
Test the decryptor for bigger files (>1MB) #2

Open
themaks opened this issue Jun 8, 2018 · 8 comments

Comments

@themaks
Owner

themaks commented Jun 8, 2018

Tested files were all below 1MB. The malware only encrypts the first MB of each file, except for files with special extensions. Code must be tested for those cases.

@dapadilla

Thank you! It worked with a 10MB file, not with an MDF file of 11GB. It crashes with OverflowError: Python int too large to convert to C long.

@themaks
Owner Author

themaks commented Jun 15, 2018

At which line did it crash? Can you provide a copy of the stack trace?
Thanks

@themaks
Owner Author

themaks commented Jun 15, 2018

Can you try this version?

@dapadilla

It does work now without crashing; unfortunately the content of the file is still broken.

@themaks
Owner Author

themaks commented Jun 15, 2018

Have you tried to decrypt a txt file first that was encrypted on the same machine?
On a successful decryption, this will give you the exact time of the malware execution, which you can then use when trying to decrypt your MDF file (using --time or --localtime).

@dapadilla

I tried with a .log file and it worked, tried with a .sql file and it worked.
Tried with a .txt file and it didn't, same thing with a .csv.

@themaks
Owner Author

themaks commented Jun 15, 2018

Did you re-use the same timestamp (with --time or --localtime) for every file?
Were the files you failed to decrypt on the same machine as the one you successfully decrypted?

@themaks
Owner Author

themaks commented Jun 16, 2018

If so, maybe the files have not been encrypted by the same malware execution (two parallel executions of the same malware, or maybe some of the files were encrypted by a malware executing from another machine, accessing the files through a network share?).
That would explain why the decryption did not work on some files with the provided timestamp.
On the files the decryption did not work on, start a brute-force attack:
decrypt_file.py --localtime <approx. day and hour of the attack> --delta 72000 <your txt or csv file>
72000 means that the tool will check every encryption start time from 10h before the provided date to 10h after.
Hope this will help.
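An added example (not the repository's decrypt_file.py) of the two points raised in this thread: decrypting only the first MiB of a large file while streaming the remainder in bounded chunks, so an 11 GB file is never read whole, and brute-forcing the execution start time within a --delta window against a known plaintext. The cipher and the timestamp-to-key derivation below are constructed stand-ins, not the malware's.

```python
import os
import shutil
import tempfile

PREFIX_LEN = 1024 * 1024   # the malware only encrypts the first MiB of each file
CHUNK = 64 * 1024          # tail is copied in fixed chunks, never read whole


def toy_keystream(key: bytes, length: int) -> bytes:
    # Constructed stand-in for the real cipher: repeat the key to the wanted length.
    return (key * (length // len(key) + 1))[:length]


def toy_derive_key(start_time: int) -> bytes:
    # Constructed stand-in key schedule keyed on the execution timestamp (hypothetical).
    return start_time.to_bytes(4, "little") * 4


def decrypt_prefix(src: str, dst: str, key: bytes, prefix_len: int = PREFIX_LEN) -> str:
    """Decrypt only the first prefix_len bytes of src into dst, then stream the rest unchanged."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        head = fin.read(prefix_len)                   # bounded read, at most 1 MiB
        ks = toy_keystream(key, len(head))
        fout.write(bytes(a ^ b for a, b in zip(head, ks)))
        shutil.copyfileobj(fin, fout, CHUNK)          # remaining bytes are untouched
    return dst


def bruteforce_start_time(cipher_head: bytes, known_plain: bytes, approx_time: int, delta: int):
    """Try every start time in [approx_time - delta, approx_time + delta] (the --delta window);
    return the first one whose derived key turns cipher_head into known_plain, else None."""
    n = len(known_plain)
    for t in range(approx_time - delta, approx_time + delta + 1):
        ks = toy_keystream(toy_derive_key(t), n)
        if bytes(a ^ b for a, b in zip(cipher_head[:n], ks)) == known_plain:
            return t
    return None


def roundtrip_large_file(size: int = 3 * PREFIX_LEN + 123, start_time: int = 1528416000) -> bool:
    """Constructed sample: encrypt the first MiB of a size-byte file with the toy cipher,
    decrypt it with decrypt_prefix, and report whether the result matches the original."""
    plain = bytes(i % 251 for i in range(size))
    key = toy_derive_key(start_time)
    ks = toy_keystream(key, PREFIX_LEN)
    enc = bytes(a ^ b for a, b in zip(plain[:PREFIX_LEN], ks)) + plain[PREFIX_LEN:]
    d = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(d, "enc.bin"), os.path.join(d, "dec.bin")
        with open(src, "wb") as f:
            f.write(enc)
        decrypt_prefix(src, dst, key)
        with open(dst, "rb") as f:
            return f.read() == plain
    finally:
        shutil.rmtree(d)
```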
