
Which ransomware? Need help


6 replies to this topic

#1 Taznat

Posted 02 July 2017 - 03:16 AM

Hello everyone,

(Sorry, I do not speak good English.)
My PC was infected in late 2014 - early 2015. When I saw the ransom message, I panicked and turned off my computer. Unfortunately, my external hard drive (DDE) was plugged in at that time. I have lost all my documents (docx, odt, xls, .jpeg, .mp4 ...).
I contacted an IT team to remove the ransomware. They did it. But they told me they had not found the ransomware .txt file. So I don't have this text file, and I do not know what ransomware infected my PC. I can hardly remember the logo of the ransomware's message.
I was so sad and furious about losing my family photos that at the beginning of the year I contacted Kaspersky. I had to send them several infected/uninfected files (fortunately, I had some duplicate photos on a USB stick). But they were not able to determine which ransomware it was: they told me that the encryption mode was very powerful.
Then I discovered "No More Ransom". I tried all the decryption software. I tried again recently, because I know that keys are discovered from time to time.
But many of these programs require the text file of the ransomware, and the others get stuck when analyzing my encrypted files.

I've tried your ID Ransomware, but unfortunately it doesn't work.
I cannot rationally tell myself that I have no hope of finding my lost files. There must be someone on this earth who can help me.
You will surely not be my last hope, but for now, you may be my only hope of finding my family photos.
Thank you for your advice.
Nat


Edited by Taznat, 02 July 2017 - 03:22 AM.



#2 quietman7 (Global Moderator)
Posted 02 July 2017 - 06:59 AM

The best way to identify the different ransomware families is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment, and the malware file responsible for the infection.

Without any of the above information, our crypto malware experts will most likely need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Taznat (Topic Starter)
Posted 02 July 2017 - 07:16 AM

Hello Quietman,

Thank you very much for your advice. It seems that the only way to try something is to report the SHA from one of the corrupt files.

Here it is: Please reference this case SHA1: 91e1cba222245177563b48d461a5934aa73707e

I have many files; this is just one of them, a .doc file.

I hope that I have correctly understood your response.

See you soon.

Nat



#4 quietman7 (Global Moderator)
Posted 02 July 2017 - 07:22 AM

Demonslay335 will check it out when he gets a chance and advise accordingly.

#5 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 02 July 2017 - 11:38 AM

The SHA1 you posted was truncated, so I had to make some guesses to pull up what I believe are your case files. I've correlated the local time on your profile with the country where the files were uploaded, so I'm pretty sure I have the right files.

Assuming I pulled up the correct case, I don't see any kind of pattern or file marker. I don't believe it is CryptoWall 3.0 or 4.0, which were prevalent around that time, as the first 16 bytes are not the same in each file (that would be the IV they stored, I believe). I'm not as familiar with the file structure of the prior versions of CryptoWall and whether they had a similar pattern; you can really only tell those apart by their ransom note contents.

I'm afraid there won't be any way to identify it without a ransom note or the malware. I can only guess that the files were encrypted by a block cipher, based on entropy and file size divisor; AES is usually the most common algorithm amongst ransomware.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
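The checks the two replies above lean on, a shared file marker at the start of every file, first 16 bytes that differ per file as a stored IV would, near-maximal entropy, and file sizes that are all multiples of the cipher block size, can be scripted so a victim or analyst can run them over a folder of encrypted files before asking for manual inspection. The Python below is an added example written for this page; it is not code from the thread, from ID Ransomware, or from any tool in the signature above. The sample "files" are constructed byte strings produced from a fixed seed, the `MARK0001` header is a made-up marker used only to show what a family marker would look like, and the 7.5 bits/byte entropy threshold is my own choice. The script can say whether data looks like padded block-cipher output and whether a fixed header is present; it cannot name a family, which is exactly the limitation Demonslay335 describes.

```python
import math
import random
from collections import Counter
from typing import Optional

# Block sizes worth testing: AES uses 16-byte blocks, DES/3DES/Blowfish use 8.
BLOCK_SIZES = (16, 8)
# Random-looking data scores close to 8.0 bits/byte; text sits around 4-5. Threshold is my choice.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def common_prefix_len(blobs) -> int:
    """Number of leading bytes identical in every blob; a fixed family marker shows up as a non-zero value."""
    if not blobs:
        return 0
    shortest = min(len(b) for b in blobs)
    i = 0
    while i < shortest and all(b[i] == blobs[0][i] for b in blobs):
        i += 1
    return i


def size_divisor(sizes) -> Optional[int]:
    """Largest candidate block size dividing every file size (padded CBC/ECB output has this property)."""
    for bs in BLOCK_SIZES:
        if all(n % bs == 0 for n in sizes):
            return bs
    return None


def heads_all_distinct(blobs, n: int = 16) -> bool:
    """True when the first n bytes differ between every pair of files, as a per-file stored IV would."""
    heads = [bytes(b[:n]) for b in blobs]
    return len(set(heads)) == len(heads)


def triage(blobs) -> dict:
    """Summarise what can be said about a set of encrypted files without a ransom note or a sample."""
    entropies = [shannon_entropy(b) for b in blobs]
    divisor = size_divisor([len(b) for b in blobs])
    return {
        "min_entropy": round(min(entropies), 3),
        "common_prefix": common_prefix_len(blobs),
        "heads_distinct": heads_all_distinct(blobs),
        "size_divisor": divisor,
        # High entropy plus sizes all divisible by a block size is the "block cipher" guess from the thread.
        "looks_like_block_cipher": min(entropies) > ENTROPY_THRESHOLD and divisor is not None,
    }


# --- constructed samples (not real case files) ---
_rng = random.Random(2017)  # fixed seed so the output is reproducible


def _fake_ciphertext(n: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(n))


# Case like the one in the thread: no marker, differing heads, sizes that are multiples of 16.
# The leading byte is forced to differ per file so the constructed set is unambiguous.
SAMPLE_NO_MARKER = [bytes([0x10 * i]) + _fake_ciphertext(n - 1)
                    for i, n in enumerate((1024, 2064, 4096), 1)]
# Hypothetical family that prepends a fixed 8-byte header; the ninth byte is forced to differ.
SAMPLE_WITH_MARKER = [b"MARK0001" + bytes([i]) + _fake_ciphertext(n - 9)
                      for i, n in enumerate((1024, 2064, 4096), 1)]
# Unencrypted text for comparison; 1845 bytes is not a multiple of 8 or 16.
SAMPLE_PLAINTEXT = [b"The quick brown fox jumps over the lazy dog. " * 41]

if __name__ == "__main__":
    for name, blobs in (("no marker", SAMPLE_NO_MARKER),
                        ("with marker", SAMPLE_WITH_MARKER),
                        ("plaintext", SAMPLE_PLAINTEXT)):
        print(f"{name:12s} {triage(blobs)}")
```

To use it on real files, read each one with `open(path, "rb").read()` and pass the list to `triage`. A `common_prefix` of zero with `heads_distinct` true and `size_divisor` of 16 is the picture Demonslay335 reports for this case; a non-zero `common_prefix` is worth quoting in a reply, since a fixed header is often how a family is recognised without a note. A stream-cipher or CTR-mode encryptor leaves file sizes unchanged, so `size_divisor` can be `None` even for genuine ciphertext.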


#6 Taznat (Topic Starter)

Posted 02 July 2017 - 03:41 PM

Hello Demonslay335,

Thank you very much for looking and for your interest.

As for the ransom note, there is no way to consider this: if it existed, it has been definitively deleted by the IT team that repaired my PC, but they told me they had found nothing.

But one strange thing: in the confusion of characters and syntax of an encrypted doc that I had opened (but which one? I do not remember), maybe I had made out some sort of words related to the payment of the ransom ... Is it possible, or did I hallucinate? I could open them all to search for something.
I understood your message, which does not leave much hope :-) But since there is a computational, mathematical calculation that has encrypted my files, then there is a solution. One day, when technology is more advanced, I could surely open these files again in no time. I do not despair.

Thank you for your time.
Nat


Edited by Taznat, 02 July 2017 - 03:47 PM.


#7 quietman7 (Global Moderator)
Posted 02 July 2017 - 03:48 PM

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots. In some cases the use of file recovery software such as R-Studio or PhotoRec may be helpful to recover some of your original files, but there is no guarantee that will work either...however, it never hurts to try.

In cases where that is not a viable option and there is no free decryption tool, the only other alternative to paying the ransom is to back up/save your encrypted data as is and wait for a possible breakthrough...meaning that, while decryption of your data seems impossible at the moment, there is always hope that someday there may be a solution.

Imaging the drive backs up everything related to the infection, including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code, so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers, so keeping a backup of the original encrypted files and related information is a good practice.