
Ransomware Attack


  • This topic is locked
2 replies to this topic

#1 Bartjaah

Bartjaah

  • Members
  • 9 posts

Posted 14 November 2016 - 05:05 PM

Hi guys,

 

I don't know how but I got struck by a ransom attack. I do know when this happened. I was at a concert with my girlfriend (Alter Bridge, they rock) last Thursday and didn't sleep home that night. Without me knowing my PC was being encrypted on Thursday/Friday overnight. I'm a wise guy, I have a virus scanner (AVG) and have Malwarebytes Anti-Malware installed too. This wasn't enough to stop this attack it seemed. They have feasted on my computer without any problems. But I'm not wise enough to make back-ups. Which I'll surely do from now on. I'm going to invest in some nice external terabyte drives, for real.

 

So I came home to find out I had a new wallpaper:

[screenshot: td1.jpg]

 

On my desktop and on the root of my freshly encrypted hard drives there are 11 readme *.txt files to be found.

(README1.TXT - README2.TXT - README3.TXT - README4.TXT - README5.TXT - README6.TXT - README7.TXT - README8.TXT - README9.TXT - README10.TXT)

All of them contain the same text:

 

 

Bашu файлы былu зaшuфровaны.

Чmoбы рaсшифровать ux, Bам нeoбxодимo omправumь код:
F0485E0DF8E4AD546CAF|0
нa элеkтpoнный aдрeс Novikov.Vavila@gmail.com .
Далeе вы noлучиmе все нeoбxодимыe инcтpуkцuи.
Поnытku pасшuфpoвamь сaмoстoятeльно нe nрuвeдyт ни k чeмy, кpoмe бeзвoзвpатнoй поmeрu инфopмацuи.
Еслu вы всё же xoтuте пoпытamься, тo nредвapuтельно сдeлaйme резервные konuи фaйлoв, иначe в слyчae
иx uзменения раcшuфрoвka cmанeт нeвoзмoжнoй нu при kаких условuях.
Если вы не nолyчили оmвema пo вышеykaзaнному aдpeсy в течениe 48 чacов (u moлько в этом cлучаe!),
воcnoльзуйmесь формой обpaтной cвязи. Это можнo cделamь двyмя сnocобами:
1) Cкачaйmе u yстанoвumе Tor Browser nо ссылкe: https://www.torproject.org/download/download-easy.html.en
B адpecнoй cтроkе Tor Browser-а ввeдumе адpeс:
и нaжмиmе Enter. 3arрузuтся сmраницa с формoй обpаmнoй cвязu.
2) B любом браузеpе nерейдиmе nо однoмy из адрeсoв:
 
 
All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
F0485E0DF8E4AD546CAF|0
to e-mail address Novikov.Vavila@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

 

It took me a few minutes to remove the virus. But now the real problem: decrypt my files back to original, if possible (after that I'm going for a clean Windows install anyway, I'm not feeling safe on my machine at the moment).

 

But what I did find was a horror. Almost all of my files got encrypted. All of my private and some professional files are still here, but have a new, long, random name and can't be opened. The strangest thing is that all of the file extensions are changed to *.DA_VINCI_CODE. Here's a painful screenshot of one of my private folders with pictures that I made:

[screenshot: 2r2rmg4.jpg]

 

It did not take me long online to find this website: https://id-ransomware.malwarehunterteam.com/

I uploaded my ransom note and an example of a file here and the site came to the following conclusion:

 

 

 

Troldesh
 This ransomware may be decryptable under certain circumstances.

Please refer to the appropriate guide for more information.

Identified by

  • ransomnote_filename: README7.txt
  • ransomnote_email: Novikov.Vavila@gmail.com
  • sample_extension: .da_vinci_code

 

Click here for more information about Troldesh

 

So I tried a lot of the decryptors, but none of them work. There even was a decryptor that asked for a file that was encrypted and for the same file that wasn't encrypted. So I plugged in one of my USB drives that contained a *.PNG file with a logo and looked this one up on my machine (I knew which folder it was in and compared file sizes). But yeah, this too didn't work. If you think you can get some information out of this, I uploaded both files here in a *.zip file: Link. (+url.png & 7gZEm8kGE5RodNwXm9Xdtw==.F0485E0DF8E4AD546CAF.da_vinci_code, 1.3MB)

 

There was one decryptor that gave me some hope: Kaspersky's rectordecryptor.exe. But I tried this four times. I've started the application, selected an infected/encrypted file and after 45/60 minutes it does nothing. It 'Processed' somewhere around a million files (yeah, the first 750k go really fast, they are other files; it gets slower when working on the da_vinci_code files). But after that, nothing happens. Still 'Found: 0' and 'Decrypted: 0'.

[screenshot: x6a68p.jpg]

 

Some people say I should try a Windows Restore Point. But I checked. I don't have any.
I've tried Shadow Explorer, but that one's clean. I don't see a thing.

 

I've been at this for days and still haven't got one file back. I'm asking you guys for help.

 

Paying the criminal is out of the question, I really would not like to reward this kind of scam, but I'm getting desperate and I would really like my files back. And as said earlier, when (IF) this blows over, I'm going to invest in back-up drives. But I'm starting to consider it, not even sure if they even give you some sort of key which should help me decrypt my files back. But I'm really desperate.

 

Thank you in advance,

Bart.

 

 

Additional info:

 

What hard-drives got encrypted?

My 2TB X:\ drive and my 2TB Z:\ drive. My 2TB D:\ drive was spared, just as my 120GB SSD C:\.

 

What did I lose?

EVERYTHING. All of my pictures made with my camera(s) over the past 10 years, all of my video clips, all of my camera recordings. Complete un-edited footage of projects that I shot (videoclips etc). For a more detailed list of all filetypes that got encrypted: http://totalsystemsecurity.com/remove-win32troldesh-ransomware-and-restore-da_vinci_code-files/

 

What do I still have?

Some video-game recordings for my YouTube channel, un-edited. All edited versions are gone. My After Effects project files, which should be quite unusable without my images, audio files, footage files, Illustrator files, etc. I still have every project I worked on for my studies (4 years in total), but that isn't that important, it's on a back-up drive.


Edited by Bartjaah, 14 November 2016 - 05:20 PM.



 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,590 posts
  • Gender:Male
  • Location:USA

Posted 14 November 2016 - 05:11 PM

As stated on ID Ransomware, decryption is only possible in some cases; for Troldesh/Shade, it is only particular extensions that Kaspersky's and Intel's tools support. The decrypter on the NoMoreRansom website you are looking for is the ShadeDecrypter. According to their website, they only support the extensions .xtbl, .ytbl, .breaking_bad, and .heisenberg. I'm afraid the .da_vinci_code may not be decryptable.

 

You can try Recuva and ShadowExplorer, might get lucky, but otherwise paying the ransom is your only option if you didn't have backups.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 November 2016 - 07:29 PM

Troldesh (Shade) leaves files (ransom notes) named README1.txt, README2...README10.txt and How to decrypt your files.txt.

Any files that are encrypted by some variants of Troldesh/Shade are completely renamed with the format Base64(AES_encrypt(original file name)) and will have the .better_call_saul, .da_vinci_code, .breaking_bad, .heisenberg, .<hex>.windows10 or .magic_software_syndicate extension appended to the end of the filename (i.e. +5GbFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.953CB76FB59D831A44A.da_vinci_code).

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
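The two replies above give a victim everything needed to take stock of the damage before touching a decrypter: the ransom note names (README1..README10.txt, How to decrypt your files.txt), the renamed-file format Base64(AES_encrypt(original name)).<hex id>.<extension>, the list of extensions Shade appends, and the four extensions ShadeDecrypter actually handles. The script below is an added example, not code from the thread, from ID Ransomware, or from any of the tools in the signatures. It walks a directory tree, recognises notes and renamed files by name, tallies extensions and key IDs, and reports how many files carry a ShadeDecrypter-supported extension. The extension lists and the two sample file names come from the posts; the check that the Base64 part decodes to whole 16-byte blocks is an assumption drawn from the word "AES", and the sample directory is constructed inline.

```python
# Inventory Troldesh/Shade-style renamed files and ransom notes (added example).
import base64
import binascii
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in quietman7's and Demonslay335's replies.
SHADE_EXTENSIONS = {
    ".better_call_saul", ".da_vinci_code", ".breaking_bad", ".heisenberg",
    ".windows10", ".magic_software_syndicate", ".xtbl", ".ytbl",
}
# Extensions Demonslay335 lists as handled by ShadeDecrypter.
SHADEDECRYPTER_SUPPORTED = {".xtbl", ".ytbl", ".breaking_bad", ".heisenberg"}

# <base64 name>.<hex key id>.<extension>; both Base64 alphabets are accepted
# because the two samples quoted in the thread mix '+' and '-'.
SHADE_NAME_RE = re.compile(
    r"^(?P<b64>[A-Za-z0-9+/_-]+={0,2})\.(?P<keyid>[0-9A-Fa-f]{8,})(?P<ext>\.[A-Za-z0-9_]+)$"
)
RANSOM_NOTE_RE = re.compile(r"^(README\d{1,2}\.txt|How to decrypt your files\.txt)$", re.I)


def classify_name(filename):
    """Return ("note", None), ("encrypted", info) or (None, None) for one file name."""
    if RANSOM_NOTE_RE.match(filename):
        return "note", None
    m = SHADE_NAME_RE.match(filename)
    if not m or m.group("ext").lower() not in SHADE_EXTENSIONS:
        return None, None
    # Normalise URL-safe characters, then insist on a valid Base64 payload.
    b64 = m.group("b64").replace("-", "+").replace("_", "/")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None, None
    ext = m.group("ext").lower()
    return "encrypted", {
        "keyid": m.group("keyid").upper(),
        "ext": ext,
        "cipher_len": len(blob),
        # Assumption: an AES-encrypted name decodes to whole 16-byte blocks.
        "block_aligned": len(blob) % 16 == 0,
        "supported_by_shadedecrypter": ext in SHADEDECRYPTER_SUPPORTED,
    }


def scan_tree(root):
    """Walk root and summarise files that look like Shade notes or renamed files."""
    summary = {"encrypted": [], "notes": [], "by_ext": Counter(), "key_ids": set(),
               "decryptable_ext_count": 0, "misaligned": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        kind, info = classify_name(path.name)
        if kind == "note":
            summary["notes"].append(path)
        elif kind == "encrypted":
            summary["encrypted"].append(path)
            summary["by_ext"][info["ext"]] += 1
            summary["key_ids"].add(info["keyid"])
            if info["supported_by_shadedecrypter"]:
                summary["decryptable_ext_count"] += 1
            if not info["block_aligned"]:
                summary["misaligned"].append(path)
    return summary


# Constructed sample names, modelled on the file names quoted in the thread.
SAMPLE_FILES = [
    "README1.txt", "README7.txt",
    "7gZEm8kGE5RodNwXm9Xdtw==.F0485E0DF8E4AD546CAF.da_vinci_code",
    "+5GbFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.953CB76FB59D831A44A.da_vinci_code",
    "7gZEm8kGE5RodNwXm9Xdtw==.F0485E0DF8E4AD546CAF.xtbl",
    "url.png", "holiday.2016.jpg",
]


def demo():
    """Build a throwaway tree from SAMPLE_FILES, scan it and return plain counts."""
    with tempfile.TemporaryDirectory() as tmp:
        pictures = Path(tmp) / "pictures"
        pictures.mkdir()
        for name in SAMPLE_FILES:
            (pictures / name).write_bytes(b"constructed placeholder content")
        summary = scan_tree(tmp)
    return {
        "encrypted": len(summary["encrypted"]),
        "notes": len(summary["notes"]),
        "by_ext": dict(summary["by_ext"]),
        "key_ids": sorted(summary["key_ids"]),
        "decryptable_ext_count": summary["decryptable_ext_count"],
        "misaligned": len(summary["misaligned"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real drive root instead of the sample tree, the summary answers the questions the replies raise before any tool is tried: which extensions are present (and whether any of them are on the ShadeDecrypter list), how many distinct key IDs appear, and where the notes sit. Nothing is modified or deleted; a name that matches the pattern but decodes to a non-block-aligned length is listed separately so it can be looked at by hand rather than assumed to be a Shade file.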



