knollcompusoft

asked on

Virus kimchenyn

We have been hacked by a ransomware: KIMCHENYN.
Encrypting files seems pretty simple.
The size does not change; a series of binary bytes and the key in ASCII are added at the end. Help, do you have an idea?
Thank you.
☠ MASQ ☠

.kimchenyn is a variant of GlobeImposter ransomware; currently there is no fix for this or means to decrypt it. Assume your data is lost and restore from a backup if you have one. It's been in the field for only a matter of weeks.
A rather new GlobeImposter ransomware variant. It appends "..726" to every encrypted file name to identify that the file has been encrypted. It uses an RSA 2048-bit key to encrypt files, so it's very hard to decrypt them without the decryption key.

Suggest, as the expert mentioned, recover from backup, refurnish the machine, ask the victim to change passwords and harden the machine. Also back up the ransom notes and encrypted files, as in the future they will be needed if a decryptor tool is released.

You can try out ID Ransomware (https://id-ransomware.malwarehunterteam.com/index.php) to see any further resemblance and info on the malware and a possible tool to decrypt.
knollcompusoft (ASKER)

Thank you for your answer.
I suppose the key is in the file.
An encrypted file contains the same number of bytes as the original file, plus a fixed number of bytes and the "key" we found in the HTML message, in ASCII.
Two identical files are not encrypted in the same manner.
2010-11-22-17-42-12-readme.txt
how_to_back_files.html
readme.txt.kimchenyn.txt
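As an added example (not code from any participant in this thread), here is a small Python triage script that checks the file layout the asker describes: a body the same length as the original file, a fixed-size block of binary bytes, then the ransom-note key in ASCII. It assumes that layout holds exactly; NOTE_KEY and TRAILER_SIZE are constructed placeholders, not values from the real malware, and random bytes stand in for the ciphertext (nothing here encrypts anything). It records the body length, the trailer length, whether the trailing ASCII string matches the note, whether the body looks like ciphertext (entropy near 8 bits per byte), and whether two encrypted copies of the same input differ, which is the kind of evidence worth keeping alongside the samples you preserve for a future decryptor.

```python
import math
import os
from collections import Counter

# Constructed placeholders for the demo; in a real case these come from the incident's own files.
NOTE_KEY = "EXAMPLE-KEY-0123456789ABCDEF"   # stands in for the ASCII key copied from the ransom note
TRAILER_SIZE = 64                           # assumed fixed-size binary trailer length (hypothetical)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Values close to 8.0 are typical of encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample(original_size: int) -> bytes:
    """Construct a stand-in 'encrypted' file with the layout described in the thread:
    body of original length, fixed-size binary trailer, then the note key in ASCII.
    Random bytes stand in for the ciphertext; this function does not encrypt anything."""
    body = os.urandom(original_size)
    trailer = os.urandom(TRAILER_SIZE)
    return body + trailer + NOTE_KEY.encode("ascii")


def split_encrypted(blob: bytes, original_size: int, note_key: str) -> dict:
    """Split an encrypted file into body / trailer / ASCII key, given the original
    file's size (from a backup copy or an old file listing) and the key string from the note.
    If the trailing ASCII string does not match the note, the whole tail is reported as trailer."""
    key_bytes = note_key.encode("ascii")
    key_found = blob.endswith(key_bytes)
    key_len = len(key_bytes) if key_found else 0
    body = blob[:original_size]
    trailer = blob[original_size:len(blob) - key_len]
    return {
        "body_len": len(body),
        "trailer_len": len(trailer),
        "key_matches_note": key_found,
        "body_entropy": round(shannon_entropy(body), 3),
        "size_matches_original": len(body) == original_size,
    }


def same_plaintext_differs(blob_a: bytes, blob_b: bytes, original_size: int) -> bool:
    """True if two encrypted copies of the same plaintext have different bodies,
    which points to a per-file key or IV rather than one static key stream."""
    return blob_a[:original_size] != blob_b[:original_size]


if __name__ == "__main__":
    size = 4096
    sample_a, sample_b = build_sample(size), build_sample(size)
    print(split_encrypted(sample_a, size, NOTE_KEY))
    print("copies of the same input differ:", same_plaintext_differs(sample_a, sample_b, size))
```

Run it against a real pair by reading the encrypted file into `blob`, passing the original size from your backup copy, and pasting the key string from the note; a high body entropy plus a matching note key confirms the layout described above, and differing bodies for identical inputs is consistent with the per-file keys that make the trailing string useless for recovery without the attacker's private key.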
The public key is in the file but the private key is on the ransomware server. The same AES encryption is used on all your data.
Thank you for your answer.
I replied to the pirate; I sent him an encrypted file to prove to me their ability to decrypt it. I have no answer.
What can I do?
They will do nothing without payment and there's no guarantee that you will get anything back if you do pay.  You should assume you've lost all your data and either restore from a backup or move on.
ASKER CERTIFIED SOLUTION
Avatar of btan
btan

Thank you for your message; unfortunately, the infection has spread: during backup, the copies were encrypted.
No better choice than the last resort you shared, then.
For author advice.
Thank you all for your answers. I was able to restore the machines with previous backups (3 weeks of work). With regard to the hacker, I sent an email with an attached encrypted file for him to prove his ability to decrypt it; I received answers but never the file. Of course, I never sent money.
Thanks for sharing. Backup is critical and it is good that you have good ones available for recovery.