
C77L/X77C Ransomware (.[<email>].[random 8]; .[ID-random 8][<email>]) Support


70 replies to this topic

#31 rivitna

rivitna

  •  Avatar image
  • Security Colleague
  • 649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 18 August 2025 - 02:48 PM

Yes, this is C77L Ransomware.

You will need AES session keys to decrypt your files.

Those files are encrypted with two AES keys.





#32 quietman7

quietman7

    Bleepin' Gumshoe

  • Topic Starter

  •  Avatar image
  • Global Moderator
  • 65,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:07 PM

Posted 18 August 2025 - 04:25 PM

@Olli325
 
I have merged your topic into the primary support topic for victims of this ransomware.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#33 chzaza

chzaza

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 09 September 2025 - 03:08 PM

Hello,
 
My system was infected with ransomware.  
All my files have been encrypted and the file names look like this:  
example.png.[mrdarkness@onionmail.org].40D5BF0A  
 
The ransom note is called "READ-ME.txt" and includes the email address mrdarkness@onionmail.org.  
 
Inside the encrypted files, the header starts with the text: "EncryptedByC77L".
 
I have attached the ransom note and a sample encrypted file for analysis.  
 
Could you please confirm if there is currently any free decryptor available for this ransomware,  
or if there are any known methods to recover my files?  
 
Thank you very much for your support.
 
READ-ME.txt contents
\\\\ All your files are encrypted...
 
All your files have been encrypted !!!
 
To decrypt them send e-mail to this address : mrdarkness@onionmail.org
 
If you do not receive a response within 24 hours, Send a TOX message
 
TOX ID : 
        B1AEB666CCE5D055BCF87D25DBACF8E82A0B69F5C605F2E133741147C9510908CD8C97DD36C0
 
You can access it from here.
             
             INCASE OF NO PAYMENT IN 48 HOURS, THE PRICE WILL DOUBLE !!
 
\\\\ Your ID :  {40D5BF0A}
 
        Enter the ID of your files in the subject !
 
\\\\  What is our decryption guarantee ?
 
Before paying you can send us up to 2 test files for free decryption !
 
The total size of files must be less than 2Mb.(non archived) !
 
Files should not contain valuable information.(databases,backups) !
 
Compress the file with zip or 7zip or rar compression programs and send it to us!

 




#34 quietman7


Posted 09 September 2025 - 03:17 PM

@chzaza

I have merged your topic into the primary support topic for victims of this ransomware.
 
The contents of your ransom note are similar to what we have seen with other variants of this ransomware.

C77L ransom notes are known to use a Decryption ID which is the same as the [random 8] (volume C serial number) included in the encrypted data file name.

\\\\ Your ID :  {8AA60918}
Your Decryption ID: CE744A63
Your Decryption ID: BAE12624
Your Decryption ID: 80587FD8

Your ransom note includes a Decryption ID like those listed above.

\\\\ Your ID :  {40D5BF0A}

mrdarkness@onionmail.org is on the C77L/X77C Ransomware Attackers Email List 
 
The encryption is secure and the criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible. For now all you can do is back up/save your encrypted data as is and wait for a possible solution at a later time.




#35 chzaza


Posted 09 September 2025 - 03:35 PM

Thank you @quietman7 and the team for your support and clarification.  
I will keep a backup of my encrypted files and follow this thread for any future updates.  
Much appreciated!


#36 quietman7


Posted 09 September 2025 - 04:03 PM

You're welcome.
 
When or if a free (or legitimate paid for) decryption solution is found, that information will be provided in this support topic and victims will receive notification.




#37 quietman7


Posted 23 September 2025 - 07:45 PM

New variant reported with .3yk extension (#Restore-My-Files.txt)

.[ID-80587FD8][Dm_for_decrypt@protonmail.com].3yk



#38 quietman7


Posted 24 September 2025 - 10:42 AM

New variant reported with .BAK extension (#Restore-My-Files.txt)

.109SetupeduBSEntMultanCBk.BAK



#39 tcv212121

tcv212121

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 October 2025 - 10:17 AM

Looks like I have been gotten. Not sure how it got in but it did a number on my system.

 

I think it's Proton and the hacker did send back 3 files that they decrypted. Now my system has had all of the exe's changed and I have to totally wipe and bring back up. I have lost some stuff but have a good amount of backup so, I am comfortable with that. If I understand correctly, there is no tool to handle decryption yet?

 

ransom note contents:

>>> ALL YOUR IMPORTANT FILES ARE STOLEN AND ENCRYPTED <<<

Important:
- We have downloaded your files. Your data will be leaked within the next 72 hours.
- Contact us immediately to prevent data leakage and recover your files.

Your Decryption ID: 9A7BE444

Contact:
- Email-1: Decryptorkrypt@gmail.com
- Email-2: Saveyourdata@tutamail.com

Warning:
- Tampering with files or using third-party tools WILL cause permanent damage.
- Act fast! The price will increase if you delay.

Free Decryption:
- Send 3 small files (max 1MB) for free decryption.
<The test file is your right. And never pay without it because you must first make sure the tool works.>




#40 quietman7


Posted 06 October 2025 - 10:29 AM

@tcv212121

 

You are not dealing with Proton/Shinra.

 

Your screenshot shows the below extension. 

.[ID-9A7BE444][Decryptorkrypt@gmail.com].nb0

The file format looks like a new variant of C77L/X77C Ransomware, most of which will have an .[<email>].[random 8 hex char] or .[ID-random 8 hex char][<email>].[random 3 char] extension appended to the end of the encrypted data filename.

.[ID-BAE12624][recovery-data09@protonmail.com].mz4
.[ID-80587FD8][Dm_for_decrypt@protonmail.com].3yk

C77L leaves files (ransom notes) named #Recover-Files.txt, #Restore-My-Files.txt, READ-ME.txt, READ-ME-Nullhexxx.txt. The contents of your ransom note are similar to what we have seen with other variants of this ransomware.

 

However, these two emails are on both the C77L/X77C Ransomware Attackers Email List and Proton/Shinra Attackers Email List

- Email-1: Decryptorkrypt@gmail.com
- Email-2: Saveyourdata@tutamail.com

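The file-name layouts, note IDs and file header described in this thread can be checked mechanically when triaging an affected share. The Python sketch below is an added example, not part of the original posts or of any BleepingComputer tool; the function names and the exact character classes in the patterns are assumptions, and the header marker comes from a single victim's report above.

```python
import re

# Name layouts as described in this thread; the character classes are assumptions.
EMAIL = r"\[(?P<email>[^\[\]@\s]+@[^\[\]@\s]+)\]"
STYLES = {
    # <name>.[<email>].<8 hex>
    "email.id": re.compile(r"^(?P<orig>.+)\." + EMAIL + r"\.(?P<id>[0-9A-Fa-f]{8})$"),
    # <name>.[ID-<8 hex>][<email>].<3 chars>
    "id.email.ext": re.compile(
        r"^(?P<orig>.+)\.\[ID-(?P<id>[0-9A-Fa-f]{8})\]" + EMAIL + r"\.[0-9A-Za-z]{3}$"),
}
# Both note wordings quoted in the thread: "Your ID :  {X}" and "Your Decryption ID: X"
NOTE_ID = re.compile(r"Your (?:Decryption )?ID\s*:\s*\{?([0-9A-Fa-f]{8})\}?")
MARKER = b"EncryptedByC77L"  # header text reported by one victim in the thread


def parse_name(filename):
    """Split an encrypted file name into original name, victim ID and contact email."""
    for style, rx in STYLES.items():
        m = rx.match(filename)
        if m:
            return {"style": style, "original": m["orig"],
                    "id": m["id"].upper(), "email": m["email"].lower()}
    return None  # e.g. the .BAK variant in the thread does not fit either layout


def note_ids(note_text):
    """Collect every 8-hex-digit ID a ransom note announces."""
    return {i.upper() for i in NOTE_ID.findall(note_text)}


def triage(filename, head=b"", note_text=""):
    """Classify one file: name layout, header marker, and ID agreement with the note."""
    info = parse_name(filename)
    if info is None:
        return None
    info["header_marker"] = head.startswith(MARKER)
    info["id_matches_note"] = info["id"] in note_ids(note_text)
    return info


if __name__ == "__main__":
    # Constructed sample: file name and note line copied from the thread, header bytes made up.
    note = "\\\\\\\\ Your ID :  {40D5BF0A}\n"
    print(triage("example.png.[mrdarkness@onionmail.org].40D5BF0A",
                 MARKER + b"\x00" * 16, note))
```

A file whose name parses but whose ID does not appear in the note found beside it is worth a second look, since the thread states the two normally match.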


#41 tcv212121


Posted 06 October 2025 - 10:43 AM

Thank you so very much. Do you know if there is a tool to help get these back?



#42 quietman7


Posted 06 October 2025 - 02:40 PM

@tcv212121
I have split away (merged) your posting and related comments into the primary support topic for victims of this ransomware.
 
The encryption is secure and the criminal's master private keys (AES session keys) are needed for decryption. Without the criminal's master private keys (session keys), decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (e.g. RSA, AES, Salsa20, ChaCha20, EDA2, ECDH, ECC, ECIES or combination of encryptions) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption. In your case, the criminal's AES session keys are needed to decrypt files.

For now all you can do is back up/save your encrypted data as is and wait for a possible solution at a later time.




#43 gwinn

gwinn

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 13 October 2025 - 03:27 AM

Need help. ID Ransomware cannot identify. All files in NAS don't open.



#44 rivitna


Posted 13 October 2025 - 03:58 AM

C77L ransomware uses this email address



#45 gwinn


Posted 13 October 2025 - 04:14 AM

 SHA1: a07f5a1a4af5cd8f9dea5aed7015ab3c378cfff0





