
hashcat Forum

Full Version: Ransomware attack [email protected]
Hi everyone,

We have been hit with a ransomware attack where essentially every server file was encrypted with VeraCrypt and an added file extension of [email protected]

Obviously I am far from happy - I have fault-found everything down to clutching at straws and having the opportunity to learn some new skills with hashcat.

I must say that the wiki articles are excellent, and I have noted all the VeraCrypt hash types: 13711, 12, 13, 13721, 22, 23, 13731, 32, 33, 13751, 52, 53, 13771, 72, 73.

My first attempt with hashcat is below

hashcat -a 3 -m 13773 Backup.bat.[[email protected]].adobe -o recovered.txt --force

Can someone please run an eye over my first attempt and point me in the direction of where I can make it better?

Thanks in advance; I will keep reading the wikis and hope for a reply.

Jase
You first need to extract the KDF data from the VeraCrypt volume. See https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

Why are you using --force?

You only need to run the veracrypt modes ending in 3. Those are wildcard modes and a little faster if you don't know anything about the encryption settings used.
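An added example (not from the thread or from hashcat itself) that scripts the first step above: carve the volume header that hashcat's VeraCrypt modes take as the "hash" out of a container, refuse files too short to hold one, and print one attack line per wildcard mode (the modes ending in 3 listed in the thread). It goes beyond the thread in handling hidden and boot volumes too; those offsets are assumed from the hashcat wiki FAQ, and the six-character mask is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from hashcat): carve the header that
# hashcat's VeraCrypt modes take as the "hash" out of a container, and emit
# the wildcard-mode attack lines. Offsets assumed from the hashcat wiki FAQ:
#   normal volume  -> bytes 0..511
#   hidden volume  -> bytes 65536..66047  (sector 128)
#   boot volume    -> bytes 31744..32255  (sector 62)

# extract_vc_header VOLUME KIND OUTFILE : writes the 512-byte header to OUTFILE
extract_vc_header() {
    vol=$1 kind=$2 out=$3
    case "$kind" in
        normal) skip=0 ;;
        hidden) skip=128 ;;
        boot)   skip=62 ;;
        *) echo "unknown volume kind: $kind (normal|hidden|boot)" >&2; return 2 ;;
    esac
    [ -f "$vol" ] || { echo "no such file: $vol" >&2; return 1; }
    # A file too short to hold a header at that offset is not the container
    # we think it is; feeding hashcat a truncated "hash" only wastes GPU time.
    size=$(wc -c < "$vol" | tr -d ' ')
    need=$(( (skip + 1) * 512 ))
    if [ "$size" -lt "$need" ]; then
        echo "$vol is $size bytes, need at least $need for a $kind header" >&2
        return 1
    fi
    dd if="$vol" of="$out" bs=512 skip="$skip" count=1 2>/dev/null
}

# vc_hashcat_lines HEADERFILE [MASK] : one hashcat line per wildcard mode
# (13713, 13723, 13733, 13753, 13773 from the thread). --force is left out on
# purpose: it hides a broken OpenCL setup instead of fixing it. MASK is a
# placeholder; --increment makes hashcat walk lengths 1..6 of it.
vc_hashcat_lines() {
    hdr=$1 mask=${2:-'?a?a?a?a?a?a'}
    for m in 13713 13723 13733 13753 13773; do
        printf "hashcat -a 3 -m %s --increment -o recovered.txt '%s' '%s'\n" "$m" "$hdr" "$mask"
    done
}
```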
(01-13-2019, 01:57 PM) undeath wrote:
You first need to extract the KDF data from the VeraCrypt volume. See https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

Why are you using --force?

You only need to run the veracrypt modes ending in 3. Those are wildcard modes and a little faster if you don't know anything about the encryption settings used.

I am using --force as my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux install would not run due to an error message that I have memory dumped - that fix was --force.

Thanks for the advice re the modes ending in 3 - greatly appreciated by a newbie.

Jase
Hi Jase,
It looks like you are making a good effort to brute-force files encrypted with this trojan. Some others here may be helping you but let me know if you'd like my opinion. My company (datarecovery.com) does this daily. I would not charge anything to check out a file or two since you're on here.
Best,
Ben
Jase, you might consider consulting with your local law enforcement. They often have access to tools to help you narrow down the variant and might be able to tell you more about how this particular variant selects VeraCrypt passphrases or other details. Otherwise, you're really shooting in the dark. Any smart ransomware operator isn't going to pick a crackable password, but there may be known weaknesses in that variant that can be exploited.

If cracking does end up being feasible ... with stuff like ransomware, you don't want to go halfway. I'd get K a l i out of the equation entirely, and work instead from a dedicated OS install of a fully supported OS (full Ubuntu or modern Windows would be fine choices).