decryption – Attacked by ransomware that has encrypted and renamed all files with a .makop extension

I’ve spent several hours searching the internet to see if anyone has cracked this encryption yet, but without any luck. I don’t want to reward criminals for their activity, but I do have a few files that I absolutely need. Besides finding a decryptor or paying the ransom, do I have any other options for recovering my files? I have been able to successfully restore a couple of systems from backups, but my personal system wasn’t backed up and has temporarily housed important files.

I’m somewhat familiar with best practices of backing up important files and/or saving to the cloud, but I will definitely be more vigilant in the future. It was mostly due to the ‘it will never happen to me’ mindset.

Relevant information:

  • I’ve identified how they got in, and have reset the password on that account (and all other accounts just in case).
  • I did have Malwarebytes and Sophos installed. Looking at the Event Viewer, there are logs of both of these products being successfully uninstalled.
  • The files are renamed like this: originalFileName.orig.(8-digit-hex).(ruthlessencry@qq.com).makop
  • The ransom note file says to contact them at ruthlessencry@qq.com to pay them in bitcoins.
  • They’ll decrypt a couple of files for free, and then send me a scanner-decoder program after being paid.
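As an added example (not part of the post above), a read-only shell inventory of files that match the naming pattern the post describes: it confirms how far the encryption reached before restoring from backup, and checks that a single victim ID and a single contact address appear in the tree (a second ID or address would mean a second run or a second operator, which matters if a decryptor keyed to one ID ever becomes available). Nothing is renamed or modified. The file names in the usage comment and in the checks are constructed; the pattern assumes the delimiter around the contact address is a single character, so both the (…) form written in the post and a […] form are matched.

```shell
#!/bin/sh
# Added example, not from the post: inventory files renamed by the ransomware
# described above. Pattern from the post:  name.ext.<8 hex digits>.(<contact>).makop
set -eu

# Print "<id>|<contact>|<original name>" for a file name that matches the
# pattern, nothing otherwise. The delimiter around the contact address is
# matched as any single character, so [..] and (..) both work (assumption).
parse_makop_name() {
  printf '%s\n' "$1" \
    | sed -En 's/^(.*)\.([0-9A-Fa-f]{8})\..(.+).\.makop$/\2|\3|\1/p'
}

# Walk a tree and emit one record per encrypted file. Read-only: the files
# are not touched, which matters if a decryptor ever needs them intact.
inventory_makop() {
  find "$1" -type f -name '*.makop' | while IFS= read -r path; do
    parse_makop_name "$(basename "$path")"
  done
}

count_makop()    { inventory_makop "$1" | wc -l | tr -d ' '; }
makop_ids()      { inventory_makop "$1" | cut -d'|' -f1 | sort -u; }
makop_contacts() { inventory_makop "$1" | cut -d'|' -f2 | sort -u; }

# Original extensions hit, most common first: shows which file types the
# malware targeted and therefore which ones still need a restore source.
makop_extensions() {
  inventory_makop "$1" | cut -d'|' -f3 | sed -E 's/.*\.//' | sort | uniq -c | sort -rn
}

# Usage on a real system (run from a clean account that can read the tree):
#   inventory_makop /home/user > encrypted-files.txt
#   makop_ids /home/user          # more than one id = more than one run/operator
#   makop_contacts /home/user
#   makop_extensions /home/user
```

Keep the inventory file with the ransom note and a few sample encrypted files (plus their unencrypted originals, if any exist in the restored backups): that is exactly what a decryptor, if one is ever released for this family, would need in order to be tried.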

AES encryption (in Java) of different JSON strings always produce same encrypted string as result. Why?

I have a program written in Java which takes a JSON string as an argument, encrypts it using AES, then encodes the result using Base64.
The JSON strings look like:

{"a": "b"} or {"a": "n"} or {"a": "k"} 

I.e. the object has a single property, a, whose value is randomly generated.

The program's outputs for the JSON inputs above look like this:

UBNvKoRoGqk0PTQQL5K4Sw==
bKwlToSND3HkceDExEDXSw==
u/yKJq1FdoifBM+AnadC3A==

i.e. they are unique.

The same goes for {"a":"gn"}, a random string of length 2. The same for length 3 and so on.

But starting from length 7, the program produces the same encoded string for different inputs. I mean the following JSON strings taken as input:

{"a": "pzfovvs"}
{"a": "bqwuvck"}

produce the same output string:

Dwg0Xjkot8UBfn+vbcCfOS4KluXB6RCFQ932Y9ABtIg=

The same goes for lengths 8 and 9. Starting from 10, the results become unique again.

What is the explanation of this strange phenomenon?

(I can post code if needed.)

Ok, here is the code:

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public class JWTEncryptor {

    // "AES" alone resolves to "AES/ECB/PKCS5Padding" on the standard JDK providers:
    // ECB mode, no IV, so the same key and the same 16-byte plaintext block always
    // produce the same ciphertext block.
    private static String algorithm = "AES";
    // A fresh random key is generated once per JVM: output differs between runs,
    // and nothing encrypted before a restart can be decrypted after it.
    private static Key key;
    private static KeyGenerator keyGenerator;
    // One shared Cipher instance. Cipher is not thread-safe, so concurrent calls
    // to encrypt()/decrypt() on this static would interleave init() and doFinal().
    private static Cipher cipher;

    public static String encrypt(String jwt) throws Exception {
        if (key == null || cipher == null) {
            setUp();
        }
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(cipher.doFinal(jwt.getBytes(StandardCharsets.UTF_8)));
    }

    private static void setUp() {
        try {
            cipher = Cipher.getInstance(algorithm);
        } catch (Exception e1) {
            e1.printStackTrace();
        }
        if (keyGenerator != null) {
            key = keyGenerator.generateKey();
            return;
        }
        try {
            keyGenerator = KeyGenerator.getInstance(algorithm);
            key = keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }

    public static String decrypt(String encryptedJWT) throws Exception {
        if (key == null || cipher == null) {
            setUp(); // as originally posted, decrypt() before any encrypt() threw NullPointerException
        }
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(Base64.getDecoder().decode(encryptedJWT)), StandardCharsets.UTF_8);
    }

}

ios – Encrypted iPhone Backup Over iTunes on Windows 10

I backed up my last iPhone a few months ago, before purchasing a new XR so I could move all of the info from my past phone on to the new one. At the Apple Store, I ended up just connecting the two phones together to do the data transfer, so I didn’t end up needing the iTunes backup from my PC after all.

Fast forward to last week, my iPhone stopped working, and since shelter in place is still in full effect in CA, I had to send my phone in and they sent me a new replacement today. Since it stopped working suddenly, I wasn’t able to get my current data back, but I fortunately still have the backup I made in February. Problem is, it is asking for a decryption pass code that I never created (at least not within the last 10 years).

I have called Apple Support, and they told me that they have no way of accessing or resetting this password, does anyone have any idea what it could have been? Could it have been a password that I entered when I first setup my Apple ID in 2008? Could it have been a password I set on another computer?

This backup contains years of photos of travelling, life events, and moments with those who have passed away. Any help would be graciously appreciated.

From Zero to Encrypted With nginx and Let’s Encrypt

Let’s Encrypt is a free, automated certificate authority: it issues browser-trusted HTTPS certificates at no cost, so even a cheap VPS can serve valid https. In this tutorial, we’ll walk through setting up Let’s Encrypt https on an nginx host running on Debian 10.

We’ll be installing nginx from scratch but won’t be getting into php-fpm and other extensions in this tutorial. I’ll be starting from a brand new VPS on Vultr.

This tutorial assumes that you’ve already got your DNS records set up. In other words, if you’re setting up www.example.com, then www.example.com already has an A record or CNAME that points to your VPS. The Let’s Encrypt validation servers will resolve that name and fetch a challenge file from your server over plain HTTP (the http-01 challenge), so the record must resolve publicly and port 80 must be reachable from the Internet, not just from your own machine.

Installing nginx is straightforward:

apt-get update && apt-get upgrade
apt-get install nginx

I’ll be setting up www.lowend.party and putting its web root in /web/www.lowend.party.

Let’s configure the web root and log directory:

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

We want separate logs for each domain we host, and we want to rotate those logs. We can use Debian’s log rotation system (logrotate) to accomplish this, by placing an appropriate rules file in /etc/logrotate.d. Start with nginx’s basic log rotation rule:

cp /etc/logrotate.d/nginx /etc/logrotate.d/nginx_domain_logs

Now edit /etc/logrotate.d/nginx_domain_logs and change the path pattern so it matches the per-domain subdirectories, leaving the rest of the rule (the create line that sets the ownership of new log files, and the postrotate hook that makes nginx reopen its logs) as it is:

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

Before setting up https, we’ll set up plain http. I’ll place a placeholder index.html in /web/www.lowend.party:

<html>
<head>
<title>www.lowend.party test page</title>
</head>
<body>
<h1>www.lowend.party works!</h1>
</body>
</html>

Now take a look at /etc/nginx. /etc/nginx/sites-available holds a file for every site we might host, and nginx.conf includes whatever is symlinked into /etc/nginx/sites-enabled, so we turn specific sites on or off by adding or removing symlinks.

Let’s create a basic nginx config by creating /etc/nginx/sites-available/www.lowend.party:

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }
}

Now make it live by:

ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

Let’s syntax check that file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart nginx:

systemctl restart nginx

Then I visited http://www.lowend.party and successfully saw the HTML I created earlier.

Now let’s install certbot, the ACME client that will obtain the certificate, configure nginx to serve https, and keep the certificate renewed. On Debian 10 the nginx plugin is packaged as python3-certbot-nginx (python-certbot-nginx, the name from earlier releases, may still resolve to it):

apt-get install certbot python3-certbot-nginx

Now for the magic! Run this command:

certbot --authenticator webroot --installer nginx

And then follow along with the interactive install. My answers are shown after each prompt:

# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number (1-2) then (enter) (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

Now take a look at /etc/nginx/sites-available/www.lowend.party (the file that sites-enabled symlinks to, which is why certbot reported deploying to sites-enabled):

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot
}

certbot has done the following:

  • obtained a TLS certificate for www.lowend.party from Let’s Encrypt and stored it, together with its private key, under /etc/letsencrypt/live/www.lowend.party/
  • installed a shared TLS settings snippet (options-ssl-nginx.conf) and DH parameters under /etc/letsencrypt and included them from the site config
  • updated /etc/nginx/sites-available/www.lowend.party with the listen 443 ssl block and certificate paths needed to serve https
  • added a port-80 server that answers requests for www.lowend.party with a 301 redirect to https, and answers 404 to any other Host name

And going to http://www.lowend.party in my browser now redirects to https://www.lowend.party with a valid certificate, which confirms everything is working correctly.

Let’s Encrypt certificates are only valid for 90 days, so renewal has to happen regularly. Here’s a cool part of certbot on Debian: this chore is already taken care of for you.

Run systemctl list-timers certbot.timer (or systemctl cat certbot.timer to see the unit itself) and you’ll see a job set up to run twice a day. It runs certbot renew, which renews any certificate that is within 30 days of expiry and reloads nginx when it does. certbot renew --dry-run exercises the whole renewal path against the Let’s Encrypt staging environment without touching the real certificate, and is worth running once now rather than finding out about a problem in 60 days.
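The whole procedure above, as an added example that is not part of the original tutorial: a non-interactive script that provisions the site and then obtains the certificate with the same certbot choices as the interactive session (webroot authenticator, nginx installer, agree to the terms, no EFF mail, redirect http to https), followed by the checks a practitioner would run afterwards. DOMAIN and EMAIL default to example values and are assumptions; the logrotate body is modelled on Debian’s stock /etc/logrotate.d/nginx rather than copied from it; root is set at server level instead of inside location / as in the tutorial’s config. The render functions only print text; provision_site, obtain_certificate and verify_https change the system, and run only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the same steps, non-interactive.
# DOMAIN and EMAIL are assumed values; override them in the environment.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
EMAIL="${EMAIL:-webmaster@example.com}"
WEBROOT="/web/$DOMAIN"
LOGDIR="/var/log/nginx/$DOMAIN"
SITE="/etc/nginx/sites-available/$DOMAIN"

# Plain-http server block for one domain with its own log directory.
render_site_config() {
  domain="$1"; webroot="$2"; logdir="$3"
  cat <<EOF
server {
  listen 80;
  server_name $domain;

  access_log $logdir/access.log;
  error_log $logdir/error.log;

  root $webroot;
  index index.html;
}
EOF
}

# logrotate rule for per-domain log directories, modelled on Debian's stock
# /etc/logrotate.d/nginx (assumed contents; compare with your own copy).
render_logrotate_rule() {
  cat <<'EOF'
/var/log/nginx/*/*.log {
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  create 0640 www-data adm
  sharedscripts
  postrotate
    invoke-rc.d nginx rotate >/dev/null 2>&1
  endscript
}
EOF
}

provision_site() {
  apt-get install -y nginx
  mkdir -p "$WEBROOT" "$LOGDIR"
  chown www-data:adm "$LOGDIR"
  [ -e "$WEBROOT/index.html" ] || printf '<h1>%s works!</h1>\n' "$DOMAIN" > "$WEBROOT/index.html"
  render_site_config "$DOMAIN" "$WEBROOT" "$LOGDIR" > "$SITE"
  ln -sfn "$SITE" "/etc/nginx/sites-enabled/$DOMAIN"
  render_logrotate_rule > /etc/logrotate.d/nginx_domain_logs
  nginx -t                       # never reload a configuration that does not parse
  systemctl reload nginx
}

obtain_certificate() {
  # The interactive session's answers, given up front.
  apt-get install -y certbot python3-certbot-nginx
  certbot --non-interactive --agree-tos --no-eff-email -m "$EMAIL" \
    --authenticator webroot --webroot-path "$WEBROOT" \
    --installer nginx --redirect -d "$DOMAIN"
}

verify_https() {
  # Port 80 must answer with a 301 to https; the served certificate must be
  # issued to $DOMAIN by Let's Encrypt and not be close to its expiry date.
  curl -sSI "http://$DOMAIN/" | head -n 1
  printf '' | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
  certbot renew --dry-run        # renewal path against staging, no real issuance
  systemctl list-timers --no-pager certbot.timer
}

if [ "${1:-}" = "run" ]; then
  provision_site
  obtain_certificate
  verify_https
fi
```

Running nginx -t before the reload is the important habit: with a broken site file, a restart would take every site on the host down, while a failed test leaves the running configuration untouched.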

ssd – How to access encrypted Linux user from Windows?

I’m trying to access my backup from an SSD with Linux Mint on it, but my user is password-protected and encrypted. I have tried numerous methods of entering the password, but nothing has worked, and neither has booting from a live USB. (I was using ecryptfs on the USB.) Fiddling with BIOS settings is quite tedious, and not something I’d want to do.

Any good advice?

If the password is updated in production in Laravel, it is encrypted twice, but everything works fine locally

I am tweaking some details of a Laravel project and find that changing the password locally works fine.

On the server, the email arrives perfectly and the link to enter the new password is correct. The problem is that the password stored in the DB appears to be encrypted twice. For this reason, when trying to log in, the following error is returned: 'This credential does not match our records.'

I assume that by removing the password encryption function from the User.php model I could change the password fine, but then when creating a new user the password would be saved without encryption.

Where in the ResetPasswordController.php controller could the password be re-encrypted?
And why does this only happen in production and not locally?

Function in the User.php model for encrypting the password:

public function setPasswordAttribute($password)
{
    $this->attributes['password'] = bcrypt($password);
}

ResetPasswords.php file:

// Imports this excerpt relies on (at the top of the file that holds the trait):
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Str;

public function showResetForm(Request $request, $token = null)
{
    return view('auth.passwords.reset')->with(
        ['token' => $token, 'email' => $request->email]
    );
}

/**
 * Reset the given user's password.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\RedirectResponse
 */
public function reset(Request $request)
{
    $this->validate($request, $this->rules(), $this->validationErrorMessages());

    // Here we will attempt to reset the user's password. If it is successful we
    // will update the password on an actual user model and persist it to the
    // database. Otherwise we will parse the error and return the response.
    $response = $this->broker()->reset(
        $this->credentials($request), function ($user, $password) {
            $this->resetPassword($user, $password);
        }
    );

    // If the password was successfully reset, we will redirect the user back to
    // the application's home authenticated view. If there is an error we can
    // redirect them back to where they came from with their error message.
    return $response == Password::PASSWORD_RESET
                ? $this->sendResetResponse($response)
                : $this->sendResetFailedResponse($request, $response);
}

/**
 * Get the password reset validation rules.
 *
 * @return array
 */
protected function rules()
{
    return [
        'token' => 'required',
        'email' => 'required|email',
        'password' => 'required|confirmed|min:6',
    ];
}

/**
 * Get the password reset validation error messages.
 *
 * @return array
 */
protected function validationErrorMessages()
{
    return [];
}

/**
 * Get the password reset credentials from the request.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return array
 */
protected function credentials(Request $request)
{
    return $request->only(
        'email', 'password', 'password_confirmation', 'token'
    );
}

/**
 * Reset the given user's password.
 *
 * @param  \Illuminate\Contracts\Auth\CanResetPassword  $user
 * @param  string  $password
 * @return void
 */
protected function resetPassword($user, $password)
{
    // The plain password is assigned here; the User model's setPasswordAttribute
    // mutator is what applies bcrypt() when forceFill() sets the attribute.
    $user->forceFill([
        'password' => $password,
        'remember_token' => Str::random(60),
    ])->save();

    $this->guard()->login($user);
}

/**
 * Get the response for a successful password reset.
 *
 * @param  string  $response
 * @return \Illuminate\Http\RedirectResponse
 */
protected function sendResetResponse($response)
{
    return redirect($this->redirectPath())
                        ->with('status', trans($response));
}

/**
 * Get the response for a failed password reset.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  string  $response
 * @return \Illuminate\Http\RedirectResponse
 */
protected function sendResetFailedResponse(Request $request, $response)
{
    return redirect()->back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => trans($response)]);
}

/**
 * Get the broker to be used during password reset.
 *
 * @return \Illuminate\Contracts\Auth\PasswordBroker
 */
public function broker()
{
    return Password::broker();
}

/**
 * Get the guard to be used during password reset.
 *
 * @return \Illuminate\Contracts\Auth\StatefulGuard
 */
protected function guard()
{
    return Auth::guard();
}

What is the attack scenario that encrypted files offer protection against?

There are some file formats / tools that enable file-level encryption. I think PDF and ZIP are probably the best known.

I wonder what scenario they actually help with or if it's just a bad solution.

For example, if I want to be sure that no man in the middle receives information when I transfer a file over the Internet, TLS is the right solution in my opinion.

If I wanted to keep my data secure against attackers who retrieve it from my laptop when I lose the device, I would think of full disk encryption.

The only thing I can see is a low-skill attacker who can access the computer with the encrypted file, essentially when a friend / family member has access and shouldn't accidentally see anything. Am I missing a scenario?

Encryption – What is the threat model for deciding between unencrypted and encrypted EBS volumes?

Let me start by saying that I am not questioning the usefulness of encrypting EBS volumes nor asking how this works.

I'm just wondering what the targeted encryption of EBS volumes protects against.

For my personal laptop, the reason the hard drive is encrypted is that if it is ever stolen and the thief makes a copy of my hard drive, the data is encrypted at rest and cannot be decrypted without logging into my laptop and/or providing the decryption key.

For an unencrypted EBS volume attached to an EC2 instance, I would assume that the data can only be accessed by the EC2 instance to which it is attached. At least nothing other than that EC2 instance can access the data without expressly being granted access to it. Is this assumption wrong?

If this assumption is correct, then encrypting the EBS volume protects against ... what? The possibility that the hard drive will be stolen from the Amazon data center? Or that someone could infiltrate their network and digitally copy the data from the hard drives, which would then be encrypted?

I'm just curious about the threat model.

8 – Are user passwords encrypted when sending the registration form?

If you submit the form at /user/login, both fields in the POST body are sent in plain text. If you use a browser debugger (like Chrome's Inspector), you can view the network traffic and see them.

The transmitted password is then hashed on the server side with the current algorithm (currently a stretched SHA-512; see PhpassHashedPassword() for details) and compared with the version in the database.