
HowDecrypt discovered on an inherited USB drive


6 replies to this topic

#1 Julesverne
  • Members
  • 82 posts

Posted 14 December 2016 - 04:07 PM

My cousin sent me a USB drive with family photos etc. on it. I scanned the drive before opening it, it scanned clean, but I couldn't open a single file. First I got messages that they were locked, then I was able to open them but saw only black screens. Then I spotted HowDecrypt files on the drive, inside a couple of folders... and now I know what it is. Yikes. My own files on my computer don't seem to be affected (yet...), but I'm this close to panic, since scanning (malwarebytes, mbam-chameleon, avast) picks up nothing, but there are the ransomware files sitting on the USB drive, plain as day. What should I do? I'm running Windows 10 64-bit.

 

Thanks so much for helping asap.

 

 



#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,595 posts
  • Location:Virginia, USA

Posted 14 December 2016 - 04:28 PM

CryptorBit is an older infection that created HowDecrypt.txt and HowDecrypt.gif files in every folder where a file was encrypted, with information on how to pay the ransom.

A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this topic: CryptorBit and HowDecrypt Information Guide and FAQ

The above FAQ contains screenshots of the ransom notes....do they look like that?

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button]

#3 Julesverne
  • Topic Starter
  • Members
  • 82 posts

Posted 15 December 2016 - 12:32 PM

"The above FAQ contains screenshots of the ransom notes....do they look like that?"

 

I open the encrypted files and get a black screen with a message that they can't be opened because of an incompatibility with Windows Photo Viewer. Inside the same folder(s) there are two separate HowDecrypt files. I opened one of them yesterday while I was trying to open many different files on the same USB drive. I don't recall whether there was a ransom note or not. I discovered the problem while trying to import data from Family Tree Maker to Roots Magic (two compatible genealogy programs). The Roots Magic program gave a message that the Family Tree Maker program wasn't valid. (It should have been valid). I went into the FTM files, found some media files and tried opening them, and one by one discovered everything was giving me a black screen. I opened one of the HowDecrypt files thinking it was part of the FTM program; I don't recall seeing a ransom note, but I decided it sounded fishy and looked it up here.

 

The one file I opened has a .gif extension. It doesn't seem to have moved from the USB drive (which I removed) to my computer; I just looked at it in Properties and got an Invalid File Path message.



#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,595 posts
  • Location:Virginia, USA

Posted 15 December 2016 - 02:13 PM

I would submit one of the HowDecrypt files and a sample of any encrypted file to ID Ransomware as noted above to see what the service identifies it as. There's not much we can do without knowing exactly what ransomware caused the infection. Even then there may not be a fix tool available.

#5 Julesverne
  • Topic Starter
  • Members
  • 82 posts

Posted 15 December 2016 - 02:57 PM

"I would submit one of the HowDecrypt files and a sample of any encrypted file to ID Ransomware as noted above to see what the service identifies it as. There's not much we can do without knowing exactly what ransomware caused the infection. Even then there may not be a fix tool available."

 

That makes sense, of course, but I have a question: does ransomware lie in wait, or would it be apparent if it's already infected my computer? Scanning my laptop has turned up nothing, but that no longer seems to mean much. I'll submit the files, but I'm terrified of attaching the infected USB drive to my computer again. Am I being overly paranoid, or can I attach it safely to my computer so long as I don't open any files?

 

Thanks for letting me know.



#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,595 posts
  • Location:Virginia, USA

Posted 15 December 2016 - 06:49 PM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware. If other malware was involved it could still be present on the original infected computer.
 
Since you are concerned only about the usb drive, you can perform scans with programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.



#7 Struppigel
    Karsten Hahn, G DATA Malware Analyst
  • Malware Response Team
  • 231 posts

Posted 16 December 2016 - 03:53 AM

"does ransomware lie in wait, or would it be apparent if it's already infected my computer? Scanning my laptop has turned up nothing, but that no longer seems to mean much. I'll submit the files, but I'm terrified of attaching the infected USB drive to my computer again. Am I being overly paranoid, or can I attach it safely to my computer so long as I don't open any files?"


quietman7 is correct that a lot of ransomware families delete themselves from a system after they have encrypted everything, and almost none of them spread malicious files via USB drives. However, a ransomware-infected system might have other malware on board that spreads to USB drives. Although it is unlikely, there is still a small possibility that the drive also got infected by your cousin's system.

But do you actually want to decrypt/recover files from that USB drive, or are you only concerned about a possible infection? If you aren't interested in file recovery, you may check your system in Virus, Trojan, Spyware, and Malware Removal Logs. Follow the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.

If you are interested in file recovery and want to follow quietman's suggestion to scan the USB drive, take into account that Malwarebytes and other malware scanners might delete the ransom notes from the drive. Identification of the ransomware is harder without those notes.
I personally would only use your cousin's computer to plug in the USB drive and recover those files because that system is already infected and no additional harm will be done inserting the USB drive.

Edited by Struppigel, 16 December 2016 - 04:00 AM.
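Two pieces of advice in this thread come down to the same practical step: quietman7's suggestion to submit the ransom notes together with encrypted files for identification, and Struppigel's warning that a scanner run over the drive may delete those notes. The script below is an added example, not code from this thread or from ID Ransomware, showing how to preserve that evidence first: it walks a drive, finds the HowDecrypt.txt / HowDecrypt.gif notes named in the thread, picks a couple of neighbouring files from each folder that holds a note (the ones most likely to be encrypted), copies everything to a separate evidence folder and writes a SHA-256 manifest. It only reads and copies bytes, it never opens a file with an application. The `build_demo_drive` layout, folder names and file contents are constructed for the demo; the note-name set is an assumption limited to the one family discussed here and would be extended for others.

```python
"""Preserve ransomware artifacts from a drive before any scanner touches it.

Added example (not code from this thread or from ID Ransomware): walks a
directory tree, locates ransom notes by file name, picks a couple of sibling
files from each folder that holds a note, copies everything into a separate
evidence folder and writes a SHA-256 manifest. Files are only read and copied,
never opened with an application or executed.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Note names for the CryptorBit / HowDecrypt family named in the thread
# (assumption: only this family). Other families use other names; add them
# here as identification proceeds.
RANSOM_NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.gif"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ransom_notes(root: Path) -> list[Path]:
    """All files under root whose (case-insensitive) name is a known note name."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in RANSOM_NOTE_NAMES)


def sample_encrypted_files(root: Path, per_folder: int = 2) -> list[Path]:
    """Up to per_folder non-note files from each folder that contains a note.

    Files sitting next to a ransom note are the ones most likely to be
    encrypted, which is what an identification service wants beside the note.
    """
    samples: list[Path] = []
    for folder in sorted({note.parent for note in find_ransom_notes(root)}):
        others = sorted(p for p in folder.iterdir()
                        if p.is_file() and p.name.lower() not in RANSOM_NOTE_NAMES)
        samples.extend(others[:per_folder])
    return samples


def preserve_evidence(root: Path, evidence_dir: Path) -> dict:
    """Copy notes and samples into evidence_dir; return the manifest written there."""
    manifest: dict = {"source": str(root), "notes": [], "samples": []}
    for kind, files in (("notes", find_ransom_notes(root)),
                        ("samples", sample_encrypted_files(root))):
        for src in files:
            rel = src.relative_to(root)
            dst = evidence_dir / kind / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for the timeline
            manifest[kind].append({"path": rel.as_posix(),
                                   "sha256": sha256_file(src),
                                   "size": src.stat().st_size})
    evidence_dir.mkdir(parents=True, exist_ok=True)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_demo_drive(root: Path) -> None:
    """Constructed stand-in for the USB drive in the thread (no real samples)."""
    for folder in ("Photos", "FTM/Media"):
        d = root / folder
        d.mkdir(parents=True)
        (d / "HowDecrypt.txt").write_text("constructed placeholder ransom note\n")
        (d / "HowDecrypt.gif").write_bytes(b"GIF89a" + bytes(16))
        for i in range(3):  # random bytes stand in for encrypted photos
            (d / f"IMG_{i}.jpg").write_bytes(os.urandom(64))


def run_demo() -> dict:
    """Build the demo drive in a temp dir, preserve it, and verify the copies."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, evidence = Path(tmp) / "usb", Path(tmp) / "evidence"
        build_demo_drive(drive)
        manifest = preserve_evidence(drive, evidence)
        for kind in ("notes", "samples"):
            for entry in manifest[kind]:
                copied = evidence / kind / entry["path"]
                if sha256_file(copied) != entry["sha256"]:
                    raise RuntimeError(f"copy of {entry['path']} does not match")
        return manifest


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real drive you would call `preserve_evidence(Path("E:/"), Path("C:/evidence/usb-2016-12"))` (paths are placeholders) before running Malwarebytes or any other scanner, and keep the manifest so that whatever the scanner later quarantines can still be matched by hash. The copies in the evidence folder are the same inert data as on the drive; as quietman7 notes, the encrypted files themselves contain no malicious code, and the script does nothing that would run anything either way.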




