Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ransomeware removal help


  • This topic is locked This topic is locked
3 replies to this topic

#1 argyllandy

argyllandy

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 13 February 2016 - 03:45 PM

i have a friends pc that has been hit with a ransome ware programme looking like cryptolocker.  it only happened about a month ago but he has been down south and couldnt bring the pc to me earlier.
all his photos and videos are now encrypted, he has run malwarebytes and also said that none of the photos or videos have a previous version for opening. also doesnt have a backup for his pc or a restore point.

he has a message in each folder that is just a notepad message saying-
 
email me if you want your files back :
 
bleepedfiles - notepad   --- (sorry for the swear word but thats actually what the file is named)
file1@openmailbox.org
or
file1@inbox.lv
 
(add these emails to your whitelist or check your junk/spam folder )

he is really upset because the pc is full of photos of his kids.

any help would be great please.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:45 AM

Posted 13 February 2016 - 04:36 PM

So you are saying that bleepedfiles.txt is the name of the ransom note?


Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?


A bleepedfiles.txt ransom note has been reported before...see here... but the encrypted files had an .0x0 extension added to the end of each filename.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 argyllandy

argyllandy
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 13 February 2016 - 04:44 PM

yeah the files are all  0X0  files, there is another file called secret which is a key file ,

so he has around 30 folders with photos and each folder has a   bleepedfiles text document and a secret key file in them.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:45 AM

Posted 13 February 2016 - 04:50 PM

It appears you are dealing with a variant of Win32/Filecoder...(aka Gpcode ransomware or Encoder) which has been around for years, uses a secure encryption algorithm and has never been decryptable.Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder (Encoder) threat detections are more commonly identified as CryptoLocker, Cryptowall, and CTB locker but they are not actually the same.The Win32/Filecoder.FD variant encrypts data, appends an .0x0 extension to the end of each filename and leaves a ransom note named READTHISNOW!!!.TXT with a SECRET.KEY file. Other variants have been reported with a .bleep, .1999 or .f**k extension appended to the filename, leaving ransom notes with names like FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT and IHAVEYOURSECRET.KEY, SECRETIDHERE.KEY files. In this this report at Kaspersky forums...the content of the ransom notes are essentially identical with instructions to go to hxxp://bitmessage.org/.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance but I am not aware of any fix tool or way to decrypt encrypted data without the private key or paying the ransom.As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. If that is not a viable option and if there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a possible solution so save the encrypted data and wait until that time.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff

.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users