C77L/X77C Ransomware (.[<email>].[random 8]; .[ID-random 8][<email>]) Support

Any files that are encrypted with C77L/X77C Ransomware will have an .[ID-random 8 char][<email>.[random 3 char], an .[<email>].[random 8 char], or a .[random 10].[random 8 char] extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) named #Recover-Files.txt, #Restore-My-Files.txt, READ-ME.txt, READ-ME-Nullhexxx.txt.  These are some examples.

.[ID-BAE12624][recovery-data09@protonmail.com].mz4
.[ID-80587FD8][Dm_for_decrypt@protonmail.com].3yk
.[ID-9A7BE444][Decryptorkrypt@gmail.com].nb0
.[ID-646633FB][carolcarol0014410@gmail.com].1qb
.[ID-8430E697][SuppDecFile@gmail.com].958
.[ID-C282F1FD][Evoteam.sup@gmail.com].14z
.[ID-C4D676C5][SuppDecFile@gmail.com].9pf
.[nullhex@2mail.co].8AA60918
.[mrdarkness@onionmail.org].40D5BF0A 
.p9MQBw6X.OXOfUbfa

The [random 8 char] is the 32-bit serial number of volume C and crypto scheme is: AES-256 CBC - RSA-2048. The criminal's AES session keys are needed to decrypt files.
 
Inside the encrypted files, the header starts with the text: "EncryptedByC77L", "LockedByX77C" or "EncryptRansomware"
 
C77L ransom notes are known to include a Decryption ID which is the same as the [random 8 char] (volume C serial number) found in the encrypted data file name.

\\\\ Your ID :  {8AA60918}
Your Decryption ID: 40D5BF0A
Your Decryption ID: CE744A63
Your Decryption ID: BAE12624
Your Decryption ID: 80587FD8

C77L Ransomware Attackers Email List by rivitna (Andrey Zhdanov).

Hello everyone! A couple of days ago, 2 servers and one computer were encrypted at night by an unknown encryptor. If someone can help with decryption, I am attaching files from two servers.

It's C77L ransomware

https://github.com/f6-dfir/Ransomware/tree/main/C77L

Crypto scheme:

AES-256 CBC - RSA-2048

.[nullhex@2mail.co].8AA60918 
  
READ-ME-Nullhexxx.txt contents

\\\\ All your files are encrypted...
All your files have been encrypted !!!
To decrypt them send e-mail to this address : nullhex@2mail.co
If you do not receive a response within 24 hours, Send a TOX message
TOX ID : 
        5551C47D78A6C295B805270C49D6C072095ABD5A1CD2545F1EABAA773CBF6A1C8231E8BF49CE
You can access it from here.
https://tox.chat
\\\\ Your ID :  {8AA60918}
        Enter the ID of your files in the subject !
\\\\  What is our decryption guarantee ?
Before paying you can send us up to 2 test files for free decryption !
The total size of files must be less than 2Mb.(non archived) !
Files should not contain valuable information.(databases,backups) !
Compress the file with zip or 7zip or rar compression programs and send it to us

Since there is no existing support topic for this ransomware, I have changed the title to designate this one as such in order to direct other victims here.

8AA60918 - serial number of volume C

Edited by Amigo-A, 04 May 2025 - 12:36 PM.

I'm quite aware of that

https://github.com/rivitna/Malware/blob/main/Proxima/attackers.txt

Edited by rivitna, 04 May 2025 - 02:38 PM.

Please decrypt it

Maybe you missed this.

Crypto scheme:
AES-256 CBC - RSA-2048

That means it is secure and the criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible.

Please decrypt it

Unfortunately, session AES-256 keys are needed for decryption.

It is currently impossible to bruteforce them or factorize the RSA-2048 key

Edited by rivitna, 04 May 2025 - 06:47 PM.

They are scammers. Ransomware victims should ignore all Internet web searches which provide numerous links to bogus and untrustworthy ransomware removal guides, including Facebook and YouTube videos, many of which falsely claim to have decryption solutions.  Do not let yourself be victimized twice.

For more information, read What we know about those who claim they can decrypt data (Post #2), including scammers, the criminals and data recovery services.

This is what I tell victims.
 
Imaging the hard drive backs up everything related to the infection including all encrypted data, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is ever discovered in the future. The encrypted files and ransom note text files do not contain malicious code so they are safe to back up.
 
Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive with a fresh install of Windows. If a future decryption solution is ever found or the criminals arrested and master keys are seized and released to allow creation of a public decryptor, victims will have the original hard drive to restore their encrypted data.