PC infected with not-fixable ransomware called CrypMic, need suggestions


  • This topic is locked This topic is locked
3 replies to this topic

#1 haaithere

  • Members
  • 4 posts

Posted 01 August 2016 - 05:00 PM

Hello.

For the first time, I've actually managed to get my hands on a computer that's been infected by ransomware. I've heard quite a bit about it in the media, but had not actually seen one before.

So an acquaintance of mine told me: "Hey, I know you're good at IT and stuff (I know a thing or two, not sure if I'm "that" good), could you please take a look at why most of my pictures, documents and music have suddenly become unusable?"

I thought, why the hell not, and gave it a go, since it's my first time seeing a computer that has files encrypted by ransomware. So when I boot up the computer, a browser and a text document open, telling me I should visit a Tor .onion site and pay up some Bitcoins. Of course, she's not going to do that. She told me that the data that's encrypted is not that "valuable", but said she'd be glad if I could retrieve even a bit of the files.

So I started looking for a solution. I read that easier types of ransomware are cured by just scanning with Malwarebytes' Anti-Malware application. Well, it did find a bunch of things, but that didn't help decrypting the files. Then, for the sake of it, I tried scanning with SuperAntiSpyware, Spybot S&D (not sure if this program is relevant these days), Comodo's anti-virus and Hitman Pro. None of these helped.

Then I stumbled upon this forum, and found you have a section that helps with ransomware. And from here I found a thread that links to a service that identifies which type of ransomware the file is infected with. Turns out the files are infected with a ransomware called CrypMic. I looked it up, and it seems like there's no solution found yet to decrypt those files.

Now, I saw some guides recommending System Restore - although it was turned on, the oldest restore point dated back only a few days, so that was out of the question. Another recommendation was to try file recovery programs, Recuva in particular. In the end I ended up recovering ~200 000 files. But going through them, it did restore some files that were encrypted, while most of the files were still under encryption - but I'm sure she's glad I got at least some family photos back, although there's some more processing and sorting to be done; just browsing through the files, it does not give much hope.

Then I thought I'd give PhotoRec a go (by selecting file types which seemed relevant), but this also ended up recovering ~200 000 files; the problem is that it spread those recovered files over 300 folders. I'm not sure how I should process these to find the files that'd actually have some value - a negative side of PhotoRec is also that it does not retain original file names. I found a batch script that'd go through all the folders and move the files to one folder; that'd help a bit to browse these files in one go, and maybe I could actually sort these by size, resolution, or anything.

Given that these files are not that important, I'm not sure how much time I'm willing to invest to browse through these files. I was thinking if I have any more options left before I'd format the hard drive and install Windows.

I have an idea, though I'm not sure if it's possible, and if there's actually a point. I've read that getting a cure/fix for types of ransomware has taken months, sometimes even years. Since she has quite a big hard drive, I thought if there's a way to archive the contents of the drive to a *.zip, *.iso, or whatever file, make a new partition and just copy the file there, so that if, by some luck, a fix is found to decrypt this CrypMic ransomware, I could just apply the fix on the files, and she'd get her files back. So I'd have this *.iso (or whatever filetype) file on another partition, and then I could install Windows on another partition. Another side of this though is that there may never come a day this CrypMic will see a fix to decrypt files. Given what I've read about CrypMic, it seems entirely possible.


So, I'm pretty sure you can't give me a quick-way solution to this problem by providing a step-by-step guide. But I was wondering what you would do if you were me. Would you just format the HDD and not hassle with it? So yeah, long story short, what are my options, if any?



Greetings,
haaithere




#2 TsVk!

    penguin farmer

  • Members
  • 6,236 posts
  • Gender:Male
  • Location:The Antipodes

Posted 01 August 2016 - 05:56 PM

Courtesy of quietman7, 2 August 2016.


CrypMIC mimics CryptXXX in terms of entry point, ransom notes and payment sites but it does not append an extension to encrypted files.

Unfortunately, I am not aware of any way to decrypt CrypMIC encrypted data without paying the ransom.
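A triage script, added here as an illustration (it is not the batch script from the first post nor anything from either poster), that uses the detail above to sort recovered output: because CrypMIC keeps the original name and extension, a file whose leading bytes do not match its extension is most likely an encrypted copy, while byte-identical carved copies can be collapsed to one. The recovery tree and the magic-byte table are assumptions; `build_sample()` writes a constructed stand-in for a PhotoRec output directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Header bytes a genuine file of each type starts with (assumed table). CrypMIC leaves
# names untouched, so a ".jpg" without a JPEG header is most likely an encrypted copy.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",), ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

def classify(path: Path) -> str:
    """'intact' if the header matches the extension, 'encrypted' if not,
    'unknown' for extensions the table does not cover."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return "unknown"
    with path.open("rb") as fh:
        head = fh.read(16)
    return "intact" if any(head.startswith(s) for s in sigs) else "encrypted"

def triage(root: str) -> dict:
    """Walk a recovery output tree (Recuva's, or PhotoRec's recup_dir.N folders) and
    bucket every file; a byte-identical copy of an intact file goes under 'duplicate'."""
    buckets = {"intact": [], "encrypted": [], "unknown": [], "duplicate": []}
    seen = set()  # SHA-256 of every intact file already kept
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        verdict = classify(p)
        if verdict == "intact":
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            verdict = "duplicate" if digest in seen else "intact"
            seen.add(digest)
        buckets[verdict].append(str(p.relative_to(root)))
    return buckets

def build_sample() -> str:
    """Constructed stand-in for a PhotoRec output directory (not real recovered data)."""
    root = Path(tempfile.mkdtemp())
    for d in ("recup_dir.1", "recup_dir.2"):
        (root / d).mkdir()
    (root / "recup_dir.1" / "f0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "recup_dir.2" / "f0002.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # copy of f0001
    (root / "recup_dir.1" / "f0003.jpg").write_bytes(bytes(range(40, 80)))  # ciphertext-like, no header
    (root / "recup_dir.2" / "f0004.pdf").write_bytes(b"%PDF-1.4\n%constructed")
    (root / "recup_dir.2" / "f0005.xyz").write_bytes(b"??")
    return str(root)
```

Run `triage()` over the real output directory to get the distinct intact files worth keeping; a high 'encrypted' count is the expected result for a CrypMIC victim, not a script fault.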




#3 TsVk!

    penguin farmer

  • Members
  • 6,236 posts
  • Gender:Male
  • Location:The Antipodes

Posted 01 August 2016 - 06:03 PM

There's no real "solution" per se, you just have to choose what to do in each situation.


The acquaintance can't really expect you to trawl through her 200,000 files looking for her photos; that's her job (unless she wants to pay you hourly to do so).


So you have 2 options.

  • Save the recovered documents to another drive or media and then reformat the machine.
  • Install Windows on a 2nd HDD and let her hold on to the infected one; maybe a free decryptor will come out one day.

The issue with having no extension on the encrypted files is you can't just remove the infection and delete them en masse, so that option isn't there.


Sorry I can't be of more help.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,771 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 August 2016 - 08:20 PM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance, but as noted above there is no solution to fix your encrypted files. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff