
Ransomware - No ID - No Letter - Files Appear Normal But Don't Open


6 replies to this topic

#1 CromCruach

Posted 27 July 2017 - 12:30 PM

Can anyone help me identify the type of ransomware that attacked my system so I can try to recover some of the files?

The system was hit when nobody was around to receive the note, if there was one. All the files that were affected have the same date stamp, but there is no modification to the file extension or file name. When you try to open the file, it says the file cannot be opened because it is corrupt or parts are missing.

I tried the ID Ransomware website I saw in some of the other posts and it came out negative. I also tried the Trend Micro decryptor, also unsuccessful.

Just looking for any suggestions or help.

Thanks in Advance!




 


#2 Demonslay335


Posted 27 July 2017 - 01:46 PM

If ID Ransomware could not identify it, you need to provide the case SHA1 it gives you for us to manually inspect the files.

 

Blindly throwing a decrypter at files without knowing which ransomware it is can be very dangerous, and may only further corrupt files.




#3 xXToffeeXx


Posted 27 July 2017 - 03:22 PM

If there's no note and no added file extension, can you try checking your security product's quarantine, if you run one? It may have detected it mid encrypting. 

 



#4 CromCruach


Posted 27 July 2017 - 04:08 PM

Okay, so where do I find the algorithm (SHA1)? 

I will check the security quarantine, but if I recall I don't think we were able to find anything previously. What sucks is that the two people that have access were both on vacation for a week so by the time it was discovered the program had ample time to run its course. 



#5 quietman7


Posted 27 July 2017 - 04:47 PM

The Case SHA1 is an identifier ID Ransomware gives you so that I can match your case in my web panel. It's a SHA1 hash of the actual case number (randomly generated for each upload), so you can provide that to me without allowing people to guess your case or try to grab files from the server (permissions deny it anyways, but it's just another layer of security).


#6 CromCruach


Posted 27 July 2017 - 04:53 PM

Please reference this case SHA1: 3e53c8e26ce4b2a63b693cb84c920efc016e9c47



#7 CromCruach


Posted 27 July 2017 - 04:55 PM

This one as well - Word version (last one was a PDF) - Please reference this case SHA1: ddfd0c46b6a2aab3c022e0bfb712fc236b0de8ec
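
The symptom described in this thread (file names and extensions unchanged, files that refuse to open, one shared date stamp) can be scoped by comparing each file's leading bytes with the signature its extension implies and measuring how random those bytes look. This is an added example, not part of the original thread or any tool mentioned in it; the signature table, the 4096-byte sample size and the 7.5 entropy threshold are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Well-known leading bytes for common document types.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".doc": b"\xd0\xcf\x11\xe0", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
HEAD = 4096  # bytes sampled from the start of each file (assumed sample size)

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name, head):
    """Return 'ok', 'suspect', 'damaged' or 'unknown' for a name and its first bytes."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is None:
        return "unknown"
    if head.startswith(magic):
        return "ok"
    # Wrong signature: near-random bytes suggest encryption, low entropy
    # suggests truncation or zero-fill. 7.5 is an assumed threshold.
    return "suspect" if entropy(head) > 7.5 else "damaged"

def scan(root):
    """Return (suspect paths, Counter of their modification times by minute)."""
    suspects, stamps = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD)
                minute = int(os.path.getmtime(path) // 60)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if classify(name, head) == "suspect":
                suspects.append(path)
                stamps[minute] += 1
    return suspects, stamps

if __name__ == "__main__":
    found, when = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(found), "suspect files; busiest minutes:", when.most_common(3))
```

The scan only reads files, so it is safe to run against a copy or a read-only mount of the affected share. A file whose first 4096 bytes were left intact would be reported as "ok" even if later regions were altered.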





