A client of mine brought in a computer that has been infected with what appears to be the Philadelphia ransomware or something very close to it.
The computer is no longer functioning due to blown capacitors and a failing hard drive. I was able to image the drive and recover data from the image. I found a file in the client's desktop folder called LOCKED.txt which contains the following text:
All your files have been encrypted!
All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret key
that is now on our servers.
To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you.
What can I do?
Pay the ransom, in bitcoins, in the amount and wallet below. You can use LocalBitcoins.com to buy bitcoins. Email Us at email@example.com
Bitcoin Amount: 0.5
Wallet for Sending Bitcoins: 1FfrH3KokFDpg5TABBW8sySe6nM4mFTNvT
I downloaded the Emsisoft decrypter for Philadelphia. I had the client bring in some backed-up copies (not encrypted) of files that were encrypted so I could put them into the decrypter with the encrypted files. Each time I tried this, the decrypter came back with a message saying that it could not find an encryption key.
My questions for you, the community, are as follows:
1) Are the encrypted files the same size as the original file was before encryption?
2) Is this possibly a different type of ransomware?
3) Is the source computer required in order to decrypt the files, or can this be done from a 3rd-party computer?
Any help or advice you have would be greatly appreciated.