Redshitlineindia virus ransomware decrpytion

How we got our files Decrypted by Redshitline@india.com Virus Ransomware

Our client’s server was infected by Redshitline@india.com Virus Ransomware and all most of the files were encrypted.

This happened on a 4 day long-weekend, all 4 backups were encrypted, no shadow volume or restore point. Tried everything we could find on the Internet without any luck. Finally decided to email the hackers (redshitline@india.com) with an encrypted file attached.

Got a reply back in few hours with the decrypted file attached and the following email:

Hello! Your files have been encrypted with cryptographic algorithm!
We suggest you purchase a decoder which
decrypt all your files in a fully automatic mode on the same day after
payment! (You not need to send any files to us). As we can guarantee – we can
decrypt files for free (2-3 total weight <= 5mb). For warranty
decryption (if required) you should send to us archived
test files in the response letter (even if you did it before).
The cost of the decoder: 5 bitcoins (BTC).

Payment instructions:

1. Go to https://localbitcoins.com/
2. Register (sign up)

3. You need to buy Bitcoins from people. (You can pay with any method,
which is convenient to you)

4. Send purchased Bitcoins to our address listed below. If you have any questions, you can contact support this service, or email us.

Our Bitcoin wallet: 11111111111111111111111111111111111111

The guarantee to decrypt.
1) I give decrypted files for you, and you see – I have decrypter.
2) Making personal decoder for you – it takes just 3-5 minutes. After payments – everyone gets a personal decoder without exception.

Write if you have any questions about the case. There is no bidding, requests to give free decoder and other unnecessary questions – will be ignored.

According to the amount payable. Price for this day – 5 bitcoins, it will be relevant for two days, starting from you wrote to me. After spending two days – the price of the decoder will increase every day on 1 Bitcoin.

It mean, for example, after 4 days from the time you contact me, if you still have not paid the decoder – the amount will be 7 bitcoins. (except for two days without a price penalty)

 

We tried to negotiate with Redshitline@india.com but they didn’t budge.

We created a bitcoins account to buy the bitcoins for the first time. We thought it will be as easy as paying someone and buying the bitcoins by one bank transfer.

To our surprise we had to prove that we are genuine people buying to buy the bitcoins in a legit way. We had to email out drivers licence, Medicare card and photo clicked in different angles. Also hold a paper with the reference number and the amount being transferred.

We end up buying 2.5 bitcoins from one guy and 2.5 from the other as could buy maximum of 2.8 in the first go (it does increase after your first purchase though). Most of the seller’s prefer cash deposit in the their account, but we were looking for sellers who will accept bank transfer. Took us 2 days to get all 5 bitcoins.

Transferred 5 bitcoins in wallet address provided in the email. Emailed them informing about the transfer. We got the following reply back:

http://rghost.ru/private/8RtCmFWwL/76e681a1dfd6fde08e03c99145eee60b
Its your decrypter. Just press the button “Scan PC” and wait for the scan to finish, then send me the key, which you will see on this basis – I’ll make you another key. When I send you – your personal key, you press the button – “Decrypt…”, enter your personal key, and click “OK”. Ticks – no need to clean up.
You need to remove the virus from your PC after decryption. Download any anti-virus and scan all your PC, and remove it. I advice you – DR.Web Cure IT. Waiting for key!

 

We followed the instructions and emailed the key as requested. We got the following reply back in few hours:

Ah, see, we have statistics for each computer, my boss said – that the information on the computer is estimated at more than 10 Bitcoins. He said to tell you that we can sell you the decryption key – just for 4 Bitcoins. If you want to buy – send this amount on my Bitcoin – if not, I am sorry, because the boss checked the value of your files and does not allow me to send key now.

https://www.sendspace.com/file/v0t0ek
– it’s your personal key for decrypter.
If you want to pay 4 BTC – I send the password for archive with key – instantly after payment.
Sorry, I can not go against my boss, coz I lose my job. I do not have to do with the money that you send us, I do not have access to them, I am working on the payroll as well as you, and I do not care how much money you send, I have from this nothing, but the boss does not allow to send the key for such a small sum, arguing that checked your computer at our statistics via your ip address – the number of encrypted files, and said that there is information on more than 10 Bitcoins, but will sell to you for 4 Bitcoins decoder, since you already paid for earlier, and we do not want to put you in an awkward position. If you are going to pay – write to me. Price 4 BTC will be available today. Its one way to get decrypter, have money – you will get it.

 

We were fuming after reading that email, first of all we have paid a lot of money to decrypt the files and now they want more. Secondly if we pay them again what’s the guarantee Redshitline@india.com wont ask for more later. We had no other choice but to pay them.

We had to go through the same exercise of buying more bitcoins, proving your identity to the seller. We paid them and informed about the transfer. We got the following email back:

Ok, I see.
Do it again:
http://rghost.ru/private/8RtCmFWwL/76e681a1dfd6fde08e03c99145eee60b
It’s your decrypter. Just press the button “Scan PC” and wait for the scan to finish, then send me the key, which you will see on this basis – I’ll make you another key. When I send you – your personal key, you press the button – “Decrypt…”, enter your personal key, and click “OK”. Ticks – no need to clean up.
You need to remove the virus from your PC after decryption. Download any anti-virus and scan all your PC, and remove it. I advice you – DR.Web Cure IT. Waiting for key!
PLEASE, write under message: (I make 2 payments), thanks!

 

So we followed the instructions and emailed the key again mentioning that its our second payment. Got a reply the next day with the decryption key. We were a bit sceptical whether the decryption key is going to work to not. Left it running overnight and success in the morning. All the files were decrypted and readable again.

We formatted the Hard Drive and installed all the Programs and made sure that the files were clean before we reloaded them on the server

After $5400 they were back in business.

The moral of the story is: To backup often, keep multiple copies and have a strong backup solution.

 

Vineet Gurmukhani

Reliable Computers

www.reliablecomputers.com.au

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *