
Encrypted Files



#1 Flyboy6jz


Posted 09 August 2014 - 12:23 PM

An attorney client of mine came in Monday morning and found his .doc, .wpd, and .pdf files all encrypted. I had set him up a Synology NAS back in November and began to use Glacier Backup. I also read on Monday about the SynoLocker attack on Synology NAS devices. Indeed, the operating system DSM 4.3-3810 was what we (my client) were running. I never saw any type of ransom note or announcement that we had been hacked. However, the many thousands of files residing on the server had been changed to a date of 8/4/2014 and attempts to open them only resulted in a request for the file to first be converted. Seeing the newly dated files, the Glacier Backup from the previous day had already been busy updating its locker with the now corrupted files.

 

I have restored what good files I can, but many important files had only the encrypted backup files. I read on this forum yesterday a quite lengthy and informative discussion about recovering encrypted files and I downloaded the Anti-CryptorBitv2.zip file and attempted to recover my bad files. Still no positive results. I do have the folks at Synology looking into this, but so far, nothing. My client was asking about the ransom, ready to pay, to recover his very important client files.

 

If not a SynoLocker attack, does anyone have any idea what it could be and how I can recover these files?





#2 quietman7


Posted 09 August 2014 - 07:49 PM


Bleeping Computer's SynoLocker ransomware topic is here.

A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

CryptoLocker is a ransomware program that will scan all physical or mapped network drives on your computer and encrypt files with the following extensions using a mixture of RSA & AES encryption.
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.


A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

CryptorBit (HowDecrypt) is a ransomware program that encrypts any data file it finds regardless of the file type or extension (i.e. JPG, PST, MP3, PDF, .DOC, .XLS, .XLSX, .PPTX, and .DOCX documents). When it encrypts a file, CryptorBit (HowDecrypt) will create a HowDecrypt.txt file and a HowDecrypt.gif in every folder that a file was encrypted. The GIF and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.


A repository of all current knowledge regarding CryptoDefense is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

CryptoDefense is a ransomware program that encrypts data files such as text files, image files, video files, and office documents using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods...CryptoDefense will create a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom. Though this infection has numerous similarities to CryptoLocker or CryptorBit, there is no evidence that they are related.


A repository of all current knowledge regarding CryptoWall is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

CryptoWall is essentially a new variant of CryptoDefense.
- ransom is $1000 USD.
- leaves files named DECRYPT_INSTRUCTION:
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL


A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

CTB Locker (Critroni, Onion) will encrypt all data files and rename them as a file with a .CTBL extension.
- Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder.
- Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.


Once you have identified which particular ransomware you are dealing with, we can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
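
The file-name indicators listed in the reply above can be checked across a whole share in one pass. The script below is an added example, not part of the original thread or of any BleepingComputer tool; the function names, the case-insensitive matching and the sample files are assumptions made for illustration. It also counts files per modification date, since the first post reports thousands of files re-dated to a single day.

```python
import os, re, tempfile, time
from collections import Counter

# File-name indicators as listed in the reply; case-insensitive matching is an assumption.
INDICATORS = {
    "CryptorBit (HowDecrypt)": r"HowDecrypt\.(txt|gif)",
    "CryptoDefense": r"How_Decrypt\.(txt|html)",
    "CryptoWall": r"DECRYPT_INSTRUCTION\.(txt|html|url)",
    "CTB Locker (Critroni)": r"AllFilesAreLocked .+\.bmp|DecryptAllFiles .+\.txt|.+\.ctbl",
}
COMPILED = {fam: re.compile(rf"^(?:{pat})$", re.I) for fam, pat in INDICATORS.items()}

def classify(name):
    """Return the family whose indicator matches this file name, else None."""
    for family, pattern in COMPILED.items():
        if pattern.match(name):
            return family
    return None

def triage(root):
    """Walk root; count indicator hits per family and files per modification date."""
    hits, dates = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = classify(name)
            if family:
                hits[family] += 1
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: skip the date, keep any name hit
            dates[time.strftime("%Y-%m-%d", time.localtime(mtime))] += 1
    return hits, dates

def demo():
    """Constructed sample share: two documents plus CryptoWall-style note names."""
    with tempfile.TemporaryDirectory() as root:
        stamp = time.mktime((2014, 8, 4, 12, 0, 0, 0, 0, -1))  # noon, local time
        for name in ("brief.doc", "lease.pdf", "DECRYPT_INSTRUCTION.TXT",
                     "decrypt_instruction.html"):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (stamp, stamp))
        return triage(root)

if __name__ == "__main__":
    hits, dates = demo()
    print(dict(hits), dates.most_common(1))
```

An empty hit count together with one dominant modification date matches the situation in the first post, where no ransom note was found; the families above are only the ones this reply lists.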