# Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp

**[bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/](https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/)**

## #1 Demonslay335

Ransomware Hunter, Security Colleague, 4,748 posts, USA
Posted 11 August 2016 - 07:52 PM (2016-08-11T20:52:36-04:00)

A new ransomware has been floating around for the past few weeks, and only now have we been able to find information on it. Dubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with AES and appends the extension ".encrypted" (which is also used by several other ransomwares). The ransom note "_HOW_TO_Decrypt.bmp" is dropped in every folder that is hit, and will look like the following image, asking the victim to contact the criminals at helprecover@ghostmail.com, among other email addresses.

Among the large wall of text, it does try to call itself "CryptoWall Software", but it is in no way nearly as sophisticated as the real thing.

Based on the way this ransomware behaves, and the project file associated with it, it is assumed this variant is spread via manual RDP hacks into a system.

I do not recommend paying the ransom at this time.

**If you have been hit by this ransomware, please post 2-3 different well-known encrypted files here (e.g. .png, .doc, .docx, .xls, .xlsx, .pdf, or .zip), and we will contact you via PM with a key and decrypter.**

**Edited by Demonslay335, 22 August 2016 - 02:36 PM.**

[ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]](https://id-ransomware.malwarehunterteam.com/)
[RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]](http://www.bleepingcomputer.com/download/ransomnotecleaner/)
[CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]](https://www.bleepingcomputer.com/news/security/cryptosearch-finds-files-encrypted-by-ransomware-moves-them-to-new-location/)
If I have helped you and you wish to support my ransomware fighting, you may support me [here.](https://www.patreon.com/demonslay335)

## #2 Amigo-A

Ransomware Expert, Members, 2,577 posts, Bering Strait
Posted 12 August 2016 - 04:34 AM (2016-08-12T05:34:10-04:00)

Smrss32 skipped files with the extension .bmp.

**The list of targeted extensions:**

.18113 .3gp2 .3gpp .8pbs .acs2 .acsm .aifc .aiff .albm .amff .ascx .asmx .aspx .azw3 .back .backup .backupdb .bank .bdmv .blob .bndl .book .bsdl .cache .calb .cals .cctor .cdda .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .ciff .class .clipflair .clpi .conf .config .contact .craw .crtr .crtx .ctor .ctuxa .d3dbsp .data .dazip .ddat .ddoc .ddrw .desc .divx .djvu .dmsk .dnax .docb .docm .docx .dotm .dotx .dsp2 .dump .encrypted .epfs .epub .exif .fh10 .flac .fmpp .forge .fsproj .gray .grey .group .gtif .gzip .h264 .hkdb .hplg .html .hvpl .ibank .icns .icxs .ilbm .im30 .incpas
.indd .indt .ipsw .itc2 .itdb .ithmb .iw44 .java .jfif .jhtml .jnlp .jpeg .json .kdbx .kext .keychain .keychain .kpdx .lang .latex .lay6 .layout .ldif .litemod .log1 .log2 .log3 .log4 .log5 .log6 .log7 .log8 .log9 .m2ts .m3url .macp .maff .mcmeta .mdbackup .mddata .mdmp .menu .midi .mobi .moneywell .mp2v .mpeg .mpga .mpls .mpnt .mpqge .mpv2 .mrwref .ms11 .msmessagestore .mspx .mswmm .oeaccount .opus .otpsc .pack .pages .paint .phtml .pict .pj64 .pkpass .pntg .potm .potx .ppam .ppsm .ppsx .pptm .pptx .ppxps .psafe3 .psmdoc .pspimage .qcow2 .qdat .qzip .rels .rgss3a .rmvb .rofl .rppm .rtsp .s3db .sas7bcat .sas7bdat .sas7bndx .sas7bpgm .sas7bvew .sidd .sidn .sitx .skin .sldm .sldx .smil .sqlitedb .svg2 .svgz .targa .temp .test .text .tiff .tmpl .torrent .trace .tt10 .uns2 .urls .user .vcmf .vfs0 .view .vmdk .wallet .wbmp .webm .webp .wlmp .wotreplay .wrml .xbel .xfdl .xhtml .xlam .xlsb .xlsm .xlsx .xltm .xltx .xspf .xvid .ycbcra .ychat .yenc .zdct .zhtml .zipx .ztmp

Total: 233 extensions; the list has been cleaned of duplicates of the type .BACKUPDB and .backupdb and others. If I missed something, please correct it.
My site: [The Digest "Crypto-Ransomware" + Google Translate](https://id-ransomware.blogspot.com/2016/07/ransomware-list.html)

## #3 loopbackbr

Members, 1 posts
Posted 12 August 2016 - 12:23 PM (2016-08-12T13:23:18-04:00)

If anybody wants additional info, the infected machine is still untouched.

## #4 Grinler

Lawrence Abrams, Admin, 44,675 posts, USA
Posted 12 August 2016 - 05:22 PM (2016-08-12T18:22:49-04:00)

Thanks...we are still trying to figure out a solution. Hang tight. You may want to image the drive if you need to get it up and running again.

