
File Encrypted with .syqgmed / Ransomware Help


  • This topic is locked
7 replies to this topic

#1 Cristian89

Cristian89

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 07 June 2016 - 09:10 AM

Hi Everyone,

 
My PC is infected with ransomware with the .syqgmed extension.
The infection occurred via email, opening an attachment from a false email courier.
The infection took place some months ago, but I have kept a copy of the infected disk because it contains important information. I have done a lot of research on the web, but have not found anything about this extension. Is there any tool to decrypt those files?
 
 
Thanks.
Cristian




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:15 AM

Posted 07 June 2016 - 09:15 AM

Do you have any ransom notes to help identify?

 

Most likely, you were hit by CTB-Locker, which uses a completely random 6-7 character extension for every victim. Rather annoying for identification and false-positives. If this is the case, I'm afraid there is no way to decrypt files at the present time.

 

You should see a ransom note named something like "DecryptAllFiles.txt" or "!Decrypt-All-Files-syqgmed.txt".

 

You may view the following topic to see if your symptoms match, and get more information from other victims.

 

*Edit: I see your case on ID Ransomware, it definitely is CTB-Locker I'm afraid. I've tweaked detection to catch the ransom note, didn't realize they dropped the exclamation mark in the filename. I've also added experimental detection of the extension on the filename, it might not get as many FP as I was thinking it would.


Edited by Demonslay335, 07 June 2016 - 09:25 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
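
An added example, not part of the original posts and not ID Ransomware's own detection logic: a triage check that flags a file listing only when a ransom note named like the ones quoted in this thread is backed by files carrying the same extension, since a random 6-7 character extension alone is prone to false positives. The regular expressions, the lowercase-letter assumption and the sample listing are constructed for illustration.

```python
import re
from collections import Counter

# Note names follow the examples quoted in this thread; the exact pattern
# (optional "!", 6-7 letter ID, .txt or .bmp) is an assumption.
NOTE_RE = re.compile(r"^!?Decrypt-All-Files-([a-z]{6,7})\.(?:txt|bmp)$", re.IGNORECASE)
GENERIC_NOTES = {"decryptallfiles.txt"}
EXT_RE = re.compile(r"\.([a-z]{6,7})$")  # assumed: lowercase letters only

SAMPLE = [  # constructed listing, not taken from a real system
    r"C:\Users\demo\Documents\invoice.xlsx.syqgmed",
    r"C:\Users\demo\Documents\photo.jpg.syqgmed",
    r"C:\Users\demo\Documents\Decrypt-All-Files-syqgmed.bmp",
    r"C:\Program Files\App\app.config",
]


def triage(filenames):
    """Return (verdict, extension, encrypted_file_count) for a file listing."""
    note_ids = set()
    generic_note = False
    ext_counts = Counter()
    for name in filenames:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        m = NOTE_RE.match(base)
        if m:
            note_ids.add(m.group(1).lower())
            continue
        if base.lower() in GENERIC_NOTES:
            generic_note = True
            continue
        m = EXT_RE.search(base)
        if m:
            ext_counts[m.group(1)] += 1
    # Strong signal: the ID in the note name is also the extension of other files.
    for ext in sorted(note_ids):
        if ext_counts[ext] > 0:
            return ("likely CTB-Locker", ext, ext_counts[ext])
    if note_ids or generic_note:
        return ("note only, needs review", None, 0)
    # Extension alone is weak evidence: ".config" and ".sqlite" also fit.
    return ("no match", None, 0)


if __name__ == "__main__":
    print(triage(SAMPLE))
```
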


#3 Cristian89


Posted 07 June 2016 - 09:28 AM

There is a media file "Decrypt-All-Files-syqgmed.bmp"

 

https://drive.google.com/file/d/0B-giX6RJQxeOV2hKNTl1a3BBdGc/view?usp=sharing

 

I tried to use "https://id-ransomware.malwarehunterteam.com" and the result tells me that this ransomware is Unknown, but there is this information: SHA1: 380efff977b1bcfa68e5b65a0c598a90304f6a04



#4 Demonslay335


Posted 07 June 2016 - 09:30 AM


Try again, it will pick up on it now per my edit.




#5 Cristian89


Posted 07 June 2016 - 09:34 AM

OK, thanks.
But is there a way to decrypt the files now?


#6 Demonslay335


Posted 07 June 2016 - 09:40 AM

Unfortunately, no. Like I said and the website will show, there is no way to decrypt CTB-Locker files at this time. You can always try Recuva and ShadowExplorer as a last-ditch effort, but otherwise if you don't have backups, paying the ransom is the only way to get your data back. You can view the support topic for any further questions.




#7 Cristian89


Posted 07 June 2016 - 09:43 AM

I've just tried with recovery tools and shadow copy, but nothing. I'll wait for some update! Thank you!



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:15 AM

Posted 07 June 2016 - 07:29 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
