ThanosDecryptor is an project to decrypt files encrypted by Thanos ransomware.

Overview

License: MIT made-with-Go

Prometheus-Decryptor

Prometheus-Decryptor is an project to decrypt files encrypted by Prometheus ransomware.

Command Arguments

Usage of ./bin/prometheus_decrypt:
  -b string
        Custom search with byte value. (i.e. \xde\xad\xbe\xef -> deadbeef)
        Please use ?? to match any byte (i.e. de??beef)
  -c    Use current tickcount. (only support in Windows)
  -e string
        Search file extension.
  -f int
        Found candidate. (default 1)
  -i string
        Input encrypted file.
  -k string
        Decrypt with this key.
  -m int
        Move backward m minutes from the current decrypted seed when guessing the next sample. (default 30)
  -o string
        Output decrypted file.
  -p int
        Use n thread. (default 1)
  -r    Reversed tickcount.
  -s string
        Custom search with regular expression.
  -t int
        Start tickcount.

Usage

Guess password

Guess the password of a png image from tickcount 0.

./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[[email protected]\] -o ./output/CyCraft.png -e png -p 16

In this command, there are 4 arguments:

  • i: input encrypted file
  • o: output file
  • e: search file format
  • p: thread count

Reversed Tickcount

Guess the password of a png image from tickcount 100000 in reversed order.

./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[[email protected]\] -o ./output/CyCraft.png -e png -p 16 -t 100000 -r

There are 2 additional arguments:

  • t: start from 100000
  • r: reversed order (100000...0)

Guess from current tickcount (only for Windows)

Guess the password of a png image from the current tickcount in reversed order. This feature is usually used with reversed order.

./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[[email protected]\] -o ./output/CyCraft.png -e png -p 16 -c -r

There is an additional argument:

  • c: start from the current tickcount

Decrypt (Encrypt) with a key

Decrypt (Encrypt) a file with a provided key.

./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[[email protected]\] -o ./output/CyCraft.png -k "[email protected][%T-mZSh+E[^^i{W:dpwnhdL4"

There is an additional argument:

  • k: provided key

Guess password with custom format (regular expression)

Guess the password of a text file with a known string "we had another great".

./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"

There is an additional argument:

  • s: regular expression to match the decrypted file

Guess password with custom format (bytes pattern)

Guess the password of a png file with its header in hex.

./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -b '89??4e??0d??1a0a??00'

There is an additional argument:

  • b: PNG header in hex format.
    • The full bytes are "8950 4e47 0d0a 1a0a 0000".
    • We can use ?? to match any byte.

Custom search with bytes pattern is much more convenient than regular expression, since there are lots of file format that it can't be performed by visible characters.

Guess password for a directory

Guess the password of a png file with its header in hex.

./prometheus_decrypt -i ./sample -o ./output -p 16 -m 1 -f 2

There are two additional arguments:

  • m: Move backward m minutes from the current decrypted seed when guessing the next sample. (default 30)
    • Use seed-m*60*1000 as the start tickcount.
  • f: Found candidate. (default 1)
    • Limit the candidates found. There may be several candidates to a file, limit its candidates can save time.

Since there are lots of files to decrypt, you can press Ctrl-c to skip the current guessing file.

Output

The output should like this. Since we match the file with magic number, it might be matched even a wrong key is provided. Therefore, we keep the decryption process continued to guess. You can terminate it anytime if you find the correct decrypted file.

 % ./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"
 Decrypt file with seed 615750, key: [email protected][%T-mZSh+E[^^i{W:dpwnhdL4<b8D4, path: ./output/615750_test.txt
 2795306...

GUI

We provide a GUI version for windows users. All features is supported in the GUI version. If you know nothing about programming, please follow the steps below to decrypt your files:

  1. Choose a file or folder to decrypt.
  2. Choose the output file name or output folder.
  3. Select "Use thread" and fill in 2-4 for PC. (Threads usually make the decryption routine faster, but it actually depends on amount of your cpu cores)
  4. Click decrypt.
  5. There is a counter, which shows the current guessing tickcount.
  6. The decrypting result will show in the text block below. (There may be multiple possible key, so the decryption routine will continue to decrypt even find a possible key. You can press "Next one" to skip the current file).

