
Odd File Extension on Corrupted Files


  • This topic is locked
6 replies to this topic

#1 stomanov

stomanov

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 12 March 2015 - 10:51 AM

I'm running Windows 7 and have a number of corrupted files.  They all have an additional extension of ".hybiyuj" and the original extension has been capitalized.  So a file previously named "test.pdf" is changed to "test.PDF.hybiyuj".  Unfortunately, the problem is not simply solved by removing the extension and opening the file as usual.  This has occurred for .pptx, .pst, .doc, .txt etc.  It did not happen to all files on the hard drive, only some folders.

 

Any help is greatly appreciated...


Edited by hamluis, 12 March 2015 - 11:41 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 Javrak

Javrak

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Location:Baton Rouge, Louisiana
  • Local time:06:10 AM

Posted 12 March 2015 - 11:02 AM

Not 100% certain, but it sounds like a crypto variant. Did you happen to notice any .html/.jpg/.txt files mentioning encryption in the folder locations of these files?



#3 stomanov

stomanov
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 12 March 2015 - 11:22 AM

Thanks for the quick reply.  But no, I didn't see any additional files in these locations...



#4 Javrak

Javrak

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Location:Baton Rouge, Louisiana
  • Local time:06:10 AM

Posted 12 March 2015 - 11:37 AM

http://community.spiceworks.com/topic/749297-alert-malware-ransomware-variant-changes-file-extensions-to-random-characters
 

 

Pretty sure this is your issue. I'm unfortunately not qualified enough to identify which variant it is. Though I do find it odd that there are no decrypt instructions in those folders...



#5 stomanov

stomanov
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 12 March 2015 - 12:57 PM

I'll follow these threads and try to figure it out. Thanks for the leads.



#6 Javrak

Javrak

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Location:Baton Rouge, Louisiana
  • Local time:06:10 AM

Posted 12 March 2015 - 04:23 PM

Anytime.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:10 AM

Posted 12 March 2015 - 05:48 PM


The newest variants of CTB Locker typically append encrypted data files with a 6-7 length extension consisting of random characters. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has been seen in combination with KEYHolder, Torrent Locker (fake Cryptolocker) or Cryptowall ransomware. Unfortunately, there is still no known method of decrypting your files without paying the ransom, and with dual infections, that means paying both ransoms.

A repository of all current knowledge regarding this infection is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

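A triage sketch for the naming pattern described in this thread (original extension kept, 6-7 random characters appended), added here as an example and not code from any poster or from BleepingComputer. The lowercase-letter pattern, the extension list, the thresholds and the sample paths are assumptions; it reports which appended extension is shared across file types and which folders are affected.

```python
import ntpath
import os
import re
from collections import defaultdict

# Assumed list of document types worth watching (the thread names pdf, pptx, pst, doc, txt).
KNOWN_EXTS = {"pdf", "pptx", "pst", "doc", "docx", "txt", "xls", "xlsx", "jpg"}

# <name>.<original ext>.<6-7 letters>, e.g. "test.PDF.hybiyuj".
# Assumption: the appended characters are lowercase letters, as in the poster's example.
PATTERN = re.compile(r"^.+\.(?P<orig>[A-Za-z0-9]{2,5})\.(?P<added>[a-z]{6,7})$")

def find_suspect_extensions(paths, min_files=3, min_types=2):
    """Return appended extensions shared by several files of different original types."""
    groups = defaultdict(list)
    for path in paths:
        m = PATTERN.match(ntpath.basename(path))  # ntpath splits on both \ and /
        if m and m["orig"].lower() in KNOWN_EXTS:
            groups[m["added"]].append((path, m["orig"]))
    report = {}
    for added, hits in groups.items():
        types = sorted({orig.lower() for _, orig in hits})
        # One odd file name is noise; many file types sharing one unknown
        # extension is the pattern reported in the thread.
        if len(hits) >= min_files and len(types) >= min_types:
            report[added] = {
                "files": [p for p, _ in hits],
                "types": types,
                "orig_uppercased": all(orig.isupper() for _, orig in hits),
                "folders": sorted({ntpath.dirname(p) for p, _ in hits}),
            }
    return report

def scan(root):
    """Walk a directory tree and apply the check to every file found."""
    walk = os.walk(root)
    return find_suspect_extensions(os.path.join(d, f) for d, _, fs in walk for f in fs)

# Constructed sample listing (not taken from the thread).
SAMPLE = [
    r"C:\Users\a\Documents\test.PDF.hybiyuj",
    r"C:\Users\a\Documents\slides.PPTX.hybiyuj",
    r"C:\Users\a\Mail\archive.PST.hybiyuj",
    r"C:\Users\a\Documents\notes.TXT.hybiyuj",
    r"C:\Users\a\Pictures\holiday.jpg",
    r"C:\Users\a\Downloads\report.doc.backup",  # matches the shape, but a lone file
    r"C:\Users\a\Downloads\data.tar.gz",
]

if __name__ == "__main__":
    for ext, info in find_suspect_extensions(SAMPLE).items():
        print(ext, len(info["files"]), info["types"], info["folders"])
```

`scan(root)` applies the same check to a real directory tree; the list of affected folders helps scope which backups need restoring.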



