So a client got a crypto variant on a computer that was not being backed up. Right now I am having issues identifying the version they got. It came in an email claiming to be an invoice and was a .zip file. They have DECRYPT_INSTRUCTIONS.html, which is a very plain HTML page with an onion.nu link and an alternate TOR link plus instructions. It wants 2 BTC for payment. None of the files have their extensions changed from what I can see. What is the best way to identify this version to see if there's a solution besides payment (unlikely, I know)?
EDIT: There is an xyz.ps1 file that seems to be the source of the encryption.
Edited by Cinara, 23 October 2015 - 02:42 PM.