**Lawrence Abrams**
**[Join our Official Discord Chat Server!](https://www.bleepingcomputer.com/forums/t/679076/the-bleepingcomputer-official-discord-chat-server-come-join-the-fun/)**
**[Follow us on Twitter!](http://twitter.com/BleepinComputer)**
**[Follow us on Facebook](http://facebook.bleepingcomputer.com/)**

## #5 trixiebix

Members, 2 posts
Posted 16 August 2016 - 09:26 AM (2016-08-16T10:26:05-04:00)

We had a customer get hit with this last week. Found that their local profiles still had "previous versions" (shadow copies) accessible. So we were able to recover their profiles and documents that way.

Found some of the computers had smrss32.exe in the c:\encryptor folder. Some were empty.

Also found a few computers that were not affected had their profiles wiped out, which was strange. They RDP'd into the servers and to any desktops they could hit.

**Edited by trixiebix, 16 August 2016 - 09:47 AM.**

## #6 Demonslay335

Ransomware Hunter, Topic Starter, Security Colleague, 4,748 posts, USA
Posted 16 August 2016 - 10:02 AM (2016-08-16T11:02:27-04:00)

If anyone has paid for a key, I would love to see it via PM please.

@trixiebix Can you submit the smrss32.exe here so I can verify there are no modifications? [http://www.bleepingcomputer.com/submit-malware.php?channel=168](http://www.bleepingcomputer.com/submit-malware.php?channel=168)

Also if any files are left along with smrss32.exe in the same folder as it.

## #7 0E800

Members, 1 posts
Posted 16 August 2016 - 02:22 PM (2016-08-16T15:22:28-04:00)

Once on the systems, the attacker launches a web page and visits the following site to download the ransomware payload:

$USER/AppData/Roaming/Microsoft/Windows/Recent/uyy.lnk (was unable to get remote address)

A zip file with a random three letter filename is then dropped onto the system. The ransomware payload (smrs32.exe) is then unpacked and launched.

Note that it appears the malware is not compatible with WS2003 as only Windows 7 and WS2008 machines were encrypted with the ransomware. It was confirmed that the attackers did access our older servers but none of those systems were tampered with.

Best thing to do is to turn off computers when not in use, and make sure to have a password lockout policy in place. Change the RDP port to something other than default. Do not use easy to guess passwords.

## #8 Praetorians

Members, 19 posts
Posted 17 August 2016 - 04:07 AM (2016-08-17T05:07:31-04:00)

Hello all.
Since this is my first post in this forum, initially I would like to thank all the members for their invaluable input and help.

Yesterday one of our computers, a Win7 machine, was infected with a ransomware resulting in all files being encrypted with the ".encrypted" extension. Many of the files were backed up on an external 4TB HDD, which unfortunately was also left connected to the PC overnight. UAC was disabled on the machine and Sophos apparently wasn't able to do much. The PC also had RDP enabled on default ports and a weak pass... yep, I know.

Thankfully, when the user woke up his PC in the morning, the first thing he did was disconnect the external HDD, so not all the files were encrypted in there (too many files and many large ones like videos etc., I presume).

I'm not a very tech savvy person, so after bypassing the "lockscreen" through Safe Mode, I tried to identify the ransomware through HitmanPro and Malwarebytes with not much luck. All I could find were some WinIo32.sys, winlogon.exe and conhost.exe files, apparently malicious, identified as Trojan.backdoors.

After that I tried to identify the threat online through ID Ransomware by uploading the text file and one encrypted file. I got 2 results: potentially Apocalypse or Smrss32. I tried both Emsisoft and AVG Apocalypse decryptors on the files with no success. Emsisoft says "apparently the files are not encrypted", while AVG returns 0 decryptions. The text file appears to be more like the one of Apocalypse than the Smrss32 one I see here. However I think I'm left with Smrss32 as the only remaining option.

Can anyone suggest another identification method to be certain if it is or not Smrss32? There was no c:\encrypted folder on my PC from what I see here.

Thanks in advance guys.

P.S. - At least around 7.500 files were also encrypted on the external backup HDD.

**Edited by Praetorians, 17 August 2016 - 04:19 AM.**

## #9 quietman7

Bleepin' Gumshoe, Global Moderator, 59,518 posts, Virginia, USA
Posted 17 August 2016 - 05:50 AM (2016-08-17T06:50:44-04:00)

> ...Can anyone suggest another identification method to be certain if it is or not Smrss32? There was no c:\encrypted folder on my ...

TorrentLocker (Crypt0L0cker), Apocalypse, Crypren, Smrss32, and KeRanger OS X Ransomware all add an .encrypted extension to the end of filenames.

**Smrss32 Ransomware will leave files (ransom notes) named _HOW_TO_Decrypt.bmp** which advises your files have been encrypted with "CryptoWall" Software.

**Apocalypse Ransomware will leave files (ransom notes) named** filename.extension.encrypted.How_To_Decrypt.txt, filename.extension.encrypted.How_To_Get_Back.txt (i.e. family.jpg.encrypted.How_To_Decrypt.txt) for each file encrypted. The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.

