
*.ejryolm Ransomware infection


8 replies to this topic

#1 yiega

yiega

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 20 May 2016 - 04:07 AM

Hello guys.

I seem to have been infected with this particular ransomware. I have looked all over the net and there is nowhere that this variant has been noticed or detected.

Is there a way to decrypt this type of virus???




 


#2 RubyS

RubyS

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 20 May 2016 - 05:10 AM

Do you have the file? Let me check.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:25 PM

Posted 20 May 2016 - 06:49 AM

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. They typically are found in every directory where data was encrypted. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 yiega

yiega
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 20 May 2016 - 03:14 PM

Hello RubyS, on which platform can I send you the file for you to examine?

 

quietman7, unfortunately I can't get the ransom notes because of a not so bright decision made by one of my workmates. What I can get now is a sample of the files that have been encrypted.

 

I have uploaded the file to ID Ransomware and it says it is able to determine the ransomware.

The case reference number is SHA1: 86b69f5a08fad174e80ac8fc5dcb39b8124aa57d

 

Thank you for the help



#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:25 PM

Posted 20 May 2016 - 05:13 PM

I've taken a look at the file from the case, and I don't recognize any patterns with it. My best guess would be CTB-Locker, as it generates a random 6-7 character extension. The only way to confirm would be the ransom note, which would typically be called "!Decrypt-All-Files-ejryolm.html" in your case.

 

There's no known way to decrypt CTB-Locker if that is the case. You may refer to this topic and the linked article for more information and ways to identify it manually on the system: http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-ransomware-support-and-help-topic-decryptallfilestxt/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:25 PM

Posted 20 May 2016 - 07:02 PM

Maktub Locker also has a random 6-character file extension appended to the end of all affected filenames, similar to those seen with the newest variants of CTB-Locker, but displays a ransom note named _DECRYPT_INFO_[random].html.
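A read-only triage pass built on the ransom-note names given in posts #5 and #6, added here as an example; it is not code from any poster or from ID Ransomware. The function names, the regex treatment of the random part of each name, and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Note names as quoted in the thread. Treating the random part as 6-7 letters
# (CTB-Locker) or any word characters (Maktub Locker) is an assumption.
NOTE_PATTERNS = {
    "CTB-Locker": re.compile(r"^!Decrypt-All-Files-([a-z]{6,7})\.html$", re.I),
    "Maktub Locker": re.compile(r"^_DECRYPT_INFO_(\w+)\.html$", re.I),
}

def triage(root, ext):
    """Walk root without modifying anything; count files ending in .<ext>
    and collect ransom notes whose names match a known family pattern."""
    ext = ext.lower().lstrip(".")
    encrypted, notes = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith("." + ext):
                encrypted += 1
            for family, pattern in NOTE_PATTERNS.items():
                m = pattern.match(name)
                if m:
                    path = os.path.join(dirpath, name)
                    notes.append((family, path, m.group(1).lower()))
    return {
        "encrypted": encrypted,
        "notes": notes,
        "families": sorted({family for family, _p, _t in notes}),
        # The thread's CTB-Locker example embeds the file extension in the
        # note name, so a matching tag strengthens the identification.
        "tag_matches_extension": any(
            family == "CTB-Locker" and tag == ext for family, _p, tag in notes
        ),
    }

def demo():
    """Run triage over a constructed sample tree (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.ejryolm", "budget.xlsx.ejryolm",
                     "readme.txt", "!Decrypt-All-Files-ejryolm.html"):
            open(os.path.join(docs, name), "w").close()
        return triage(root, "ejryolm")

if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a copy of the affected volume rather than the original disk, so the evidence stays untouched.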

#7 yiega

yiega
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 21 May 2016 - 02:06 PM

Demonslay335, then I am stuck with my files till something reasonable comes out, huh? I'll try to recover the ransom note so we can make sure which one it is. I have followed the link; hopefully something will come out soon.

quietman7, I'll read more about Maktub Locker; hopefully I can get a solution soon.

 

Once again thanks guys



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:25 PM

Posted 21 May 2016 - 02:16 PM

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. It is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.

If that is not a viable option and there is no decryption fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing information which may be needed if a solution is ever discovered.

Grinler, (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...

If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so.



#9 yiega

yiega
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 21 May 2016 - 02:29 PM

I had actually used two recovery programs; they recovered the files, but it seems somehow the recovered files were also affected, because when I open, for example, a Word document, I get the error "we are sorry cant open file. because we found a problem with its content". Then Word gives you an option to recover the document, but it solves nothing, bringing nothing as the content. I tried this with other document readers, which do the same.

I have taken the whole hard disk out of commission. I'll just store it somewhere in the hope something comes up in the future.





