Can I start by singing the praises of BC advisor Didier Stevens on another topic here? I've been hit by a ransomware bug (Don't know which one yet - that's what I'm hoping to find out on this thread!) Didier has spent a lot of time on looking at some of my encrypted files and has successfully recovered some. What a guy!
Basically, earlier in the month I discovered that a load of my JPG and MS office files had changed from standard file extensions to a format like this: CIMG1152.JPG.id-9737394708_help2015@mail
In retrospect we noticed all the files had the same number after the id part of the extension. That seems to be a clue for the ransomware. Needless to say, these cannot now be opened. Didier managed to find the header for the jpegs using a hex editor (I think) and re-save them. This recovered these - but the office docs are really encrypted.
We have been unable to find any ransom note - not that I'd pay it!
I scanned some files on virustotal.com and they came up with a slightly longer filename like this: Michael 21st2 firstname.lastname@example.org Note the .BG extension missing from above. That made more sense as mail.BG is an eastern euro e-mail outfit. Here's the virustotal scan url - https://www.virustotal.com/en-gb/file/7d7ec35f1861e6267bcdc147743fe705e996e75ac8cefe7436f26a514941dd5c/analysis/1443375190/
I run Windows XP on this machine and I have McAfee on board and up to date, so don't know how the bug got in.
Question is - can anyone help me discover if my machine is still infected? McAfee scans all come up clear.
Hoping brighter people than me can help and maybe learn something from this!
Thanks, my friends!
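The post describes two things a responder would want to do systematically rather than by hand: list every file that was renamed with the `<original name>.id-<digits>_<contact>` suffix (grouping by the shared id), and check whether each file's original header (magic bytes) is still in place, which is what made the JPEG recovery described above possible. The script below is an added triage example, not code from the poster or from Didier Stevens; the rename pattern is generalized from the two filenames quoted in the post, the magic numbers are the standard JPEG, OLE and OOXML signatures, and the sample file list is constructed inline. An intact header only means the first bytes survived, not that the whole file is recoverable.

```python
import re
from pathlib import Path

# Rename pattern generalized from the post's examples:
#   CIMG1152.JPG.id-9737394708_help2015@mail
#   <name>.id-9737394708_help2015@mail.BG
RENAME_RE = re.compile(r"^(?P<orig>.+?)\.id-(?P<victim_id>\d+)_(?P<contact>\S+)$")

# Standard file signatures for the affected document types.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) is a zip
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
}


def parse_renamed(name):
    """Split a ransomware-renamed filename into its parts, or None if it does not match."""
    m = RENAME_RE.match(name)
    if not m:
        return None
    orig = m.group("orig")
    return {
        "original": orig,
        "ext": Path(orig).suffix.lower(),
        "victim_id": m.group("victim_id"),
        "contact": m.group("contact"),
    }


def header_intact(ext, head):
    """True/False if the original type's magic bytes are (not) present; None if type unknown."""
    sig = MAGIC.get(ext)
    if sig is None:
        return None
    return head.startswith(sig)


def triage(files):
    """files: iterable of (filename, first bytes). Groups renamed files and checks headers."""
    report = {"renamed": [], "ids": {}, "header_intact": [],
              "header_damaged": [], "unknown_type": []}
    for name, head in files:
        info = parse_renamed(name)
        if info is None:
            continue  # not renamed by the malware; skip
        report["renamed"].append(name)
        report["ids"].setdefault(info["victim_id"], set()).add(info["contact"])
        verdict = header_intact(info["ext"], head)
        if verdict is True:
            report["header_intact"].append(name)
        elif verdict is False:
            report["header_damaged"].append(name)
        else:
            report["unknown_type"].append(name)
    return report


def triage_directory(root):
    """Walk a real directory tree, reading only the first 16 bytes of each file."""
    def heads():
        for p in Path(root).rglob("*"):
            if p.is_file():
                with p.open("rb") as fh:
                    yield p.name, fh.read(16)
    return triage(heads())


# Constructed sample input: filenames modelled on the post, header bytes made up.
SAMPLE_FILES = [
    ("CIMG1152.JPG.id-9737394708_help2015@mail", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.doc.id-9737394708_help2015@mail.BG", b"\x8a\x13\xf4\x02\x91\xc7\x55\xee"),
    ("budget.xlsx.id-9737394708_help2015@mail.BG", b"PK\x03\x04\x14\x00\x06\x00"),
    ("scan.pdf.id-9737394708_help2015@mail.BG", b"\x41\x9c\x02\xd7\x00\x00\x00\x01"),
    ("notes.txt", b"just a normal file"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run `triage_directory(r"D:\Pictures")` (or whatever root holds the affected files) to get the same report over a real tree; a single victim id across every renamed file, as the post observed, shows up as one key in `ids`, and `header_intact` versus `header_damaged` separates files worth trying to repair from those that are encrypted from the first byte.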