GUI

Build

make win32    # windows 32 bits
make win64    # windows 64 bits
make linux    # linux
make win32GUI # windows 32 bits GUI (built on windows)
make win64GUI # windows 64 bits GUI (build on windows)

Supported File Format

We match the magic number with https://github.com/h2non/filetype. Here is the file type we currently support:

Image

  • jpg - image/jpeg
  • png - image/png
  • gif - image/gif
  • webp - image/webp
  • cr2 - image/x-canon-cr2
  • tif - image/tiff
  • bmp - image/bmp
  • heif - image/heif
  • jxr - image/vnd.ms-photo
  • psd - image/vnd.adobe.photoshop
  • ico - image/vnd.microsoft.icon
  • dwg - image/vnd.dwg

Video

  • mp4 - video/mp4
  • m4v - video/x-m4v
  • mkv - video/x-matroska
  • webm - video/webm
  • mov - video/quicktime
  • avi - video/x-msvideo
  • wmv - video/x-ms-wmv
  • mpg - video/mpeg
  • flv - video/x-flv
  • 3gp - video/3gpp

Audio

  • mid - audio/midi
  • mp3 - audio/mpeg
  • m4a - audio/m4a
  • ogg - audio/ogg
  • flac - audio/x-flac
  • wav - audio/x-wav
  • amr - audio/amr
  • aac - audio/aac

Archive

  • epub - application/epub+zip
  • zip - application/zip
  • tar - application/x-tar
  • rar - application/vnd.rar
  • gz - application/gzip
  • bz2 - application/x-bzip2
  • 7z - application/x-7z-compressed
  • xz - application/x-xz
  • zstd - application/zstd
  • pdf - application/pdf
  • exe - application/vnd.microsoft.portable-executable
  • swf - application/x-shockwave-flash
  • rtf - application/rtf
  • iso - application/x-iso9660-image
  • eot - application/octet-stream
  • ps - application/postscript
  • sqlite - application/vnd.sqlite3
  • nes - application/x-nintendo-nes-rom
  • crx - application/x-google-chrome-extension
  • cab - application/vnd.ms-cab-compressed
  • deb - application/vnd.debian.binary-package
  • ar - application/x-unix-archive
  • Z - application/x-compress
  • lz - application/x-lzip
  • rpm - application/x-rpm
  • elf - application/x-executable
  • dcm - application/dicom

Documents

  • doc - application/msword
  • docx - application/vnd.openxmlformats-officedocument.wordprocessingml.document
  • xls - application/vnd.ms-excel
  • xlsx - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • ppt - application/vnd.ms-powerpoint
  • pptx - application/vnd.openxmlformats-officedocument.presentationml.presentation

Font

  • woff - application/font-woff
  • woff2 - application/font-woff
  • ttf - application/font-sfnt
  • otf - application/font-sfnt

Application

  • wasm - application/wasm
  • dex - application/vnd.android.dex
  • dey - application/vnd.android.dey

How it work ?

Prometheus ransomware use salsa20 with a tickcount-based random password to encrypt. The size of the random password is 32 bytes, and every character is visible character. Since the password use tickcount as the key, we can guess it brutally.

