View topic - Ransomware all files .d3ad

Main » Forums home » Research and development

All times are UTC - 5 hours [ DST ]

Forum rules

Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...

Ransomware all files .d3ad

Page 1 of 1

[ 14 posts ]

Previous topic | Next topic

Author

Message

sempre

Post subject: Ransomware all files .d3ad

Posted: September 21st, 2023, 15:41

Joined: October 14th, 2005, 9:26
Posts: 1029

Hi to all!

No ID ransomware

SHA1: 3b3123bedd02b9f3137ec4db3d2eaef0aed6c4f5

https://id-ransomware.malwarehunterteam.com -> no identify

All files file.ext.d3ad

any known solution?

_________________
Нет ничего невозможного

Top

Arch Stanton

Post subject: Re: Ransomware all files .d3ad

Posted: September 21st, 2023, 18:11

Joined: May 13th, 2019, 7:50
Posts: 913
Location: Nederland

AFAIK, no.

What kind of files?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 22nd, 2023, 6:50

Joined: October 14th, 2005, 9:26
Posts: 1029

Arch Stanton wrote:

AFAIK, no.

What kind of files?

.mdf
.ldf

One file.

_________________
Нет ничего невозможного

Top

northwind

Post subject: Re: Ransomware all files .d3ad

Posted: September 22nd, 2023, 6:53

Joined: January 28th, 2009, 10:54
Posts: 3456
Location: Greece

It's D3adcrypt ransomware, no solution available.
I thought this strain is inactive, but it looks like it is activated again. I have last year's samples of encrypted files, could you upload an encrypted .pdf or .jpg to take a look? I'd need a large file, preferable larger than 2MB.
Just curious to see what they've changed in their encryption algo.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 22nd, 2023, 8:46

Joined: October 14th, 2005, 9:26
Posts: 1029

northwind wrote:

Send PM.

Please look.

_________________
Нет ничего невозможного

Top

Arch Stanton

Post subject: Re: Ransomware all files .d3ad

Posted: September 22nd, 2023, 10:13

Joined: May 13th, 2019, 7:50
Posts: 913
Location: Nederland

Care to share a JPEG with me for research purposes?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 22nd, 2023, 11:00

Joined: October 14th, 2005, 9:26
Posts: 1029

Arch Stanton wrote:

Care to share a JPEG with me for research purposes?

sending to you!

Thanks!

_________________
Нет ничего невозможного

Top

northwind

Post subject: Re: Ransomware all files .d3ad

Posted: September 23rd, 2023, 14:33

Joined: January 28th, 2009, 10:54
Posts: 3456
Location: Greece

Wow, I've never seen anything like this.
Sempre sent me a 50GB sample image of the encrypted drive.
It looks like they're using some intelligent algo that messes up each file in its entity. They're encrypting the header and then they salt the main body of the file with something that looks like 256AES, or at least that's my quick impression. Out of 50GB I was able to re-create just 10 .jpg files, some useless .png files and some .pdf files that need repair in their main body (all sent to sempre). And a lot of .txt files that obviously couldn't be salted/messed up due to small file size.

To be honest, I doubt this can be decrypted even with the private encryption key.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

Top

Arch Stanton

Post subject: Re: Ransomware all files .d3ad

Posted: September 23rd, 2023, 16:25

Joined: May 13th, 2019, 7:50
Posts: 913
Location: Nederland

sempre wrote:

Arch Stanton wrote:

Care to share a JPEG with me for research purposes?

sending to you!

Thanks!

How? My email is joep@disktuna.com.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 23rd, 2023, 17:12

Joined: October 14th, 2005, 9:26
Posts: 1029

Arch Stanton wrote:

Care to share a JPEG with me for research purposes?

Sorry

Ok sending

PM

_________________
Нет ничего невозможного

Top

Arch Stanton

Post subject: Re: Ransomware all files .d3ad

Posted: September 24th, 2023, 4:46

Joined: May 13th, 2019, 7:50
Posts: 913
Location: Nederland

NVM, a 37 kilobytes JPEG isn't going to to do it.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 25th, 2023, 9:02

Joined: October 14th, 2005, 9:26
Posts: 1029

Arch Stanton wrote:

NVM, a 37 kilobytes JPEG isn't going to to do it.

Hi!
Sorry for the larger 69kb .jpg
has interest?

_________________
Нет ничего невозможного

Top

Arch Stanton

Post subject: Re: Ransomware all files .d3ad

Posted: September 25th, 2023, 17:55

Joined: May 13th, 2019, 7:50
Posts: 913
Location: Nederland

No, probably not.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

Top

sempre

Post subject: Re: Ransomware all files .d3ad

Posted: September 26th, 2023, 7:04

Joined: October 14th, 2005, 9:26
Posts: 1029

unsolved case
:roll:

_________________
Нет ничего невозможного

Top

Page 1 of 1

[ 14 posts ]

Main » Forums home » Research and development

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 42 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum