Getting files back


  • This topic is locked
5 replies to this topic

#1 Noobattech

Noobattech

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 19 November 2016 - 08:59 AM

The attack happened more than a month ago, and left a bunch of ransom notes with exclamation marks at the end. The screen looked something like this, but the picture of the key looked a bit different, and it had one .ru and one India e-mail address. I managed to remove the threats with Malwarebytes - I think!

 

Original file and encrypted file.
 

 

I think the best option, for someone who hasn't backed up their files, is to try and have them decrypted. Any other ideas? There are some files in there that I really really can't afford to lose.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:36 PM

Posted 19 November 2016 - 06:11 PM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

The best solution for encrypted data is to restore from backups. Most ransomware infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
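The shadow-copy check quietman7 recommends above can be done from an elevated PowerShell prompt before reaching for recovery software. The script below is an added example and is not quietman7's code or a BleepingComputer tool; it assumes a Windows machine with the VSS service available and uses the standard Win32_ShadowCopy and Win32_Volume CIM classes (the same data vssadmin list shadows reports). The function name Test-SurvivingShadowCopies and the mount folder name are my own choices.

```powershell
# Added example: find out whether any Volume Shadow Copies survived the
# infection, and optionally expose one as a read-only folder for browsing.
# Run as Administrator. This only reads VSS state; it creates nothing on disk
# except, with -Mount, a directory symlink you can delete afterwards.
function Test-SurvivingShadowCopies {
    [CmdletBinding()]
    param(
        # When set, each surviving snapshot is linked under $MountRoot for browsing.
        [switch]$Mount,
        # Hypothetical default location for the symlinks; change to taste.
        [string]$MountRoot = "$env:SystemDrive\shadow_copies"
    )

    # Win32_ShadowCopy is the CIM class behind "vssadmin list shadows".
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

    if (-not $shadows) {
        Write-Host "No shadow copies present. The malware most likely deleted them;"
        Write-Host "fall back to backups or file-recovery tools (Recuva, PhotoRec, R-Studio)."
        return $null
    }

    # Map each snapshot's volume GUID back to a drive letter so the list is readable.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    $index = 0
    $report = foreach ($s in $shadows) {
        $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
        $letter = if ($vol -and $vol.DriveLetter) { $vol.DriveLetter } else { $s.VolumeName }

        $entry = [pscustomobject]@{
            Index     = $index
            Volume    = $letter
            Created   = $s.InstallDate          # CIM cmdlets return this as [datetime]
            Device    = $s.DeviceObject         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            MountPath = $null
        }

        if ($Mount) {
            if (-not (Test-Path $MountRoot)) { New-Item -ItemType Directory -Path $MountRoot | Out-Null }
            $link = Join-Path $MountRoot ("{0}_{1:yyyyMMdd_HHmm}" -f $letter.TrimEnd(':'), $s.InstallDate)
            # mklink needs the trailing backslash on the device path to treat it as a directory.
            if (-not (Test-Path $link)) {
                cmd.exe /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
            }
            $entry.MountPath = $link
        }

        $index++
        $entry
    }

    Write-Host ("{0} shadow copy/copies survived. Newest snapshot predating the attack is the one to browse." -f $report.Count)
    return $report
}

# Usage: list what survived, then mount for browsing with Explorer or robocopy.
Test-SurvivingShadowCopies | Format-Table -AutoSize
# Test-SurvivingShadowCopies -Mount
```

Pick a snapshot created before the ransom notes appeared; a snapshot taken after the attack will itself contain encrypted files. Copy the originals out with Explorer or robocopy rather than working inside the linked folder, and remove the symlinks (`Remove-Item` on the link, not the target) when done. Shadow Explorer does the same job with a GUI.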

#3 Noobattech

Noobattech
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 19 November 2016 - 07:12 PM

Thanks for the quick reply, quietman7! I tried Recuva to recover files, on a few different picture folders and on the Desktop and couldn't really find anything, but I'll give it a few more shots.

 

The ID ransomware case SHA1: 72a7dac150986d2ad54d0bfccad8154dbd83b285

 

Worth noting, I also tried the Kaspersky decryptors and none matched.

 

Don't know if it helps, but I uploaded a few more samples of files. And I also remember having some trouble removing a malicious file called tmp47F8.exe with Malwarebytes.

https://drive.google.com/open?id=0BzPbuAVrxkLCMHhwTmVIMmZ2Y0E


Edited by Noobattech, 19 November 2016 - 07:14 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:36 PM

Posted 19 November 2016 - 07:54 PM

Not a problem.

Please be patient until one of our crypto-malware experts has a chance to review the information you provided. Staff members & Security Colleagues are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. New and more devious file encrypting ransomware is released almost daily. It takes time for our volunteers to investigate, analyze and test decryption techniques before we can try to help members like yourself. Doing that means that we sacrifice speed of response for a quality response.

#5 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:36 PM

Posted 20 November 2016 - 06:49 AM

Hi Noobattech.

This ransomware is called PClock. You should get your help in this topic:
PClock CryptoLocker Ransomware Support and Discussion

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:36 PM

Posted 20 November 2016 - 07:55 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff