Wanna cry decryption after removal


2 replies to this topic

#1 mernarezk


  • Members
  • 1 posts
  • Local time:07:04 AM

Posted 18 October 2017 - 12:15 PM

Hi,

I am kind of new to this forum. I was hit by ransomware last April and I tried many times to identify its type, but the files are decrypted with no change in extension and there is nothing about the ransomware from which I could tell if it's WannaCry. Anyway, I removed the ransomware a long time ago and formatted the whole hard disk but got a copy of the encrypted files. Is there any way possible ever to decrypt these files after the ransomware has been removed?





#2 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,479 posts
  • Gender:Male
  • Location:USA
  • Local time:12:04 AM

Posted 18 October 2017 - 02:52 PM

Removing ransomware has nothing to do with decryption of files.

 

If ID Ransomware does not detect a filemarker or pattern in the encrypted file, then it will be impossible to identify the ransomware family without a ransom note or the malware itself. There are several ransomware that do not change the extension or leave a filemarker.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:04 AM

Posted 18 October 2017 - 04:14 PM

Any files that are encrypted with WannaCry (WCry, WNCry, WanaCrypt0r) Ransomware will have the .wcry, .wcry + .WCRYT for temp (2nd variant) or .wncry + .WNCRYT for temp (3rd variant) extension appended to the end of the encrypted data filename. Since your encrypted files have no appended extension, you are not dealing with that particular ransomware.

The best way to identify the different ransomwares that do not append an extension is the ransom note (including its name), samples of the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

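The triage described in the replies above, as an added example that is not code from any of the posters or from ID Ransomware: it labels files by the WannaCry extensions quoted in post #3 and, for files with no appended extension, looks for a leading byte sequence shared across samples as a candidate file marker. The `MARKER01` bytes, the sample contents, and the `header_len` and `min_marker` thresholds are constructed assumptions, not values from any real ransomware family.

```python
import hashlib
import os

# Extensions listed in the reply above (compared case-insensitively).
WANNACRY_EXTS = {
    ".wcry": "WannaCry (.wcry)",
    ".wcryt": "WannaCry 2nd variant temp file (.WCRYT)",
    ".wncry": "WannaCry 3rd variant (.wncry)",
    ".wncryt": "WannaCry 3rd variant temp file (.WNCRYT)",
}

def classify_name(name):
    """Return the WannaCry label for an appended extension, or None."""
    return WANNACRY_EXTS.get(os.path.splitext(name)[1].lower())

def common_prefix(headers):
    """Longest byte prefix shared by every header in the list."""
    if not headers:
        return b""
    lo, hi = min(headers), max(headers)  # extremes bound every other item
    n = 0
    while n < min(len(lo), len(hi)) and lo[n] == hi[n]:
        n += 1
    return lo[:n]

def triage(samples, header_len=16, min_marker=4):
    """samples maps filename -> file bytes; returns a triage report."""
    report = {"wannacry": {}, "unlabelled": [], "candidate_marker": b""}
    headers = []
    for name, data in samples.items():
        label = classify_name(name)
        if label:
            report["wannacry"][name] = label
        else:
            report["unlabelled"].append(name)
            headers.append(data[:header_len])
    # Encrypted copies of unrelated file types should share no leading
    # bytes; a common prefix is a candidate file marker to compare by hand.
    prefix = common_prefix(headers) if len(headers) >= 2 else b""
    if len(prefix) >= min_marker:
        report["candidate_marker"] = prefix
    return report

def constructed_sample(name, index, marker=b""):
    """Constructed stand-in for an encrypted file (not real ransomware output)."""
    return marker + bytes([index]) + hashlib.sha256(name.encode()).digest()

if __name__ == "__main__":
    names = ["report.docx", "photo.jpg", "budget.xlsx", "old.pdf.WNCRY"]
    demo = {n: constructed_sample(n, i, b"MARKER01") for i, n in enumerate(names)}
    print(triage(demo))
```

Feed it encrypted copies of files that originally had different types; unencrypted files of one type share their own magic bytes and would produce a false candidate.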



