Paid Ransom - Decryption Key NOT given


6 replies to this topic

#1 Innessa


Posted 12 January 2017 - 08:58 PM

I got the ransomware virus on computer. Found the ransom note on notepad stating we have 3 days or files will be lost. External backup drive was connected to computer so all that info was encrypted as well. After going through all options of removing - only option was left to pay ransom and hope they give the decryption key. It was a risk either way. Paid .77333 ($640 USD) before the 3 day deadline and nothing happened. They provided 5 websites in the ransom note to go to one after payment. 4 out of the 5 were bogus. The last one said "access denied. Waiting on payment...". It's not said that for 24 hours straight.

We paid and didn't get anything back. My advice - don't pay.

Unfortunately we lost all files/pics... everything. Heartbreaking.

The extension was .crypted - in case anyone came across it before.

If anyone has suggestions or another thing I can try, I would be grateful. I understand at this point it's a slim chance.





#2 Demonslay335


Posted 12 January 2017 - 09:40 PM

From the description, I'll bet you were hit with Nemucod... which is easily decryptable for free. Their threats about deleting files are just a ploy; nothing happens.

If your ransom note had 5 websites with "/counter" in the URL, it is Nemucod. If you had uploaded a ransom note and/or an encrypted file to ID Ransomware, it would have given you this info and saved you the money. :/

Use the Emsisoft decrypter for Nemucod. You just need an original version of one file that was encrypted in order to derive a key; it can be example pictures that come with Windows, something you downloaded before, something you emailed to someone, etc.

https://decrypter.emsisoft.com/nemucod

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
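
The identification check described in the post above, sketched as an added example that is not part of the original thread or of any tool it mentions. The function names, the sample note and the choice to match "counter" as a whole path segment are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the thread: five payment sites whose URL contains
# "/counter", and encrypted files renamed with a ".crypted" extension.
EXPECTED_SITES = 5
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def counter_hosts(note_text):
    """Return the distinct hosts in the note whose URL path has a 'counter' segment."""
    hosts = []
    for raw in URL_RE.findall(note_text):
        parts = urlsplit(raw.rstrip(".,;)"))
        # Assumption: treat "/counter" as a full path segment, not a substring.
        segments = [s.lower() for s in parts.path.split("/") if s]
        if "counter" in segments and parts.hostname and parts.hostname not in hosts:
            hosts.append(parts.hostname)
    return hosts


def triage(note_text, file_names):
    """Compare a ransom note and a file listing with the indicators from the thread."""
    hosts = counter_hosts(note_text)
    crypted = [n for n in file_names if n.lower().endswith(".crypted")]
    return {
        "counter_hosts": hosts,
        "crypted_files": crypted,
        # Heuristic only: confirm with ID Ransomware before acting on it.
        "matches_thread_description": len(hosts) == EXPECTED_SITES and bool(crypted),
    }


# Constructed sample note and file listing (not taken from a real incident).
SAMPLE_NOTE = "\n".join(
    ["ATTENTION! Your files are encrypted. After payment open one of:"]
    + [f"http://site{i}.example/counter/?id=CONSTRUCTED" for i in range(1, 6)]
    + ["Contact page: http://site1.example/help"]
)
SAMPLE_FILES = ["report.docx.crypted", "IMG_0001.jpg.crypted", "notes.txt"]

if __name__ == "__main__":
    print(triage(SAMPLE_NOTE, SAMPLE_FILES))
```
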


#3 Innessa


Posted 12 January 2017 - 10:07 PM

I uploaded the 2 files (original and encrypted) and running the program now. Wanted to make sure this sounds right - it's been going for a bit and has not moved from:

C:\...\Application Date\Adobe\Photoshop element8.0....etc. The ending goes from thumbnails, to background..etc and keeps repeating. Not looking at any other file.

Is this right?



#4 Demonslay335


Posted 12 January 2017 - 10:11 PM

It does take a little while to run through all files, especially in the AppData folder. I would let it run for a few hours, shouldn't take too terribly long.



#5 Innessa


Posted 12 January 2017 - 10:14 PM

Thank you. Will leave it be. Fingers and toes crossed. LOL. I don't even care about the money, just getting files back. Appreciate your help.



#6 Innessa


Posted 13 January 2017 - 06:36 AM

It finished scanning - says it was successful. I attempted to open files and it says it's not supported or corrupted. Suggestions?



#7 quietman7


Posted 13 January 2017 - 07:56 AM

Paid Ransom - Decryption Key NOT given

That is not uncommon.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money or threatened to expose data unless additional payment was made. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
