Decoders for 7ev3n ransomware

7ev3n is yet another ransomware about which I wrote some time ago (for Malwarebytes – you can read more here). It uses custom cryptography and I managed to decrypt several variants.  In this thread you can find my decryptors (and all the updates about them).

WARNING: 7ev3n ransomware has many variants. Check your ransom note and compare with the examples given below, in order to find what is your variant. Then, download appropriate decryptor. In case of any problems, feel free to contact me.

[Python scripts – PoCs]
[sourcecode of GUI versions – assembler]


A. For sample: 52517f419e78041f8e211428b8820dfb

DECODERS:

GUI version: [download executable]
Python version: seven_decoder1.py

This variant comes with NO ransom note.

In order to use this decryptor need to know the original path, where the file was stored when it got attacked by the 7ev3n ransomware. Example:

seven2


B. For sample: 08a53eb5d54c6829cf6ea29bd61ea161

DECODERS:

GUI version: [download executable]
Python version: seven_decoder2.py

In order  to use this decryptor you need to copy your unique ID from the ransom note – FILES_BACK.txt

Ransom note example:

hello, If you have Standart locker interface (green window) on desktop for decryption follow the instructions.
If you delete it, and want to decrypt your files you need decryptor, you can buy it by contact through email
contact email : JessMalibu@protonmail.com
reserve email : martingarrix@nonpartisan.com
your unique id : 73118178525283953643921210931031
6. If you want try to decrypt your files with software from anti-malware websites please make copies of this files
 once you understand that it's not working, you will still have clear copies of the files that be decrypted after payment

And paste it in the appropriate place in the GUI:

variant_b

youtube-512  see it in action: https://www.youtube.com/watch?v=RNZvsEMBfJs


C. For samples: 7e6af09baf19bc03c4a3b9078546a7c1, 5cce8bbe88dd6e95b8a89dd78a6b082e

This variant requires knowing the original path AND the Unique ID.

Ransom note example (FILES_BACK.txt):

hello, if standart cryptolocker interface was blocked or deleted by Antivirus or Firewall
and you want back your files, contact : backcontent@contractor.net
your unique id : 49b517551928275244272ca5da1f

DECODERS:

GUI version: [download executable]
Python version: seven_decoder3.py

seven_c

youtube-512  see it in action: https://www.youtube.com/watch?v=RDNbH5HDO1E

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Malware, Malware Decryptor and tagged , , . Bookmark the permalink.

21 Responses to Decoders for 7ev3n ransomware

  1. Pingback: Ransomware Authors Flunk Again and Again - InfoSec Resources

  2. Marko says:

    Hasherezade,
    I need your help. I’m try to use decoder for 7ev3n GUI, but I have not the original file name, I mean, any back up file. So, is there any way to recovry the files back with out it.
    Can I send you the shotscreens?

  3. Ami says:

    Hasherezade,
    Thanks for the great information on 7ev3n Hone$t malware. Based on this information I tried decrypting my files and surprisingly I succeeded for few files but not all files. It works well for all txt files and few bmp files but it does not work for doc, xls, pdf, jpg, psd etc.
    If possible for you please help me regarding this. my sample executable analysis is available here
    https://virustotal.com/en/file/46bbec1451c81d77c44de8b814d352fa110d4ccfb68186c83b31472e77a82de3/analysis/
    Please let me know if I can send you details thru email.

    • hasherezade says:

      Feel free to send me an e-mail. 7ev3n have many variants, so probably your sample is a bit different than the samples that I analyzed. But don’t worry – it looks it still can be cracked. Unfortunately, I can take care of this after next week, because now I am very busy.

    • hasherezade says:

      I made a decoder for you, please try the variant C

      • Diamante says:

        I am terrible sorry dear, still doesn’t work, the output are still unreadable and corrupt, but thanks anyway😦

      • hasherezade says:

        don’t worry, it will work. I have to figure out more details to check where is the problem, but this variant is decryptable for sure. I guess you just supplied wrong used id or wrong original path – this data is very important for the decryption process. please send me your ransom note and one file in encrypted and unencrypted version. I will try to solve it for you.

  4. Diamante says:

    Hi, I tested this tool in some of my affected files, but the final output files appears to be corrupt

    Tested with some pictures, pdf, and some documents, but no success

    What I can do?

  5. Marko says:

    Hasherezade:

    Thank you very much for your time and support, I got my files back.
    🙂

  6. Pingback: October 2016: The Month in Ransomware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s