victim of ransomware


This topic is locked
4 replies to this topic

#1 Thoro

Posted 29 December 2015 - 05:37 PM

I'm a victim of ransomware, and searching for any way to recover my data. In this forum I see a lot of information about it and I hope to find here what I'm searching for.
 
Thanks in advance.


#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 29 December 2015 - 09:12 PM

Welcome to Bleeping Computer.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .encrypted, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .EnCiPhErEd, .0x0, .bleep, .1999, {CRYPTENDBLACKDC}, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or a 6-7 character extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, 
About_Files.txt, FILESAREGONE.TXT, IHAVEYOURSECRET.KEY, HELLOTHERE.TXT, SECRETIDHERE.KEY, 
READTHISNOW!!!.TXT, SECRET.KEY, HELPDECYPRT_YOUR_FILES.HTML, Help_Decrypt.txt
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html
Howto_RESTORE_FILES_.txt, RECOVERY_FILE_.txt, restore_files_.txt, _how_recover_.txt
howto_recover_file_.txt, how_recover+****.txt, recover_file_*****.txt

Note: The (*) represents random characters which some ransom note names may include.
Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
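A triage scan that implements the two checks quietman7 asks for (a known appended extension, including a random-looking 6-7 character one, and a ransom-note file name in the usual folders), as an added example that is not part of the original post. The suffix and note-name lists are copied from the post; the sample directory tree, the `COMMON_DOC_EXTENSIONS` set used by the random-extension heuristic, and all function names are constructed for the demonstration.

```python
"""Ransomware triage scan over a directory tree (constructed example).

Two checks from the post above:
  1. files carrying a known ransomware suffix, or an ordinary document whose
     name has gained a random-looking 6-7 character extension;
  2. files whose name matches one of the listed ransom-note names.
The suffix and note-name lists come from the post; the sample tree and the
COMMON_DOC_EXTENSIONS set are constructed for this demonstration.
"""
import fnmatch
import os
import re
import tempfile

# Appended suffixes listed in the post, lower-cased for case-insensitive matching.
KNOWN_SUFFIXES = (
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".encrypted", ".crinf", ".xrnt", ".xtbl", ".crypt", ".pzdc", ".good",
    ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa", ".enciphered", ".0x0",
    ".bleep", ".1999", "{cryptendblackdc}", ".vault", ".ha3", ".toxcrypt",
    ".ctbl", ".ctb2",
)

# Ransom-note names from the post as glob patterns; "*" keeps the post's
# meaning (random characters) and "<user name>" is also treated as "*".
RANSOM_NOTE_PATTERNS = (
    "HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HELP_RESTORE_FILES.txt", "HELP_TO_SAVE_FILES.txt", "RECOVERY_KEY.txt", "DecryptAllFiles.txt",
    "DECRYPT_INSTRUCTIONS.TXT", "INSTRUCCIONES_DESCIFRADO.TXT", "How_To_Recover_Files.txt",
    "DECRYPT_INSTRUCTION.TXT", "HOW_TO_DECRYPT_FILES.TXT", "ReadDecryptFilesHere.txt",
    "About_Files.txt", "FILESAREGONE.TXT", "IHAVEYOURSECRET.KEY", "HELLOTHERE.TXT", "SECRETIDHERE.KEY",
    "READTHISNOW!!!.TXT", "SECRET.KEY", "HELPDECYPRT_YOUR_FILES.HTML", "Help_Decrypt.txt",
    "YOUR_FILES.HTML", "DecryptAllFiles_*.txt", "encryptor_raas_readme_liesmich.txt",
    "RECOVERY_FILES.txt", "help_decrypt_your_files.html",
    "Howto_RESTORE_FILES_*.txt", "RECOVERY_FILE_*.txt", "restore_files_*.txt", "_how_recover_*.txt",
    "howto_recover_file_*.txt", "how_recover+*.txt", "recover_file_*.txt",
)

# Constructed: extensions a legitimate document normally ends with. Used only
# by the random-extension heuristic so "report.docx.k8fj2ps" is flagged while
# a plain "report.docx" or "archive.tar.gz" is not.
COMMON_DOC_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg", "png",
    "txt", "zip", "mp3", "mp4",
}
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{6,7}$")


def looks_like_random_extension(filename):
    """Heuristic: <name>.<ordinary ext>.<6-7 alphanumerics>, e.g. report.docx.k8fj2ps."""
    parts = filename.split(".")
    if len(parts) < 3:
        return False
    prev, last = parts[-2].lower(), parts[-1]
    return (prev in COMMON_DOC_EXTENSIONS
            and RANDOM_EXT_RE.match(last) is not None
            and last.lower() not in COMMON_DOC_EXTENSIONS)


def classify_file(filename):
    """Return ("encrypted", indicator), ("ransom_note", pattern) or None."""
    lower = filename.lower()
    for suffix in KNOWN_SUFFIXES:
        if lower.endswith(suffix):
            return ("encrypted", suffix)
    if looks_like_random_extension(filename):
        return ("encrypted", "." + filename.rsplit(".", 1)[1] + " (random-looking)")
    for pattern in RANSOM_NOTE_PATTERNS:
        if fnmatch.fnmatchcase(lower, pattern.lower()):
            return ("ransom_note", pattern)
    return None


def scan_tree(root):
    """Walk root and group hits by kind; paths are relative to root with '/' separators."""
    findings = {"encrypted": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_file(name)
            if hit is None:
                continue
            kind, indicator = hit
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            findings[kind].append((rel, indicator))
    for hits in findings.values():
        hits.sort()
    return findings


# Constructed sample tree: a few ordinary files, three renamed documents and
# three ransom notes, in the folders the post says to check.
SAMPLE_FILES = (
    "Documents/budget.xlsx", "Documents/budget.xlsx.vvv", "Documents/HELP_DECRYPT.TXT",
    "Pictures/holiday.jpg", "Pictures/holiday.jpg.ecc",
    "ProgramData/how_recover+abcd.txt", "ProgramData/DecryptAllFiles_alice.txt",
    "Downloads/report.docx.k8fj2ps", "Downloads/archive.zip",
)


def build_sample_tree():
    """Create the constructed tree in a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
    return root


if __name__ == "__main__":
    for kind, hits in scan_tree(build_sample_tree()).items():
        for rel, indicator in hits:
            print(f"{kind:12} {rel:40} {indicator}")
```

Point the scan at a user profile or `C:\ProgramData` rather than the constructed tree to get the two answers the post asks for (which suffix, which note name) in one pass; the matched suffix or note name is what identifies the family, so it is kept alongside each path.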

#3 Thoro (Topic Starter)

Posted 30 December 2015 - 01:49 AM

Hi,

The file name was changed from WP_20151023_003.jpg to WP_20151023_003.jpg.id-3660246556_email_info@cryptedfiles.biz

There are not any added files with ransom info. The only thing is a desktop background image:

lock.png

Here is an example of one ciphered file and its plaintext, useful for testing:

I tried RakhniDecryptor from Kaspersky a week ago, and after a couple of hours it claimed to have found the key, and then tried to decrypt the whole HD. When it finished I found the decrypted images and documents, but they were still unusable.
Hex-comparing the ciphered and Kaspersky-deciphered files, they seem very similar. The first 100000 bytes are different but still remain scrambled, which means the algorithm or key is not right. Also appended to the ciphered file there are many added bytes.

I think this is a variant that has a different behavior.

Thanks

Edited by Thoro, 30 December 2015 - 03:30 AM.
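An added example, not from the thread, of the kind of check Thoro describes: parse the appended `.id-<digits>_email_<address>` suffix back into the original name, victim id and contact address, then compare a ciphered file with a decryptor's output to see where they differ, how many bytes were appended, and whether the output starts with a recognisable file header. The ciphered and candidate files below are constructed byte strings, not real samples, and the function names and the `MAGIC` signature table are assumptions made for the demonstration.

```python
"""Checks on a claimed decryption (constructed example, not from the thread).

parse_ransom_name() splits the appended ".id-<digits>_email_<address>" suffix
back into the original file name, the victim id and the contact address.
compare_decryption() reports where a ciphered file and a decryptor's output
differ, how many bytes were appended, and whether the output starts with a
known file header, which is what actually decides if the result is usable.
All sample bytes are constructed here; no real samples are involved.
"""
import math
import random
import re
from collections import Counter

RANSOM_NAME_RE = re.compile(r"^(?P<original>.+?)\.id-(?P<victim_id>\d+)_email_(?P<email>\S+)$")

# Assumed table of file signatures for the formats a victim most often checks.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
}


def parse_ransom_name(filename):
    """Return {"original", "victim_id", "email"} or None if the suffix is absent."""
    m = RANSOM_NAME_RE.match(filename)
    return m.groupdict() if m else None


def shannon_entropy(data):
    """Bits per byte; about 8.0 for scrambled data, lower for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_decryption(ciphered, candidate, head=4096):
    """Byte-level comparison of the ciphered file with a decryptor's output."""
    n = min(len(ciphered), len(candidate))
    first_diff = next((i for i in range(n) if ciphered[i] != candidate[i]), None)
    if first_diff is None and len(ciphered) != len(candidate):
        first_diff = n
    head_len = min(head, n)
    differing_head = sum(1 for i in range(head_len) if ciphered[i] != candidate[i])
    magic = next((name for sig, name in MAGIC.items() if candidate.startswith(sig)), None)
    return {
        "first_diff_offset": first_diff,
        "differing_bytes_in_head": differing_head,
        # Positive: bytes the ransomware appended that the decryptor stripped.
        "trailer_bytes": len(ciphered) - len(candidate),
        "candidate_head_entropy": round(shannon_entropy(candidate[:head_len]), 2),
        "recognised_header": magic,
        # Entropy is informational only: intact JPEG or zip content is itself
        # near 8 bits/byte, so the header check is what decides plausibility.
        "plausible": magic is not None,
    }


def build_samples(seed=7, size=6000, trailer=36):
    """Constructed test data: a JPEG-like plaintext, a scrambled copy with an
    appended trailer, and two candidate outputs (one right, one wrong)."""
    rng = random.Random(seed)
    plain = b"\xff\xd8\xff\xe0" + bytes(i % 16 for i in range(size - 4))
    key = bytes(rng.getrandbits(8) for _ in range(size))
    wrong_key = bytes(rng.getrandbits(8) for _ in range(size))
    ciphered = (bytes(p ^ k for p, k in zip(plain, key))
                + bytes(rng.getrandbits(8) for _ in range(trailer)))
    good = bytes(c ^ k for c, k in zip(ciphered[:size], key))
    bad = bytes(c ^ k for c, k in zip(ciphered[:size], wrong_key))
    return plain, ciphered, good, bad


if __name__ == "__main__":
    print(parse_ransom_name("WP_20151023_003.jpg.id-3660246556_email_info@cryptedfiles.biz"))
    _plain, ciphered, good, bad = build_samples()
    print("right key:", compare_decryption(ciphered, good))
    print("wrong key:", compare_decryption(ciphered, bad))
```

Running it shows the point behind Thoro's observation: both the right and the wrong candidate differ from the ciphered file in almost every byte of the head, so "the first bytes changed" says nothing about whether the key was right; the recognisable header (and the file opening) is the real test, and the trailer count tells you how much was appended.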


#4 Obryant

Posted 30 December 2015 - 03:11 AM

The same virus encrypted my files about two weeks ago. I tried the tool RakhniDecryptor several times but it could not find the key; it must be a new variant that has changed encryption.

I would be grateful for any help that you can give us.

Thank you very much for your attention.



#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 30 December 2015 - 07:53 AM

It is believed these infections are part of a ransomware kit that different affiliates utilize with their own payment email addresses, which explains all the "@" ransomwares which have been reported.

There are ongoing discussions in these related topics. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of the above topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff



