Michael Gillespie

@demonslay335

Followers: 37,439
Following: 66
Media: 2,026
Statuses: 14,873

Loves cats, bunnies, and coding. #Ransomware Hunter. Creator of the service ID Ransomware. Views expressed are my own.

United States
Joined April 2014
Pinned Tweet
@demonslay335
Michael Gillespie
8 years
ID #Ransomware is live! Special thanks to @malwrhunterteam for the sub-domain.
@demonslay335
Michael Gillespie
4 years
🔒New CryptoTester v1.4.0.2 for #ransomware analysis 🔎: TONS of fixes/additions to hexboxes, grouped algorithms in dropdown, flip endianness of keys, AES XTS mode, HMAC key derives, raw RSA (provide n + d/e, no padding), redesigned bruteforce key tool, lots of bugfixes.
@demonslay335
Michael Gillespie
5 years
New release of CryptoTester v1.3.0.4 for #Ransomware Analysis. Key Finder can grab PEM stubs/chunks, plus lots of bug fixes. Have a ciphertext + plaintext + key, but don't know what encryption algorithm? Try "Bruteforce Algorithm" to automatically test all that the tool supports.
@demonslay335
Michael Gillespie
3 years
This #ransomware dev has either never heard of a loop, or really likes how this "code triangle" looks.
@demonslay335
Michael Gillespie
3 years
Fucking #ransomware developers... this seems like a perfectly fine little "BytesToHexString" function, right? When you see it... 🤦‍♂️
@demonslay335
Michael Gillespie
4 years
And this, ladies and gentlemen, is how you write some of the world's slowest #ransomware code. Read a byte, encrypt it, write it back. One. Byte. At. A. Time. Not the first time I've seen this... 🤦
@demonslay335
Michael Gillespie
3 years
🚨 #Exchange Servers Possibly Hit With #Ransomware 🚨 ID Ransomware is getting a sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look.
@demonslay335
Michael Gillespie
3 years
💡 Bit of advice for #ransomware devs... Use SetFilePointerEx, 🛑 NOT 🛑 SetFilePointer. Don't be like AvosLocker, who fuck up tons of data in the middle of 4GB+ files because they ignore the high move value and return... Pays to read the damn documentation. 📚
@demonslay335
Michael Gillespie
7 years
If anyone has been hit by #Pendor #Ransomware (extension ".pnr"), please contact me. Just about able to crack those files now. 😉(don't worry, final decrypter will have a GUI as usual)
@demonslay335
Michael Gillespie
4 years
Hmm, someone released a decryptor for #STOP #Djvu? Oh wait... it's more fucking #ransomware. Don't trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don't believe me.
@demonslay335
Michael Gillespie
2 years
🔒CryptoTester v1.6.0.0 for #Ransomware Analysis🔍 Long overdue update with new algorithms, features, hashes, ECDH derives, Key Finder formats, ECC Validator, OAEP paddings... the changelog is 100 lines. 😅 Now hosted on GitHub w/ a readme!
@demonslay335
Michael Gillespie
6 years
Anyone infected by #ransomware with extension ".obfuscated" - contact me for free decryption. 🙂
@demonslay335
Michael Gillespie
4 years
🔒CryptoTester v1.5.0.0 for #Ransomware Analysis🔍 Soo many changes: GCM, custom padding, ECDH key exchanges, AutoIT RNG, RC4-DropN, Sosemanuk, new hashes, custom Salsa/ChaCha matrix, CNG RSA blobs, append/reverse input, new OAEP paddings... seriously check the changelog. 😅
@demonslay335
Michael Gillespie
4 years
Anyone infected with "Nefartanulo" #Ransomware (.nefartanulo @protonmail .com), please contact me for free decryption.
@demonslay335
Michael Gillespie
1 year
🔒CryptoTester v1.7.0.0 for #Ransomware Analysis 🔍 Key Finder rewrite, new hashes, derive funcs, algorithms, padding modes, swap Hash and Derive process order, AES-CTR-LE, Encoding Param for RSA... another colossal update to read the changelog on. 😅
@demonslay335
Michael Gillespie
4 years
Dear #SunCrypt #Ransomware authors: please add some kinda checksum/verification to your crypto scheme. Currently, if you give a victim the wrong private Curve25519 key, it just fucks files, since any point is valid on the curve. Just append a simple hash or HMAC of the original.
@demonslay335
Michael Gillespie
3 years
Vice Society (".v-society") == HelloKitty (".crypt") Linux #Ransomware using OpenSSL (AES256 + secp256k1 + ECDSA). (Sorry can't share samples due to victim confidentiality)
@demonslay335
Michael Gillespie
7 years
Something big's going on. I'm told like a third of the US has Comcast outages, affecting Rackspace and others.
@demonslay335
Michael Gillespie
6 years
I'm now able to crack WhiteRose #Ransomware, victims please contact me. 🙂
@demonslay335
Michael Gillespie
5 years
📺 New video in my "Analyzing #Ransomware" 🔎 for beginners - continuing with the STOP Ransomware, we take a look at how it gets the victim's ID and keys (both offline and online) 🔐.
@demonslay335
Michael Gillespie
5 years
New CryptoTester v1.3.0.8 for #Ransomware #Analysis - input offset/len now accepts expressions, Key Finder detects ROT13/damaged keys in bins, bruteforce input with a list of keys, splice output, PHP mt_rand(), Blob Finder exports to clipboard and can generate keys... lots more!
@demonslay335
Michael Gillespie
5 years
📺 New video in my "Analyzing #Ransomware" 🔎 series for beginners - we get started on a mini-series dedicated to analyzing the STOP Ransomware, including unpacking it 📦.
@demonslay335
Michael Gillespie
6 years
Here's a free decrypter for some variants of STOP #Ransomware. Only works for extensions ".puma", ".pumas", and ".pumax". Requires encrypted and original file pair > ~150KB. Thanks to @AfshinZlfgh for PoC. Link:
@demonslay335
Michael Gillespie
5 years
Got a bit of a funny case with helping a #ransomware victim decrypt their files, where the only encrypted/original file pairs they have are straight up porn videos. I mean, hey, whatever works. 🤷‍♀️😅 Porn to the rescue! 🤣
@demonslay335
Michael Gillespie
7 years
Files encrypted with ".dcry" extension? Here's a free decrypter. Thanks to @FraMauronz for cracking it with me. :)
@demonslay335
Michael Gillespie
7 years
Hit by #Gibon #Ransomware with extension ".encrypt"? Here's a free decrypter. 😉
@demonslay335
Michael Gillespie
5 years
Seriously, how the hell do people still look at my profile and reputation, and think that I CREATE #ransomware???
@demonslay335
Michael Gillespie
3 years
Who wants to answer this?
@demonslay335
Michael Gillespie
4 years
🚨 ATTENTION STUDENTS. 🎓 👏 BACKUP 👏 YOUR 👏 DAMN 👏 SCHOOLWORK 👏 Oh you have this super-important-for-your-degree thesis you've slaved over for months? Why the hell can't you take 2 SECONDS to email it to someone? Back it up to a flash drive? PRINT IT for all I care.
@demonslay335
Michael Gillespie
6 years
CryptoTester v1.3.0.2 released for #ransomware analysis. Added PasswordDeriveBytes (had to rearrange key GUI), PKCS #1 PEM parsing, UTF-16 string detection for keys, new string input to accept newlines, other bugfixes in changelog.
@demonslay335
Michael Gillespie
5 years
New update to CryptoTester for #Ransomware Analysis. Dumped a truncated private RSA key from memory? Blob Analyzer can do the math and repair it (as long as enough data is there to work with). Also added tab for decompression (Deflate/GZip/BZip2/LZW/Zip)
@demonslay335
Michael Gillespie
7 years
Small anti-anti-debug tip for complete RE noobs like me. If you see this little function called "IsDebuggerPresent", change EAX on its return to zero to keep going. 😅
@demonslay335
Michael Gillespie
6 years
Here's a free decrypter for #Sepsis #Ransomware (extension: ".[<email>].SEPSIS"). Huge thanks to @FraMauronz for cracking it. 🙂 Padding bug in malware means last block is corrupted tho, cannot recover up to last 16 bytes of files.
