Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


.crypted without admin

  • Please log in to reply
2 replies to this topic

#1 yelsew111


  • Members
  • 1 posts
  • Local time:09:27 PM

Posted 15 August 2016 - 04:19 PM

Hello everyone,


I have a user who felt it necessary to click on a suspicious email. He says it "did some javascript thing" on Friday the 12th. And today he notices all of his files in My Documents end in .crypted. I tried just changing the file name, but it didn't seem to like that. I went to the ID Ransomware website and it pointed me to "Decrypting Nemocod's .crypted ransomware". All is going great except my user can't find an unencrypted copy of his files.


My questions are:


1. The computer doesn't seem to have any of the tell tale signs detailed in the article of a ramsomware. I can't find any ransom note, the user says he never saw one, I don't see the files mentioned either. This machine has a current, corporate version of TrendMicro OfficeScan and it appears to have cleaned the virus from the machine but the files remain encrypted. Is that possible?


2. he does not have administrative rights to this machine...none of my users have admin. Is this able to run without admin rights?


Update: He did find a file and we were able to unencrypt his files.

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA
  • Local time:08:27 PM

Posted 15 August 2016 - 04:50 PM

Glad to hear you were able to decrypt the files.


To answer your questions:


1. When a virus is removed, this does not decrypt the data - these are two separate tasks. It's like if your car was on fire and the fire is put out; the damage is still done. It is possible the antivirus removed the ransom notes, or the malware glitched out and did not display the note for some reason.


2. You don't need administrative rights. Any ransomware will encrypt any and all files that that user has access to write to even without this prompt.


You need to seriously invest in backups. You were very lucky it was one that is easily decrypted, as not many are.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:27 PM

Posted 15 August 2016 - 06:07 PM

Most crypto malware (ransomware) typically will run under the security level of the user....it will run on non-admin accounts under the same privileges as the infected user and encrypt any files that are accessible to that user. If the user can write to a file then the ransomware will be able to encrypt it. Ransomware needs write-access to files it encrypts so it will not be able to encrypt files owned by another account without write-access while running as a non-admin account.

For the best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections, see my comments (Post #2) in this topic...Ransomware avoidance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users