Virus kimchenyn

We are hacked by a ransonware : KIMCHENYN. 
Encrypting files seems pretty simple.
The size does not change a series of binary bytes and the key in asci are added at the end. Help, do you have an idea?
Thank you.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

☠ MASQ ☠Commented:
.kimchenyn is a variant of Global Imposter ransomware, currently there is no fix for this or means to decrypt, assume your data is lost and restore from a backup if you have one.  It's been in the field for only a matter of weeks.
btanExec ConsultantCommented:
A rather new GlobeImposter Ransomware variant. It appends “..726” to every encrypted file name to identify that the file has been encrypted. It uses an RSA 2048-bit key to encrypt files, it’s very hard to decrypt them without the decryption key.

Suggest as expert mentioned, recover from backup, refurnish the machine, ask the victim to change password and harden the machine. Backup also the ransom notes amd encrypted files as in the future it will be used if decryptor tool is released.

You can try out idransomware (  to see any futher resemblance and info on the malware and possible tool to decrypt..
knollcompusoftAuthor Commented:
thank you for your answer.
I suppose the key is in the file.
a crypted file contain the same size of the original file of bytes, plus a fixed size of byte and the "key" we found in the message html in ascii.
2 sames files are not encrypted in same manner.
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

☠ MASQ ☠Commented:
The Public Key is in the file but the Private key is on the ransomware server. The same AES encryption is used on all your data.
knollcompusoftAuthor Commented:
Thank you for your answer.
I replied to the pirate, I sent him an encrypted file to prove to me their ability to decrypt it, I have no answer.
What can I do?
☠ MASQ ☠Commented:
They will do nothing without payment and there's no guarantee that you will get anything back if you do pay.  You should assume you've lost all your data and either restore from a backup or move on.
btanExec ConsultantCommented:
The private key is with the cybercriminal, not in the encrypted files or in your machine. This why they asked for the files and ID. During the infection, the public key encrypts a file encryption key, that in term encrypt the plain files, and the latter are securely erased such that recovery is not possible. There is no decryption key in plain that is why the cybercriminal say you need their decryptor. Each file has its unique encryption key though it is encrypted by the same public key.

Regardless as the expert has shared, there is no guarantee even though the cybercriminal provides even an alternative email account. You shpuld even be more wary getting anything feom the cybercriminal. I strongly discouraged payment as it indirectly support their ill doing. If no backup, then just move on as I earlier say on can report to your authority.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
knollcompusoftAuthor Commented:
Thank you for your message, unfortunately, the infection has spread, during backup, copies are encrypted.
btanExec ConsultantCommented:
No better choice, the last resort as you shared then.
btanExec ConsultantCommented:
For author advice.
knollcompusoftAuthor Commented:
Thank you all for your answer I was able to restore the machines with previous backups (3 weeks of work). With regard to the hacker I sent an email with an attached crypted file for me to prove his ability to the decrypt, I received answers but never the file. Of course, I have never sent money.
btanExec ConsultantCommented:
Thanks for sharing. Backup is critical and it is good that you have good ones available for recovery.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.