You might also like...
LightRPC Encrypted reliable components RPC

light LightRPC Multi-protocol encryption RPC Multi-protocol TCP KCP UNIX HTTP MQTT QUIC Encoding JSON MessagePack Protobuf Compress RawData Snappy GZI

🔐 Share end-to-end encrypted secrets with others via a one-time URL
🔐 Share end-to-end encrypted secrets with others via a one-time URL

If you use this repo, star it âœĻ 🔐 Share end-to-end encrypted secrets with others via a one-time URL Use to securely share API Keys, Signing secrets,

🔐 Share end-to-end encrypted secrets with others via a one-time URL
🔐 Share end-to-end encrypted secrets with others via a one-time URL

If you use this repo, star it âœĻ 🔐 Share end-to-end encrypted secrets with others via a one-time URL Use to securely share API Keys, Signing secrets,

Bare Bones Encrypted File Uploading Service

eggnog Basic file uploading service in Go. Files are XOR encrypted server side, and are only accessible with the key. It's not perfect encryption, but

minimal implementation of secured encrypted tcp/ip connection without tls / ssl.

go-secure-transport Demo implementation of secured encrypted TCP connection without TLS / SSL. See ./example for server & client using the transport t

An end-to-end encrypted secret messaging service.

Nimie An End-to-end encrypted Anonymous Messaging Service. In a nutshell This service basically empowers you to have short anonymous conversations wit

Peer-to-peer encrypted message exchange

Constellation Constellation is a self-managing, peer-to-peer system in which each node: Hosts a number of NaCl (Curve25519) public/private key pairs.

Money-transfer-project-template-go - A simple project for demonstrating Temporal with the Go SDK
Money-transfer-project-template-go - A simple project for demonstrating Temporal with the Go SDK

Temporal Go Project Template This is a simple project for demonstrating Temporal

Crypto-project - Personal project for learning TLS

crypto-project My personal attempt to implement this cipher suite using the Go l

Comments
  • update decRoutine() to check only bytes of file header

    update decRoutine() to check only bytes of file header

    It is sufficient to decrypt only the file header (max 262 bytes supported by github.com/h2non/filetype) in decRoutine() to match the file type. If it matches we decrypt the whole file. This speeds up the process.

    opened by sa-ru 1
Releases(1.3)
Owner
CyCraft
CyCraft
Age-encrypted-notebook - Age encrypted notes saved in a bolt DB

Age Encrypted Notebook (aen) Disclaimer: This project has the sole purpose of ge

Nils Kuhnert 18 Sep 15, 2022
Ransomware: a type of malware that prevents or limits users from accessing their system

Ransomware Note 1: This project is purely academic, use at your own risk. I do not encourage in any way the use of this software illegally or to attac

null 1 Nov 17, 2021
🌰 encrypt/decrypt using ssh keys

ssh-vault ?? encrypt/decrypt using ssh private keys Documentation https://ssh-vault.com Usage $ ssh-vault -h Example: $ echo "secret" | ssh-vault -u

ssh-vault 361 Nov 22, 2022
Decrypt passwords/cookies/history/bookmarks from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( passwords|bookmarks|cookies|history ) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

áīáīáīÉīD4ʀáī‹ 6.7k Dec 7, 2022
hack-browser-data is an open-source tool that could help you decrypt data from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( password|bookmark|cookie|history|credit card|download

idiotc4t 113 Nov 30, 2022
Sign, verify, encrypt and decrypt data with GPG in your browser.

keygaen Sign, verify, encrypt and decrypt data with GPG in your browser. ⚠ïļ keygaen has not yet been audited! While we try to make keygaen as secure a

Felix Pojtinger 78 Nov 22, 2022
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP

sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (demo)

Mozilla 11.5k Dec 6, 2022
Cross-platform application for easy encrypted sharing of files, folders, and text between devices.

wormhole-gui Wormhole-gui is a cross-platform application that lets you easily share files, folders and text between devices. It uses the Go implement

Jacob 713 Nov 28, 2022
A simple and lightweight encrypted password manager written in Go.

Osiris Password Manager A simple and lightweight encrypted password manager written in Go

null 32 Jun 16, 2022
go seof: Simple Encrypted os.File

Encrypted implementation of golang' os.File. It handles WriteAt, Seek, Truncate, etc. Can deal with huge files, random access, etc.

Ed Riccardi 44 May 11, 2021