Decrypt Protect/DirtyDecrypt Ransomware Support and Help Topic


153 replies to this topic

#1 DharmaRakshit

  • Members
  • 4 posts

Posted 15 May 2013 - 09:16 PM

Looks like there is a new variant - Decrypt Protect Ransomware - seems to be a new Police trojan that's directly related to previous Police trojans like FBI MoneyPak Ransomware, ACCDFISA Protection Program Ransomware, and Spamhaus Ransomware. Norton or Microsoft did not stop it.
Although I was able to run Norton Eraser and remove it, the files are all encrypted with a .html extension.
When clicked, it takes me to the web page below. Any advice on how to decrypt the files?
 
 
[image: decryptprotectransomware_img1.png]

Edited by Orange Blossom, 15 May 2013 - 10:12 PM.
Removed links. ~ OB




#2 corruptcorey

  • Members
  • 1 posts

Posted 16 May 2013 - 08:15 AM

I'm in the same boat.  If you rename the file back to a .doc (or whatever native format it was in before) it opens blank. I open the document in Notepad++ and the first line is the obvious redirect link to their website. The rest is garbage. Check the Pastebin below.

 

http://pastebin.com/hJ4fh0Xb

 

Anyone recognize the format, and how to convert it back? The user I'm doing this for doesn't have a recent backup.



#3 Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:Germany

Posted 16 May 2013 - 10:19 AM

Anyone recognize the format, and how to convert it back? The user I'm doing this for doesn't have a recent backup.

The format is most likely a custom homebrew format, so without the actual malware executable that encrypted the files it will be rather difficult to decrypt them. Are the malware files still on the system? If so, can you please upload them here:

 

http://www.bleepingcomputer.com/submit-malware.php?channel=140

 

That way I can take a look at them and give you a more definitive answer whether or not the encryption can be reversed :).


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#4 reundoer

  • Members
  • 4 posts

Posted 16 May 2013 - 01:45 PM

I uploaded an original and an encrypted version. As you'll notice, the file is appended with .html and then inside the file itself there is code added: HTML headers at the beginning and EOF, and then the data is commented out (and encrypted). Just removing the inserted code yields no beneficial results.
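The wrapper layout reundoer describes (HTML header, commented-out data, HTML footer) suggests a quick triage check; the following is an added example, not code from the thread or from any product mentioned in it. It strips the wrapper from a constructed sample and then tests whether the remaining bytes still begin with a known document signature or instead show the near-uniform byte distribution of ciphertext, which is the fastest way to confirm that removing the inserted code alone recovers nothing. The redirect URL, the comment-marker layout and the sample bytes are all constructed assumptions, not the real malware's format.

```python
import math
import random

# Magic bytes that an intact office document payload would begin with.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP container (.docx/.xlsx)",
    b"%PDF": "PDF",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def strip_html_wrapper(blob: bytes) -> bytes:
    """Return the bytes between the first '<!--' and the last '-->' (outermost
    markers, so binary payload bytes that happen to spell '-->' do not truncate it)."""
    start, end = blob.find(b"<!--"), blob.rfind(b"-->")
    if start == -1 or end == -1 or end <= start:
        return blob  # no wrapper present; hand the data back unchanged
    return blob[start + 4:end]

def triage(blob: bytes) -> dict:
    """Strip the wrapper and report whether what remains is a document or ciphertext."""
    payload = strip_html_wrapper(blob)
    fmt = next((name for magic, name in MAGIC.items() if payload.startswith(magic)), None)
    ent = shannon_entropy(payload)
    return {"detected_format": fmt, "entropy": round(ent, 2),
            "looks_encrypted": fmt is None and ent > 7.0}

# Constructed samples (not real ransomware output): a redirect header, a
# commented-out payload and a closing footer, mirroring the post's description.
_HEAD = b'<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/"></head><body><!--'
_TAIL = b"--></body></html>"
_rng = random.Random(7)  # fixed seed stands in for ciphertext
ENCRYPTED_SAMPLE = _HEAD + bytes(_rng.getrandbits(8) for _ in range(4096)) + _TAIL
WRAPPED_ONLY_SAMPLE = _HEAD + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Hello " * 500 + _TAIL

if __name__ == "__main__":
    print("encrypted-looking sample:", triage(ENCRYPTED_SAMPLE))
    print("merely wrapped sample:   ", triage(WRAPPED_ONLY_SAMPLE))
```

Run against a real sample pair (original from backup, .html version), the second case is what you would hope to see; the first is what the thread reports.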



#5 DharmaRakshit

  • Topic Starter

  • Members
  • 4 posts

Posted 16 May 2013 - 02:20 PM

I also have an encrypted file and the original file from backup and can upload the files. Same here: the link to the MLB site and code is added. The rest of the data is encrypted.

Let me know if I need to upload sample files here.

DharmaRakbleep



#6 jfh2112

  • Members
  • 8 posts

Posted 16 May 2013 - 02:42 PM

I have a user that got hit with this yesterday, and I'd cleaned the system before I realized that her files were encrypted. I have encrypted files I can submit, if that will help.



#7 pipwillow

  • Members
  • 6 posts

Posted 16 May 2013 - 03:23 PM

I am in the same boat. I am a total newbie to this kind of thing. I do have some examples of the same files before and after encryption, and there are also some random files in the same folders that seem to have been spared the encryption; I don't know if those could yield any help.

 

I had to go ahead and get rid of the virus, as I wouldn't be able to do anything without getting the computer up and running, but I have left the rest of my files, now with .html file extensions, in the exact places they were. I also noticed that my system restore points are gone along with everything else; is it possible the backups have themselves had the .html extension applied? Thanks for all your help.



#8 the wedge

  • Members
  • 7 posts

Posted 16 May 2013 - 04:30 PM

I have been working on this on my computer for 3 days. I have gotten nowhere.


Edited by the wedge, 16 May 2013 - 06:13 PM.


#9 the wedge

  • Members
  • 7 posts

Posted 16 May 2013 - 05:16 PM

I downloaded SpyHunter 4 from this site. Said it was free. Then asked for money to remove the infection. Not any different than the Decrypt Protect virus. How do I know that it would fix the virus?


Edited by the wedge, 16 May 2013 - 05:17 PM.


#10 DharmaRakshit

  • Topic Starter

  • Members
  • 4 posts

Posted 16 May 2013 - 06:12 PM

I uploaded the encrypted file on

http://www.bleepingcomputer.com/submit-malware.php?channel=140. It has the header and the encryption.

 

Let me know if you could find anything or come up with a process to break the encryption. Panda tools did not work.

-DharamaRakbleep



#11 pipwillow

  • Members
  • 6 posts

Posted 16 May 2013 - 06:50 PM

I've just had a thought....now there are a few of us on here with the same problem....

 

would there be a benefit if we all submitted a "quantifiable" file that is native to all of our setups? For instance, I notice my default Windows user icon is no longer present; I am guessing this is because it has been encrypted with the .html extension/encryption....

 

so, if we as different users all manage to send a common file that is native to a regular Windows install....would this help someone with more encryption knowledge than me work out what parts change and what stays the same between each of our files, and if this does/doesn't relate to our "customer number" within the encrypted file?

 

just a thought?



#12 DharmaRakshit

  • Topic Starter

  • Members
  • 4 posts

Posted 16 May 2013 - 08:48 PM

I think it is a good idea to send a common file. I too see my default Windows user icon gone.

Can someone advise which files we should send?



#13 the wedge

  • Members
  • 7 posts

Posted 16 May 2013 - 09:07 PM

DharmaRackbleep, I sent a file to the web site.



#14 the wedge

  • Members
  • 7 posts

Posted 16 May 2013 - 09:08 PM

Does anyone know what happens if time runs out?



#15 benny1414

  • Members
  • 6 posts

Posted 17 May 2013 - 09:32 AM

I realize that the likelihood of this is very low, but does anyone know if anything happens when you pay? I gave a fake MoneyPak number to see what it would do (14 numeric digits) and it took me to a page where it said that once the payment cleared (which it obviously never did) I would get a pop-up for a downloadable executable to unlock my files.

 

I did not fall off the turnip truck yesterday and I realize that it would probably never happen, but if there was a chance that this was a true extortion attempt and not just a scare tactic, I would pay $300 to have my files back.





