hashcat Forum
Ransomware attack veracrypt@foxmail.com - Printable Version

Thread: Ransomware attack veracrypt@foxmail.com (/thread-8068.html)



Ransomware attack veracrypt@foxmail.com - gunnie101 - 01-13-2019

Hi everyone,

We have been hit with a ransomware attack where essentially every server file was encrypted with VeraCrypt and an added file extension of .veracrypt@foxmail.com.adobe

Obviously I am far from happy - I have fault-found everything, down to clutching at straws and having the opportunity to learn some new skills with hashcat.

I must say that the wiki articles are excellent, and I noted all the VeraCrypt hash types: 13711, 13712, 13713, 13721, 13722, 13723, 13731, 13732, 13733, 13751, 13752, 13753, 13771, 13772, 13773.


My first attempt with hashcat is below

hashcat -a 3 -m 13773 Backup.bat.[veracrypt@foxmail.com].adobe -o recovered.txt --force

Can someone please run an eye over my first attempt and point me in the direction where I can make it better?

Thanks in advance, I will keep reading the wikis and hope for a reply.

Jase


RE: Ransomware attack veracrypt@foxmail.com - undeath - 01-13-2019

You first need to extract the KDF data from the VeraCrypt volume. See https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_veracrypt_volumes

Why are you using --force?

You only need to run the veracrypt modes ending in 3. Those are wildcard modes and a little faster if you don't know anything about the encryption settings used.
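
Added example (not undeath's code, nor anyone else's in this thread): a small Python helper that performs the extraction step the FAQ link above describes. It pulls the 512-byte header hashcat consumes as the "hash" out of a container, at the offset for a standard, hidden or boot volume, refuses inputs that are too short, and flags files that look like plain text rather than an encrypted container (a sign the wrong file was chosen). The offsets mirror the dd commands in the hashcat FAQ; the script name and any file paths are placeholders.

```python
import sys

# Offsets (in bytes) of the 512-byte header hashcat consumes for a
# TrueCrypt/VeraCrypt volume, following the dd commands in the hashcat FAQ:
#   standard volume : dd if=container of=hash bs=512 count=1
#   hidden volume   : dd if=container of=hash bs=1 skip=65536 count=512
#   boot volume     : dd if=/dev/sdX   of=hash bs=512 skip=62 count=1
HEADER_SIZE = 512
HEADER_OFFSETS = {
    "standard": 0,
    "hidden": 65536,
    "boot": 62 * 512,  # 31744
}


def _offset(kind: str) -> int:
    """Map a volume kind to its header offset, rejecting unknown kinds early."""
    if kind not in HEADER_OFFSETS:
        raise ValueError(f"unknown volume kind {kind!r}; expected one of {sorted(HEADER_OFFSETS)}")
    return HEADER_OFFSETS[kind]


def extract_header(data: bytes, kind: str = "standard") -> bytes:
    """Return the 512-byte header for the given volume kind.

    Raises ValueError if the data is too short to contain it, which usually
    means the wrong file (or the wrong volume kind) was selected.
    """
    offset = _offset(kind)
    if len(data) < offset + HEADER_SIZE:
        raise ValueError(
            f"input is {len(data)} bytes but a {kind} volume header needs "
            f"{offset + HEADER_SIZE} bytes"
        )
    return data[offset:offset + HEADER_SIZE]


def looks_like_plaintext(header: bytes) -> bool:
    """Heuristic sanity check: a VeraCrypt header starts with a 64-byte random
    salt followed by ciphertext, so it should not be mostly printable ASCII.
    True suggests an ordinary (unencrypted) file, not a container; feeding it
    to hashcat would be pointless."""
    printable = sum(1 for b in header if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(header) > 0.9


def write_hash_file(container_path: str, out_path: str, kind: str = "standard") -> int:
    """Read just enough of the container, extract the header and write it to
    out_path. Returns the number of bytes written (512 on success)."""
    needed = _offset(kind) + HEADER_SIZE
    with open(container_path, "rb") as f:
        data = f.read(needed)  # no need to read the whole (possibly huge) volume
    header = extract_header(data, kind)
    if looks_like_plaintext(header):
        raise ValueError(f"{container_path} looks like plain text, not an encrypted container")
    with open(out_path, "wb") as f:
        f.write(header)
    return len(header)


if __name__ == "__main__":
    # Placeholder usage: extract_vc_header.py <container> <hash-out> [standard|hidden|boot]
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: extract_vc_header.py <container> <hash-out> [standard|hidden|boot]")
    volume_kind = sys.argv[3] if len(sys.argv) == 4 else "standard"
    written = write_hash_file(sys.argv[1], sys.argv[2], volume_kind)
    print(f"wrote {written} bytes to {sys.argv[2]}")
```

Point it at one of the renamed files and pass the output file to hashcat in place of the container itself (for example with one of the modes ending in 3 mentioned above), rather than passing the encrypted file directly as in the first attempt.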


RE: Ransomware attack veracrypt@foxmail.com - gunnie101 - 01-13-2019

(01-13-2019, 01:57 PM)undeath Wrote: you first need to extract the KDF data from the veracrypt volume. See https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_veracrypt_volumes

Why are you using --force?

You only need to run the veracrypt modes ending in 3. Those are wildcard modes and a little faster if you don't know anything about the encryption settings used.

I am using --force as my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux install would not run due to an error message that I have memory dumped - that fix was --force.

Thanks for the advice re the modes ending in 3 - greatly appreciated by a newbie...

Jase


RE: Ransomware attack veracrypt@foxmail.com - carmitchel - 01-13-2019

Hi Jase,
It looks like you are making a good effort to brute-force files encrypted with this trojan. Some others here may be helping you but let me know if you'd like my opinion. My company (datarecovery.com) does this daily. I would not charge anything to check out a file or two since you're on here.
Best,
Ben


RE: Ransomware attack veracrypt@foxmail.com - royce - 01-13-2019

Jase, you might consider consulting with your local law enforcement. They often have access to tools to help you narrow down the variant and might be able to tell you more about how this particular variant selects VeraCrypt passphrases or other details. Otherwise, you're really shooting in the dark. Any smart ransomware operator isn't going to pick a crackable password, but there may be known weaknesses in that variant that can be exploited.

If cracking does end up being feasible ... with stuff like ransomware, you don't want to go halfway. I'd get K a l i out of the equation entirely, and work instead from a dedicated OS install of a fully supported OS (full Ubuntu or modern Windows would be fine choices).