
Ransomware turned all my photos to .8dbd file type


  • This topic is locked
6 replies to this topic

#1 Maverick1776

Maverick1776

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 18 October 2016 - 07:51 PM

Hello, I discovered an issue with ransomware on a friend's computer. The ransom URL has a headline that says Cerber.
But it's not a Cerber file type.
It targeted all the photos, changing the file type to .8DBD.
I tried changing the file type myself to .jpg or .png.
No luck. So it's definitely encrypted. But I have been searching the internet for hours, and literally cannot find anyone who has this file type. So all the known decrypters don't work.

The photos were moved to an external device, the PC was wiped out and reloaded. I tried countless things to try doing a recovery 1st, but it didn't work. It was also an XP machine.

Any help would be hugely appreciated.



#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,581 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:58 PM

Posted 18 October 2016 - 07:58 PM

The newest Cerber 4.0 renames files and uses a random, unique extension per victim. So yes, it IS Cerber. You can upload a ransom note and encrypted file to ID Ransomware for confirmation; it will pick up the special pattern that Cerber uses to rename the files. There is no way to decrypt the files.

Edited by Demonslay335, 18 October 2016 - 07:59 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
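
Whether files carrying an unfamiliar per-victim extension are merely renamed or actually encrypted can be checked without renaming anything, by looking at header bytes and byte entropy. The following is an added example, not part of any post in this thread; the function names, the 64 KiB sample size and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter, defaultdict

# Well-known leading bytes (file signatures) of common photo formats.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF8": "gif", b"BM": "bmp"}

def sniff(head: bytes):
    """Return the image type implied by the header bytes, or None."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, sample: int = 65536, threshold: float = 7.5):
    """Group files under root by extension and count, per extension,
    how many still have a recognisable image header and how many look
    like ciphertext (no known header and near-random bytes).
    sample and threshold are illustrative assumptions."""
    report = defaultdict(lambda: {"files": 0, "image_header": 0,
                                  "likely_encrypted": 0})
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read(sample)  # read-only; files are never modified
            row = report[ext]
            row["files"] += 1
            if sniff(data):
                row["image_header"] += 1
            elif entropy(data) >= threshold:
                row["likely_encrypted"] += 1
    return dict(report)

if __name__ == "__main__":
    import sys
    for ext, row in sorted(triage(sys.argv[1]).items()):
        print(ext or "(none)", row)
```

An extension shared by many files where every file lands in `likely_encrypted` and none in `image_header` is consistent with encryption rather than a simple rename; run it against a copy of the backed-up data.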


#3 Maverick1776

Maverick1776
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 18 October 2016 - 08:08 PM

Wow, that sucks. That's like 3 years of photos......
Wonder how tech shops are handling this issue.
Removing a virus is one thing, but unencrypting files is completely something else.

#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,581 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:58 PM

Posted 18 October 2016 - 08:12 PM

We simply tell our customers they should have had backups if they really cared about their data, there's really nothing else that can be said... You can try ShadowExplorer and Recuva, otherwise the data is completely lost if they don't want to pay the ransom (not recommended). You can always back up the encrypted data and hope for a solution in the future, you never know. Cerber 1 was broken, 2 was temporarily decryptable for one day, but since then they have fixed the flaws. There's never a guarantee that a solution will exist in the future.



#5 Maverick1776

Maverick1776
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 18 October 2016 - 08:26 PM

Thanks for the feedback. I have the files saved on a drive for now.
At some point I guess somebody will break it.
The importance of backups is huge. Unfortunately most people are too naive about this. Backup? Nah, it's just extra money I don't need to spend.

Now that I think about it, could I use a program like "get data back" and tell the program to look for files from 2 weeks ago?
Possibly could work, right?

#6 cybercynic

cybercynic

  • Members
  • 560 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:11:58 PM

Posted 18 October 2016 - 09:19 PM

That would be ShadowExplorer, and it would work provided Cerber hasn't deleted the Shadow Copies. Most ransomwares attempt to delete them, but SOMETIMES fail. However, if the computer was wiped, the Shadow copies are gone.


Edited by cybercynic, 18 October 2016 - 09:24 PM.

We are drowning in information - and starving for wisdom.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,954 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:58 PM

Posted 19 October 2016 - 08:17 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click



