Will ESETCrysisDecryptor.exe overwrite files I have already restored from backup?

Hello all,

I have some files that were affected by Crysis ransomware with the .wallet extension a couple years ago. I've stumbled upon this tool ESETCrysisDecryptor.exe which I have some hope for. I was curious though if the decryption process will overwrite some of the files I have already restored from a backup. Some of these files I have worked with (made some edits, saved, etc.) since restoring them, so I am curious if running this tool will overwrite my files or not? Or will it decrypt the file and rename it with a different name, like "filename(1).doc" or something similar?

I don't want to go through my hundreds of directories to delete the wallet files from directories I have already restored from backups, because that would honestly take days to complete.

Working with the Wallet files has been a pain, because I have to disable some of the antivirus protection to do anything with them. So before testing anything I thought I would ask first. Thanks for any information you can provide!




  • Administrators

Files encrypted by Filecoder.Crysis cannot be decrypted. The decryptor you are referring to can be used for very old first variants of Crysis.

Please collect logs with ESET Log Collector and supply the generated archive to samples[at]eset.com along with a couple of encrypted files (ideally Office documents) and the ransomware note with payment instructions.


Actually, I have some good news - I copied about 100 or so wallet files to a flash drive, and copied those to an old PC that was hanging around.

I found that not only does the tool properly decrypt all of the files, but it also does what I was hoping. If you decrypt the wallet files a second or third time, it does *not* overwrite the decrypted file (or the file restored from backup already), and instead decrypts them and renames the file with (1) appended to the end of the file, and if you do it again, it will do (2), etc.

For example, if "Test.pdf" has already been restored from backup (or already decrypted), and you run the tool to decrypt the wallet file again, it will decrypt the file again and rename the one you just decrypted to "Test(1).pdf". So it looks like I am in good shape!




This topic is now closed to further replies.
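Added example, not part of the thread and not ESET's code: a report-only script for the situation the last post describes, where decrypted copies named like "Test(1).pdf" end up next to files already restored from backup (and possibly edited since). It assumes the "(N)" sits directly before the extension, as in the poster's example, and it never deletes or modifies anything.

```python
import hashlib
import re
from pathlib import Path

# Matches the "(N)" suffix the poster observed: stem "Test(1)" -> stem "Test", n 1.
NUMBERED = re.compile(r"^(?P<stem>.+)\((?P<n>\d+)\)$")


def sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large documents are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_copies(root):
    """Return (copy, original, verdict) for every 'name(N).ext' beside 'name.ext'.

    verdict is "identical" when the decrypted copy matches the file already in
    place byte for byte, and "differs" when the file in place has diverged
    (for example, it was edited after being restored from backup).
    """
    results = []
    for copy in sorted(Path(root).rglob("*")):
        m = NUMBERED.match(copy.stem)
        if not (copy.is_file() and m):
            continue
        original = copy.with_name(m["stem"] + copy.suffix)
        if not original.is_file():
            continue  # no un-numbered sibling, so there is nothing to compare
        same = (copy.stat().st_size == original.stat().st_size
                and sha256(copy) == sha256(original))
        results.append((copy, original, "identical" if same else "differs"))
    return results


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for copy, original, verdict in classify_copies(start):
        print(f"{verdict:9}  {copy}  <->  {original}")
```

Pairs reported as "differs" are the ones to review by hand, since one side is the pre-encryption content and the other carries later edits.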
