I'm coming here asking desperately for help. One of the computers at a friend's office got infected with one of these Cryptolocker viruses, so he doesn't have access to any of the crucial files like databases, docs, pdfs... and the network shared folders got infected too.
He doesn't have a backup so he is really screwed so far.
All the infected files got an extension .bleep added to them (example: document.pdf.bleep), and he has two files in every infected folder: FILESAREGONE.TXT and IHAVEYOURSECRET.KEY.
The text inside the IHAVEYOURSECRET.KEY is a public key, I think (just a bunch of random characters ending in ==).
The text inside the FILESAREGONE.TXT is the typical ransom text from these infections:
Hello. All your files have been encrypted using our extremely strong private key. There is no way to recover them without our assistance. If you want to get your files back, you must be ready to pay for them. If you are broke and poor, sorry, we cannot help you. If you are ready to pay, then get in touch with us using a secure and anonymous p2p messenger. We have to use a messenger, because standard emails get blocked quickly and if our email gets blocked your files will be lost forever. Go to http://bitmessage.org/, download and run Bitmessage. Click Your Identities tab > then click New > then click OK (this will generate your personal address, you need to do this just once). Then click Send tab. TO: xxxxxxxxxxxx SUBJECT: name of your PC or your IP address or both. MESSAGE: Hi, I am ready to pay. Click Send button. You are done. To get the fastest reply from us with all further instructions, please keep your Bitmessage running on the computer at all times, if possible, or as often as you can, because Bitmessage is a bit slow and it takes time to send and get messages. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.

I uploaded an infected .pdf file here so you can download it and check, and here is the original file, not infected (I'm not sure if this is actually exactly the original though).
So far I disinfected the computer, and tried to rename all the files back with a script, but it obviously didn't help since they are... encrypted.
Is there any tool I can use to scan which files are infected/encrypted in the whole system? I found two tools so far, http://omnispear.com/cryptolocker-scan-tool/ and http://download.bleepingcomputer.com/grinler/ListCrilock.exe, but I'm not sure they will scan some of the files he has (some got a strange extension which are databases used with his invoice programs, but I think they are actually .DBF files).
Also, do you think I will have any luck restoring files using Windows Shadow Copy? I will check later tomorrow if his Windows even has this feature installed/enabled (the computer has Windows XP).
Thanks a lot!
Edited by quietman7, 17 June 2016 - 09:58 PM.
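The post asks for a way to find every encrypted file on the system, and also notes that renaming files back did not help. The script below is an added example, not something from the original post or from the tools it links, and it is only an inventory helper: it walks a folder tree, lists files that still carry the .bleep extension and folders that contain the two note files named in the post (FILESAREGONE.TXT and IHAVEYOURSECRET.KEY), and, for a few common document types, flags files whose header no longer matches their extension (which is what a file looks like after the extension was stripped by hand but the content is still ciphertext). The magic-byte table is an assumption limited to those types; a .dbf file has no reliable signature, so it is reported as unknown rather than guessed. The sample folder it builds is constructed test data, not real infected files.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the post: the extension appended to every encrypted
# file and the two note files dropped into each affected folder.
ENCRYPTED_EXT = ".bleep"
RANSOM_NOTES = {"FILESAREGONE.TXT", "IHAVEYOURSECRET.KEY"}

# Assumed magic bytes for a few common types. An encrypted file that was
# renamed back to its original extension will not start with these bytes.
# Types absent here (e.g. .dbf, .txt) are reported as "unknown", never guessed.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
}


def header_matches(path, ext):
    """True/False if the first bytes match the expected magic for `ext`,
    None when the type has no entry in MAGIC and cannot be judged."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(s) for s in sigs)


def inventory(root):
    """Walk `root` and return a dict with encrypted files, suspect renamed
    files, folders holding ransom notes and a count by original extension."""
    encrypted, suspect, note_dirs = [], [], []
    for dirpath, _dirs, filenames in os.walk(root):
        if RANSOM_NOTES & {n.upper() for n in filenames}:
            note_dirs.append(dirpath)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]          # strip .bleep
                ext = os.path.splitext(original)[1].lower() or "(none)"
                encrypted.append({"path": full, "name": name, "original_name": original,
                                  "ext": ext, "size": os.path.getsize(full)})
            elif name.upper() not in RANSOM_NOTES:
                ext = os.path.splitext(name)[1].lower()
                if header_matches(full, ext) is False:         # content != extension
                    suspect.append({"path": full, "name": name, "ext": ext,
                                    "size": os.path.getsize(full)})
    by_ext = Counter(e["ext"] for e in encrypted + suspect)
    return {"encrypted": encrypted, "suspect": suspect,
            "note_dirs": sorted(note_dirs), "by_ext": by_ext}


def write_report(report, out_path):
    """Write a tab-separated report that can be used to plan restores."""
    with open(out_path, "w") as out:
        out.write("# files still carrying %s\n" % ENCRYPTED_EXT)
        for e in report["encrypted"]:
            out.write("%s\t%d\t%s\n" % (e["path"], e["size"], e["original_name"]))
        out.write("\n# files whose content does not match their extension\n")
        for s in report["suspect"]:
            out.write("%s\t%d\n" % (s["path"], s["size"]))
        out.write("\n# folders containing ransom notes\n")
        for d in report["note_dirs"]:
            out.write("%s\n" % d)
        out.write("\n# affected files by original extension\n")
        for ext, n in sorted(report["by_ext"].items()):
            out.write("%s\t%d\n" % (ext, n))


def build_sample_tree(base=None):
    """Constructed sample layout mimicking the symptoms in the post
    (fake data for testing, not real infected files)."""
    base = base or tempfile.mkdtemp(prefix="bleep_sample_")
    os.makedirs(os.path.join(base, "sub"), exist_ok=True)
    junk = bytes(range(256))                                 # stands in for ciphertext
    files = {
        "invoice.pdf.bleep": junk,
        "FILESAREGONE.TXT": b"Hello. All your files have been encrypted...",
        "IHAVEYOURSECRET.KEY": b"AAAA==",
        "intact.pdf": b"%PDF-1.4 sample",                      # untouched file
        "renamed.pdf": junk,                                   # .bleep stripped by hand
        "customers.dbf": junk,                                 # no signature: unknown
        os.path.join("sub", "report.docx.bleep"): junk,
        os.path.join("sub", "FILESAREGONE.TXT"): b"...",
    }
    for rel, data in files.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    rep = inventory(root)
    write_report(rep, "ransomware_inventory.txt")
    print("%d .bleep files, %d suspect renamed files, %d folders with notes"
          % (len(rep["encrypted"]), len(rep["suspect"]), len(rep["note_dirs"])))
```

Run it with the drive or share root as the first argument (for example the mapped network share as well as the local disk) and it writes ransomware_inventory.txt; with no argument it builds the constructed sample tree and scans that. The "by original extension" count is the useful part for deciding what to look for in shadow copies or in any older copies of the invoice program's .DBF files.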