Nullbyte (DetoxCrypto) Ransomware Help & Support (_nullbyte extension)

Hi everyone,
yesterday i ran an app and after that all my personal files were encrypted and cant find any solution or similar encryptions all over the internet.
any idea what to do?the id website couldnt identify the encryption

More information is needed to determine what infection you are dealing with since there are many variants of crypto malware ransomware. RSA-4096 is an encryption algorithm and not an explicit way of identifying a particular ransomware infection.

What is the actual name of the ransom note?
Are there any obvious file extensions appended to or with your data files?

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data was encrypted.

I'm not sure what id website you used.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

You can also submit samples of encrypted files, ransom notes, email or/and website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification and possible decrypting solutions. If you are provided any information it would be helpful to post it here for Demonslay335 to review.

I saw the submissions to ID Ransomware last night and set out a hunt based on it.

 

The files had "_nullbyte" appended as an extension, e.g. "picture.jpg_nullbyte". They were also submitted with what looks like a decrypter from the criminals - this is very useful for writing a decrypter if we are able to find a weakness in the malware, but we will need the malware itself to assess.

 

If you have the malware that caused this, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

If you have a ransom note too, I'd like to see that as well.

Apparently there really seems to be a new variation of cerber, called #cerber3. It is not clear, however, if this version of the ransowmare is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".

Apparently there really seems to be a new variation of cerber, called #cerber3. It is not clear, however, if this version of the ransowmare is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".

This has nothing to do with Cerber.
 
The malware sample has been found and hopefully we will be able to look into it, to figure out whether it's secure or not.
 
xXToffeeXx~

Good news, this ransomware is decryptable.

 

 

 

This decrypter requires the full path to the user profile that was infected, so please make sure it is correct. If decrypting files from another computer, you will need to provide the original path to the profile via Settings -> Set Profile Path (e.g. "C:\Users\yourusername").

 

https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip

 

 

For informational purposes, this ransomware uses AES to encrypt files, and appends "_nullbyte" to the filename of encrypted files. The following screen is displayed to the victim.

 

 

 

This ransomware is currently known to be spread via a repacking of the PokemonGo cheating program Necrobot, calling itself "Necrobot.Rebuilt". This program asks for credentials to an account to cheat with; it will actually take your credentials and upload them to an FTP server, then generously start encrypting your files.

Edited by Demonslay335, 31 August 2016 - 09:49 PM.

Symantec says that it CryptXXX.

 

https://www.virustotal.com/ru/file/f70abab659c6490b21164d91c0e262b11448c7bbf728a425b00fe832a95fc8f9/analysis/

Edited by Amigo-A, 01 September 2016 - 09:53 AM.

Symantec says that it CryptXXX.
 

https://www.virustotal.com/ru/file/f70abab659c6490b21164d91c0e262b11448c7bbf728a425b00fe832a95fc8f9/analysis/

Going off names is generally a bad idea unless multiple antiviruses all agree on one. This is definitely not CryptXXX, however.
 
xXToffeeXx~

Yes, especially since each security vendor uses their own naming conventions to identify various types of malware. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. Since there is no universal naming standards, all this leads to confusion by the end user.

• Understanding virus names
• Microsoft Malware Naming Standards
• Computer Antivirus Research Organization (CARO) Malware Naming Convention
• Current Status of the CARO Malware Naming Scheme

Ya, it's quite annoying. CryptXXX and Genasom are most definitely not written in .NET.