HOWDECRYPT



#1 StellaBella

  • Members

Posted 10 December 2013 - 03:32 PM

Hello,

I recently logged on to my Windows 8 computer and noticed that I could no longer open any of my Word files, pictures, etc. There are two new items in each of the document and picture folders titled HOWDECRYPT that provide instructions for decrypting your files by paying $500 to a Tor site. I tried a system restore but the files are still there and I can't open any files. It seems like a ransomware issue but I can't find any information about this particular one that works for removal or restoring my files. Any help or advice would be greatly appreciated.




#2 quietman7

  • Global Moderator

Posted 10 December 2013 - 07:49 PM

It may be a new variant of crypto malware ransomware.

A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

There is also a lengthy ongoing discussion in this topic: Cryptolocker Hijack program.

Since that infection is so widespread, it may be a good idea if you posted a question or comment in that thread as well in case someone else has encountered this particular variant...they may have further suggestions.

However, from what you describe it does not sound like the same malware writers.

What security scans have you tried thus far to remove it?
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7

Posted 10 December 2013 - 08:52 PM

FYI: In Windows 8 the Shadow Volume Copy service has been replaced with File History, a backup application that, if enabled, continuously protects personal files stored in Libraries, Desktop, Favorites, and Contacts folders. If something happens to your personal files, the restore application makes it easy to preview versions of selected files and restore them.
* Protecting user files with File History - Restoring files
* How to Use the File History Feature in Windows 8

#4 StellaBella

Posted 10 December 2013 - 09:00 PM

Thanks! I'll try that. ShadowExplorer got most of my files back a few months ago when this happened before, but the system upgraded to 8.1 between the discovery of this new one and the latest system restore. I'm not sure if ShadowExplorer will still work but I will try to download a new version and try it. I was concerned since I did not see this particular variant anywhere. There is no countdown clock or screen interface. It simply buries itself in every folder with a jpg and notepad file explaining the steps.



#5 mg23

  • Malware Study Hall Junior

Posted 10 December 2013 - 09:11 PM

Thanks! I'll try that. ShadowExplorer got most of my files back a few months ago when this happened before, but the system upgraded to 8.1 between the discovery of this new one and the latest system restore.

A few months ago did the same exact thing happen? The file HOWDECRYPT created?



#6 StellaBella

Posted 10 December 2013 - 09:16 PM

No - I never got a warning or message. The files were just inaccessible. I downloaded ShadowExplorer and recovered about 80% of them. I had read about the ransomware but didn't pursue the idea then because there was no warning or ransom request. Just figured it was one of those weird computer things.



#7 quietman7

Posted 11 December 2013 - 08:58 AM

There are various variants of ransomware going around and we see newer ones all the time. Glad to hear you were able to recover most of your files.

Best Practice to protect yourself with this is backup, backup, backup.

#8 Grinler

  • Admin

Posted 13 December 2013 - 11:36 AM

If anyone has any copies of the infection files, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3

The files that are created for anyone else looking for more information are: howdecrypt.txt and howdecrypt.jpg
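
Added example, not part of the original post or of any BleepingComputer tool: a small Python inventory of which folders contain the note files named above, so that restores from File History or backups can be scoped folder by folder. Counting the other files in those folders as restore candidates is an assumption based on the first post's description, and the sample tree is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Note file names reported in this thread. Matched case-insensitively,
# because the first post writes the name as HOWDECRYPT.
NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.jpg"}

def find_note_folders(root):
    """Return {folder: {"notes": [...], "other_files": n}} for every folder
    under root that holds at least one note file. Folders that cannot be
    read are skipped (the os.walk default)."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if notes:
            hits[folder] = {"notes": notes,
                            "other_files": len(files) - len(notes)}
    return hits

def build_sample_tree(base):
    """Constructed sample data: two folders with notes, one without."""
    layout = {
        "Documents": ["HOWDECRYPT.txt", "HOWDECRYPT.jpg",
                      "report.docx", "budget.xlsx"],
        "Pictures/2013": ["HowDecrypt.jpg", "beach.png"],
        "Music": ["song.mp3"],
    }
    for rel, names in layout.items():
        folder = Path(base, rel)
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).write_bytes(b"")
    return base

def demo():
    """Scan the constructed tree and return results keyed by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        found = find_note_folders(root)
        return {os.path.relpath(k, root): v for k, v in found.items()}

if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(f"{folder}: notes={info['notes']} "
              f"other_files={info['other_files']}")
```

To check a real profile, call `find_note_folders` on the user's folder path and work from a copy or a read-only mount if the disk is being kept for sample submission.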

#9 Grinler

Posted 16 December 2013 - 07:30 PM

We have created a dedicated topic for the HowDecrypt Ransomware. Please post any questions and information about this infection in this topic:

HowDecrypt File Encrypting Ransomware - $500 USD Ransom Information Topic

We are still looking for working file samples. Instructions on how to send them are found in the above topic.



