

ransomware attack


This topic is locked
9 replies to this topic

#1 younasseven

  • Members
  • 6 posts

Posted 26 December 2016 - 09:33 AM

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 8e49801bcd670f354d3ebb13c4f99f5110fe80a7"

No tool was able to decrypt. Only a JPEG preview is shown after decryption.

 

Please help.

Regards

Hassan





#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 26 December 2016 - 09:49 AM

You'll need to upload a ransom note to identify. There is no recognizable hex pattern in the single file you uploaded, and there is no extension added, so I cannot identify anything by it.

 

If you don't have a ransom note, is there a background or something with an email address or way to contact the criminals?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 younasseven
  • Topic Starter
  • Members
  • 6 posts

Posted 26 December 2016 - 10:14 AM

Unfortunately, no.

 

I am not an IT expert. I belong to a lab experimental section. Therefore, I did not understand the problem.

I found the note on my screen and thought that it was an ordinary virus attack.

I deleted several programs and it did not disappear. My screen was red.

Then I reinstalled Windows. After that I realized that I was not able to open my files.

Now the only thing I have is the encrypted files.

If you can help with this, I would be grateful to you.



#4 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 26 December 2016 - 10:23 AM

Without a ransom note or any idea as to what contact info the criminal left, there is no way to identify what ransomware it was, and thus we cannot get more information for you. I'm afraid without backups, there's no way to recover the files. Re-installing Windows blindly was not a good idea, as you now cannot even try recovery software, since the sectors would be overwritten.

 

Since you mention a red screen, did it look like this at all? PClock is a common one that does not change the extension of the file. It is not decryptable.

 

[Image: PClock-1.png]




#5 younasseven
  • Topic Starter
  • Members
  • 6 posts

Posted 26 December 2016 - 10:33 AM

Yes.

The notice was almost like this.

The support e-mail in the yellow bar was different. The rest of the notice was almost the same. The required amount was $947.



#6 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 26 December 2016 - 10:41 AM

The newer variants of PClock are known to use the following email addresses. If you recognize any of these, then we can positively identify it as PClock for sure. Unfortunately, it is not decryptable.

 

http://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/

suppcop@india.com
suppcop@yandex.ru
suppteam01@india.com
suppteam01@yandex.ru
suppteam02@india.com
suppteam02@yandex.ru
suppteam03@india.com
suppteam03@yandex.ru
sysgop01@india.com
sysgop02@india.com

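Two of the identification checks Demonslay335 describes in this thread (whether an affected file still carries a recognizable header or marker that a service like ID Ransomware could key on, and whether a ransom note names a contact address belonging to a known family) can be reproduced offline for triage. The Python script below is an added example, not code from the thread, from ID Ransomware or from any other tool named here. The PClock addresses are exactly the ones listed in post #6; the file bytes, the ransom-note text, the entropy threshold and all function names are constructed for this example.

```python
"""Offline triage helpers for a suspected ransomware incident (added example).

Check 1: does a file still start with a known format header, or has its
content been replaced by high-entropy data with no marker to identify it by?
Check 2: does the ransom note contain a contact address from a known family?
"""
import hashlib
import math
import re
from collections import Counter

# Known PClock contact addresses, as listed in the thread; lower-cased for matching.
PCLOCK_CONTACTS = frozenset({
    "suppcop@india.com", "suppcop@yandex.ru",
    "suppteam01@india.com", "suppteam01@yandex.ru",
    "suppteam02@india.com", "suppteam02@yandex.ru",
    "suppteam03@india.com", "suppteam03@yandex.ru",
    "sysgop01@india.com", "sysgop02@india.com",
})

# Leading bytes of a few common formats. A file that matches none of these and
# shows near-maximal entropy looks encrypted rather than merely truncated.
MAGIC_BYTES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx/xlsx": b"PK\x03\x04",
    "gif": b"GIF8",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def identify_format(data: bytes):
    """Return the name of the format whose header the data starts with, or None."""
    for name, magic in MAGIC_BYTES.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum; encrypted or random data sits close to it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic (constructed threshold): no known header and entropy above threshold."""
    return identify_format(data) is None and shannon_entropy(data) > threshold


def find_known_contacts(note_text: str):
    """Extract e-mail addresses from a ransom note and return the known ones, sorted."""
    found = {m.lower() for m in EMAIL_RE.findall(note_text)}
    return sorted(found & PCLOCK_CONTACTS)


def _pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out = bytearray()
    block = b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a JPEG/JFIF header padded with zeros, and "encrypted"
# content that carries no header or marker at all.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 4086
ENCRYPTED_SAMPLE = _pseudo_random_bytes(4096)

# Constructed ransom-note text reusing the two addresses the original poster recognised.
NOTE_SAMPLE = (
    "Your files are encrypted. To get the key contact\n"
    "SysGop01@india.com or sysgop02@india.com within 72 hours."
)

if __name__ == "__main__":
    for label, sample in (("jpeg sample", JPEG_SAMPLE), ("unknown sample", ENCRYPTED_SAMPLE)):
        print(label, "header:", identify_format(sample),
              "entropy:", round(shannon_entropy(sample), 2),
              "looks encrypted:", looks_encrypted(sample))
    print("known contacts in note:", find_known_contacts(NOTE_SAMPLE))
```

The entropy check only says that a file's content is no longer the original format; it cannot say which ransomware produced it, which is exactly why the thread asks for the ransom note. Matching the note's contact addresses against a curated list is what narrows it to a family.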


#7 younasseven
  • Topic Starter
  • Members
  • 6 posts

Posted 26 December 2016 - 10:49 AM

I suspect it was sysgop01@india.com and sysgop02@india.com.

 

It means my data cannot be recovered?



#8 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,581 posts
  • Gender:Male
  • Location:USA

Posted 26 December 2016 - 10:51 AM

Correct. Check the article I linked for more information. If you did not properly back up your data before, then it is lost.

 

Use this as a lesson to back up the data you care about moving forward. I recommend a cloud backup such as Dropbox, CrashPlan, or Carbonite. All of them have very affordable plans, as low as $8/mo, and provide versioning to "roll back" data if it is overwritten in cases such as this. Honestly, if you care about your data and deem it important, you will keep it backed up.




#9 younasseven
  • Topic Starter
  • Members
  • 6 posts

Posted 26 December 2016 - 11:05 AM

The data was really important.

I had the backup. But unfortunately I use an external hard drive to save my backup, and I was updating my backup. My external hard drive was attached to the computer for transferring the data. My computer files were encrypted, as well as my files on the external hard drive.

 

Alas...

I have lost all my data...



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 December 2016 - 02:41 PM

In cases where there is no workable free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to back up/save your data as is and wait for a possible breakthrough. Meaning: although decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a potential solution, so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection, including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code, so they are safe. Even if a decryption tool is available, they do not always work correctly, so keeping a backup of the original encrypted files and related information is a good practice.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. When or if a solution is found, that information will be provided in that support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation image]



