ryuk RYUK Virus

[roshans10]

I searched the email and got here
can anyone help me decrypt my files
 

Addition.txt FRST.txt RyukReadMe.txt hrmlog.zip

[Sandor]

Hello and welcome,

 

Please attach in addition a few encrypted files (pictures or office docs). Pack them in archive and attach to your next post.

[roshans10]

Here is 2 files

files.zip

[Sandor]

Thanks, files are decryptable. But first of all lets clean your system to prevent new infection.

 

• Switch off any antivirus temporarilly
• Highlight following code:

  Start::
  CloseProcesses:
  SystemRestore: On
  CreateRestorePoint:
  HKLM\...\Winlogon: [Userinit] C:\WINDOWS\SYSTEM32\USERINIT.EXE,C:\wsession\logonsession.exe, <==== ATTENTION
  GroupPolicy: Restriction - Chrome <==== ATTENTION
  Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
  HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
  2023-03-07 22:45 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\Downloads\hrmlog1
  2023-03-07 22:45 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\Downloads\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\AppData\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\Public\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\Desktop\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\AppData\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\Desktop\hrmlog1
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\AppData\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\Public\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\Desktop\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\AppData\RyukReadMe.txt
  2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\Desktop\RyukReadMe.txt
  2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\Desktop\hrmlog1
  2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\hrmlog1
  2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\AppData\hrmlog1
  2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\ProgramData\hrmlog1
  2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\Desktop\RyukReadMe.txt
  2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\RyukReadMe.txt
  2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\AppData\RyukReadMe.txt
  2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\ProgramData\RyukReadMe.txt
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000858 _____ C:\ProgramData\RyukReadMe.html.[vulcanteam@onionmail.org].RYK
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000292 _____ C:\Users\sai\Desktop\hrmlog2
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000292 _____ C:\ProgramData\hrmlog2
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\Users\sai\Desktop\RYUKID
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\ProgramData\RYUKID
  2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\ProgramData\nons
  2023-03-07 22:43 - 2023-03-01 22:22 - 000906752 ___SH C:\ProgramData\ryuk.exe
  FirewallRules: [{F39C5DBC-9ABA-43C1-AF9A-8B1FF8EFB81C}] => (Allow) LPort=8454
  FirewallRules: [{C4F39B90-E1E2-4D18-982F-EA682461D09A}] => (Allow) LPort=8454
  FirewallRules: [{FC22A06A-41D4-4709-87CB-EAA98C9E7A30}] => (Allow) LPort=8454
  FirewallRules: [{CC57F4C8-F184-414D-A90B-A47B39D9348D}] => (Allow) LPort=80
  FirewallRules: [{6FFF15D9-BBAA-4288-9E69-DC56D37A97D5}] => (Allow) LPort=80
  FirewallRules: [{194FE846-D184-4DEE-8DC6-1788908EE3E1}] => (Allow) LPort=443
  FirewallRules: [{005F74F8-36B0-4417-B035-781405040486}] => (Allow) LPort=443
  FirewallRules: [{E86002E4-F444-49C3-97CD-75F32B9DF7E8}] => (Allow) LPort=80
  FirewallRules: [{2F4BE765-BC19-4FB2-A2F8-C1444E2E3BE2}] => (Allow) LPort=3389
  FirewallRules: [{FD16A6A1-F0CA-4ED0-B360-37329C17D751}] => (Allow) LPort=3389
  FirewallRules: [{C0EB2627-8AA7-4725-BB30-3600D2241257}] => (Allow) LPort=19955
  FirewallRules: [{75E72C4E-8430-4024-A42E-A2E37822B280}] => (Allow) LPort=19955
  FirewallRules: [{5D9C9BDF-6C10-49A1-BE70-5CAAFDA3D80B}] => (Allow) LPort=19955
  FirewallRules: [{C00B30B0-C3F1-4E07-A8D4-45DA23B121C0}] => (Allow) LPort=19955
  FirewallRules: [{574B6E18-4758-4022-8865-55A1358ABE2A}] => (Allow) LPort=8454
  FirewallRules: [{54611760-3571-48F9-B646-1013442267D0}] => (Allow) LPort=80
  FirewallRules: [{4CF9F7D4-4E59-47A3-81FB-0890C6F59A31}] => (Allow) LPort=80
  FirewallRules: [{A1561FBC-644F-4EB3-B4EB-B48DFC8B93E3}] => (Allow) LPort=443
  FirewallRules: [{0C90ADE2-CD75-404F-BE3C-5AD924C03E8D}] => (Allow) LPort=8454
  FirewallRules: [{A66DF675-630D-4105-A2A9-44DEE5140969}] => (Allow) LPort=443
  FirewallRules: [{C7F7E47F-4743-4617-80CD-8EFCD48A1175}] => (Allow) LPort=8454
  FirewallRules: [{795D6653-6649-43E5-9181-D689F9D1ACE0}] => (Allow) LPort=80
  FirewallRules: [{63B82AB3-22DC-45A1-AC72-C340661443DA}] => (Allow) LPort=81
  EmptyTemp:
  Reboot:
  End::

   

• Copy highlighted text.
• Run FRST64.exe as administrator
• Press Fix and wait. Tool will create its log named Fixlog.txt. Attach it to your next post.

PC will reboot.

[roshans10]

should i create .bat file with that code and run it?
 

[Sandor]

No you should not.

Simply follow described steps:

- highlight the code

- copy it to clipboard

- run FRST64.exe

- press Fix button

Script will run directly from the clipboard.

[roshans10]

Herre is fixlog.txt

Fixlog.txt

[Sandor]

You can use this tool for decryption. Be sure to run it as administrator.