) and then just post a link to your question in a further comment here.

I suggest this for a couple of reasons:

  1. James-Gourley will be further rewarded for all of his hard work if he helps you out with a Question, rather than just in comments here
  2. You will also have the benefit of having your difficulties considered and perhaps helped to be resolved by many other experts on this topic that don't monitor the comments made in this article

Just a suggestion for you (and any future folks) that log in to leave a comment here asking for additional help with their difficulties.

I hope that's helpful.

Regards, Andrew

Expert Comment

by:Augusto Sousa
Hi James ..... I'm back here .... Sadly
I've another computer infected with Fairytail .... I think it's the same version that I cleaned earlier.
I've just downloaded your decryptor but I think something went wrong with it.
The earlier version worked fine for me .... but this one seems to give me some trouble. I used it on 3 different PCs and I received the same error. All of them were running Windows 10 64 bits.
I have a clean file and the same file encrypted to use in the decryptor.
But as soon as I select the encrypted file, I receive the error I attach
Cryakl-error.jpg

Expert Comment

by:Abror Lee
Hi guys. In my opinion, there is no way to decode files with this software for the new version of the trojan(. I tried different ways, and there was no result. I have DRWeb and kaspersky licenses, I asked for help in their Antivirus Labs, but the specialist, after file analysis, told me that the files couldn't be restored without the original decoder. They say to me don't pay the hackers, but I have no other way, I will lose my work if the information isn't restored. They asked 2000 USD in BTC((( I will collect my last money(((

Expert Comment

by:Andrew Leniart
@Augusto and Abror,

I´m back here .... Sadly I've another computer infected with Fairytail
You've been hit a second time and caught without a backup again? Have you at least now backed up the first computer that was infected and you managed to recover?

I would strongly urge you to learn from this second experience and start a solid backup regime on all and any of the unaffected computers that you may still have. Clearly, either your security defenses are not up to scratch or your web surfing and file attachment habits are risky to say the least.

Whilst you search for a solution to this latest lesson, ask for help on how to set up a solid backup routine. Use the "Ask a Question" function at Experts Exchange to get advice and help on how to do that properly if you're unsure.

You can't just rely on there always being something available to get you out of trouble. What if it was a major hard drive disaster that 'will', not 'might', but will happen one day and your files turn out to be unrecoverable and lost forever?

I'm honestly not scolding you, especially during such a frustrating time for you, but at some point, you have to start taking responsibility for your own actions (and inactions). Please learn from this experience.

I have DRWeb and kaspersky licenses, i asked for help in their Antivirus Labs, but the specialist after file analysing told, that files couldn't be restored without original decoder.
Sure and they would have been saying the exact same thing about the version you were infected with the last time until James got lucky and proved that theory completely wrong. Eventually, what you're infected with will likely be recoverable as well, but it may take some time for someone to find a solution.

There is rarely such a thing as "can't" when it comes to this type of computing technology. Can't "at this time" would be a far more accurate statement.

They say to me don't pay to hackers
Here they are giving you very sound and solid advice. I'd strongly suggest you heed and follow it.

but i have not another way, i will lose my work, if information won't be restored
You would be best off to consider it lost and go about restoring and/or recreating anything you can while continuing to search for a solution.

They asked 2000 USD in BTC((( I will collect last money(((
All I can say in response to that, is that I think you're making a huge mistake Abror. Consider the following questions;

  • Have the hackers given you a guarantee that their solution will work?
  • What if you pay the $2,000 USD and get nothing back in return?
  • What if after you pay, they demand even more money from you before they send you a decryption key?
  • What if you then pay even more and still get nothing back?
  • What if the hackers don't know how to decrypt the files themselves and don't even have a decryption key to give you?
  • The what if's ... can go on forever.

Not only are you taking a "huge" risk with your hard earned money, but you're also saying to the hackers, hey, this scheme you've launched works well with people like me. Keep it up and enjoy the benefits!

See what I mean?

Now, with all that out of the way: while James is apparently otherwise busy (remember, this is probably not his profession, and he likely has a real job to concentrate on to be able to put food on his table too), and despite what I've said to you above, I too despise hackers and ransomware criminals with a passion, so I am very sympathetic to your plight.

I invite you both to zip up and send me two files via PM - an encrypted file and the same file in an unencrypted format. If you want me to try, please be sure the file(s) you send me do not have any of your confidential information in them.

I offer this because you've stated that you've tried the tool with 3 different computers, but all running Windows 10 64-bit operating systems. I have a variety of other systems I can try decryption with while you wait for more help from the author, all the way back from Windows 98 to Windows 10, both 32-bit and 64-bit installs where available. If I get lucky and succeed, then I'll let you know exactly what type of install the tool didn't crash in.

In the meantime, "please" do yourselves a huge favor and create a full backup of any still unaffected systems, immediately.

I hope that's helpful.

Regards, Andrew
1

Expert Comment

by:Abror Lee
Hello, I have some news. The hackers gave me guarantees: they decoded 3 test files that I sent them by email. I tried to have a dialog with them; they made a little discount for me, I paid to their BTC wallet, and after 30 minutes they gave me the decoder. Now it is working and the files are being restored. Also, during the dialog I understood that the hackers know about the decoder for the last versions. The hacker told me that they fixed the decoding hole and improved the encryption. So, I don't call on everyone to pay, but if you have no other way, as in my situation, I inform you that they did not deceive me and fulfilled their obligations.

About backups: I had local backups, and a backup on another PC (backup server). But they hacked the whole network; I think they used a VULN in port 445, because one VM was not updated(
0

Expert Comment

by:Augusto Sousa
Damn ..... I understand you are in a hurry, Abror Lee ..... but that way you are financing hackers.
Destroying just for fun isn't the way. If they are very good, they should use that in a good way.
There are lots of other ways to make money than stealing BTC that way.
1

Expert Comment

by:Gerardo Lovagnini
+Abror +Augusto, the speech about ethics and morals is very nice for a college auditorium, but in real-time business, time is money, so if you already have the problem you have to solve it, and if it implies risks, it's on you if you want to take them. That's the truth. Last year a friend of mine got a server encrypted with Arena ransomware, a rare version that was not decryptable. She has a big hardware store and no external backup. She decided to pay about 1,000 USD and we got the files back the next day. Not everything is about what is right or wrong. Quick decisions are also very valuable in these cases. Each case is a world....
0
LVL 19

Expert Comment

by:Andrew Leniart
Abror,
About backups: I had local backups, and a backup on another PC (backup server). But they hacked the whole network; I think they used a VULN in port 445, because one VM was not updated(
What you should have learned from that is that your backup regime is totally inadequate. My system(s) back up to a local NAS drive but also transfer those backups to a cloud server once a day, every day.

So my own worst case scenario is that I could lose 24 hours worth of data, and the vast majority of that would be email data that I've downloaded in Outlook using POP3 from my host. Now, since my host also backs up his entire system (not once a day, but once an hour), he could also retrieve any lost email information for me as well.

So now my worst case scenario has just dropped from a potential of 24 hours data loss, to 1 hour. No big deal and I will never have to even consider rewarding criminal scum for unleashing their stupidity on my data or system(s).

As I said earlier, I  strongly urge you to either get some professional help in creating a "proper" backup regime or ask for help here where there are many experts that can guide you in creating "proper" backups so that you are fully protected in the event that this happens to you again.

that they did not deceive me and fulfilled their obligations.
Read that quote of your words a few times and think about what you've just said. You're now praising the criminals for being so kind as to provide you with a decryption key, at considerable cost, in order to fix the damage that they did to you. I'm glad you're getting your data back but your thinking appears to be skewed and way off here.

My last word on this topic to you, Abror, is that I *still* think you made a huge mistake. I would rather spend 10 times the amount you paid in helping to get this criminal caught and placed behind bars where he belongs.

Cheers...
1
LVL 2

Author Comment

by:James-Gourley
Apologies for my lack of presence regarding 1.5.0.0 and 1.5.1.0.

I have some samples of files, but I need a lot more if I'm going to break this. I have access to the virus itself and can always let it go in a VM, but I would really rather not. I have found a pattern in the encryption and developed a method that works on roughly 5 out of 6 files, and original files are not needed.

Since I was personally infected with 1.4.0.0 I had no shortage of data to work with. 1.4.1.0 was a slight variation but overall not too different. 1.5.0.0 uses the same encrypting method but the key is derived differently. If everyone reading this can upload a good number of encrypted files to dropbox and share the link with me I will commit to spending some time on this.

I hate to see these people profiting from this but can understand both sides of the argument. Hopefully I can make a difference for the next person.

Abror, I would be interested in seeing the decrypt tool if you are willing to share it.

Thanks everyone for the patience.
6

Expert Comment

by:Germ Furnie
Hi James. I've been encrypted by version 1.5.1.0 and I have a lot of files (original and encrypted) to help you find the key. ufile.io/iy1xt
2

Expert Comment

by:Alexander Kamenev
Hi James. I've been encrypted by version 1.5.1.0 doubleoffset and I have files (original, encrypted and the virus) to help you create a new version of the decryptor. Encrypted file: https://yadi.sk/d/fx7LVJHV3ZA4SU , original file: https://yadi.sk/i/mBWf1OW-3ZA4Tv , virus in rar->zip archive (password: 12345): https://yadi.sk/d/2H-6p9hg3ZA4Xk
0

Expert Comment

by:Виктор Морозов
Hello, James! My files were also encrypted. Some files have been restored from backup.
https://yadi.sk/d/3hzKHlvU3ZGC3F
I hope this helps create a decryptor.
0

Expert Comment

by:Виктор Морозов
Interesting observation.
I have two encrypted identical files in different folders (for example C:\1\Encrypted.doc and C:\2\Encrypted.doc).
And I have two original identical files in different folders in backup (for example H:\backup\1\Original.doc and H:\backup\2\Original.doc)

"H:\backup\1\Original.doc" EQUAL "H:\backup\2\Original.doc"
but
"C:\1\Encrypted.doc" NOT EQUAL "C:\2\Encrypted.doc"

Two identical files in different directories are encrypted with different keys?
0
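The observation in the comment above (identical originals in two folders, different ciphertexts) is the first thing to pin down before anyone attempts a decryptor, because it decides whether a keystream recovered from one known-plaintext pair can be reused on other files. The Python below is an added example written for this page; it is not James Gourley's tool and not code posted by anyone in this thread. It works under an explicit assumption the thread does not confirm: that the locker XORs a keystream over the file body, so original XOR encrypted yields that keystream. The toy encryptor `_toy_encrypt` and the sample documents are constructed stand-ins used only to exercise the triage functions; they are not Cryakl's algorithm.

```python
"""Known-plaintext triage for (original, encrypted) file pairs.

Added example for this page, not the thread's decryption tool.
ASSUMPTION (not established by the thread): ciphertext = plaintext XOR keystream,
so XORing a backup copy with its encrypted twin recovers the keystream. The
checks below then answer: do two identical originals share a keystream (reuse,
exploitable) or not (per-file key/IV, as observed in the thread), and does the
keystream have a short period (repeating key rather than a stream cipher)?
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class PairReport:
    plaintexts_identical: bool
    ciphertexts_identical: bool
    keystreams_identical: bool
    compared_len: int


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Under the XOR assumption, returns the keystream covering the file body.
    Only the common prefix is used: an encrypted file is often longer than its
    original (appended marker or key blob), and those bytes have no plaintext twin."""
    return xor_bytes(original, encrypted)


def compare_pairs(orig_a: bytes, enc_a: bytes, orig_b: bytes, enc_b: bytes) -> PairReport:
    """Compare two known-plaintext pairs. keystreams_identical is the decisive
    field: identical originals with different keystreams mean a per-file key or
    IV, so a keystream lifted from one file cannot decrypt another."""
    ks_a = recover_keystream(orig_a, enc_a)
    ks_b = recover_keystream(orig_b, enc_b)
    n = min(len(ks_a), len(ks_b))
    return PairReport(
        plaintexts_identical=orig_a == orig_b,
        ciphertexts_identical=enc_a == enc_b,
        keystreams_identical=ks_a[:n] == ks_b[:n],
        compared_len=n,
    )


def keystream_period(ks: bytes, max_period: int = 64) -> int | None:
    """Smallest p <= max_period with ks[i] == ks[i + p] for every i, else None.
    A short period means a fixed key repeated over the data, not a stream cipher."""
    for p in range(1, min(max_period, len(ks) // 2) + 1):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return None


def _toy_encrypt(plaintext: bytes, seed: bytes) -> bytes:
    """CONSTRUCTED stand-in for the locker (not Cryakl): SHA-256 in counter mode
    keyed by `seed` gives the keystream, XORed over the body, plus an 8-byte trailer."""
    blocks = len(plaintext) // 32 + 1
    ks = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return xor_bytes(plaintext, ks) + b"TRAILER!"


def demo() -> dict[str, PairReport]:
    """Runs the triage over constructed sample data and returns the reports."""
    doc = b"Quarterly report: " + bytes(range(256)) * 2       # constructed plaintext
    doc_copy = bytes(doc)                                      # same file, other folder
    other = b"Invoice 0042\n" * 30                             # a different file
    return {
        # The thread's observation: identical originals, per-file seeds.
        "per_file_key": compare_pairs(doc, _toy_encrypt(doc, b"seed-C:\\1"),
                                      doc_copy, _toy_encrypt(doc_copy, b"seed-C:\\2")),
        # Keystream reuse across different files: one pair decrypts the other.
        "reused_key_other_file": compare_pairs(doc, _toy_encrypt(doc, b"fixed"),
                                               other, _toy_encrypt(other, b"fixed")),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
    print("period of a repeating 2-byte key:", keystream_period(bytes([7, 9]) * 20))
```

With real files, pair each backup copy with its encrypted twin by relative path, read both with `open(path, "rb").read()`, and feed them to `compare_pairs`; if `keystreams_identical` comes back False for identical originals, the key material is per file and the effort has to go into how that key is derived rather than into reusing a recovered keystream.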