@demonslay335
Michael Gillespie
4 years
*Sigh* ID Ransomware has now officially hit *900* #ransomware families it can identify.
@demonslay335
Michael Gillespie
3 years
So my take to keep everyone "grounded": 1. This is for an old version of Hive. 2. They require HUNDREDS of encrypted/original file pairs - most victims struggle to get ONE pair. 3. You'd need these filepairs PER master key - we've had clients with up to a HUNDRED master keys.
@demonslay335
Michael Gillespie
6 years
Could it PLEASE be an industry AV practice to fucking log the HASH of what you detected/quarantined?
@demonslay335
Michael Gillespie
6 years
New release of CryptoTester v1.2.0.1 for #ransomware analysis. Blob analyzer can accept base64 encoded blobs, and also added new tool Key Finder! Simply searches an exe for potential crypto keys (e.g. Crypto Blob, XML, PEM)
@demonslay335
Michael Gillespie
6 years
Oh great, we're teaching how to build #ransomware using #Jigsaw in school now?
@demonslay335
Michael Gillespie
6 years
New release of CryptoTester for #ransomware analysis - v1.2.0.6 adds a custom Base Encoder (base64, more planned), RNG unit testing / corrections, export of RSA Calculator to private/public, plus extra RSA key validation and bugfixes (see changelog)
@demonslay335
Michael Gillespie
6 years
I need to use this #ransomware meme more...
@demonslay335
Michael Gillespie
7 years
Here's my script for extracting config from #GlobeImposter #ransomware samples. Supports any unpacked I've seen.
@demonslay335
Michael Gillespie
4 years
Can someone who has analyzed #Maze #Ransomware DM me? Is it really using "standard" ChaCha20? Got a victim with their private RSA key; can decrypt key/nonce, but not working on the files manually (criminal's tool works). Screenshot'd file, I'd expect ASCII plaintext.
@demonslay335
Michael Gillespie
7 years
When #ransomware encrypts its own damn ransom note so victims don't have their ID to give the criminals to get their key even if they pay.
@demonslay335
Michael Gillespie
3 years
GILLESPIES++; break;
@demonslay335
Michael Gillespie
4 years
Interesting #ransomware using the "age encryption" library/binary (by @FiloSottile). Renames files and uses extension ".sthd2", ransom note is 📨 EMAILED to the victim. 🤔 Note: Victim on @BleepinComputer:
@demonslay335
Michael Gillespie
3 years
#EvilCorp trying to sneak by with their #Hades #Ransomware, pretending to be REvil. Extension ".revil", note ".txt" () that points to a site with the most amazing ransomware logo ever. 🥷
@demonslay335
Michael Gillespie
5 years
Me trying to get this fucking #ransomware to encrypt my virtual machine during analysis...
@demonslay335
Michael Gillespie
3 years
Anyone specifically tracking #Qakbot? Looks like it may be dropping #BlackByte #Ransomware according to forensics on a current case.
@demonslay335
Michael Gillespie
7 years
Files encrypted by #InsaneCrypt #Ransomware with extension ".[<email>].insane"? Here's a free decrypter. 😀 Requires an encrypted file and its original over 10MB.
@demonslay335
Michael Gillespie
7 years
Updated my decrypter for InsaneCrypt/DeusCrypt #Ransomware to not require 10MB+ files. Any encrypted file and its original will do now, can actually bruteforce the key directly. Thanks to @FraMauronz for help with the analysis. 😃
@demonslay335
Michael Gillespie
6 years
Here's a free decrypter for CryptoJoker / CryptoNar #Ransomware (extensions ".cryptojoker" / ".cryptoNar"). Just requires either an encrypted/original file, or one encrypted file of a common type (e.g. .jpg, .png, .pdf, .doc, etc).
@demonslay335
Michael Gillespie
5 years
Me: Why the fuck has my system been so slow all day, gah! *Finds window minimized on the 3rd monitor with a ransomware test bruteforcer in debug mode running* Me: Oh ya...
