

RSA Ransomware virus infection: help me


  • This topic is locked
4 replies to this topic

#1 Anton1965

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 13 August 2016 - 08:35 AM

Hi Guys,

 

I guess my PC has been infected with a ransomware virus.

 

Most of my files (.doc, .ppt, .xls, .pdf, .jpg) have been encrypted and got an additional extension .nzjzhjg. Removing the extension did not work.

I also found a message in the file !Decrypt-All-Files-nzjzhjg.txt with the text below in Dutch, explaining to me what to do to get my files back.

 

I traced back the date I got the "Trojan horse" to May 29. The virus was active between June 1 and June 3.

I remember receiving a "strange email" with a zip file. I thought I deleted it, but it got active anyhow.

 

In the meantime my antivirus software deleted the virus, I guess, since it is not active anymore.

 

 

I found the following traces on my PC on May 29:

 

  • BitRock installer installed a program
  • a lot of entries were created in the directory: c:\programdata\microsoft\Crypto\RSA\S_1-5-18

 

I tried decrypt_xorist.exe, but that did not work.

 

Any tips on what I could do to decrypt my files?

 

 

Thanks for the help

 

 

Your documents, photos, databases and other important files have been encrypted
with the strongest encryption and a unique key, generated for this computer.
 
The private decryption key is stored on a secret server and nobody can decrypt your
files until payment has been made and you receive the key.
 
If you see the main lock window, follow the instructions of the locker.
It looks like you or your antivirus program has removed the locker program.
Now you have the last chance to decrypt your files.
 
Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in the browser.
These are public gateways to the secret server.
 
If there are problems with the gateways, use a direct connection:
 
1. Download Tor Browser from http://torproject.org
 
2. In the Tor Browser open http://jssestaew3e7ao3q.onion/
   Note: This server is only available through the Tor Browser.
   Try again in 1 hour if the site is not reachable.
 
Copy and paste the following public key into the input form on the server.
J4E7M5Q-SISK2D3-652RBFN-V2DIR3M-J3SSJP6-NOQGPPG-7XSALSB-JM2FERX
YISOHG3-KTLJ42Q-VBC3LHP-E6QDSTC-6R3GUKS-JPWB3DM-SGRDAZQ-YVFEUP6
CCKS75L-X6UNFKD-TQLL23Q-FLUVOSJ-Y3JNTWR-E7GFDHV-G2PUNYH-W7GTNOA
 

Follow the instructions on the server.

 




 


#2 BendingElements

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:33 AM

Posted 13 August 2016 - 08:51 AM

I believe that it'd be better if you removed the virus rather than decrypting the files. If the virus made those changes, they could surely be reverted.
Edit: disregard my post. Pay attention to the post below mine!


Edited by BendingElements, 13 August 2016 - 10:32 AM.


#3 Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,479 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:33 PM

Posted 13 August 2016 - 09:26 AM

I believe that it'd be better if you removed the virus rather than decrypting the files. If the virus made those changes, they could surely be reverted.

 

Incorrect. Have you followed ransomware at all? Removing the virus does not decrypt the data at all; that is mostly the whole point of the extortion.

 

The first step is to identify the ransomware that hit. Based on the name of the ransom note and the matching extension, I would say this is CTB-Locker. If you upload a ransom note to the site in my signature, it will detect it as CTB-Locker.

 

I'm afraid there is no way to decrypt the files; you can only restore your data from a backup.

 

http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-ransomware-support-and-help-topic-decryptallfilestxt/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
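The identification step above rests on two artifacts the original poster already has: a ransom note named !Decrypt-All-Files-<ext>.txt and files carrying that same random appended extension. The script below is an added triage example, not code from the thread or from any of the tools linked in the signature; it assumes the CTB-Locker naming pattern shown on this page (seven-character extension repeated in the note name), builds a constructed sample directory mimicking the poster's description, locates the note, and inventories the encrypted files by their original type so a defender knows what to restore from backup.

```python
import os
import re
import tempfile
from collections import Counter

# Note name pattern taken from this thread: !Decrypt-All-Files-nzjzhjg.txt.
# The seven-character random extension is an assumption based on that name.
NOTE_RE = re.compile(r"^!Decrypt-All-Files-([a-z0-9]{7})\.txt$")


def find_ransom_note_ext(root):
    """Return the random extension named in the first ransom note under root, or None."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                return m.group(1)
    return None


def inventory_encrypted(root, ext):
    """Count encrypted files by their original extension and collect their paths."""
    counts = Counter()
    paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith("." + ext):
                original = name[: -(len(ext) + 1)]          # strip ".nzjzhjg"
                orig_ext = os.path.splitext(original)[1].lower() or "(none)"
                counts[orig_ext] += 1
                paths.append(os.path.join(dirpath, name))
    return counts, sorted(paths)


def build_sample_tree():
    """Constructed sample tree (not real victim data) matching the poster's description."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for name in ("report.doc.nzjzhjg", "budget.xls.nzjzhjg", "notes.txt"):
        open(os.path.join(root, "docs", name), "w").close()
    for name in ("holiday.jpg.nzjzhjg", "!Decrypt-All-Files-nzjzhjg.txt"):
        open(os.path.join(root, name), "w").close()
    return root


def triage(root):
    """Full triage: None if no matching note, else extension, counts by type, and paths."""
    ext = find_ransom_note_ext(root)
    if ext is None:
        return None
    counts, paths = inventory_encrypted(root, ext)
    return {"extension": ext, "by_type": dict(counts), "files": paths}
```

Running triage() over the sample tree reports extension nzjzhjg and three encrypted files (.doc, .xls, .jpg); the untouched notes.txt and the note itself are left out of the inventory.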


#4 BendingElements

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:33 AM

Posted 13 August 2016 - 10:20 AM

 

I believe that it'd be better if you removed the virus rather than decrypting the files. If the virus made those changes, they could surely be reverted.

 

Incorrect. Have you followed ransomware at all? Removing the virus does not decrypt the data at all; that is mostly the whole point of the extortion.

 

The first step is to identify the ransomware that hit. Based on the name of the ransom note and the matching extension, I would say this is CTB-Locker. If you upload a ransom note to the site in my signature, it will detect it as CTB-Locker.

 

I'm afraid there is no way to decrypt the files; you can only restore your data from a backup.

 

http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-ransomware-support-and-help-topic-decryptallfilestxt/

 

Excuse the misunderstanding.


Edited by BendingElements, 13 August 2016 - 10:30 AM.


#5 xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:33 AM

Posted 13 August 2016 - 01:50 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.
 
Thanks
The BC Staff


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




