X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Remove BitCrypt Virus and Decrypt Infected Files

    BitCrypt virus is a dangerous ransomware which was made to lock your computer and deny access to your own files. Just like the unpopular and widely-spread Cryptolocker, this new threat will encrypt certain files on the computer and demand payment before you can gain access to the said files. However, it seems that BitCrypt demands higher than other ransomware. It demands user to pay 0.4BTC ($220) via BitCoin Wallet.
    Normally, BitCrypt virus attacks a computer with the help of another malware, trojan, or virus. It find flaws on the system which it will utilized as an entry point so that the process is hidden to most antivirus programs. In fact, once BitCrypt is inside the PC, it instantly disables any security function running on the target computer. The lock window contains the following messages:


    Attention!!!


    How to Remove BitCrypt Ransomware

    Stage 1: Scan the Computer with ESET Rogue Application Remover (ERAR)

    1. Download the free scanner called ESET Rogue Application Remover.
    Download Link for ERAR (this will open a new window)
    2. Choose appropriate version for your Windows System. Save the file to a convenient location, preferably on Desktop.
    3. After downloading the file, Windows will prompt that download has completed. Click Run to start the program. Another option is to browse the location folder and double click on the file ERARemover_.exe.




    4. On ESET Rogue Application Remover SOFTWARE LICENSE TERMS, click Accept to continue.
    5. The tool will start scanning the computer. It will prompt when it finds BitCrypt and other malicious entities. Follow the prompt to proceed with the removal.




    1. Download the free scanner called Malicious Software Removal Tool.
    Malicious Software Removal Tool Download Link (this will open a new window)




    2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.
    3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for BitCrypt. Another option is to browse the location folder and double click on the file to run.




    4. The tool will display Welcome screen, click Next. Please note the message You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.




    5. Next, you will see Scan Type. Please choose Full Scan to ensure that all BitCrypt entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.




    6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.




    7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.
    8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that BitCrypt have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.
    Stage 3 : Unlocking files that were encrypted by BitCrypt

    1. Download the program Panda Ransomware Decrypt.
    pandaunransom.exe Download Link (this will open on a new window)
    2. Save the file to your hard drive, Desktop, or any location.
    3. Once the download completed, double-click on the file pandaunransom.exe to run it.
    4. You will see Panda Ransomware Decrypt program. Please refer to the image below.




    PandaTestSelect Folder button. Select the newly created folder PandaTest.
    7. Click on START button to begin. Process may take a while, please wait until it is completed.
    8. If you were able to decrypt contents of the PandaTest folder, you may run the tool on all the affected files and folders on the computer.


    Source

  • #2
    METHOD 2: Here is a post from bleepingcomputer.com describing a Decryption procedure:



    Well, I'll explain this as easily as I can. Just follow the steps and you'll be fine.


    I hope you can access a Linux box or virtual machine, because you'll most probably need one. (Maybe a Mac will do either, but I don't know because I'm not a Mac user).

    First of all, install Python 3.2 or greater. If your Linux distribution does not install the sqlite3 module, you must locate it and also install it by hand.

    Then, RIGHT CLICK on this link and select download destination as... "decrypt.py":

    https://bitbucket.org/cybertools/mal...ypt/decrypt.py

    Run the script on any of your encrypted files:

    python ./decrypt.py "MY ENCRYPTED PICTURE.jpg.bitcrypt"
    This will show you an error, because your key is not known yet. It will provide your decoded key so you can break it using another tool.

    How? Download this:

    https://gforge.inria.fr/frs/download...nfs-2.0.tar.gz

    Decompress: Open a shell prompt, go to wherever the downloaded file is, and then run the following command:

    tar zxvf cado-nfs-2.0.tar.gz
    This will extract all the files to a new cado-nfs-2.0 folder.

    Go to that folder and compile:

    cd cado-nfs-2.0
    make
    Run the key cracker. This will take several HOURS (maybe DAYS) to complete:

    ./factor.sh YOUR_KEY_WHICH_IS_A_VERY_LONG_SERIES_OF_DIGITS_PRO VIDED_BEFORE_BY_THE_DECRYPTING_SCRIPT -s 4 -t 6
    If all goes well, the output will read as follows:

    Info:Complete Factorization: Total cpu/real time for everything: xxxx/yyyy
    LONG_NUMBER_1 LONG_NUMBER2

    Open decrypt.py in a TEXT EDITOR.

    Locate the block:

    known_keys = { many long numbers
    }

    Add, before that "}" the following lines:

    YOUR KEY, as provided by the previous call, a COLON, OPEN PARENTHESIS, FIRST LONG NUMBER, COMMA, SECOND LONG NUMBER, CLOSE PARENTHESIS.

    For instance, let's figure out that your key is 123, the first number "456" and the second "789". You'll add this:

    123456,789)

    Don't worry. You're almost done. This needs to be performed only ONCE.

    Now, you are ready to decode ANY file in your computer (not others, which will have different keys which will need to be cracked as well):

    python ./decrypt.py "MY ENCRYPTED PICTURE.jpg.bitcrypt"
    This should work and generate "MY ENCRYPTED PICTURE.jpg.bitcrypt.clear"

    RENAME the output:

    mv "MY ENCRYPTED PICTURE.jpg.bitcrypt.clear" "MY ENCRYPTED PICTURE.jpg"
    Try to open it. It should be fully decrypted and working now. Repeat the process.

    Comment


    • #3
      This is a pretty long process but to be honest with you these steps have really assisted my recovery of the problems that a been going on with my system for a long period of time. You have step-by-step instructed me on exactly how to get rid of some issues that have been really plaguing me over the years.

      Comment


      • #4
        thank you so much this nice post,

        Comment


        • #5
          Hello everybody,

          I tried to do this test to find my key but i have some issue:
          - i have installed python 3.3
          - i have obtain my "first" key which i must decrypt --> 28294842346946754253441284682071965178121161822518 34472704594899635283482646111856242752652867966060 4017419662385752217889000567

          When i return in "cado-nfs-2.0" folder and enter "make" command, i have an error message "access denied". If i continue and enter following command "./factor.sh mykey", i have the same error message.

          Could you help me please?

          I try since one weeks, i have tried several solution but still this problem.

          Could you tell me why i have this error message?

          I hope you help me

          Best regards,
          Will

          Comment


          • eugene
            eugene commented
            Editing a comment
            Try to start your command with 'sudo'. sudo will instruct the operating system to execute the following command as a super user (i.e. root). I hope you know your own administrator (root) password, it will be necessary. If this doesn't work, just type 'su' and press ENTER. This way you are going to be a super user for the whole session, not just for a command.
        Working...
        X