I don't know how, but I got struck by a ransom attack. I do know when this happened. I was at a concert with my girlfriend (Alter Bridge, they rock) last Thursday and didn't sleep at home that night. Without me knowing, my PC was being encrypted overnight Thursday/Friday. I'm a wise guy, I have a virus scanner (AVG) and have Malwarebytes Anti-Malware installed too. This wasn't enough to stop this attack, it seemed. They feasted on my computer without any problems. But I'm not wise enough to make back-ups. Which I'll surely do from now on. I'm going to invest in some nice external terabyte drives, for real.
So I came home to find out I had a new wallpaper:
On my desktop and on the root of my freshly encrypted harddrives there are 11 readme *.txt files to be found.
(README1.TXT - README2.TXT - README3.TXT - README4.TXT - README5.TXT - README6.TXT - README7.TXT - README8.TXT - README9.TXT - README10.TXT)
All of them contain the same text:
[The note is given first in Russian, then in English; the English version follows.]
All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
F0485E0DF8E4AD546CAF|0
to e-mail address Novikov.Vavila@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways:
1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
It took me a few minutes to remove the virus. But now the real problem: decrypting my files back to the original, if possible (after that I'm going for a clean Windows install anyway, I'm not feeling safe on my machine at the moment).
But what I did find was a horror. Almost all of my files got encrypted. All of my private and some professional files are still here, but have a new, long, random name and can't be opened. The strangest thing is that all of the file extensions are changed to *.DA_VINCI_CODE. Here's a painful screenshot of one of my private folders with pictures that I made:
It didn't take me long online to find this website: https://id-ransomware.malwarehunterteam.com/
I uploaded my ransom note and an example of a file here and the site came to the following conclusion:
Troldesh
This ransomware may be decryptable under certain circumstances.
Please refer to the appropriate guide for more information.
- ransomnote_filename: README7.txt
- ransomnote_email: Novikov.Vavila@gmail.com
- sample_extension: .da_vinci_code
So I tried a lot of the decryptors, but none of them work. There even was a decryptor that asked for a file that was encrypted and for the same file that wasn't encrypted. So I plugged in one of my USB drives that contained a *.PNG file with a logo and looked this one up on my machine (I knew which folder it was in and compared file sizes). But yeah, this too didn't work. If you think you can get some information out of this, I uploaded both files here in a *.zip file: Link. (+url.png & 7gZEm8kGE5RodNwXm9Xdtw==.F0485E0DF8E4AD546CAF.da_vinci_code, 1.3MB)
There was one decryptor that gave me some hope: Kaspersky's rectordecryptor.exe. But I tried this four times. I've started the application, selected an infected/encrypted file, and after 45/60 minutes it does nothing. It 'Processed' somewhere around a million files (yeah, the first 750k go really fast, they are other files; it gets slower when working on the da_vinci_code files). But after that, nothing happens. Still 'Found: 0' and 'Decrypted: 0'.
Some people say I should try a Windows Restore Point. But I checked. I don't have any.
I've tried Shadow Explorer, but that one's clean. I don't see a thing.
I've been at this for days and still haven't got one file back. I'm asking you guys for help.
Paying the criminal is out of the question, I really would not like to reward this kind of scam, but I'm getting desperate and I would really like my files back. And as said earlier, when (IF) this blows over, I'm going to invest in back-up drives. But I'm starting to consider it, not even sure if they even give you some sort of key which should help me decrypt my files. But I'm really desperate.
Thank you in advance,
What hard-drives got encrypted?
My 2TB X:\ drive and my 2TB Z:\ drive. My 2TB D:\ drive was spared, just as my 120GB SSD C:\.
What did I lose?
EVERYTHING. All of my pictures made with my camera(s) over the past 10 years, all of my video clips, all of my camera recordings. Complete un-edited footage of projects that I shot (videoclips etc). For a more detailed list of all filetypes that got encrypted: http://totalsystemsecurity.com/remove-win32troldesh-ransomware-and-restore-da_vinci_code-files/
What do I still have?
Some video-game recordings for my YouTube channel, un-edited. All edited versions are gone. My After Effects project files, which should be quite unusable without my images, audio files, footage files, Illustrator files, etc. I still have every project I worked on for my studies (4 years in total), but that isn't that important, it's on a back-up drive.
Edited by Bartjaah, 14 November 2016 - 05:20 PM.
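For anyone triaging a machine hit like this, the post gives two things worth checking before running decryptors: the filename shape (base64 blob, then the 20-hex victim ID, then .da_vinci_code) and the ID quoted in the README notes. The script below is an added example, not from the post or any vendor tool; it inventories encrypted files per drive and confirms the ID in the note matches the one embedded in the filenames. The file paths and the one extra blob are constructed samples, only the first filename is the real one from the post.

```python
import base64
import re
from collections import Counter

# Encrypted file shape described in the post: <base64 blob>.<20-hex victim id>.da_vinci_code
ENC_NAME = re.compile(r"^(?P<blob>[A-Za-z0-9+/]+={0,2})\.(?P<vid>[0-9A-F]{20})\.da_vinci_code$", re.I)
NOTE_NAME = re.compile(r"^README\d+\.txt$", re.I)
NOTE_CODE = re.compile(r"send the following code:\s*([0-9A-F]+\|\d+)", re.I)
NOTE_MAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def parse_encrypted_name(name):
    """Return (victim_id, decoded blob length) when the name fits the pattern, else None."""
    m = ENC_NAME.match(name)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group("blob"), validate=True)  # reject junk that only looks base64
    except ValueError:
        return None
    return m.group("vid").upper(), len(blob)

def parse_note(text):
    """Pull the victim code and contact address out of a ransom note's English part."""
    code = NOTE_CODE.search(text)
    mail = NOTE_MAIL.search(text)
    return {"code": code.group(1) if code else None, "email": mail.group(0) if mail else None}

def triage(paths, note_text):
    """Count encrypted files per drive, collect victim IDs, and cross-check them against the note."""
    per_drive, ids, notes = Counter(), set(), 0
    for p in paths:
        folder, _, name = p.replace("/", "\\").rpartition("\\")
        if NOTE_NAME.match(name):
            notes += 1
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            per_drive[folder[:2].upper()] += 1
            ids.add(parsed[0])
    note = parse_note(note_text)
    note_id = note["code"].split("|")[0].upper() if note["code"] else None
    return {"per_drive": dict(per_drive), "victim_ids": sorted(ids), "notes": notes,
            "note_id_matches": bool(note_id) and note_id in ids, "email": note["email"]}

SAMPLE_PATHS = [  # constructed paths; only the first encrypted filename is the real one from the post
    r"X:\Pictures\7gZEm8kGE5RodNwXm9Xdtw==.F0485E0DF8E4AD546CAF.da_vinci_code",
    r"X:\README1.TXT",
    r"Z:\Video\AAAAAAAAAAAAAAAAAAAAAA==.F0485E0DF8E4AD546CAF.da_vinci_code",  # invented blob
    r"D:\Projects\intro.aep",       # untouched drive, untouched file
    r"Z:\notes.txt.da_vinci_code",  # renamed extension only, no victim id: not this pattern
]
SAMPLE_NOTE = ("All the important files on your computer were encrypted.\n"
               "To decrypt the files you should send the following code:\n"
               "F0485E0DF8E4AD546CAF|0\nto e-mail address Novikov.Vavila@gmail.com .")

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NOTE))
```

Run it against a real listing (for example the output of `dir /s /b X:\ Z:\`) to see which drives were touched and whether every encrypted file carries the same ID as the note, which is what an identification site needs.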