
Virus kimchenyn

knollcompusoft
on
151 Views
Last Modified: 2017-12-06
We have been hacked by a ransomware: KIMCHENYN.
Encrypting files seems pretty simple.
The size does not change; a series of binary bytes and the key in ASCII are added at the end. Help, do you have an idea?
Thank you.

CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
.kimchenyn is a variant of GlobeImposter ransomware; currently there is no fix for this or means to decrypt. Assume your data is lost and restore from a backup if you have one. It's been in the field for only a matter of weeks.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
A rather new GlobeImposter Ransomware variant. It appends “..726” to every encrypted file name to identify that the file has been encrypted. It uses an RSA 2048-bit key to encrypt files, it’s very hard to decrypt them without the decryption key.

Suggest, as the expert mentioned, to recover from backup, refurnish the machine, ask the victim to change password and harden the machine. Also back up the ransom notes and encrypted files, as in the future they will be needed if a decryptor tool is released.

You can try out ID Ransomware ( https://id-ransomware.malwarehunterteam.com/index.php ) to see any further resemblance and info on the malware and a possible tool to decrypt.

Author

Commented:
Thank you for your answer.
I suppose the key is in the file.
An encrypted file contains the same number of bytes as the original file, plus a fixed number of bytes and the "key" we found in the HTML message, in ASCII.
Two identical files are not encrypted in the same manner.
2010-11-22-17-42-12-readme.txt
how_to_back_files.html
readme.txt.kimchenyn.txt
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
The Public Key is in the file but the Private key is on the ransomware server. The same AES encryption is used on all your data.

Author

Commented:
Thank you for your answer.
I replied to the pirate, I sent him an encrypted file to prove to me their ability to decrypt it, I have no answer.
What can I do?
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
They will do nothing without payment and there's no guarantee that you will get anything back if you do pay. You should assume you've lost all your data and either restore from a backup or move on.
Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Thank you for your message. Unfortunately, the infection has spread; during backup, the copies were encrypted.
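The situation above (backup copies that turned out to be encrypted too) is the case a backup-integrity check is meant to catch before a restore is attempted. The script below is an added example, not code from this thread or from any vendor: it builds a SHA-256 manifest of a backup tree while it is known-good, then later reports files whose name carries the ransomware suffix (".kimchenyn", taken from the file name the author posted; the suffix list is an assumed parameter), files that went missing, files whose content changed, and files the manifest never listed. The sample files and the tampering in demo() are constructed for illustration.

```python
"""Backup triage helper (added example; not from the thread or any vendor).

Two cheap checks before trusting a backup set after a ransomware incident:
  1. file names containing a known ransomware suffix, and
  2. content whose SHA-256 no longer matches a manifest taken when the
     backup was known-good.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed parameter: ".kimchenyn" is the suffix seen in the thread
# (readme.txt.kimchenyn.txt); add others as they are confirmed.
SUSPECT_SUFFIXES = (".kimchenyn",)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, suffixes=SUSPECT_SUFFIXES) -> dict:
    """Compare the current tree against a known-good manifest.

    Returns a dict with sorted lists:
      suspect_names: names containing a ransomware suffix anywhere (the thread's
                     sample had it in the middle: readme.txt.kimchenyn.txt)
      missing:       manifest entries that no longer exist
      modified:      files present whose digest differs from the manifest
      unexpected:    files present that the manifest never listed
    and "clean", True only when all four lists are empty.
    """
    current = build_manifest(root)
    suspect_names = sorted(n for n in current if any(s in n for s in suffixes))
    missing = sorted(n for n in manifest if n not in current)
    modified = sorted(n for n in manifest if n in current and current[n] != manifest[n])
    unexpected = sorted(n for n in current if n not in manifest)
    return {
        "suspect_names": suspect_names,
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "clean": not (suspect_names or missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: a three-file backup, manifest taken while good,
    then the tree altered the way the author described (copies overwritten
    and renamed). Returns the verification results before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"quarterly figures\n")
        (root / "notes.txt").write_bytes(b"meeting notes\n")
        (root / "sub").mkdir()
        (root / "sub" / "plan.doc").write_bytes(b"project plan\n")
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)

        # Simulated damage (constructed): one copy replaced by opaque bytes
        # under a renamed path, another changed in place but keeping its name.
        (root / "readme.txt").unlink()
        (root / "readme.txt.kimchenyn.txt").write_bytes(b"\x00\x01\x02 opaque")
        (root / "notes.txt").write_bytes(b"meeting notes\n" + b"\xff" * 16)
        after = verify_backup(root, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written at backup time and stored separately from the backup media, so that an attacker who overwrites the copies cannot also rewrite the digests; a restore is only attempted from a set whose verification comes back clean.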
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
No better choice, the last resort as you shared then.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
For author advice.

Author

Commented:
Thank you all for your answers. I was able to restore the machines from previous backups (3 weeks of work). As for the hacker, I sent an email with an attached encrypted file so he could prove his ability to decrypt it; I received answers but never the file. Of course, I have never sent money.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Thanks for sharing. Backup is critical and it is good that you have good ones available for recovery.