
Ransomware encrypted files


  • This topic is locked
3 replies to this topic

#1 Maesro

  • Members
  • 2 posts

Posted 18 February 2017 - 02:51 PM

Hi, my PC got infected. All files with the extensions .doc and .xls had the additional extension .gsz0f added.

A .txt file was found with the following instructions:

"Your files are encrypted!  Read decrypting instructions on:

http://oat3viyjqoyqh3ck.onion.casa/

Please help me

My PC is a Windows 10.

ClamWin free antivirus found Win.Worm.Chir-2423 and CVE_2016_7196-1

Thanks


Edited by hamluis, 18 February 2017 - 04:22 PM.
Moved from MRL to Ransomware - Hamluis.



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts

Posted 18 February 2017 - 05:56 PM

More information is needed to determine specifically what infection you are dealing with since there are several different ransomware infections which append a random 4, 5, 6, 7, or 8 character extension to the end of all affected filenames (i.e. CTB-Locker, Crypt0L0cker, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Cerber v4x/v5x and some Xorist variants).

Are all the random extensions exactly the same or are they different? Did you find any ransom notes and if so, what is the actual name of the note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder (C:\ProgramData, C:\Documents and Settings\All Users\Application Data) for an image the malware typically uses for the background note or a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its name), the malware file itself or at least information related to the email address used by the cyber-criminals.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

According to Michael Gillespie (@demonslay335), the newest variant of Princess Locker uses notes named @_USE_TO_FIX_JJnY.txt and Tor: http://oat3viyjqoyqh3ck.onion/ ...see here.

Princess Locker appends a random 4-5 hexadecimal character extension.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Maesro
  • Topic Starter
  • Members
  • 2 posts
Posted 18 February 2017 - 09:29 PM

Thank you for your help.

The extension is not all lowercase. I made a typo in the extension.

The extension is .gsZ0f

All the encrypted files have the same extension.

The ransom note's file name is:

@_USE_TO_FIX_gsZ0f.txt

I followed your instructions and submitted my encrypted files and ransom note to ID Ransomware; the answer is PrincessLocker 2. But they still don't have any tool to decrypt PrincessLocker 2 files.

Sadly, I still don't know how to recover the original files.
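To show the identification step quietman7 describes above (the same appended extension on every file, a ransom note whose name carries that token, and a note dropped in each affected folder), here is an added triage script that is not from the thread or from ID Ransomware; the file listing is constructed, and the DATA_EXTS set and the 4-8 alphanumeric range are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
# Constructed sample listing (not from the thread); assumed to be a directory walk of the infected PC.
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\budget.xls.gsZ0f",
    r"C:\Users\victim\Documents\letter.doc.gsZ0f",
    r"C:\Users\victim\Documents\@_USE_TO_FIX_gsZ0f.txt",
    r"C:\Users\victim\Desktop\notes.doc.gsZ0f",
    r"C:\Users\victim\Desktop\@_USE_TO_FIX_gsZ0f.txt",
    r"C:\Users\victim\Music\song.mp3.gsZ0f",
    r"C:\Windows\System32\kernel32.dll",
]
DATA_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "mp3", "txt"}  # assumed set
APPENDED = re.compile(r"^[0-9A-Za-z]{4,8}$")          # random 4-8 character extension
NOTE = re.compile(r"^@_USE_TO_FIX_([0-9A-Za-z]+)\.txt$", re.I)  # note name seen in this thread

def classify(path):
    """('note', token), ('encrypted', appended_ext) or ('other', None) for one path."""
    name = PureWindowsPath(path).name
    m = NOTE.match(name)
    if m:
        return "note", m.group(1)
    parts = name.split(".")
    # original.ext.<appended>: the real data extension must sit just before the appended one
    if len(parts) >= 3 and parts[-2].lower() in DATA_EXTS and APPENDED.match(parts[-1]):
        return "encrypted", parts[-1]
    return "other", None

def triage(paths):
    """Summarise extensions and notes so the result can be compared with a known family."""
    ext_counts, note_tokens = Counter(), set()
    dirs_encrypted, dirs_with_note = set(), set()
    for p in paths:
        kind, value = classify(p)
        parent = str(PureWindowsPath(p).parent)
        if kind == "encrypted":
            ext_counts[value] += 1
            dirs_encrypted.add(parent)
        elif kind == "note":
            note_tokens.add(value)
            dirs_with_note.add(parent)
    return {
        "appended_extensions": dict(ext_counts),
        "note_tokens": note_tokens,
        "single_extension": len(ext_counts) == 1,       # same extension on every file?
        "note_matches_extension": note_tokens == set(ext_counts),  # note token == extension
        "affected_dirs_without_note": sorted(dirs_encrypted - dirs_with_note),
    }
```

The summary (extension, note name, per-folder note drop) is what to hand to ID Ransomware or compare against a family description; an affected folder without a note is worth a second look before assuming one family.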



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,287 posts

Posted 18 February 2017 - 09:56 PM

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try.

If that is not a viable option and there is no decryption fix tool, the only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff