
Ransomware - maktub


  • This topic is locked
7 replies to this topic

#1 dizzy224

  • Members
  • 3 posts

Posted 13 April 2016 - 09:55 AM

My first post so please forgive any infringement. My PC (Windows XP) has been infected by ransomware which I believe to be a version of Maktub, as this appears in the ransom note. It infected all Microsoft documents, including iTunes, by adding the file type .robm but otherwise has not deleted or corrupted any other parts of the computer. I have moved all the corrupt files to a dedicated folder and deleted a number of the ransom demands that appeared in each folder. Does anybody know of a reasonable decryption software that I could try?

 

I did try to identify the particular ransomware by using a site in this forum but was not successful.





#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,492 posts
  • Gender:Male
  • Location:USA

Posted 13 April 2016 - 10:04 AM

Due to the random nature of the extensions, ID Ransomware cannot detect Maktub unless you also provide an actual ransom note - otherwise, it would be a false-positive for any single file that has an extension 4-6 characters long. A PDF picture of the ransom note won't work, lol.
 
I've verified from the PDF you uploaded that it is definitely a screenshot of Maktub. You should have files named _DECRYPT_INFO_robm.html in every folder that was hit.

 

I'm afraid there is no way to decrypt files hit by Maktub. You can check the appropriate support topic for more information.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
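
Added example (not part of any post in this thread, and not ID Ransomware's own code): a Python sketch of the point made in post #2, that a 4-6 character extension alone matches ordinary files while the `_DECRYPT_INFO_robm.html` note pins down which extension to look for. The folder contents are constructed, and treating the middle of the note name as the added extension is an assumption drawn from the one case in this thread.

```python
import os
import re
import tempfile

# Note name from the thread: _DECRYPT_INFO_robm.html. Reading the middle part
# as "the extension added to the files" is an assumption drawn from that case.
NOTE_RE = re.compile(r"^_DECRYPT_INFO_([A-Za-z0-9]{4,6})\.html$")

def ext_of(name):
    return os.path.splitext(name)[1].lstrip(".").lower()

def extension_only_guess(name):
    """Weak heuristic: any 4-6 character extension 'looks like' Maktub."""
    return 4 <= len(ext_of(name)) <= 6 and ext_of(name).isalnum()

def scan(root):
    """Map each note-confirmed extension to its ransom notes and encrypted files."""
    listing = [(d, files) for d, _subdirs, files in os.walk(root)]
    hits = {}
    for d, files in listing:                      # pass 1: find ransom notes
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                entry = hits.setdefault(m.group(1).lower(), {"notes": [], "files": []})
                entry["notes"].append(os.path.join(d, name))
    for d, files in listing:                      # pass 2: files with a confirmed extension
        for name in files:
            if ext_of(name) in hits and not NOTE_RE.match(name):
                hits[ext_of(name)]["files"].append(os.path.join(d, name))
    return hits

def demo():
    """Run both approaches over a constructed sample folder."""
    sample = ["report.doc.robm", "song.m4a.robm", "_DECRYPT_INFO_robm.html",
              "budget.xlsx", "index.html", "photo.jpeg", "notes.txt"]
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in sample:
            open(os.path.join(docs, name), "w").close()
        confirmed = sorted(os.path.basename(p) for p in scan(root)["robm"]["files"])
        guessed = sorted(n for n in os.listdir(docs) if extension_only_guess(n))
    return confirmed, guessed

if __name__ == "__main__":
    confirmed, guessed = demo()
    print("confirmed by ransom note:", confirmed)
    print("flagged by extension length alone:", guessed)
```

The file list returned by `scan()` is also the set to copy to an external archive if the encrypted files are being kept.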


#3 dizzy224
  • Topic Starter

  • Members
  • 3 posts

Posted 13 April 2016 - 10:23 AM

Many thanks for that prompt and comprehensive response. I have visited the site you suggested and much appreciated the details you provided of the Maktub locker. I will stop looking for any decryption and concentrate on recovering my files from my backup machines. Is there any danger in keeping my folder full of encrypted files just in case a decryption is possible in the future?



#4 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,492 posts
  • Gender:Male
  • Location:USA

Posted 13 April 2016 - 10:43 AM

The files and ransom notes themselves are not malicious, so they are safe to keep in the event of a breakthrough in the future. I would recommend archiving them somewhere out of the way (external hard drive, burn to disc, whatever works best), since they would just otherwise clutter your regular files.




#5 cybercynic

  • Members
  • 557 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 13 April 2016 - 10:44 AM

> Many thanks for that prompt and comprehensive response. I have visited the site you suggested and much appreciated the details you provided of the Maktub locker. I will stop looking for any decryption and concentrate on recovering my files from my backup machines. Is there any danger in keeping my folder full of encrypted files just in case a decryption is possible in the future?

The encrypted files are harmless. It would be a good idea to save the files - a decryption method could be found at some point in time. It would be a good idea to run Malwarebytes and/or Emsisoft on your computer just to be sure all malware files have been removed.


We are drowning in information - and starving for wisdom.


#6 dizzy224
  • Topic Starter

  • Members
  • 3 posts

Posted 13 April 2016 - 10:49 AM

Thank you both for that advice - I have recently installed Malwarebytes on my computer and will certainly run it again to be sure.



#7 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,492 posts
  • Gender:Male
  • Location:USA

Posted 13 April 2016 - 11:31 AM

*Wrong topic, sorry.


Edited by Demonslay335, 13 April 2016 - 11:31 AM.



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 April 2016 - 06:40 PM


Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate image]



