
Spamhaus Ransomware Virus - Files Locked


  • This topic is locked
6 replies to this topic

#1 angie111

angie111

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:59 AM

Posted 21 April 2013 - 10:15 PM

We have been dealing with this problem since April 4th, and haven't been able to get this resolved. Pretty sure the virus is gone, but most of our personal files have all been renamed to *.*.html. There are other threads regarding this, but I haven't been able to resolve this by reading them.

 

I originally ran Malwarebytes immediately and also did a Norton scan. A few things were found and quarantined. Nothing gave me access to the files though. After a few days of not being able to figure it out, we took the computer to a repair guy who said he could fix it, but he couldn't. He tried lots of various things, but nothing worked. Then took it to another computer guy who worked on it for several days and still couldn't fix it. There have been a variety of scans from every possible program... none of the decrypt programs work either because they aren't even recognizing that the files are encrypted. They may not be. I'm thinking that there is something in the registry blocking access. Have played with permissions in file properties, but it doesn't help.

 

Really desperate to get access back to the files before we do a complete reinstall. The backup drive was attached, so all of the backups are lost too.

 

I ran the dds scan and zipped the two logs. I will attach. Also have logs from probably a dozen other various scans if needed, or can redo them. Mostly need to get the files back and hoping that it's not too late.  Thanks!

 

 

 


 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:59 AM

Posted 23 April 2013 - 07:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:


m0le is a proud member of UNITE

#3 angie111

angie111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:59 AM

Posted 23 April 2013 - 09:56 PM

Thanks.  I am here. 



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:59 AM

Posted 24 April 2013 - 08:04 PM

I'm sorry to say that there is no unlocker for this ransomware.

 

Unfortunately, at this time there is no decryptor for the files that have been encrypted by this malware. This means that you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versions tab. You will now be shown a screen that lists any previous versions you may have of this file. If you find any, back up the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.

 

Link



#5 angie111

angie111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:59 AM

Posted 24 April 2013 - 08:51 PM

I think that I did try that, but there were no previous versions.  I think they have been wiped out, but I'll recheck.  Are you sure that the files are actually encrypted?  I thought that originally, but I am also wondering if they are just somehow blocked.  Not sure.  If they are encrypted, do you think there will be a program to decrypt them in the near future?  It seems with so many people getting hit with this lately that maybe someone can find a solution. 

 

Does anyone else reading this have any ideas? 

 

Thanks for your help and let me know if you hear of something. 
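
An added example, not part of any post in this thread: one read-only way to triage the question raised above, whether files renamed to `*.html` still carry their original file signature (renamed only) or look like ciphertext. The signature table, the 4096-byte window and the 7.5 bits/byte cut-off are assumptions, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Well-known file signatures, keyed by the extension the file had before ".html" was appended.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
         ".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".doc": OLE2, ".xls": OLE2}
HEAD = 4096          # bytes inspected per file (assumed window)
HIGH_ENTROPY = 7.5   # bits per byte; assumed cut-off for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def original_extension(name: str) -> str:
    """'report.pdf.html' -> '.pdf'; a plain 'page.html' -> ''."""
    p = Path(name)
    if p.suffix.lower() == ".html":
        p = p.with_suffix("")
    return p.suffix.lower()

def classify(name: str, head: bytes) -> str:
    magic = MAGIC.get(original_extension(name))
    # Signature check first: JPEG, DOCX etc. are compressed, so entropy alone misleads.
    if magic and head.startswith(magic):
        return "header-intact"
    if shannon_entropy(head[:HEAD]) >= HIGH_ENTROPY:
        return "likely-encrypted"
    return "inconclusive"

def triage(root: str) -> dict:
    """Classify every *.html file under root. Read-only: nothing is renamed or written."""
    results = {}
    for path in Path(root).rglob("*.html"):
        with path.open("rb") as fh:
            results[str(path)] = classify(path.name, fh.read(HEAD))
    return results

# Constructed sample content (not taken from the thread's attached logs).
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLES = {"report.pdf.html": b"%PDF-1.4\n" + b"constructed body " * 50,
           "photo.jpg.html": PSEUDO_RANDOM,
           "notes.pdf.html": b"<html><body>constructed text</body></html>"}
VERDICTS = {name: classify(name, data) for name, data in SAMPLES.items()}
```

Run `triage()` against a copy of the affected folder rather than the originals; "header-intact" suggests the file was only renamed, while "likely-encrypted" means the expected signature is gone and the leading bytes are statistically close to random.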



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:59 AM

Posted 25 April 2013 - 06:00 PM

Ransomware is nasty but it got worse as they started to encrypt half of the key in such a way that they could leave no trace of the information on your computer and transfer it back to themselves. Previously they left both halves on your machine and it was this which made it decryptable; they learnt from this, unfortunately.

 

This means that there is no way that, if they are really encrypted, the other half of the key can ever be retrieved. With Spamhaus we know that they really do encrypt the files.



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:59 AM

Posted 02 May 2013 - 07:40 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



