7ev3n is yet another ransomware family that I wrote about some time ago (for Malwarebytes – you can read more here). It uses custom cryptography and I managed to decrypt several variants. In this post you can find my decryptors (and all the updates about them).
WARNING: 7ev3n ransomware has many variants. Compare your ransom note with the examples given below to find which variant you have, then download the appropriate decryptor. In case of any problems, feel free to contact me.
[Python scripts – PoCs]
[sourcecode of GUI versions – assembler]
A. For sample: 52517f419e78041f8e211428b8820dfb
DECODERS:
GUI version: [download executable]
Python version: seven_decoder1.py
This variant comes with NO ransom note.
To use this decryptor you need to know the original path where the file was stored when it was encrypted by the 7ev3n ransomware. Example:
B. For sample: 08a53eb5d54c6829cf6ea29bd61ea161
DECODERS:
GUI version: [download executable]
Python version: seven_decoder2.py
To use this decryptor you need to copy your unique ID from the ransom note (FILES_BACK.txt).
Ransom note example:
hello, If you have Standart locker interface (green window) on desktop for decryption follow the instructions. If you delete it, and want to decrypt your files you need decryptor, you can buy it by contact through email contact email : JessMalibu@protonmail.com reserve email : martingarrix@nonpartisan.com your unique id : 73118178525283953643921210931031 6. If you want try to decrypt your files with software from anti-malware websites please make copies of this files once you understand that it's not working, you will still have clear copies of the files that be decrypted after payment
And paste it in the appropriate place in the GUI:
see it in action: https://www.youtube.com/watch?v=RNZvsEMBfJs
C. For samples: 7e6af09baf19bc03c4a3b9078546a7c1, 5cce8bbe88dd6e95b8a89dd78a6b082e
This variant requires knowing the original path AND the unique ID.
Ransom note example (FILES_BACK.txt):
hello, if standart cryptolocker interface was blocked or deleted by Antivirus or Firewall and you want back your files, contact : backcontent@contractor.net your unique id : 49b517551928275244272ca5da1f
DECODERS:
GUI version: [download executable]
Python version: seven_decoder3.py
see it in action: https://www.youtube.com/watch?v=RDNbH5HDO1E
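To make the variant check from the warning above easier to repeat, here is an added example (my own code, not part of hasherezade's decryptors or of the original post). It parses the two ransom notes quoted above, pulls out the contact addresses and the unique ID, and maps them to variants A, B or C together with the inputs each decryptor needs. The decoder file names and the contact addresses are taken from this page; the assumption that a contact address identifies the variant is mine and only holds for the samples listed here, so an unknown address is reported as an error rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Decoder scripts named on this page, keyed by variant letter.
DECODERS = {"A": "seven_decoder1.py", "B": "seven_decoder2.py", "C": "seven_decoder3.py"}

# ASSUMPTION (mine): the contact address in the note identifies the variant.
# Built only from the notes quoted on this page; other variants need new rows.
CONTACT_TO_VARIANT = {
    "jessmalibu@protonmail.com": "B",
    "martingarrix@nonpartisan.com": "B",
    "backcontent@contractor.net": "C",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# The ID is the first run of hex digits after "unique id :". Anything after the
# first whitespace (line wrap, list numbering in the note) is deliberately cut off.
ID_RE = re.compile(r"unique id\s*:\s*([0-9a-f]+)", re.IGNORECASE)


@dataclass
class VariantInfo:
    variant: str
    decoder: str
    needs_path: bool        # original path of the file before encryption
    needs_id: bool          # unique ID from FILES_BACK.txt
    unique_id: Optional[str]
    contacts: List[str]


def parse_note(note: Optional[str]) -> VariantInfo:
    """Map a FILES_BACK.txt text (or None when no note was dropped) to a variant."""
    if note is None or not note.strip():
        # Variant A drops no ransom note and needs only the original path.
        return VariantInfo("A", DECODERS["A"], True, False, None, [])
    contacts = [m.rstrip(".").lower() for m in EMAIL_RE.findall(note)]
    variants = {CONTACT_TO_VARIANT[c] for c in contacts if c in CONTACT_TO_VARIANT}
    if len(variants) != 1:
        raise ValueError(f"cannot map note to a known variant; contacts seen: {contacts}")
    variant = variants.pop()
    match = ID_RE.search(note)
    if match is None:
        raise ValueError("ransom note has no 'unique id' field")
    # Variant C needs the path as well as the ID; variant B needs only the ID.
    return VariantInfo(variant, DECODERS[variant], variant == "C", True,
                       match.group(1), contacts)


def check_inputs(info: VariantInfo, unique_id: Optional[str],
                 original_path: Optional[str]) -> List[str]:
    """Return a list of problems with what the user intends to feed the decryptor."""
    problems = []
    if info.needs_id and not unique_id:
        problems.append("unique ID is required for variant " + info.variant)
    if info.needs_id and unique_id and info.unique_id and unique_id != info.unique_id:
        problems.append("supplied ID differs from the one in the ransom note")
    if info.needs_path and not original_path:
        problems.append("original path is required for variant " + info.variant)
    return problems


# Sample notes: copied verbatim from the two examples quoted on this page.
NOTE_B = ("hello, If you have Standart locker interface (green window) on desktop for "
          "decryption follow the instructions. If you delete it, and want to decrypt your "
          "files you need decryptor, you can buy it by contact through email contact email : "
          "JessMalibu@protonmail.com reserve email : martingarrix@nonpartisan.com your unique "
          "id : 73118178525283953643921210931031 6. If you want try to decrypt your files with "
          "software from anti-malware websites please make copies of this files")
NOTE_C = ("hello, if standart cryptolocker interface was blocked or deleted by Antivirus or "
          "Firewall and you want back your files, contact : backcontent@contractor.net your "
          "unique id : 49b517551928275244272ca5da1f")

if __name__ == "__main__":
    for label, note in (("no note", None), ("note B", NOTE_B), ("note C", NOTE_C)):
        info = parse_note(note)
        print(f"{label}: variant {info.variant} -> {info.decoder}, "
              f"needs path={info.needs_path}, needs id={info.needs_id}, id={info.unique_id}")
    # Example of a bad hand-off: variant C with the ID but without the path.
    print(check_inputs(parse_note(NOTE_C), "49b517551928275244272ca5da1f", None))
```

The ID regex stops at the first whitespace on purpose: in the variant B note quoted above the ID is followed by a stray "6." and the next sentence, and pasting that into the GUI is exactly the kind of wrong-ID mistake the comments below describe. Always compare the extracted value against your own FILES_BACK.txt before running the decryptor.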
Good job 🙂
Thank you! And I am very grateful for your support in testing 🙂
Pingback: Ransomware Authors Flunk Again and Again - InfoSec Resources
Hasherezade,
I need your help. I'm trying to use the decoder for 7ev3n GUI, but I don't have the original file name, I mean, any backup file. So, is there any way to recover the files without it?
Can I send you the screenshots?
sure, you can send me an e-mail [hasherezade at gmail] and I will try to help you. this ransomware has many variants so I will also need your sample (the malware executable). please upload it on https://virustotal.com/ and send me the link.
I checked your file, and as far as I can see your variant does not require knowing the path, only the ID. Try to use my decryptor B (https://drive.google.com/file/d/0Bzb5kQFOXkiSYlN2cGdMb01qTXc/view) and paste the ID from the ransom note as I described in the small tutorial. Good luck, let me know if it helps! Check your e-mail, I sent you the decoded file.
Hasherezade,
Thanks for the great information on 7ev3n Hone$t malware. Based on this information I tried decrypting my files and surprisingly I succeeded for a few files but not all files. It works well for all txt files and a few bmp files but it does not work for doc, xls, pdf, jpg, psd etc.
If possible for you, please help me regarding this. My sample executable analysis is available here:
https://virustotal.com/en/file/46bbec1451c81d77c44de8b814d352fa110d4ccfb68186c83b31472e77a82de3/analysis/
Please let me know if I can send you details thru email.
Feel free to send me an e-mail. 7ev3n has many variants, so probably your sample is a bit different than the samples that I analyzed. But don't worry – it looks like it can still be cracked. Unfortunately, I can take care of this only after next week, because now I am very busy.
I made a decoder for you, please try the variant C
I am terribly sorry dear, it still doesn't work, the output files are still unreadable and corrupt, but thanks anyway 😦
don't worry, it will work. I have to figure out more details to check where the problem is, but this variant is decryptable for sure. I guess you just supplied a wrong user ID or a wrong original path – this data is very important for the decryption process. please send me your ransom note and one file in both its encrypted and unencrypted versions. I will try to solve it for you.
Hi, I tested this tool on some of my affected files, but the final output files appear to be corrupt.
Tested with some pictures, pdf, and some documents, but no success
What I can do?
Please upload the sample on VirusTotal and paste me the link in the comment. I will try to get back to you whenever I get some free time. Probably you will need a new variant of the decryptor. You can also send me some samples of the encrypted files via e-mail.
Ok, Here is the URL for the malware sample
https://virustotal.com/es/file/dd5f853ead7663dcb0819314033018f8cb998794aff8925c50b59a2a13cce46c/analysis/1475360861/
Any news, just email me…
Cheers 🙂
Here is a new link with some sample files
https://drive.google.com/open?id=0B7IU-CzcCmp_d3h2OXcxVThjWXc
I made a decoder for you, please try the variant C
More samples here
https://drive.google.com/open?id=0B7IU-CzcCmp_UzZBUlAwSzQySTg
Sorry for the delay
thanks, but it cannot help you as long as I don't have your ID from the ransom note and the path of at least one file. if you don't have the path, I will need one of the files in its original, decrypted form. please provide me this essential information.
Hasherezade:
Thank you very much for your time and support, I got my files back.
🙂
hurray! thanks for the info, I am happy to hear it! 🙂
Pingback: October 2016: The Month in Ransomware