
id-<#>-decryptfile@aol.com


3 replies to this topic

#1 vipavi2

Posted 02 September 2016 - 01:26 AM

Hi,

Need assistance with decryption of Office 2013 files that got encrypted by some ransomware.

I don't know the name of the ransomware and there is no ransomware ID for it (from what I've searched so far).

These Office files are very important to me and I don't have a backup.

In addition, I didn't see any ransom request on my computer.

Please advise how to get rid of this ransomware.

Thanks,
Vipavi2



#2 quietman7


Posted 02 September 2016 - 05:54 AM

Are there any obvious file extensions appended to or with your data files?

Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.xtbl extension appended to the end of the encrypted data filename (i.e. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl) and leave files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt.

Did you submit samples to ID Ransomware for assistance with identification and confirmation?

You can also submit samples of encrypted files, ransom notes, email and/or website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 vipavi2


Posted 02 September 2016 - 07:02 AM

Hi, thanks for your quick response.

Every original file has a 'shadow' file that starts with the original file name and adds this string to it: id-....40576..-decryptfile@aol.com.

ID Ransomware didn't recognize it. It says:

Please reference this case SHA1: 8bb194997fc9529b10454603bbbd5e62962b621b

I ran a search for the specific txt files but came up with nothing.
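
Added example (not part of the thread, and not code from BleepingComputer or ID Ransomware): a filename triage script built on the CrySiS naming pattern quoted in post #2 and the marker reported in post #3. The loose marker pattern, the label names and the sample listing are assumptions made for illustration; a match is a naming hint only, not an identification.

```python
import re

# Ransom note names listed in the thread for CrySiS (compared case-insensitively).
CRYSIS_NOTES = {"how to decrypt your data.txt", "how to decrypt your files.txt",
                "how to get data back.txt"}

# <original>.id-<id>.<email>.xtbl, e.g. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl
CRYSIS_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Za-z]+)\.(?P<email>[^@\s]+@[^@\s]+?)\.xtbl$",
    re.IGNORECASE)

# Assumption: looser marker "id-<id>" then "." or "-" then an e-mail address.
# "id-" must start the name or follow a separator; any trailing extension is
# captured together with the address.
MARKER_RE = re.compile(
    r"^(?P<original>.*?)(?:^|[.\-_ ])id-(?P<id>[0-9A-Za-z]+)[.\-]"
    r"(?P<email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)

def classify(filename):
    """Return (label, fields); label is 'crysis-note', 'crysis-xtbl',
    'id-email-marker' (unidentified family) or 'clean'."""
    name = filename.strip()
    if name.lower() in CRYSIS_NOTES:
        return "crysis-note", {}
    m = CRYSIS_RE.match(name)
    if m:
        return "crysis-xtbl", m.groupdict()
    m = MARKER_RE.match(name)
    if m:
        return "id-email-marker", m.groupdict()
    return "clean", {}

def triage(filenames):
    """Group file names by label so unidentified markers stand out."""
    report = {}
    for f in filenames:
        report.setdefault(classify(f)[0], []).append(f)
    return report

SAMPLE = [  # constructed directory listing
    "mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl",  # example name from post #2
    "How to decrypt your files.txt",
    "budget.xlsx.id-00000000-decryptfile@aol.com",  # constructed; ID and "." separator are placeholders
    "budget.xlsx",
]

if __name__ == "__main__":
    for label, names in triage(SAMPLE).items():
        print(label, names)
```

Names that land under `id-email-marker` carry an ID and contact address but do not fit the `.xtbl` template, which is the situation described in post #3.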



#4 quietman7


Posted 02 September 2016 - 07:08 AM

Demonslay335 will most likely read this topic later today and provide his assessment.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.



