
Encrypted or just corrupted? Tried to ID encryption no luck



#1 gt358w


Posted 12 August 2016 - 09:26 AM

A couple years ago my friend asked me to take a look at an Excel ODS file he couldn't get to open. He said at the time it was the only file he couldn't open and I don't remember finding any malware on his computer (at the time). I tried a few of the file recovery sites at the time (back in 2014) and nothing ever worked. Since it was 1 file, he said don't worry about it.

Now today he calls me about another file which is a PDF. Turns out on 6/24/2014 there are about 15 files in his My Docs that all have the same date and time within 2 minutes with all the same problem. They range from JPG, PDFs, to ODS files. I tried several of the different decryption tools I could find and none of them detect the encryption. So I'm trying to figure out if they are encrypted or just corrupted and lost.

The id-ransomware could not determine anything and there are no readme or txt files from that timeframe on his computer.

If you open the file in notepad, they all start with the same "ôÓó ˜É—½ " code.

 

Link to one of the files

 

Thanks,

Tony




#2 cybercynic


Posted 12 August 2016 - 10:12 AM

That link doesn't open anything. Also, if ID-Ransomware couldn't identify the malware, it should have given you a SHA1 hash which you could post here for the experts to review.


Edited by cybercynic, 12 August 2016 - 10:34 AM.

We are drowning in information - and starving for wisdom.


#3 gt358w


Posted 12 August 2016 - 10:44 AM

Sorry, the link needs to be right clicked save as since it's a jpg. The browser tries to open it if you just click it.

Www.tonyw.net\fileid\ <- folder with 2 of the files

I don't remember the id site giving anything. I'll try it again.

Tony

#4 cybercynic


Posted 12 August 2016 - 11:01 AM

I suppose if the file names are unchanged, and this "encryption" dates back to 6/2014, it could be CryptoWall. Odd though that only a few files were affected. Maybe it is file corruption of some sort. Also, I would think that ID-Ransomware would have identified CryptoWall. DemonSlay will have to look at this.


Edited by cybercynic, 12 August 2016 - 11:04 AM.

We are drowning in information - and starving for wisdom.


#5 gt358w


Posted 12 August 2016 - 02:28 PM

I tried to upload to the ID page again, but without a ransomware text file I don't think it can determine it.

 

 


 Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 8e7acd4944e2fe19f4d709add22e46ef8ba3467d

 

I think it only did those few files because he didn't have much on that computer then. If it did have a virus, I must have cleaned it around that time and stopped it before it finished. I can't remember exactly what happened 2 years ago to his computer but I know at least 3-4 times I've had to stop different bugs that have hit him. The computer he is using now is not even the same one from 2014. I replaced it about 6 months ago for him and copied all the files over.

 

Tony


Edited by gt358w, 12 August 2016 - 02:28 PM.


#6 cybercynic


Posted 12 August 2016 - 02:47 PM

That SHA1 hash is what is needed for analysis. One of the experts here will probably look at it. May take a while - the ransomwares keep on coming. 


We are drowning in information - and starving for wisdom.


#7 Demonslay335


Posted 12 August 2016 - 05:56 PM

It looks like encryption as far as I can tell, haven't put the files under an entropy test yet. Usually if a file is simply corrupted, it will have only some of the data messed up. You can usually see some strings in PDFs, so I would expect to see at least something I recognize. Also, since the two files are different original types, but have the same bytes to start with, it leads more toward encryption.

 

I'm not as well versed with the ransomware scene back in 2014, but I know CryptoWall 3.0 and 4.0 would write the same 16 bytes to all files without renaming them - not sure if the earlier versions of it did the same thing. ID Ransomware can only identify the CryptoWall versions by ransom note due to this.

 

If the files were only recently encrypted (e.g. known to be opening a few weeks ago), then it could be a new ransomware attack. There have been some that do what's called "timestamp stomping" - it changes the modified dates to confuse the victim and make figuring out revisions of the data difficult, and time of attack.

 

I don't know if perhaps a ransomware had started but then stopped recently, it is possible (though only 15 files is odd, it takes seconds to encrypt a whole directory easily).

 

Either way, advise your friend to BACKUP his data at all times. I would honestly have thought the lesson would be learned from the first file issue years ago.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
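The three checks Demonslay335 describes above (an entropy test, looking for recognizable PDF strings, and comparing the leading bytes of files that had different original types) as an added example. This is my own illustration, not the ID Ransomware tool or anything posted in the thread; the byte samples, the 16-byte marker and the 7.5 bits/byte threshold are all constructed assumptions.

```python
import math
import random

# Constructed samples, not the files from the thread. PDF_SAMPLE is a tiny
# PDF-like plaintext; CORRUPTED_SAMPLE is the same with three damaged bytes;
# the two "encrypted" blobs share a made-up 16-byte marker (hypothetical
# value) followed by seeded pseudo-random bytes standing in for ciphertext.
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 8) + b"%%EOF\n"
CORRUPTED_SAMPLE = PDF_SAMPLE[:20] + b"\xff\x00\xfe" + PDF_SAMPLE[23:]
MARKER = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 2
_rng = random.Random(2016)
ENCRYPTED_A = MARKER + bytes(_rng.randrange(256) for _ in range(4096))
ENCRYPTED_B = MARKER + bytes(_rng.randrange(256) for _ in range(4096))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def has_pdf_strings(data: bytes) -> bool:
    """A damaged but unencrypted PDF still exposes its structural tokens."""
    return b"%PDF" in data[:1024] or b"endobj" in data

def common_prefix_len(a: bytes, b: bytes) -> int:
    """How many leading bytes two files share (the 'same bytes to start')."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(data: bytes) -> str:
    """Rough verdict; the entropy threshold is an assumption, not from the thread."""
    if has_pdf_strings(data):
        return "plaintext (possibly corrupted)"
    if shannon_entropy(data) > 7.5:
        return "likely encrypted"
    return "undetermined"

if __name__ == "__main__":
    for name, blob in [("pdf", PDF_SAMPLE), ("corrupted", CORRUPTED_SAMPLE), ("enc_a", ENCRYPTED_A)]:
        print(f"{name:10} entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
    print("shared leading bytes:", common_prefix_len(ENCRYPTED_A, ENCRYPTED_B))
```

A real run would read the suspect files from disk in place of the constructed blobs; a shared prefix across files of different original types alongside near-8.0 entropy is the pattern the post treats as a sign of encryption rather than corruption.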


#8 gt358w


Posted 12 August 2016 - 07:14 PM

Little clarification, this all originally happened in June 2014. And these are the same files from then. At the time he asked me about 1 ODS spreadsheet file that was on his desktop. I didn't know there were any other files encrypted. And that's all he knew wouldn't open. Something must have stopped it before it completed as it also never made any ransom info files.

Today he found a mortgage pdf in his my docs that wouldn't open and that's when I found the others along with the ODS file in the my docs (the one he showed me 2 years ago was on his desktop).

The computer is not infected now, this is not even the same computer from 2014. It just has his files I moved over. He needs access to the mortgage pdf, but I only uploaded non sensitive files for now.

Tony

Edited by gt358w, 12 August 2016 - 07:24 PM.
