I wasn't able to locate anything via Google, and so was unable to "decrypt" the files (password-protected RARs).
The customer ended up paying these scum.
Has anyone seen this variant before (and knows the password by chance)?
Update - the e-mail address listed on the infection is down and the customer is unable to access via phone. We're proceeding with infection removal, but are nowhere with the password to return the customer's files to their original state.
Edited by lupinezero, 12 March 2012 - 04:34 PM.