Author Topic: Domino ransomware (variant of HiddenTear) .domino and Avast Decryptor HiddenTear  (Read 1488 times)

REDACTED

  • Guest
My PC was infected by Domino Ransomware. The virus was removed without big problems, but most of the files like JPG, PDF, DOC, … on all my drives (also on the back-up drives GoogleDrive, Dropbox,… because they were also connected) are encrypted and the files now have the extension .domino

Because the Domino Ransomware should be some variant of Hidden Tear ransomware, I tried to decrypt the encrypted files with the free Avast Ransomware decryption tool for HiddenTear (with one encrypted and one good file).
The problem is that the Avast HiddenTear Decryptor doesn't know the .domino extension.
I simply changed the .domino extension to an extension known to the decryptor (.locked, .kratos, …) and the decryption could then be started.

Is it possible to change the extension of the encrypted file this way (changing the extension) and start the decryption of this HiddenTear variant, or is it necessary to make some changes in the Avast HiddenTear decryptor program to adapt it specifically to this evidently unknown HiddenTear variant?

If it is possible, how can I speed up the decryption? The decryptor has now been running for about 5 days (without success) on my old hardware with some old AMD dual core CPU at a speed of about 400/sec, which is a nice speed, but for the number of combinations calculated by the decryptor, 4,3+09 (I don’t know why this number; it’s 2^32), it will take about 120 days to match the encryption password. Maybe a better CPU will bring something, but is it possible to somehow involve the GPU as well?

Thank you for any help and hints in advance!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user

REDACTED

  • Guest
Thank you for the hint! I already know these sites and I tried them...

ID Ransomware:
  • Recognized one of my encrypted sample files as Domino Ransomware (based on the .domino extension), with the message "This ransomware is decryptable"
  • Proposed solution: because it's Hidden Tear, the Hidden Tear Brute Forcer created by Michael Gillespie can be used for decrypting
  • This decrypter has already been running on my infected notebook for some days, but it's too slow (only max 38/sec)

No More Ransom:
  • Doesn't recognize my encrypted files; message "Unknown ransomware until now" or something like that
  • But in the "Decryption tools" a tool for Hidden Tear ransomware is available => Avast Decryptor HiddenTear
  • Therefore I have a concrete question here on the Avast Forum regarding the Avast Ransomware decryption tool for HiddenTear

Offline Pondus

Quote
But in the "Decryption tools" a tool for Hidden Tear ransomware is available => Avast Decryptor HiddenTear
Therefore I have a concrete question here on the Avast Forum regarding the Avast Ransomware decryption tool for HiddenTear
You may have an encryption from a new version?

Then I guess your best option is to store your encrypted files somewhere and try again when/if a decryptor is available for it

Always keep a backup of your files at a place where ransomware can't get it   ;)


Maybe the guys at Geeks to Go have some ideas: http://www.geekstogo.com/forum/


« Last Edit: November 12, 2017, 10:45:14 PM by Pondus »