knollcompusoft asked on

Virus kimchenyn

We have been hit by a ransomware: KIMCHENYN.
The file encryption seems pretty simple.
The size does not change; a series of binary bytes and the key in ASCII are added at the end. Help, do you have an idea?
Thank you.
Encryption


8/22/2022 - Mon
☠ MASQ ☠

.kimchenyn is a variant of GlobeImposter ransomware; currently there is no fix for this or means to decrypt. Assume your data is lost and restore from a backup if you have one. It's been in the field for only a matter of weeks.
btan

A rather new GlobeImposter Ransomware variant. It appends “..726” to every encrypted file name to identify that the file has been encrypted. It uses an RSA 2048-bit key to encrypt files, it’s very hard to decrypt them without the decryption key.

I suggest, as the expert mentioned, recovering from backup, rebuilding the machine, asking the victim to change passwords and hardening the machine. Also back up the ransom notes and encrypted files, as they will be needed in the future if a decryptor tool is released.

You can try ID Ransomware (https://id-ransomware.malwarehunterteam.com/index.php) to see any further resemblance and info on the malware and a possible tool to decrypt.
ASKER
knollcompusoft

Thank you for your answer.
I suppose the key is in the file.
An encrypted file contains the same number of bytes as the original file, plus a fixed number of bytes and the "key" we found in the HTML message, in ASCII.
Two identical files are not encrypted in the same manner.
2010-11-22-17-42-12-readme.txt
how_to_back_files.html
readme.txt.kimchenyn.txt
☠ MASQ ☠

The Public Key is in the file but the Private key is on the ransomware server. The same AES encryption is used on all your data.
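The two observations in this thread fit together: the body of each encrypted file is the same length as the original (a symmetric cipher that does not pad, or pads within the appended bytes), the per-file symmetric key is protected with the attacker's public key and appended, and two copies of the same file differ because each gets a fresh key. The following triage script is an added example for this thread, not code from the original post or from any ransomware analysis; it takes an original file and its encrypted counterpart, splits off the trailer, measures how much of it is binary and how much is printable ASCII, checks the body's entropy, and confirms that two encryptions of one plaintext differ. The "encrypted" sample is constructed with a seeded PRNG and placeholder blobs (`FAKE_BLOB`, `FAKE_KEY`), so it does not touch real malware output.

```python
"""Triage helper for comparing an original file with its ransomware-encrypted
counterpart. Added example for this thread, not code from the original post;
the 'encrypted' sample below is constructed with a seeded PRNG and placeholder
values, not real ransomware output."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0,
    plain text usually well below 6."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_trailer(encrypted: bytes, original_size: int) -> tuple:
    """Split an encrypted file into the body (same length as the original)
    and whatever was appended after it."""
    if len(encrypted) < original_size:
        raise ValueError("encrypted file is shorter than the original")
    return encrypted[:original_size], encrypted[original_size:]


def ascii_suffix(trailer: bytes) -> bytes:
    """Return the longest run of printable ASCII at the end of the trailer
    (the asker saw the 'key' appended as ASCII text after some binary bytes)."""
    start = len(trailer)
    while start > 0 and 32 <= trailer[start - 1] < 127:
        start -= 1
    return trailer[start:]


def analyse_pair(original: bytes, encrypted: bytes) -> dict:
    """Summarise the structure of one original/encrypted file pair."""
    body, trailer = split_trailer(encrypted, len(original))
    ascii_tail = ascii_suffix(trailer)
    return {
        "body_size_matches": len(body) == len(original),
        "trailer_len": len(trailer),
        "binary_prefix_len": len(trailer) - len(ascii_tail),
        "ascii_tail": ascii_tail.decode("ascii"),
        "body_entropy": round(shannon_entropy(body), 2),
        "body_differs_from_original": body != original,
    }


def same_plaintext_differs(enc_a: bytes, enc_b: bytes, original_size: int) -> bool:
    """Two encryptions of the same plaintext give different bodies when a
    fresh per-file key/IV is used, which is what the asker observed."""
    return split_trailer(enc_a, original_size)[0] != split_trailer(enc_b, original_size)[0]


# --- constructed sample data (placeholders, not real artefacts) ----------
ORIGINAL = b"Quarterly report, confidential.\n" * 128    # 4096 bytes of plaintext
FAKE_BLOB = bytes(range(16))                              # stands in for a binary header
FAKE_KEY = b"ENCRYPTED-KEY-BASE64-PLACEHOLDER=="          # stands in for the appended ASCII key


def fake_encrypted(seed: int) -> bytes:
    """Build a stand-in for an encrypted file: pseudo-random bytes of the same
    length as the plaintext, then a fixed binary blob, then the ASCII key."""
    rng = random.Random(seed)
    body = rng.randbytes(len(ORIGINAL))
    return body + FAKE_BLOB + FAKE_KEY


if __name__ == "__main__":
    report = analyse_pair(ORIGINAL, fake_encrypted(1))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("same plaintext, different bodies:",
          same_plaintext_differs(fake_encrypted(1), fake_encrypted(2), len(ORIGINAL)))
```

On a real incident, run `analyse_pair` over several original/encrypted pairs recovered from backup: a constant `trailer_len` and `binary_prefix_len` across files, high body entropy and a printable tail are consistent with the hybrid scheme described above, and the trailer is exactly the material to preserve alongside the ransom note in case a decryptor is released later.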
ASKER
knollcompusoft

Thank you for your answer.
I replied to the pirate and sent him an encrypted file so he could prove to me their ability to decrypt it; I have had no answer.
What can I do?
☠ MASQ ☠

They will do nothing without payment and there's no guarantee that you will get anything back if you do pay.  You should assume you've lost all your data and either restore from a backup or move on.
ASKER CERTIFIED SOLUTION
btan

ASKER
knollcompusoft

Thank you for your message. Unfortunately, the infection has spread; during backup, the copies were encrypted.
btan

No better choice, the last resort as you shared then.
btan

For author advice.
ASKER
knollcompusoft

Thank you all for your answers. I was able to restore the machines from previous backups (3 weeks of work). With regard to the hacker, I sent an email with an attached encrypted file for him to prove his ability to decrypt it; I received answers but never the file. Of course, I never sent money.
btan

Thanks for sharing. Backup is critical and it is good that you have good ones available for recovery.