Jump to content

We have a chance to get a hold of a decryptor for the Okean-1955 ransomware

Recommended Posts

Hello all!

I kind of have a special question here. Hope this is the right place to put it.

Our servers got attacked by ransomware and all of our files are encrypted by the Indian based Okean-1995 virus. We have backups but they are almost a year old. Production has stopped completely. And we are now pressed up against the corner. I am not proud to admit that we payed the criminals to have our files back. And they may or may not give them back. Now here is the thing: They want to connect to our server with RDP to do the decryption for us. This tells me that they have a decryptor that works for every single infected machine of this particular ransomware. Is there any way we can get a hold of this decryptor undetected by these criminals? Like packet sniffing on the RDP protocol for the executable code and the private key itself? I'd really love to help out the people who also are infected by this one. Problem is: I don't know how I can go about this undetected and risking all our companies files.

If you think you can do it: Get in touch with me, and I'll invite you in on the quest to recover the decryptor.

Link to post
Share on other sites

I'm sorry but you misconstrue the purpose of this sub-forum.
This sub-forum is provided such that the public can supply samples of malware, in the form of disk files, that Malwarebytes targets but presently fails to detect.
Malware hunters please read
Purpose of this forum
Malware Hunters group

Assistance with the Malwarebytes' Anti-Malware (MBAM) application on Windows for Businesses is performed in; Malwarebytes Endpoint Security Support

I will request a moderator move your thread there.


"Okean-1995 virus" ?  The ransomware seen in-the-wild Today are trojans, not viruses.  The Locky variants are the most prevalent but there are other ransomware flavours.

When it comes to encryption keys for Todays' crypto trojans, they are posted to 3rd party web sites using HTTP POST possibly including a Referral string being set.  Some use a Proxy and HTTPS ( SSL ) to post the keys to the Dark Net.  Each encryption and ransom action generates a unique key.  The malicious actors tie the affected system to the encryption key so each decryption action would also be unique.

  • Do NOT pay ransoms.
  • Do NOT allow them to use RDP to access the Intranet.
  • Do restore data from each system's most recent backup.


Edited by David H. Lipman
Link to post
Share on other sites

  • Root Admin

Hello @Zircuitz

From our Malware Intelligence Team

There exists a decrypter for xtbl extension encrypted files here Decryption Tools  the Shade Decrypter should be able to do it. It would be neat if you could try using it to see if it works against some of your files.  I know you have already paid the ransom but if this decrypter already works, well then no point in capturing the RDP session.

I think for time’s sake, you should just capture the entire session on Wireshark and then you can dig through the capture later.

WireShark RDP capture


There is also a definite risk that the attackers have planted a backdoor in that server. If the nomoreransom website sourced decryption tool works, decrypt the files, transfer them, and flatten the server. (or preserve it for forensic analysis, it depends on what the server was used for and how much money you want to invest in this.)

If you want to capture the RDP sessions, you would also need to examine the network infrastructure and see if there’s a tap/span/mirror port on your switch. Again this assumes it’s not virtualized or a colo. In addition, RDP is not super simple to sniff and replay: RDP Replay

For the sake of brevity, I will assume this is a small website, of a small company. Small enough to not have encountered this kind of problem before. “Backups are a year old” would seem to indicate that. Willingness to pay as well. Does the crime exceed $5000 in cost? Might have to involve authorities. Does the server contain PI or/and SPI? Responsible breach disclosure time. Regardless, once the data is recovered, this box needs to be flattened and rebuilt. It would be a shame to have them just come back in and do this all over again. You can do it right, or you can do it fast.

Thank you again, Ron



Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.