I had been attacked by ransomware that encrypted many of my documents. My issue is similar to a previous thread started by another user: http://www.bleepingcomputer.com/forums/topic456569.html/page__pid__2726791#entry2726791
I believe the attack occurred on the evening of Saturday, June 9th. My documents (Word, Excel, txt, PDF, JPG, etc.) had been encrypted and they all have a ".crypt" extension at the end. Some of these files reside on my external hard drive, which was connected to my computer at the time. There is a big black popup showing on my desktop and also a "WARNING" file created in each of my affected folders showing the following message:
YOUR ID: 94
YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.
STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.
STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at email@example.com. Indicate your ID in the message
title and provide MoneyPak number.
STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.
Q: How I can make sure that you can really decipher my files?
A: You can send ONE any ciphered file on email firstname.lastname@example.org
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.
Q: Where can I purchase a MoneyPak?
A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.
Q: How do I buy a MoneyPak at the store?
A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
https://www.moneypak.com/StoreLocator.aspx - here you find a store near .
I tried to run a full scan with MS Security Essentials (after updating definitions on June 10) but nothing was detected. I have not attempted to run any tools to remove the virus since then as I'm afraid any changes I make could impact my chance of recovering my files.
At this stage my first and foremost priority is to recover my files to the original state (they include some important work documents and personal photos).
Removal of the virus comes second.
Please let me know if I need to provide any more info. Any help to recover the infected files will be greatly appreciated!