
Virus turn my document files into X files format (.b0C)


14 replies to this topic

#1 ranganafox

ranganafox

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 05 February 2017 - 09:47 AM

Guys,

 

I have mistakenly opened a .exe malware file and all my desktop documents are turned into a format called "F file" format. Now I am unable to open any file. The sizes of the files remain the same. The virus turned ".pdf files into .pdfb0C", ".docx files into .docxb0C" like that. Please help me to recover my files.

 

 

v4cwmp.jpg

Edited by Chris Cosgrove, 05 February 2017 - 12:01 PM.
Moved from 'General chat' to 'Ransomware help & support'



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,047 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:17 AM

Posted 05 February 2017 - 07:19 PM


Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:
2016-07-01_0936.png
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ranganafox

ranganafox
  • Topic Starter


Posted 05 February 2017 - 11:34 PM

Hello quietman7,

 

Thanks for the prompt reply, really appreciate it. And no, unfortunately, I have not found any ransom note. But I uploaded a sample of affected Word files to the ransomware site. Here is a sample of an affected Word file and a .pdf file for your reference.

1. WORD FILE: https://www.sendspace.com/file/by4ty5

2. PDF FILE: https://www.sendspace.com/file/u36e9l



#4 quietman7

quietman7


Posted 05 February 2017 - 11:37 PM

What information did ID Ransomware provide about your submissions?



#5 ranganafox

ranganafox

Posted 05 February 2017 - 11:39 PM

Furthermore, it is a file extension called "X files". All the Word, pdf, jpeg files turned into .X files. Please refer to the photo below.

 

 

Capture_5386.png



#6 ranganafox

ranganafox

Posted 05 February 2017 - 11:40 PM

Capture.jpeg



#7 ranganafox

ranganafox

Posted 05 February 2017 - 11:44 PM

I hope the above information is sufficient to understand the issue. I have very important Word and .pdf files to be recovered from this. Please help me.



#8 quietman7

quietman7


Posted 06 February 2017 - 07:36 AM


If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %Temp%\
  • %AllUserProfile%\
  • %UserProfile%\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\

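An added example, not part of the original posts and not BleepingComputer's tooling: a read-only Python sweep of the locations listed above that reports files carrying an executable (`MZ`) header and modified since a chosen time, with their SHA-256, so a suspect file can be picked out for submission. The function names, the depth limit and the seven-day window are assumptions of this sketch; modification times can be altered by malware, so an empty result is not proof of absence.

```python
import hashlib
import os

# Windows environment variables behind the locations listed in the post above.
LOCATION_VARS = ["SystemDrive", "SystemRoot", "TEMP", "ALLUSERSPROFILE",
                 "USERPROFILE", "APPDATA", "LOCALAPPDATA", "ProgramData"]

def default_roots():
    """Resolve the variables to directories; returns [] where none are set."""
    roots = []
    for var in LOCATION_VARS:
        value = os.environ.get(var)
        if value:
            roots.append(value + "\\" if var == "SystemDrive" else value)
    return roots

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def recent_pe_files(roots, since_epoch, max_depth=2):
    """Map path -> SHA-256 for files that start with 'MZ' and were modified
    at or after since_epoch, descending at most max_depth levels per root."""
    hits = {}
    for root in roots:
        base = root.rstrip(os.sep).count(os.sep)
        for dirpath, dirs, files in os.walk(root):
            if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth:
                dirs[:] = []  # stop descending below this level
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.stat(path).st_mtime < since_epoch:
                        continue
                    with open(path, "rb") as fh:
                        is_pe = fh.read(2) == b"MZ"  # header check, whatever the extension
                    if is_pe:
                        hits[path] = sha256_file(path)
                except OSError:
                    continue  # locked or unreadable file: skip, keep sweeping
    return hits

if __name__ == "__main__":
    import time
    week_ago = time.time() - 7 * 86400  # assumed window; set it to just before the infection
    for path, digest in sorted(recent_pe_files(default_roots(), week_ago).items()):
        print(digest, path)
```

Overlapping roots (for example `%AppData%` inside `%UserProfile%`) are reported once because results are keyed by path.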

#9 ranganafox

ranganafox

Posted 06 February 2017 - 07:59 AM

virus sample added



#10 ranganafox

ranganafox

Posted 06 February 2017 - 09:34 PM

https://www.hybrid-analysis.com/sample/f0c088b1084a809b0f6890d704ec28f6e91e4f18fc114ca0b05d58ae2a24f398?environmentId=100



#11 ranganafox

ranganafox

Posted 08 February 2017 - 10:03 AM

Hey Guys, I am not being pushy or anything but is there any development on my case? I lost very important documents here. I will definitely donate money for the site if my case gets resolved. Thanks in advance.  :bananas:  :bananas:  :bananas:  :bounce:  :bounce:



#12 quietman7

quietman7


Posted 08 February 2017 - 12:34 PM

After our experts have examined submitted files, they will reply in a support topic only if they can assist or need further information. If not, then the submitted files were not helpful.

#13 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:12:17 PM

Posted 09 February 2017 - 12:01 PM

It's a modified version of HT which on first look seems to be secure.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#14 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:17 AM

Posted 09 February 2017 - 12:15 PM

It's confirmed this is a secure variant. Afraid the only way we could decrypt your files is if you happened to have logged the network traffic from the malware at the time of infection - something not usually set up unless you are on an enterprise network.

 

You should have seen ransom note files named "Digisom Readme0.txt" through "Digisom Readme9.txt" on the desktop, asking you to go to digisom[.]pw and enter your hardware ID.

 

I'm afraid if you do not have backups, you can only get data back by paying the ransom. You could try ShadowExplorer and Recuva, some people get some luck with those. I don't see clearing of the Shadow Copies in the malware, so it's worth a try.

 

Also to note, it looks like the malware may try to block your internet access by creating a rule in your Windows Firewall.

 

There would have been a count-down timer displayed on your screen as well. It does start deleting files when the counter reaches 0.


Edited by Demonslay335, 09 February 2017 - 12:16 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
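An added example (not from the thread's participants or their tools): a read-only Python triage that scopes the damage using the indicators given in this thread, namely the `b0C` suffix appended to the original extension and the `Digisom Readme0.txt` to `Digisom Readme9.txt` note names, and checks whether each renamed file still starts with the signature of its original type. The category names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

SUFFIX = "b0C"  # marker appended to the original extension in this thread
NOTE_RE = re.compile(r"^Digisom Readme[0-9]\.txt$", re.IGNORECASE)  # note names quoted in the thread
# Leading bytes expected for the original file types (well-known file signatures).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def triage(root):
    """Classify files under root; read-only, nothing is renamed or modified."""
    found = {"notes": [], "header_overwritten": [], "header_intact": [], "unknown_type": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_RE.match(name):
                found["notes"].append(path)
            elif name.endswith(SUFFIX):
                ext = Path(name[: -len(SUFFIX)]).suffix.lower()  # "x.pdfb0C" -> ".pdf"
                magic = MAGIC.get(ext)
                if magic is None:
                    found["unknown_type"].append(path)
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(len(magic))
                key = "header_intact" if head == magic else "header_overwritten"
                found[key].append(path)
    return {k: sorted(v) for k, v in found.items()}

def build_sample(root):
    """Write a constructed test tree (not real victim data) under root."""
    files = {
        "Desktop/report.pdfb0C": b"\x8f\x13\xa7\x02\x55\xe1 constructed ciphertext",
        "Desktop/thesis.docxb0C": b"\x01\xfe\x99\x10 constructed ciphertext",
        "Desktop/scan.pdfb0C": b"%PDF-1.4 constructed, header still present",
        "Desktop/data.xyzb0C": b"\x00\x01 constructed",
        "Desktop/Digisom Readme0.txt": b"constructed placeholder note",
        "Desktop/todo.txt": b"untouched file",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for category, paths in triage(tmp).items():
            print(category, [os.path.basename(p) for p in paths])
```

Files under `header_intact` were renamed without their first bytes being overwritten and deserve a closer look before being written off. Run the triage against a copy or a read-only mount of the affected disk.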


#15 ranganafox

ranganafox

Posted 13 February 2017 - 04:43 AM

Nope, it infected only my desktop documents. There wasn't any countdown timer situated on my desktop at that time. I am using NOD32 antivirus and nothing more happened after that. And Internet connection is running smoothly without any hassle or dazzle. So what you are telling me is that my documents cannot be recovered?? Oh dang.  :clapping:  :clapping:  :clapping:





