Help with decryption of client files

This topic is locked
5 replies to this topic

#1 FraserCorrance

  • Members
  • 4 posts
  • Gender:Male
  • Location:Seattle, WA

Posted 28 February 2017 - 12:32 PM

Hello all!

A client of mine brought in a computer that has been infected with what appears to be the Philadelphia ransomware or something very close to it.

The computer is no longer functioning due to blown capacitors and a failing hard drive. I was able to image the drive and recover data from the image. I found a file in the client's desktop folder called LOCKED.txt which contains the following text:

All your files have been encrypted!
 
All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret key 
that is now on our servers.
 
To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you.
 
What can I do?
 
Pay the ransom, in bitcoins, in the amount and wallet below. You can use LocalBitcoins.com to buy bitcoins. Email Us at  isellbtc@yandex.com
 
Bitcoin Amount: 0.5
Wallet for Sending Bitcoins: 1FfrH3KokFDpg5TABBW8sySe6nM4mFTNvT

I downloaded the Emsisoft decrypter for Philadelphia. I had the client bring in some backed-up copies (not encrypted) of files that were encrypted so I could put them into the decrypter with the encrypted files. Each time I tried this, the decrypter came back with a message saying that it could not find an encryption key.

My questions for you, the community, are as follows:

1)  Are the encrypted files the same size as the original file was before encryption?
2)  Is this possibly a different type of ransomware?
3)  Is the source computer required in order to decrypt the files, or can this be done from a 3rd-party computer?

Any help or advice you have would be greatly appreciated.

Thank You.

Fraser
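The first question above (whether the encrypted copy is the same size as the original) and the "could not find an encryption key" result both come down to whether the file pairs handed to a pair-based decrypter are actually a clean original and its encrypted counterpart. The following triage script is an added example for this thread; it is not Emsisoft's decrypter and not the poster's procedure. It pairs backup files with encrypted files by name, reports the size difference, and uses byte entropy to flag whether the "encrypted" copy really is ciphertext (a backup that was itself already encrypted, or a mismatched pair, is a common reason such tools report no key). The `.locked` suffix, the directory names and the sample bytes are constructed assumptions; substitute the extension your samples actually carry.

```python
"""Triage of original/encrypted file pairs before feeding them to a
ransomware decrypter. Added example for this thread, not Emsisoft's tool and
not the poster's own procedure; the ".locked" suffix and all sample bytes are
constructed assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext or compressed data,
    usually well below 6 for documents and plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def compare_pair(original: bytes, encrypted: bytes) -> dict:
    """What a pair-based decrypter cares about: how much the size changed
    (header, padding, appended metadata) and whether the copy is ciphertext."""
    enc_entropy = shannon_entropy(encrypted)
    return {
        "original_size": len(original),
        "encrypted_size": len(encrypted),
        "size_delta": len(encrypted) - len(original),
        "original_entropy": round(shannon_entropy(original), 2),
        "encrypted_entropy": round(enc_entropy, 2),
        # A low-entropy "encrypted" file is usually a wrong match or a
        # non-encrypted copy, and will never yield a key.
        "looks_encrypted": enc_entropy > 7.0,
    }


def pair_by_name(backup_names, encrypted_names, suffix=".locked"):
    """Match "report.docx" with "report.docx<suffix>". The suffix is an
    assumption: pass whatever extension the encrypted files actually carry."""
    encrypted = set(encrypted_names)
    return [(n, n + suffix) for n in backup_names if n + suffix in encrypted]


def triage_dirs(backup_dir: str, encrypted_dir: str, suffix=".locked") -> list:
    """Pair files across a backup directory and an encrypted directory and
    return (original name, comparison dict) for every match found."""
    pairs = pair_by_name(os.listdir(backup_dir), os.listdir(encrypted_dir), suffix)
    report = []
    for orig_name, enc_name in pairs:
        with open(os.path.join(backup_dir, orig_name), "rb") as f:
            original = f.read()
        with open(os.path.join(encrypted_dir, enc_name), "rb") as f:
            encrypted = f.read()
        report.append((orig_name, compare_pair(original, encrypted)))
    return report


# Constructed samples: a repetitive "document" and a deterministic
# high-entropy stand-in for its encrypted copy (120 bytes longer).
SAMPLE_ORIGINAL = b"Quarterly report\n" * 200  # 3400 bytes
SAMPLE_ENCRYPTED = b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(110)
)  # 3520 bytes


if __name__ == "__main__":
    # Stand-alone demo on temporary directories holding the constructed samples.
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as locked:
        with open(os.path.join(backup, "report.docx"), "wb") as f:
            f.write(SAMPLE_ORIGINAL)
        with open(os.path.join(locked, "report.docx.locked"), "wb") as f:
            f.write(SAMPLE_ENCRYPTED)
        for name, info in triage_dirs(backup, locked):
            print(name, info)
```

Run it against the two recovered directories (backup copies and encrypted copies); pairs whose `looks_encrypted` is false, or whose `size_delta` differs wildly from the other pairs, are the ones to set aside before trying a decrypter again.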



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 February 2017 - 03:55 PM


Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 FraserCorrance

  • Topic Starter
  • Members
  • 4 posts
  • Gender:Male
  • Location:Seattle, WA

Posted 28 February 2017 - 10:28 PM

Thanks for getting back to me so soon. :cowboy:

I submitted both the ransom note and an encrypted file at the same time and it came back with 3 possibilities: Stampado, Philadelphia, or Fantom. My client who brought this drive in said she saw a message saying that the infection was the Philadelphia ransomware. She went through the data that we backed up from the encrypted drive and matched up 3 files from a recent backup with their encrypted counterparts. I have put all 3 sets of files through the Philadelphia decrypter from Emsisoft and none of the sets were able to produce a decryption key.

I am wondering if I am doing something wrong, or should I have my client help me find more matching file sets to try and produce a key to decrypt the data?

Is it possible that this is some new sort of variant that the decrypter cannot work with?

Any suggestions or ideas you have would be welcome.

Fraser



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 March 2017 - 07:26 AM

Did you follow these instructions? How to use the Emsisoft Decrypter for Philadelphia

#5 FraserCorrance

  • Topic Starter
  • Members
  • 4 posts
  • Gender:Male
  • Location:Seattle, WA

Posted 01 March 2017 - 12:20 PM

Yes, I followed the instructions exactly. 



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 March 2017 - 01:36 PM


Since Philadelphia ransomware is essentially a new version of Stampado, if you have any questions or need assistance, you should ask for help in this support topic. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



