
Hit by some type of ransomware


22 replies to this topic

#1 modernprimitive (Members, 10 posts)

Posted 29 November 2015 - 04:06 PM

First off, I would like to say thank you to all who are working to recover files for all of us. I really have no idea which version of encryption virus I got hit with. All I know is that it has corrupted most of my files. I didn't get a ransom notice when attempting to open a jpg, pdf, docx, or mp4. It just doesn't open. I didn't know these viruses even existed. Everything I had ever read about would overwrite your hard drive, corrupt your drive, cause it to crash, etc. So having a backup on another drive had always been adequate for me. I never thought to back up to a DVD, or flash storage. I planned for hard drive crashes, not encryption. I have tried a couple of different programs that claim to recover data, but so far nothing has worked for me. If I lose most of the data then it will suck, and be very inconvenient, but the photo memories are what I'm most concerned with. Any and all help/advice will be appreciated. Thank you again for doing this. You guys are awesome.




#2 quietman7, Bleepin' Janitor (Global Moderator, 51,287 posts, Virginia, USA)

Posted 29 November 2015 - 05:22 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .CTBL, .CTB2, .crinf, .XTBL, .encrypted, .crypt, .EnCiPhErEd, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you look for any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.txt
How_To_Recover_Files.txt, ReadDecryptFilesHere.txt, Help_Decrypt.txt, About_Files.txt
RECOVERY_FILES.txt, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
HOWTO_RESTORE_FILES_*****.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
RECOVERY_FILE_*****.txt, restore_files_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
how_recover+***.txt, recover_file_*****.txt (where * are random characters)
Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
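The identification steps in the reply above (look for appended extensions, then for ransom note names with random suffixes) can be turned into a quick triage scan. This is an added example, not code from the forum or from IDTool; the extension set and note patterns are the ones quoted in the reply, the sample file list is constructed, and the function names are the author's own.

```python
import fnmatch
import os
from collections import Counter

# Extensions and ransom note names from the reply above; "*" stands for the
# random characters the reply describes. Matching is case-insensitive.
KNOWN_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".ctbl", ".ctb2", ".crinf", ".xtbl", ".encrypted", ".crypt",
    ".enciphered", ".vault", ".ha3", ".toxcrypt",
}
NOTE_PATTERNS = [
    "HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HELP_RESTORE_FILES.txt", "HELP_TO_SAVE_FILES.txt", "RECOVERY_KEY.txt",
    "DecryptAllFiles.txt", "DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT",
    "HOW_TO_DECRYPT_FILES.txt", "How_To_Recover_Files.txt", "About_Files.txt",
    "ReadDecryptFilesHere.txt", "RECOVERY_FILES.txt",
    "encryptor_raas_readme_liesmich.txt", "DecryptAllFiles_*.txt",
    "HOWTO_RESTORE_FILES_*.txt", "RECOVERY_FILE_*.txt", "restore_files_*.txt",
    "howto_recover_file_*.txt", "_how_recover_*.txt", "how_recover+*.txt",
    "recover_file_*.txt",
]

def classify_name(name):
    """Return ("note", pattern), ("encrypted", ext) or None for one file name."""
    lower = name.lower()
    for pattern in NOTE_PATTERNS:
        if fnmatch.fnmatchcase(lower, pattern.lower()):
            return ("note", pattern)
    ext = os.path.splitext(lower)[1]          # last extension only, e.g. ".vvv"
    return ("encrypted", ext) if ext in KNOWN_EXTENSIONS else None

def summarize(paths):
    """Ransom notes found (path, matched pattern) and a count per extension."""
    notes, extensions = [], Counter()
    for path in paths:
        hit = classify_name(os.path.basename(path))
        if hit and hit[0] == "note":
            notes.append((path, hit[1]))
        elif hit:
            extensions[hit[1]] += 1
    return {"notes": notes, "extensions": dict(extensions)}

def scan_tree(root):
    """Walk a folder such as C:\\ProgramData or a whole drive and summarize it."""
    return summarize(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

# Constructed sample paths standing in for a walk of an infected drive.
SAMPLE = ["C:/Users/me/Pictures/HELP_DECRYPT.TXT", "C:/Users/me/Pictures/photo.jpg.vvv",
          "C:/Users/me/Docs/test.psd.vvv", "C:/Users/me/Docs/report.docx.ccc",
          "C:/Users/me/Docs/notes.txt", "C:/ProgramData/howto_recover_file_ab12cd.txt"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run `scan_tree("C:/")` on the affected machine to get the same summary for a real drive; the extension counts tell you whether files were renamed at all, and the matched note pattern is what you compare against the lists in this thread.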

#3 modernprimitive, Topic Starter (Members, 10 posts)

Posted 01 December 2015 - 02:08 AM

What I kept seeing were files that said decrypt.exe, decrypt.html, and decrypt.txt, showing up in every folder on every drive. SuperAntiSpyware, Malwarebytes Anti-Malware, and Trend Micro HouseCall couldn't get rid of them all. The first two didn't find them, and HouseCall kept crashing during the removal process. I manually searched for those decrypt files, and deleted 36,000+ of them, then ran scans again. HouseCall found more, and was able to remove them without crashing. But by the time I had noticed them, and was able to get rid of them, they had already damaged most of my data. I never actually saw a ransom note show up in place of a document or jpg. So I have no idea what it's called. I googled decrypt.exe and kept finding DirtyDecrypt, but that's it. I compared two of the same file, one that was corrupted and one that wasn't. When I open the jpgs in Notepad, instead of looking like a normal jpg in Notepad, the corrupted one appears to be in Chinese. I don't know if that is of any help/use to you.



#4 quietman7, Bleepin' Janitor (Global Moderator, 51,287 posts, Virginia, USA)

Posted 01 December 2015 - 06:39 AM

I provided examples of ransom note names in my first reply. I have not heard of a decrypt.html and decrypt.txt so you may be dealing with something new.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

#5 Grinler, Lawrence Abrams (Admin, 43,542 posts, USA)

Posted 01 December 2015 - 08:58 AM

Yes, please submit a copy of the decrypt.exe, decrypt.html, and decrypt.txt files so we can take a look.

As QM stated you can submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=3

#6 modernprimitive, Topic Starter (Members, 10 posts)

Posted 01 December 2015 - 02:08 PM

Thanks for the quick response. I think I have managed to hunt down and destroy all copies of the "decrypt" files. Sorry. I thought it was just another replicating virus and needed to be deleted and that was it. It wasn't until after I deleted it that I realized I couldn't open anything else. I can submit a corrupt jpg and an uncorrupted backup of the same jpg if that would help at all. I will also keep looking for any more signs of the "decrypt" files.



#7 Grinler, Lawrence Abrams (Admin, 43,542 posts, USA)

Posted 01 December 2015 - 02:25 PM

No chance you have them in the recycle bin? The decrypt files would be the most helpful.

Any idea how you were infected?

#8 1dunn0 (Members, 9 posts)

Posted 02 December 2015 - 04:20 AM

Damn, this thing is a nasty business. I have been running a decryption for 2 days now on this .vvv type of ransomware and I found instructions for it on the web. The thing is that I do not have a backup set up, unfortunately, and I still haven't managed to decrypt anything. I advise trying with different files, since it may use different encryption strength depending on the file extension. Here is more info I found with instructions:
 
<removed>

I think this might work, but if you have any ideas to decrypt faster can you please share?

Mod Edit by quietman7: link to non-Bleeping Computer malware removal guide disabled per this policy.

Edited by Grinler, 02 December 2015 - 09:26 AM.
Removed link that wont help.


#9 quietman7, Bleepin' Janitor (Global Moderator, 51,287 posts, Virginia, USA)

Posted 02 December 2015 - 06:50 AM

@1dunn0

Further, you posted in the wrong topic, as you are dealing with a newer variant of TeslaCrypt/Alpha Crypt. Any files that are encrypted with the newer variant of TeslaCrypt will have the .vvv extension appended to the end of the filename. There is an ongoing discussion in this topic where you can ask questions and seek assistance.

#10 modernprimitive, Topic Starter (Members, 10 posts)

Posted 02 December 2015 - 02:41 PM

Did a recovery scan, and it found some jpgs with the ransomware info. It says that I've been hit by CryptoWall 3.0. All hope for me getting back my info is now lost.

I have no idea how I got infected. I've been at work so much that I barely have time to check my work email, let alone my personal account. I don't open attachments unless they come from a friend, and even then, if it's a forwarded attachment, I still don't open them. The only thing I've downloaded lately were some episodes of a TV show that my DVR didn't record all of. I am really lost on how I got this virus.



#11 Grinler, Lawrence Abrams (Admin, 43,542 posts, USA)

Posted 02 December 2015 - 02:53 PM

It could very well be CryptoWall 3.0, which you were infected with through an exploit kit when browsing the web. Unfortunately, there is nothing we can do about CryptoWall.

#12 Ageel (Members, 1 post)

Posted 02 December 2015 - 04:33 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .CTBL, .CTB2, .crinf, .XTBL, .encrypted, .crypt, .EnCiPhErEd, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you look for any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:

HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTION.TXT
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, encryptor_raas_readme_liesmich.txt
About_Files.txt, DecryptAllFiles_<user name>.txt, ReadDecryptFilesHere.txt
RECOVERY_FILES.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
Recovery_File_*****.txt, restore_files_*****.txt (where * are random characters)
recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.

 

Got files that now have .vvv appended to the file extensions (eg. test.psd is now test.psd.vvv).  Any suggestions on removal tools?



#13 quietman7, Bleepin' Janitor (Global Moderator, 51,287 posts, Virginia, USA)

Posted 02 December 2015 - 05:48 PM

Got files that now have .vvv appended to the file extensions (eg. test.psd is now test.psd.vvv).  Any suggestions on removal tools?

You are dealing with a newer variant of TeslaCrypt/Alpha Crypt. Please read this BC news article. There is an ongoing discussion in this topic where you can ask questions and seek assistance.

#14 modernprimitive, Topic Starter (Members, 10 posts)

Posted 06 December 2015 - 03:00 PM

It could very well be cryptowall 3.0, which you were infected with through an exploit kit when browsing the web. Unfortunately, nothing we can about CryptoWall.

That's unfortunate. I've lost everything. And why? Because someone knows how to write a virus, and decides to disrupt or ruin people's lives for profit?



#15 quietman7, Bleepin' Janitor (Global Moderator, 51,287 posts, Virginia, USA)

Posted 07 December 2015 - 08:04 AM

...that's unfortunate. I've lost everything. And why? Because someone knows how to write a virus, and decides to disrupt or ruin people's lives for profit?

The only other alternative is to save your data as is and wait for a possible breakthrough. Meaning, what seems like an impossibility at the moment (decryption of your data) may someday have a solution, so there is always hope; save the encrypted data and wait until that time.