
Free Ouroboros Ransomware (Zeropadypt NextGen) Decryption Available


steven36


Victims of the Ouroboros Ransomware, otherwise known as Zeropadypt NextGen, can get their files decrypted for free with the help of a security researcher and a decryptor that has been made for different variants.

 


 

 

Since August 2019, victims of this ransomware have been posting in our Ouroboros (Zeropadypt NextGen) Ransomware support topic to see if they can get help decrypting their files for free.

 

[Image: Ouroboros Ransomware - Lazarus Variant]

 

After almost a month, security researcher and ransomware expert BloodDolly announced that a method had been discovered that could allow victims to obtain their files' decryption key. To do this, though, the researcher would need a couple of encrypted files and their unencrypted versions.

 

[Image: Post about possible decryption]

 

 

Currently, BloodDolly may be able to help victims whose files have been encrypted by variants that append the Lazarus, Lazarus+, or Kronos extensions, as listed below:

Supported extensions:
.[ID=*][Mail=*].Lazarus
.[ID=*][Mail=*].Lazarus+
.Email(*)(ID=.*
.Email=(*)ID=.*
.Email=[*]ID=[*].KRONOS

To receive help, BloodDolly told BleepingComputer that users can create a zip file containing files with their encrypted and unencrypted versions and share it on a file sharing service like Sendspace or WeTransfer. These files should not have any private or confidential information.

 

Victims can then send BloodDolly a link to the shared file or create a help request in the BleepingComputer support topic. If the decryption key can be obtained, it will be sent to the victim along with a link to the decryptor, which contains instructions on how to decrypt the encrypted files.

 

[Image: Ouroboros Decoder]

 

 

The researcher warns that the encryption process used by the ransomware is not foolproof and that some files cannot be fully decrypted properly. It is advised that encrypted files be backed up before using the decryptor.

"Encryption process of Ouroboros ransomware is not foolproof and decrypted files cannot be fully verified in some versions. There is a chance that up to 15 bytes can be cut off from decrypted file if original file ended with zeros. Also files of specific sizes can be wrongly decrypted and files bigger than 1MB cannot be automatically verified at all.

Ouroboros version 3 contains a bug that destroys 20 bytes located at offset 10000 in files bigger than or equal to 1MB.

Please back up your encrypted files before decryption."

 

Source
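
For responders taking inventory before requesting a key, the following added example (not part of the original post and not BloodDolly's tool) matches file names against the supported extension patterns listed above and attaches the size-based verification caveats from the researcher's warning. It assumes `*` in the listed patterns is a wildcard and that "1MB" means 1024 * 1024 bytes; the names `triage`, `SUPPORTED` and `ONE_MB` and the sample file names are constructed for illustration.

```python
import re

# Supported patterns exactly as listed above. Assumption: "*" is a wildcard
# for one or more characters and every other character is a literal.
SUPPORTED = [
    ".[ID=*][Mail=*].Lazarus",
    ".[ID=*][Mail=*].Lazarus+",
    ".Email(*)(ID=.*",
    ".Email=(*)ID=.*",
    ".Email=[*]ID=[*].KRONOS",
]
ONE_MB = 1024 * 1024  # assumption: the page does not define "1MB" exactly


def _compile(pattern):
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    # The leading ".+" stands for the original file name before the suffix.
    return re.compile(".+" + ".+".join(literal_parts) + r"\Z", re.DOTALL)


_COMPILED = [(p, _compile(p)) for p in SUPPORTED]


def triage(name, size):
    """Return (matched supported pattern or None, list of caveats)."""
    matched = next((p for p, rx in _COMPILED if rx.match(name)), None)
    if matched is None:
        return None, []
    caveats = []
    if size > ONE_MB:
        caveats.append("cannot be automatically verified (bigger than 1MB)")
    if size >= ONE_MB:
        caveats.append("if Ouroboros version 3: 20 bytes at offset 10000 destroyed")
    return matched, caveats


if __name__ == "__main__":
    # Constructed sample inventory (file name, size in bytes); not victim data.
    samples = [
        ("report.docx.[ID=AB12CD][Mail=user@example.com].Lazarus", 2048),
        ("db.bak.[ID=AB12CD][Mail=user@example.com].Lazarus+", ONE_MB),
        ("video.mp4.Email=[user@example.com]ID=[AB12CD].KRONOS", ONE_MB + 1),
        ("notes.txt", 10),
    ]
    for name, size in samples:
        print(name, size, triage(name, size))
```

Files that come back with caveats are the ones to compare by hand against a backup or known-good copy after decryption.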
