Category Archives: Security

Ransomware: id-3509099450_[].0oxr4

UPDATE 6/8/2017: This is a CryptON variant; see below.

A new variant of Dharma CryptON (the CryptON 36 variant, to be precise) seems to have hit a server; here are some of the details I’ve been gathering.

Ransom Note

A file named ### DECRYPT MY FILES ###.txt is placed in each directory where encrypted files are located with the following content.


To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email:
Your personal ID: 3509099450

Encrypted Files

Encrypted files have the following appended: .id-3509099450_[].0oxr4

Registry Entry

An interesting Registry entry is observed:

Windows Registry Editor Version 5.00


A Google search for any part of .0oxr4 comes up short, as does a search for any of the information in the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KJ8CvJIB1H5nRcJZ.


Searching for the email suggests this may be a ransomware that can be decrypted, according to the ID Ransomware website. However, I have found nothing that works for decrypting.

I have attached two sample files, an original Informant SNMP zip file pulled from a backup as well as the encrypted file.

Still a work in progress…

Update: 6/8/2017


Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[].08c85, .id-1163283255_[].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

This is a Cry36 variant and apparently not decryptable at this time; see:

Fail2ban + fail2sql + Ban Hammer + PHP7

I recently revisited a project I found some time ago and modified the code to support PHP 7, which dropped the mysql extension in favor of mysqli.

If you’re interested, I’ll attach the zip file. I mainly just hacked it up and added “i” to the mysql_ functions: changed mysql_numrows to mysqli_num_rows, fixed the constant MYSQL_NUM to MYSQLI_NUM, and made a few other tweaks in fail2sql.

Note that these are just the Ban Hammer HTML/PHP files, not fail2sql, so you’ll still need to grab fail2sql and get that set up. I do now include fail2sql in my repo along with the modified PHP.

CrySiS Reborn, Not Decryptable: [].wallet

Break-fix call on a CrySiS ransomware infection. It’s actually not CrySiS but a fork of it, which is not decryptable at this time. CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files. Not so much with this variant.

After infection, it drops a JPEG file in the user’s folder, C:\Users\Victim\INFORMATION HOoW TO DECRYYPT FILES.jpg.

It encrypts files and renames them with the extension .[].wallet.

It drops a file on the desktop named STOPPER.txt:

All your filess are encrypted!
To decrypt your files, please contact us by

The infection vector was an RDP connection obtained through unauthorized access (brute-force).

It also drops AnonCrpt.exe (274 KB) on the desktop; a quick analysis from VirusTotal shows the results below:

VirusTotal detection results from AnonCrpt.exe

As mentioned earlier, there is not a way to decrypt this currently.
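As an added example (not code from either post, which share none), here is a small Python triage helper that classifies a file listing against the naming conventions and file names reported in the CryptON post and this CrySiS-fork post: the family labels, the lookup tables and the sample listing are constructed here.

```python
import re

# Extension conventions from the two posts: CryptON/Cry36 appends
# ".id-<numeric id>_[<contact address>].<5-char suffix>", the CrySiS fork appends
# ".[<contact address>].wallet". Both posts print the address as "[]", so an empty
# bracket is accepted. The Cry36 description calls the suffix hexadecimal, but its
# quoted examples (0oxr4, 830s7) are not, so any five alphanumerics are matched.
CRYPTON_EXT = re.compile(r"\.id-(?P<victim_id>\d+)_\[[^\]]*\]\.[0-9a-z]{5}$")
WALLET_EXT = re.compile(r"\.\[[^\]]*\]\.wallet$")

# File names quoted in the posts; compared case-insensitively.
NOTE_NAMES = {"### decrypt my files ###.txt", "stopper.txt", "information hoow to decryypt files.jpg"}
DROPPER_NAMES = {"anoncrpt.exe"}

def classify(path):
    """Return (family, victim_id) for one path, or None when nothing matches."""
    name = re.split(r"[\\/]", path)[-1].lower()   # basename, Windows or POSIX
    if name in NOTE_NAMES:
        return ("ransom_note", None)
    if name in DROPPER_NAMES:
        return ("dropper", None)
    m = CRYPTON_EXT.search(name)
    if m:
        return ("crypton", m.group("victim_id"))
    if WALLET_EXT.search(name):
        return ("crysis_fork", None)
    return None

def scan(paths):
    """Group matching paths by family and collect the victim IDs seen."""
    hits, victim_ids = {}, set()
    for p in paths:
        result = classify(p)
        if result:
            family, victim_id = result
            hits.setdefault(family, []).append(p)
            if victim_id:
                victim_ids.add(victim_id)
    return hits, victim_ids

# Constructed sample listing (not from the posts), with clean files mixed in.
SAMPLE = [
    r"D:\backups\Informant-SNMP.zip.id-3509099450_[].0oxr4",
    r"D:\backups\budget.xlsx.id-3509099450_[].0oxr4",
    r"D:\backups\### DECRYPT MY FILES ###.txt",
    r"C:\Users\Victim\Documents\notes.docx.[].wallet",
    r"C:\Users\Victim\Desktop\STOPPER.txt",
    r"C:\Users\Victim\Desktop\AnonCrpt.exe",
    "/srv/share/quarterly-report.pdf",
]
```

Running `scan` over a directory walk of a share gives a per-family count and the victim IDs in play, which is enough to tell one infection from several before opening a ticket with ID Ransomware.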

Stay safe.