
Just got infected with ransomware RSC-1024


  • This topic is locked
8 replies to this topic

#1 bubba123


Posted 07 September 2016 - 03:09 PM

Ran Malwarebytes then rebooted and opened a white text doc. Saying all your docs encrypted using RSA-1024 algorithm.

In 3 days I lose my files. Is it possible to remove this and decrypt my files? They seem to be all still there.

 

THX

 

 




 


#2 Demonslay335


Posted 07 September 2016 - 05:23 PM

The first step is to know what you are dealing with.

 

You may upload a ransom note and encrypted file to the website in my signature. It will attempt to identify what ransomware encrypted your files, and give you more information (including whether there is a known way of decrypting the files). Note that not all ransomware is decryptable.

 

If ID Ransomware cannot identify the ransomware based on the files you uploaded, you may post the Case SHA1 it gives, and I can manually inspect the files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 bubba123


Posted 08 September 2016 - 11:03 AM

says it is NEMUCOD



#4 Demonslay335


Posted 08 September 2016 - 11:15 AM

Then it will give you a link with instructions on how to decrypt your files using the Emsisoft decrypter. :) There is a dedicated support topic linked in the article as well if you have any trouble.




#5 cybercynic


Posted 08 September 2016 - 11:16 AM

What else does it say? Does it say the ransomware is decryptable? If it is, you can find decryption information in the Nemucod topic

 

http://www.bleepingcomputer.com/forums/t/608045/nemucod-ransomware-crypted-decrypttxt-support-help-topic/

 

Edit: DemonSlay beat me to it - follow his directions.


Edited by cybercynic, 08 September 2016 - 11:20 AM.

We are drowning in information - and starving for wisdom.


#6 bubba123


Posted 08 September 2016 - 03:03 PM

Yes it says it can be decrypted but I do not understand the instructions. They say put an encrypted version of the file (which I have) and a non-encrypted together (which I do not). All the files are encrypted so what do they mean? How would I have a non-encrypted version? They have all been encrypted.



#7 Demonslay335


Posted 08 September 2016 - 03:23 PM

Yes it says it can be decrypted but I do not understand the instructions. They say put an encrypted version of the file (which I have) and a non-encrypted together (which I do not). All the files are encrypted so what do they mean? How would I have a non-encrypted version? They have all been encrypted.

 

You have to acquire a clean copy of a file that was encrypted from a backup, an email you sent, something you downloaded from a website, etc. Sample Pictures work too (C:\Users\Public\Pictures\Sample Pictures) as they are standard on every system, and you can get a clean copy here: http://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip

 

As Fabian has said in the Nemucod topic:


Your mistake is to think we need the original file of every encrypted file you want to decrypt. In that case it obviously would be completely pointless to decrypt the files, since you have the originals backed up somewhere. What we need is just one encrypted and unencrypted file pair to determine the key that we can then apply to unlock all files, no matter whether you have the original or not. That file pair can be from everywhere really. Your browser cache is probably full with files that were downloaded from the internet that could be downloaded again. The sample pictures and wallpapers shipped with your version of Windows were probably encrypted as well and it is exceptionally easy to obtain the original version of that file from just another PC running the same version of Windows.

Trust me, you are not special. Even you have a file somewhere where you can get the original of. Just don't expect anyone here to search for you or hold your hand as you go find it. We can give pointers, but you will have to do the actual work.

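Why a single file pair is enough, shown as an added example that is not part of the thread and is not the Emsisoft decrypter's code. It assumes a simplified scheme in which the first `HEADER` bytes of every file are XORed with the same repeating key (the thread does not describe the actual cipher); all names and sample data are constructed.

```python
from itertools import cycle

HEADER = 2048  # assumption: only the first HEADER bytes of each file are XORed


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in cipher: repeating-key XOR over the file header."""
    head = bytes(b ^ k for b, k in zip(data[:HEADER], cycle(key)))
    return head + data[HEADER:]


def decrypt(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption reuses the same transform."""
    return toy_encrypt(data, key)


def recover_key(encrypted: bytes, original: bytes) -> bytes:
    """Derive the repeating key from one encrypted/clean pair of the same file."""
    if len(encrypted) != len(original):
        raise ValueError("pair mismatch: sizes differ, not the same file")
    if encrypted[HEADER:] != original[HEADER:]:
        raise ValueError("pair mismatch: untouched tails differ")
    # ciphertext XOR plaintext cancels the data and leaves the keystream.
    stream = bytes(e ^ o for e, o in zip(encrypted[:HEADER], original[:HEADER]))
    # The key is the shortest prefix that, repeated, reproduces the keystream.
    for n in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    raise ValueError("pair too short to see the key repeat")


def demo() -> bool:
    key = bytes(range(1, 256))                                 # unknown to the victim
    sample_pic = bytes((i * 7 + 3) % 256 for i in range(5000))  # clean copy exists
    report = b"Quarterly report " * 300                        # no clean copy exists
    enc_pic = toy_encrypt(sample_pic, key)
    enc_report = toy_encrypt(report, key)
    recovered = recover_key(enc_pic, sample_pic)  # key from the one known pair
    return decrypt(enc_report, recovered) == report  # unlocks the other file


if __name__ == "__main__":
    print("report recovered:", demo())
```

A pair that is too small never shows the key repeating, which is why `recover_key` rejects it instead of returning a partial key.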


#8 bubba123


Posted 08 September 2016 - 03:29 PM

Yes I figured it out. I was able to find 2 the same and one that did not get encrypted. It is running now. Thanks to you guys.



#9 quietman7


Posted 08 September 2016 - 04:14 PM

Glad to hear that and good luck.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
