it seams that we have new Ransomware or something similar arround. Yesterday a client give me a HDD (with windows 7 pro) and all data files (jpg, txt, docx, dbf, zip. rar ...) were encrypted. I don't realy know what was the message they had on screen but he told me that it was asked to pay about 400 euros for decrypton of his data.
Here is what I know until now about the infection.
On one croatian forum http://www.bug.hr/forum/topic/vijesti-by-forumasi/ransomware-napada/223333.aspx they talk about it but no solution jet to decrypt data.
Attack on files was on Wensday 18.03.2015 at about 13:30 on all computers that have reported problem.
The filename is changed in FILENAME.EXTENSION.firstname.lastname@example.org where xxxxxxxxxx is a 10 digit number.
What I can see what is the difference between encrypted and decrypted file.
First 30000 bytes of file are encrypted (7530 HEX)
At the end on the file (after the real end of file) 4 random bytes are added
As for the client most important were DBF files I did some rescue with HxD Hex editor where I replace first 30000 bytes on encrypted file with 30000 bytes from older backup that was not encrypted but it was about 3 month old. Fortunatly, DBF file grove sequentialy so the beginning of file is same on both version of file and now I have some data restored.
Problem is where encrypted DBF file is smaller than 30000 bytes. Then whole file is encrypted so I can't just add the beginnig because don't know if there are some changes from last backup.
I don't know a lot about encrypting and decrypting but if there is someone tkat is interesed in case I have several files before and after encryption.
Thanks in advance.
Edited by ipunis, 22 March 2015 - 11:11 AM.