Brainless Rookie - Ransomware? What Ransomware?


36 replies to this topic

#16 Didier Stevens

  • BC Advisor
  • 2,444 posts

Posted 27 September 2015 - 11:32 AM

Here is the picture I recovered (I blacked-out the faces):

 

20150927-174803.png


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security


#17 Didier Stevens

Posted 27 September 2015 - 11:34 AM

I suppose that's one of your lost pictures?




#18 Xdivermkv

  • Topic Starter
  • Members
  • 21 posts

Posted 27 September 2015 - 11:47 AM

Yep - That's right. Well done, Didier. My dogs are disappointed they missed their 15 minutes of fame though! Is it possible for me to rescue the others?



#19 Didier Stevens

Posted 27 September 2015 - 11:57 AM

I looked through the file with a hex editor until I recognized byte patterns found in JPEG images. I copied all the bytes I assumed to be part of the picture, saved it in a new file and prefixed that with a JPEG header. And then I could open it with an image viewer.

 

What IT skills do you have? For example, have you ever used a hex editor or the command line?


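The carving step described above (find the surviving JPEG byte patterns, copy everything from there to the end of the image, prefix a JPEG header) can be automated. The following is an added example written for this page; it is not the program Didier says later in the thread that he will write, and nothing here is taken from the ransomware itself. It assumes, based on the post, that the malware overwrote only the first bytes of each picture and left the rest of the file untouched. Instead of eyeballing a hex editor, it looks for the chain of JPEG marker segments (the `FF xx` markers followed by a two-byte big-endian length, as defined in ITU T.81) and accepts a candidate offset only if that chain walks cleanly to the Start Of Scan marker, which keeps a stray `FF` in the overwritten garbage from being mistaken for the image. The sample "JPEG" and the damage applied to it are constructed inline so the demo runs offline; the sample is a structurally valid skeleton, not a decodable photo.

```python
"""Carve a JPEG whose leading bytes were overwritten (added example).

Finds the surviving chain of JPEG marker segments, validates it by walking
segment lengths up to Start Of Scan (FF DA), then writes the chain back out
behind a fresh Start Of Image marker (FF D8): the "prefix a JPEG header" step.
"""
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers followed by a 2-byte big-endian length that counts itself (T.81).
# SOI, EOI and the RSTn restart markers (D0-D7) carry no length field;
# FF 00 is a stuffed data byte and FF FF is padding, never a segment start.
LENGTH_MARKERS = set(range(0xC0, 0xFF)) - {SOI, EOI} - set(range(0xD0, 0xD8))
CANDIDATE_MARKERS = LENGTH_MARKERS | {SOI}
MIN_SEGMENTS = 2  # chained segments required before SOS to trust a candidate


def walk_segments(data: bytes, offset: int):
    """Walk marker segments from `offset`; return (count, scan_data_offset)
    when the chain reaches SOS, else None (a length that points outside the
    file or at a non-marker byte means these are not JPEG segments)."""
    pos, count = offset, 0
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOI:            # an intact SOI simply precedes the chain
            pos += 2
            continue
        if marker not in LENGTH_MARKERS or pos + 4 > len(data):
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return None
        count += 1
        pos += 2 + length
        if marker == SOS:
            return count, pos
    return None


def find_header_tail(data: bytes):
    """Earliest offset whose marker chain walks cleanly to SOS, or None."""
    for offset in range(len(data) - 1):
        if data[offset] == 0xFF and data[offset + 1] in CANDIDATE_MARKERS:
            walked = walk_segments(data, offset)
            if walked and walked[0] >= MIN_SEGMENTS:
                return offset
    return None


def carve_jpeg(data: bytes):
    """Recoverable JPEG bytes, or None when no segment chain survives at all
    (the fully encrypted case: nothing left in the file parses as JPEG)."""
    start = find_header_tail(data)
    if start is None:
        return None
    _, scan_start = walk_segments(data, start)
    eoi = data.find(b"\xff\xd9", scan_start)   # End Of Image, if still there
    body = data[start:len(data) if eoi == -1 else eoi + 2]
    if body[:2] != b"\xff\xd8":
        body = b"\xff\xd8" + body               # re-prefix Start Of Image
    return body


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed baseline-JPEG skeleton for the demo (not a real photo).
    Offsets: SOI 0, APP0 2, DQT 20, SOF0 89, DHT 102, SOS 123, EOI 139."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    dqt = _segment(0xDB, b"\x00" + bytes(range(1, 65)))
    sof0 = _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    dht = _segment(0xC4, b"\x00" + bytes(16))
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\x78"        # FF 00 in scan data is stuffing
    return b"\xff\xd8" + app0 + dqt + sof0 + dht + sos + scan + b"\xff\xd9"


def simulate_overwrite(data: bytes, count: int, fill: int = 0x5A) -> bytes:
    """Constructed damage: clobber the first `count` bytes, the assumed
    behaviour of the ransomware in this thread (modelled on the post)."""
    return bytes([fill]) * count + data[count:]


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: carve_jpeg.py damaged out.jpg
        with open(sys.argv[1], "rb") as f:
            recovered = carve_jpeg(f.read())
        if recovered is None:
            sys.exit("no JPEG segment chain found: file looks fully encrypted")
        with open(sys.argv[2], "wb") as f:
            f.write(recovered)
    else:
        damaged = simulate_overwrite(build_sample_jpeg(), 16)
        print("surviving header tail at offset", find_header_tail(damaged))
        print("recovered", len(carve_jpeg(damaged)), "bytes")
```

Two caveats a practitioner would check before trusting the output. First, `carve_jpeg` returning None on a file is the quick test for the distinction made later in the thread between a picture that was merely obfuscated and a document that was really encrypted: if no marker chain survives, there is nothing to carve. Second, prefixing only `FF D8` is enough when the overwrite stopped inside the leading APP0/APP1 segments; if it reached into the quantization (DQT) or Huffman (DHT) tables, the carved file will have valid structure but will not decode, and those tables would have to be borrowed from an undamaged photo taken with the same camera and settings.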


#20 Xdivermkv

Posted 27 September 2015 - 12:17 PM

I'm reasonable as a user and understand the math/workings of hexadecimal numbers as regards data and addresses etc. I have basic MS-DOS from years back, but that's about it. So I'm guessing it's not going to be that easy? I don't know how to access a hex editor and wouldn't know what patterns to look for, sadly. Ah well.



#21 Didier Stevens

Posted 27 September 2015 - 12:27 PM

We'll work out a solution so that you can recover your pictures.

 

Meanwhile, can you upload another picture to VirusTotal so that I can check if it is obfuscated in the same way?

Please report the VirusTotal report link here.




#22 Xdivermkv

Posted 27 September 2015 - 12:31 PM

Good man! I'll do the VirusTotal thing. Also some Word documents. Thanks!



#23 Xdivermkv

Posted 27 September 2015 - 12:39 PM

https://www.virustotal.com/en-gb/file/7d7ec35f1861e6267bcdc147743fe705e996e75ac8cefe7436f26a514941dd5c/analysis/1443375190/

 

https://www.virustotal.com/en-gb/file/d8c959b9952533653d8be48aa6968af5cb5c9edd503f2c0ef807877fc35f77fb/analysis/1443375515/



#24 Didier Stevens

Posted 27 September 2015 - 01:26 PM

I can recover the other picture too.

Not the doc file, though. That one is really encrypted.

 

With the files you gave me it is clear to me now that your machine was hit by ransomware. So it was infected, and may still be infected.

I suggest you start a new post in http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ to have your machine checked for malware.

 

To recover your pictures: are all your ransomed pictures in the same folder?




#25 Xdivermkv

Posted 27 September 2015 - 02:56 PM

Thanks Didier

 

The infected pics are spread over about 6 directories, but I can move them into a single folder if it would help. There is nothing in the word docs I really need or don't have backed up. Also - The other thread seems to be locked. I'll check back.


Edited by Xdivermkv, 27 September 2015 - 03:02 PM.


#26 Xdivermkv

Posted 28 September 2015 - 12:48 PM

Hi Didier

 

I have all the infected pictures in a single folder now. I've searched thoroughly and can find no ransom note. Not that I'd pay it! I await your instructions O guru! :0)



#27 Didier Stevens

Posted 28 September 2015 - 01:52 PM

I'll write a Python program to recover the files. Might take a few days before I find the time.

You will need to install Python 2 to be able to run the program.

But we'll do that when I've written the program.




#28 Xdivermkv

Posted 28 September 2015 - 02:05 PM

Thanks, mate. I won't bother you again till I hear from you. Best wishes, Steve



#29 Didier Stevens

Posted 28 September 2015 - 02:08 PM

No problem. But the fall is a busy period for me: attending conferences and providing training.




#30 Xdivermkv

Posted 11 October 2015 - 06:38 AM

Hi Didier

 

Sorry to trouble you - Have you had time to consider writing that bit of code to recover my pictures yet? IDTool.exe has not found any infection on my machine and I've had no further trouble to date. Would just be nice to have those pictures back as they are personal things like my wife's graduation and some stuff with my father-in-law who passed recently. Sorry to be a bother, but I guess you're my only hope at the moment. Thanks for considering it anyway.

 

Best regards,

 

Steve





