Masterkey infected ransomware

FachryMyID · March 25, 2022, 11:34am

My masterkey and vault file infected with STOP (Djvu) ransomware and it has the extension .mmuz, how to fix it?

SailReal · March 25, 2022, 1:30pm

Hey and welcome to the Cryptomator Community ,

So in the end, you have now encrypted your files twice. The best way to recover from this is to use a backup of your vault or data inside the vault, have you made one?

FachryMyID · March 25, 2022, 1:51pm

I didn’t make the safe twice. vault formed from desktop after update to v1.7 if I remember correctly. So that I have two access namely masterkey and vault.

But the problem is, both files for access (masterkey and vault) are infected with ransomware, so all files have the .mmuz extension. And now I can’t access files encrypted by the cryptomator.

SailReal · March 25, 2022, 1:57pm

Have you saved a recovery key of the vault somewhere? Password And Recovery Key — Cryptomator 1.6.0 documentation
If indeed only the vault config and the masterkey file were encrypted, you could use it to restore the vault.

You don’t use a cloud that could restore an old state of those files or the complete vault?

FachryMyID · March 25, 2022, 2:03pm

Looks like I didn’t generate a recovery key before.

“If indeed only the vault config and the masterkey file were encrypted, you could use it to restore the vault.” Can this be accessed even if the vault and masterkey have the extension .mmuz? Or should I just remove the .mmuz extension?

SailReal · March 25, 2022, 2:18pm

I think it is encrypted so removing the extension shouldn’t be enough but you can check it, open this file in a file browse, if the file contains just garbage it is encrypted, if it shows a structure similar to this, you can remove the extension and you should be able the unlock the vault again:

       │ File: masterkey.cryptomator
   1   │ {
   2   │   "version": 999,
   3   │   "scryptSalt": "tZgjqx/HeP4=",
   4   │   "scryptCostParam": 32768,
   5   │   "scryptBlockSize": 8,
   6   │   "primaryMasterKey": "WGyygnl+wX5xpIZSPli2tNNaKzw026/Ag4D4FBiIzmipuVgMCxe3+w==",
   7   │   "hmacMasterKey": "ZoiQPF3uKhUjOzFKAbgVRycjkffNupKRLkoKsNjOgdej9n4GPr+Msw==",
   8   │   "versionMac": "8zHqJ3l1e+DMGfnPKoXX379yN34ouLgtoJJPDm9B+BA="
   9   │ }

FachryMyID · March 25, 2022, 2:19pm

Thanks, I’ll try. Hope this work.

FachryMyID · March 26, 2022, 12:07pm

I managed to restore the masterkey and vault files (screnshot_5). however when I try to open it, the encrypted files don’t show up on the virtual drive (screenshot_6). When I tried to repair the folder whit Directory Check (screenshot_7), it worked and cryptomator created a CRYPTOMATOR RECOVERY folder with the contents of files I didn’t recognize (screenshot_8).

Screenshot_5

How to fix it?

FachryMyID · March 26, 2022, 12:07pm

Screenshot_6

FachryMyID · March 26, 2022, 12:08pm

Screenshot_7

FachryMyID · March 26, 2022, 12:11pm

Screenshot_8