This week I had my managed Webroot software notify me that a client's PC had been infected. Upon inspection, it was clear they were hit with CRYPTOSHIELD ransomware.
I checked the network shares, and as expected, they were hit. We have good backups so I have no interest in decrypting the files that were hit. The problem I am having is that the files that have been encrypted cannot be deleted from the system!
Over the past couple of days, I've determined that the malware has done something odd to all the files... It's made symbolic links out of them, but with no target. Hence, any attempt to delete, move, rename, change attributes or look at file-level security fails.
Unlike what I have read about Cryptoshield 2.0, this (possibly new) variant has scrambled the file name and extension. I determined, though, that the scrambling is very basic, using the kind of letter substitution you might find in a kids' puzzle or code game. The same letter substitution code is found throughout all the files (so all .PDF files show as .CQS, .docx show as .QBPK, etc.). Basically A is substituted by N, B=O, C=P, D=Q, etc. Only letters are affected. Numbers and symbols are untouched. So while it is a pain to decrypt the file name, it is possible.
Here is an example of what all the encrypted files look like: FABJONETRE.ZFT.[R_SP@INDIA.COM].ID[2C3BB27C7ABB366E].CRYPTOSHIELD
When you try to delete, rename, move, copy, or do anything with any of the files, you get an error that the file cannot be found.
My main interest is getting rid of these files. I've restored the damaged files, so there is no loss. I just want to get rid of these!!
FWIW, I've tried various utilities to deal with symbolic link files, but none have worked for whatever reason.
Any help is appreciated. Thanks.
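The letter substitution described in the post (A to N, B to O, C to P, D to Q, only letters affected) is a shift of 13 places through the alphabet, which is its own inverse, so the same routine both scrambles and unscrambles a name. The following is an added example, not code from the original poster: it parses the filename layout shown in the post (scrambled name, contact address in brackets, victim ID in brackets, fixed suffix) and recovers the original name and extension, which is handy for matching each leftover file to its restored copy. The regular expression and the field names are this example's assumptions about the layout; it only decodes names and does not touch the file system.

```python
import re

# Assumed layout, taken from the example in the post:
#   <scrambled name>.<scrambled ext>.[<contact>].ID[<hex id>].CRYPTOSHIELD
# The group names are this example's own choice, not anything the malware defines.
CRYPTOSHIELD_RE = re.compile(
    r'^(?P<scrambled>.+?)\.\[(?P<contact>[^\]]+)\]\.ID\[(?P<victim_id>[0-9A-Fa-f]+)\]\.CRYPTOSHIELD$'
)


def unscramble(text):
    """Undo the substitution the post describes: each letter is shifted 13
    places (A->N, B->O, ...), case is preserved, digits and symbols pass
    through untouched. A shift of 13 is its own inverse, so calling this
    on an unscrambled name scrambles it again."""
    out = []
    for ch in text:
        if 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - ord('A') + 13) % 26 + ord('A')))
        elif 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - ord('a') + 13) % 26 + ord('a')))
        else:
            out.append(ch)
    return ''.join(out)


def parse_cryptoshield_name(name):
    """Split a renamed file into its parts and decode the original name.
    Returns None for names that do not follow the assumed layout."""
    m = CRYPTOSHIELD_RE.match(name)
    if not m:
        return None
    return {
        'original_name': unscramble(m.group('scrambled')),
        'contact': m.group('contact'),
        'victim_id': m.group('victim_id'),
    }


def decode_listing(names):
    """Map each renamed file in a directory listing to its decoded original
    name, skipping entries that are not in the renamed form. Feed it the
    output of os.listdir() on an affected share to get a dry-run rename map."""
    mapping = {}
    for name in names:
        parsed = parse_cryptoshield_name(name)
        if parsed is not None:
            mapping[name] = parsed['original_name']
    return mapping


if __name__ == '__main__':
    # Constructed sample listing: the post's example plus two invented
    # entries in the same layout and one untouched file.
    sample = [
        'FABJONETRE.ZFT.[R_SP@INDIA.COM].ID[2C3BB27C7ABB366E].CRYPTOSHIELD',
        'Ohqtrg_2017.kyfk.[R_SP@INDIA.COM].ID[2C3BB27C7ABB366E].CRYPTOSHIELD',
        'Zrrgvat abgrf.qbpk.[R_SP@INDIA.COM].ID[2C3BB27C7ABB366E].CRYPTOSHIELD',
        'README.txt',
    ]
    for scrambled, original in decode_listing(sample).items():
        print(f'{scrambled}\n    -> {original}')
```

The decoder prints "SNOWBARGER.MSG" for the post's example and "Budget_2017.xlsx" and "Meeting notes.docx" for the constructed ones; digits, the underscore and the space survive unchanged, as the post observes. Because the shift is self-inverse, `unscramble('PDF')` gives `'CQS'` and `unscramble('CQS')` gives `'PDF'`, which matches the extensions listed in the post.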