**Crypren Ransomware will leave files (ransom notes) named** READ_THIS_TO_DECRYPT.html.

**Crypt0L0cker (TorrentLocker) will leave files (ransom notes) with names like** DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, How_To_Restore_Files.txt and HOW_TO_RESTORE_FILES.HTML.

**KeRanger OS X Ransomware will leave files (ransom notes) named** README_FOR_DECRYPT.txt.
**Windows Insider MVP 2017-2020**
**Microsoft MVP Reconnect 2016**
**Microsoft MVP Consumer Security 2007-2015**
[Member of UNITE, Unified Network of Instructors and Trusted Eliminators](http://www.uniteagainstmalware.com/)
**If I have been helpful & you'd like to consider a donation, click**

## #10 Praetorians

Members, 19 posts
Posted 17 August 2016 - 05:52 AM (2016-08-17T06:52:54-04:00)

> **Smrss32 Ransomware leaves files (ransom notes) named _HOW_TO_Decrypt.bmp** which advises your files have been encrypted with "CryptoWall" Software.
>
> **Apocalypse Ransomware leaves files (ransom notes) named** filename.extension.encrypted.How_To_Decrypt.txt, filename.extension.encrypted.How_To_Get_Back.txt (i.e. family.jpg.encrypted.How_To_Decrypt.txt) for each file encrypted. The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.

Thank you very much quietman7. Then it is definitely not Smrss32, since my bitmaps were also encrypted. I will have to move my problem to the appropriate Apocalypse thread then.

Below is what the ransom note consistent with Apocalypse says:

THIS COMPUTER HAS BEEN LOCKED AND ALL THE FILES HAVE BEEN CRYPTED. (images, videos, documents, backups, etc ). Contact by Email for data recovery. Then, we'll provide Unlock-Password and Data Decryption Software to you. Email: fabiansomware@mail.ru
WARNING: If you don't contact in 48 hours, then all DATA will be damaged unrecoverably!!!

**Edited by Praetorians, 17 August 2016 - 05:57 AM.**

## #11 Demonslay335

Ransomware Hunter, Topic Starter, Security Colleague, 4,748 posts, USA
Posted 17 August 2016 - 08:26 AM (2016-08-17T09:26:40-04:00)

@Praetorians See my reply in the Apocalypse topic.

You definitely have the newest Apocalypse we uncovered yesterday, which ID Ransomware will pick up on by the extension, ransom note name, and email address in the ransom note. You'll need to use the ApocalypseVM decrypter for that particular variant.

http://www.bleepingcomputer.com/forums/t/617212/apocalypse-encrypted-ransomware-helptopic-filenamehow-to-decrypttxt/?p=4065585

## #12 Demonslay335

Ransomware Hunter, Topic Starter, Security Colleague, 4,748 posts, USA
Posted 17 August 2016 - 10:10 AM (2016-08-17T11:10:56-04:00)

@All If anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office file (e.g., *.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and decrypter via PM.
## #13 R2D2015

Members, 6 posts
Posted 17 August 2016 - 12:51 PM (2016-08-17T13:51:15-04:00)

> @All If anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office file (e.g., *.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and decrypter via PM.

Did you get my .PNG.Encrypted files?

## #14 Frakkle

Members, 1 posts
Posted 17 August 2016 - 01:15 PM (2016-08-17T14:15:03-04:00)

> A new ransomware has been floating around for the past few weeks, and only now have we been able to find information on it. Dubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with AES and appends the extension ".encrypted" (which is also used by several other ransomwares). The ransom note "_HOW_TO_Decrypt.bmp" is dropped in every folder that is hit, and will look like the following image, asking the victim to contact the criminals at helprecover@ghostmail.com, among other email addresses.
>
> Among the large wall of text, it does try to call itself "CryptoWall Software", but it is in no way nearly as sophisticated as the real thing.
>
> Based on the way this ransomware behaves, and the project file associated with it, it is assumed this variant is spread via manual RDP hacks into a system.
>
> If you or someone you know has been hit by this ransomware, please post in this topic. We are looking to gather more information if possible, including whether files still exist in the directory "C:\encryptor" or another suspicious folder on the root of the drive.
>
> I do not recommend paying the ransom at this time.
>
> **If you have been hit by this ransomware, please post an encrypted file here, and we will contact you via PM with a key and decrypter.**

Encrypted and unencrypted version of file: [https://www.dropbox.com/sh/9erahtg50g2ak47/AACyL1dzQjnSSxxAyKFOTbtfa?dl=0](https://www.dropbox.com/sh/9erahtg50g2ak47/AACyL1dzQjnSSxxAyKFOTbtfa?dl=0)

I hope you can help.

-- Follow-up: Machine is fully restored now. Thanks again so much, you guys are amazing.

**Edited by Frakkle, 17 August 2016 - 08:30 PM.**

## #15 Demonslay335

Ransomware Hunter, Topic Starter, Security Colleague, 4,748 posts, USA
Posted 17 August 2016 - 01:52 PM (2016-08-17T14:52:01-04:00)

@R2D2015 Thanks for the reminder, I have your files and will contact you when we have a key.

@Frakkle I will contact you when we have a key as well.