Will ESETCrysisDecryptor.exe overwrite files I have already restored from backup?

Hello all,

I have some files that were affected by Crysis ransomware with the .wallet extension a couple years ago.  I've stumbled upon this tool ESETCrysisDecryptor.exe which I have some hope for.  I was curious though if the decryption process will overwrite some of the files I have already restored from a backup.  Some of these files I have worked with (made some edits, saved, etc.) since restoring them, so I am curious if running this tool will overwrite my files or not?  Or will it decrypt the file and rename it with a different name, like "filename(1).doc" or something similar?

I don't want to go through my hundreds of directories to delete the wallet files from directories I have already restored from backups, because that would honestly take days to complete.

Working with the Wallet files has been a pain, because I have to disable some of the antivirus protection to do anything with them.  So before testing anything I thought I would ask first.  Thanks for any information you can provide!

Files encrypted by Filecoder.Crysis cannot be decrypted. The decryptor you are referring to can be used for very old first variants of Crysis.

Please collect logs with ESET Log Collector and supply the generated archive to samples[at]eset.com along with a couple of encrypted files (ideally Office documents) and the ransomware note with payment instructions.

Actually, I have some good news - I copied about 100 or so wallet files to a flash drive, and copied those to an old PC that was hanging around. 

I found that not only does the tool properly decrypt all of the files, but it also does what I was hoping.  If you decrypt the wallet files a second or third time, it does *not* overwrite the decrypted file (or the file restored from backup already), and instead decrypts them and renames the file with (1) appended to the end of the file, and if you do it again, it will do (2), etc.

An example: if "Test.pdf" has already been restored from backup (or already decrypted), and you run the tool to decrypt the wallet file again, it will decrypt the file again and rename the one you just decrypted to "Test(1).pdf".  So it looks like I am in good shape!

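A read-only check for the outcome described in the post above, added here as an example and not part of the original thread or of ESET's tool: once the decryptor has written numbered copies such as "Test(1).pdf" next to files restored from backup, it walks a folder and reports which numbered copies are byte-identical to the existing file and which differ (for instance because the restored file was edited since). It assumes the "(N)" suffix sits directly before the extension, as in the post's example; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the naming the post reports, e.g. "Test(1).pdf" -> base "Test.pdf"
COPY_RE = re.compile(r"^(?P<stem>.+)\((?P<n>\d+)\)(?P<ext>\.[^.]+)?$")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify_decrypted_copies(root: Path) -> list[tuple[str, str, str]]:
    """Return (existing, numbered_copy, verdict) tuples found under root.
    "identical" = byte-for-byte match; "differs" = review by hand. Read-only."""
    results = []
    for copy in sorted(p for p in root.rglob("*") if p.is_file()):
        m = COPY_RE.match(copy.name)
        if not m:
            continue
        existing = copy.with_name(m["stem"] + (m["ext"] or ""))
        if not existing.is_file():
            continue  # a file that merely has "(1)" in its own name
        same = sha256_of(copy) == sha256_of(existing)
        results.append((str(existing.relative_to(root)),
                        str(copy.relative_to(root)),
                        "identical" if same else "differs"))
    return results

def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a folder after decryption."""
    (root / "docs").mkdir()
    (root / "docs" / "Test.pdf").write_bytes(b"restored, then edited")
    (root / "docs" / "Test(1).pdf").write_bytes(b"restored")
    (root / "Notes.txt").write_bytes(b"same")
    (root / "Notes(1).txt").write_bytes(b"same")
    (root / "Report(1).doc").write_bytes(b"no base file")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for row in classify_decrypted_copies(Path(tmp)):
            print(row)
```

Pairs reported as "differs" are the ones where the existing file and the freshly decrypted copy hold different content, so both should be kept until compared by hand.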