ryuk RYUK Virus

13 марта, 2023

I searched the email and got here
can anyone help me decrypt my files

Addition.txt FRST.txt RyukReadMe.txt hrmlog.zip

14 марта, 2023

Hello and welcome,

Please attach in addition a few encrypted files (pictures or office docs). Pack them in archive and attach to your next post.

14 марта, 2023

Here is 2 files

files.zip

14 марта, 2023

Thanks, files are decryptable. But first of all lets clean your system to prevent new infection.

Switch off any antivirus temporarilly

Highlight following code:

Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\SYSTEM32\USERINIT.EXE,C:\wsession\logonsession.exe, <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
2023-03-07 22:45 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\Downloads\hrmlog1
2023-03-07 22:45 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\Downloads\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\AppData\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\Public\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\Desktop\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\office\AppData\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\Desktop\hrmlog1
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\AppData\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\Public\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\Desktop\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\office\AppData\RyukReadMe.txt
2023-03-07 22:44 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\Desktop\RyukReadMe.txt
2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\sai\Desktop\hrmlog1
2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\hrmlog1
2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\Users\admin\AppData\hrmlog1
2023-03-07 22:43 - 2023-03-07 22:43 - 000002233 _____ C:\ProgramData\hrmlog1
2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\sai\Desktop\RyukReadMe.txt
2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\RyukReadMe.txt
2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\Users\admin\AppData\RyukReadMe.txt
2023-03-07 22:43 - 2023-03-07 22:43 - 000001103 _____ C:\ProgramData\RyukReadMe.txt
2023-03-07 22:43 - 2023-03-07 22:43 - 000000858 _____ C:\ProgramData\RyukReadMe.html.[vulcanteam@onionmail.org].RYK
2023-03-07 22:43 - 2023-03-07 22:43 - 000000292 _____ C:\Users\sai\Desktop\hrmlog2
2023-03-07 22:43 - 2023-03-07 22:43 - 000000292 _____ C:\ProgramData\hrmlog2
2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\Users\sai\Desktop\RYUKID
2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\ProgramData\RYUKID
2023-03-07 22:43 - 2023-03-07 22:43 - 000000008 _____ C:\ProgramData\nons
2023-03-07 22:43 - 2023-03-01 22:22 - 000906752 ___SH C:\ProgramData\ryuk.exe
FirewallRules: [{F39C5DBC-9ABA-43C1-AF9A-8B1FF8EFB81C}] => (Allow) LPort=8454
FirewallRules: [{C4F39B90-E1E2-4D18-982F-EA682461D09A}] => (Allow) LPort=8454
FirewallRules: [{FC22A06A-41D4-4709-87CB-EAA98C9E7A30}] => (Allow) LPort=8454
FirewallRules: [{CC57F4C8-F184-414D-A90B-A47B39D9348D}] => (Allow) LPort=80
FirewallRules: [{6FFF15D9-BBAA-4288-9E69-DC56D37A97D5}] => (Allow) LPort=80
FirewallRules: [{194FE846-D184-4DEE-8DC6-1788908EE3E1}] => (Allow) LPort=443
FirewallRules: [{005F74F8-36B0-4417-B035-781405040486}] => (Allow) LPort=443
FirewallRules: [{E86002E4-F444-49C3-97CD-75F32B9DF7E8}] => (Allow) LPort=80
FirewallRules: [{2F4BE765-BC19-4FB2-A2F8-C1444E2E3BE2}] => (Allow) LPort=3389
FirewallRules: [{FD16A6A1-F0CA-4ED0-B360-37329C17D751}] => (Allow) LPort=3389
FirewallRules: [{C0EB2627-8AA7-4725-BB30-3600D2241257}] => (Allow) LPort=19955
FirewallRules: [{75E72C4E-8430-4024-A42E-A2E37822B280}] => (Allow) LPort=19955
FirewallRules: [{5D9C9BDF-6C10-49A1-BE70-5CAAFDA3D80B}] => (Allow) LPort=19955
FirewallRules: [{C00B30B0-C3F1-4E07-A8D4-45DA23B121C0}] => (Allow) LPort=19955
FirewallRules: [{574B6E18-4758-4022-8865-55A1358ABE2A}] => (Allow) LPort=8454
FirewallRules: [{54611760-3571-48F9-B646-1013442267D0}] => (Allow) LPort=80
FirewallRules: [{4CF9F7D4-4E59-47A3-81FB-0890C6F59A31}] => (Allow) LPort=80
FirewallRules: [{A1561FBC-644F-4EB3-B4EB-B48DFC8B93E3}] => (Allow) LPort=443
FirewallRules: [{0C90ADE2-CD75-404F-BE3C-5AD924C03E8D}] => (Allow) LPort=8454
FirewallRules: [{A66DF675-630D-4105-A2A9-44DEE5140969}] => (Allow) LPort=443
FirewallRules: [{C7F7E47F-4743-4617-80CD-8EFCD48A1175}] => (Allow) LPort=8454
FirewallRules: [{795D6653-6649-43E5-9181-D689F9D1ACE0}] => (Allow) LPort=80
FirewallRules: [{63B82AB3-22DC-45A1-AC72-C340661443DA}] => (Allow) LPort=81
EmptyTemp:
Reboot:
End::

Copy highlighted text.
Run FRST64.exe as administrator
Press Fix and wait. Tool will create its log named Fixlog.txt. Attach it to your next post.

PC will reboot.

14 марта, 2023

should i create .bat file with that code and run it?

15 марта, 2023

No you should not.

Simply follow described steps:

- highlight the code

- copy it to clipboard

- run FRST64.exe

- press Fix button

Script will run directly from the clipboard.

15 марта, 2023

Herre is fixlog.txt

Fixlog.txt

16 марта, 2023

You can use this tool for decryption. Be sure to run it as administrator.

ryuk RYUK Virus

Рекомендуемые сообщения

roshans10

Ссылка на комментарий

Поделиться на другие сайты

Sandor

Ссылка на комментарий

Поделиться на другие сайты

roshans10

Ссылка на комментарий

Поделиться на другие сайты

Sandor

Ссылка на комментарий

Поделиться на другие сайты

roshans10

Ссылка на комментарий

Поделиться на другие сайты

Sandor

Ссылка на комментарий

Поделиться на другие сайты

roshans10

Ссылка на комментарий

Поделиться на другие сайты

Sandor

Ссылка на комментарий

Поделиться на другие сайты

Пожалуйста, войдите, чтобы комментировать

Похожий контент

Сайт

Активность

Магазин

Поддержка

Kaspersky Support Forum