@demonslay335
Michael Gillespie
7 years
Whew, another milestone. ID Ransomware can now identify 500 #ransomware families.
@demonslay335
Michael Gillespie
6 years
Files encrypted by #FilesLocker #Ransomware (extension ".[fileslocker @pm .me]")? Let's end 2018 with another free decrypter. 😉 Requires the ransom note (Settings -> Load Ransom Note).
@demonslay335
Michael Gillespie
10 months
🔒CryptoTester v1.7.1.0 for #Ransomware Analysis 🔍 Explicit PKCS #1 vs #8 key exports, Key Finder finds new formats, new encrypt algorithms, endianness flipping (byte/int32/int64), generate ECC keys, new derives (including Tiny-ECDH support), bugfixes.
@demonslay335
Michael Gillespie
5 years
🔒CryptoTester v1.4.0.0 for #Ransomware Analysis 🔍 New: Custom Spaces (' ') and Ascii Zeros ('0') padding modes (used by Python malware), CertUtilEncode algorithm, ASN.1 key usage, Add/Sub encryption detection, byte search in hex views, entropy display for RNG
@demonslay335
Michael Gillespie
6 years
Welp, ID Ransomware just hit 600 #ransomware families it can currently identify. Currently over 1800+ extension patterns, 900+ ransom notes, 2400+ email addresses, 800+ BTC addresses, and growing...
@demonslay335
Michael Gillespie
6 years
Small update to CryptoSearch, now shows how much data it found encrypted, and provides progress bar while archiving.
@demonslay335
Michael Gillespie
7 years
Hit by #hc6 #Ransomware and files have ".fucku" extension? Here's a free decrypter. 😉 Special thanks to @fwosar of @emsisoft for help with analysis.
@demonslay335
Michael Gillespie
4 years
More like...
@demonslay335
Michael Gillespie
7 years
Fucking dumb #ransomware skid offences: 1. Educational MY ASS 2. Read whole file at once 3. Base64 -> String to Bytes -> AES -> Base64 again? 4. New key per file w/o saving ANY of them 5. Keep appending keys to global key variable 6. Multithread for race conditions on keygen
@demonslay335
Michael Gillespie
5 years
🔍Quick analysis notes on the Makop / Oled #ransomware (.makop) - TL;DR it's secure (AES-256 + RSA-1024, CryptGenRandom).
@demonslay335
Michael Gillespie
3 years
So many #ransomware victims be like...
@demonslay335
Michael Gillespie
6 years
New feature for ID Ransomware! Been hit by a #ransomware with no known way of decrypting? IDR will now ask if you'd like to opt-in for notification if there's good news in the future.
@demonslay335
Michael Gillespie
4 years
🚨 Breaking: new #Sekhmet #Ransomware (spin-off?) calling itself #Egregor. Extension random but has an XOR'd filemarker. Note still "RECOVER-FILES.txt" () with a new site.
@demonslay335
Michael Gillespie
5 years
🔒CryptoTester v1.3.0.9 for #Ransomware Analysis 🔍 New: Import/export ASN.1 keys, XOR encryption detection, CTRL+A on hexboxes, Base58/Check encodings, hash iterations, added Misty1, Kasumi, and Fernet encryptions, plus fix for pasting hex to HxD.
@demonslay335
Michael Gillespie
5 years
Updated CryptoTester for 🔒 #Ransomware Analysis 🔎. v1.3.0.7 adds decoded view of hex views, OpenSSL-compat derives (EVP_BytesToKey w/ MD5 or SHA256), preset crypto schemes (HiddenTear / OpenSSL), hex inputs now ignore: \t\r[]{}h, plus bugfixes.
@demonslay335
Michael Gillespie
5 years
ID #Ransomware milestone: the service now can identify 800 ransomware families. 😶 Also, passed the 1M submissions milestone awhile ago.
@demonslay335
Michael Gillespie
7 years
@virusbay_io Any chance of adding drag/drop for uploading samples? Having to use the Browse button is sooo 2015. 😋
@demonslay335
Michael Gillespie
4 years
There's a new variant of #Jigsaw #Ransomware using extension ".v316" that has been heavily modified... but it's still decryptable. Victims should contact me, as it involves some extra work to break.
@demonslay335
Michael Gillespie
4 years
French #Jigsaw #Ransomware w/ extension ".evil" spotted by @malwrhunterteam. We still got you covered with free decryptor from @emsisoft. 😉
@demonslay335
Michael Gillespie
5 years
Well damn... just hit 20k followers on the dot.
@demonslay335
Michael Gillespie
5 years
Here are my scripts for #STOP #Djvu #Ransomware Analysis 🔍 that dump the ransomware's config.
@demonslay335
Michael Gillespie
5 years
Thread: Let's take a look at the bullshit "Fast Data Recovery" is advertising about the #STOP #Djvu #Ransomware. As perhaps the #1 world-expert who has analyzed and followed this particular ransomware for over a year, I feel obligated to respond to this absolute horse manure. 💩
@demonslay335
Michael Gillespie
6 years
New release of CryptoTester for #ransomware analysis. v1.3.0.0 brings fixed copy, ability to paste/edit input hex, display generated key, find PGP keys in exe, and addition of SharpAESCrypt. .NET 4.6.1+ required now. Check changelog for details.
@demonslay335
Michael Gillespie
4 years
Dear #ransomware authors... please stop fucking using zero (0x00) padding. Just leave the damn defaults and let PKCS #7 be your lord and savior.
@demonslay335
Michael Gillespie
7 years
Have your files been "Striked" by #Ransomware w/ ext #<email> #id #<id>? Don't Cry! Here's a free decrypter! 😃
@demonslay335
Michael Gillespie
5 years
Update to #STOP #Djvu #Ransomware decrypter, added OFFLINE keys for .nelasod, .mogranos, .lotej, .prandel, .zatrov, .masok
@demonslay335
Michael Gillespie
3 years
Here is #BlackMatter #Ransomware's custom checksum and ID generation algorithms in Python:
@demonslay335
Michael Gillespie
5 years
Seriously people, you can't just say "I need help" and give me NO DAMN CONTEXT. I am getting dozens of these a week. Start off the conversation with SOMETHING. Not just "I need help"... you don't go to the doctor and only say "I hurt"...
@demonslay335
Michael Gillespie
7 years
Alrighty, here's the decrypter for #Pendor #Ransomware (extension ".pnr"). Just need any encrypted file and its original. Victim ID exponentially helps if provided too. Huge thanks to @FraMauronz for analysis.
@demonslay335
Michael Gillespie
3 years
🔒 #Ransomware Hunt: "White Rabbit" with extension ".scrypt", drops note for each encrypted file with "<filename>.scrypt.txt" with victim-specific information: "Follow the White Rabbit..." 🐰🤔
@demonslay335
Michael Gillespie
4 years
My advice: don't.
@demonslay335
Michael Gillespie
5 years
CryptoTester v1.3.0.6 update for #ransomware #analysis. Added basic support for CNG blobs! More support for these as I learn about the format/algorithms later. 😉 Also some extra RSA math - calculate primes from private exp, generate key, etc.
@demonslay335
Michael Gillespie
6 years
Ok, updated my STOPDecrypter to support the newer .djvu*-variants. ONLY SUPPORTS THE OFFLINE KEY or if you have been provided a key. Please check the BleepingComputer post for more info. I'm off to bed. 😴
@demonslay335
Michael Gillespie
5 years
Wanted: victims of #STOP #Djvu #Ransomware who 💰PAID THE CRIMINALS💰 for the following extensions - .coharos, .domn, .boot, .leto, .nakw, .toec, or .lokf Please contact me ⚠️ONLY IF YOU PAID THEM⚠️
@demonslay335
Michael Gillespie
6 years
I really need to question @bluehost's security model when I get this for verifying access to an account. Are you seriously saving customers' passwords unhashed for support to see? Even part of the password?
@demonslay335
Michael Gillespie
7 years
So @PolarToffee spotted a new sample of DCry #ransomware few days ago using extension ".dian". Nice little message for me as well. 😀