Windows 7 Forums


Windows 7: Important files came under attack by ransomware. They are encrypted.

03 May 2016   #11
Kari

Microsoft Community Contributor Award Recipient

 

Quote: Originally Posted by ykcud
I figured I would do a restore to a previous addition, but my virus removal program erased any such thing for the whole computer including for the documents as far as I can tell. I used shadow explorer and it does not show ANY file back ups for anything.

These documents are VERY important. I can not stress this enough. And as I can not seem to find a viable solution online, I am left on my own ideas to recover these files.
Reading your post several times, thinking this through, I think there's nothing much you can do.

To start with, a system restore would not help you in any way. System restore restores the Windows system and installed programs as they were at the moment of creating the restore point but leaves all your personal files intact. That's the whole idea of system restore, restoring Windows system but not touching your documents, videos, music and so on. If a document is encrypted when restoring the system, it will be encrypted also after the restore.

Paying the criminals to get files decrypted is not a good idea; you can see by searching information about this that in most cases even after people have paid for it, the decryption does not work as hoped and in some cases a payment results in no decryption at all. They'll take your money but that's it.

Your only options, as far as I can tell and recommend are to either restore a full system image containing all hard disks, or a clean install wiping all disks.

Quote: Originally Posted by ykcud
The ransomware was acquired via a torrent.
Again a good example about the dangers in piracy! Of course I know there are some also valid, legal torrents but as we all know most of torrenting is piracy. How can you expect criminals stealing copyright protected content and distributing it through torrents to other criminals to do nothing else criminal, like adding nasty surprises to their torrents?

Kari


03 May 2016   #12
townsbg

Windows 7 pro 64-bit
 
 

Performing a google search I did find some decryption programs by companies like Kaspersky however those are dependent upon knowing the specific virus. It appears that for some of the viruses a list of the decryption keys has been compiled. Without knowing the virus we could try some of them however like with using brute force tactics the decryption attempts would likely fail. I agree that paying off the hijackers would be risky and possibly fruitless but I think I read an article once stating that according to the FBI users should pay up if the data is that important to them. However he has removed the program so that isn't possible. I agree that the system should be wiped and we consider this a lesson learned about backing up data especially if the information is important enough. If the OP's data is that important perhaps he should hire a security expert to work on the system because there is only so much we can do and almost nothing without knowing which virus he was hit with. Can we agree that there isn't really anything else that we can do? All I know to say is for him to figure out which virus he was hit with and google it or take his system to a specialist.
03 May 2016   #13
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

If I had to fix this troubled computer, I would completely wipe everything.
Then I would do a clean install and update of Windows 7. At that point I would make an image using Macrium.
Then I would install my needed and wanted programs. I would not install any torrent programs.
Then when everything was working properly I would make another Macrium image. All images would be on external drives.

The next step is the hard one.
I would try to explain to the owner of the computer the do's and don'ts of computer security.
How well that works will vary. I have had some people that refuse to learn and comply. Oh well.

Then I would make a list of programs I use and trust and hand it to the owner of the computer and then remind him/her that if questions come up, this forum is open 24/7/365.
Asking for help before one makes a boo boo is always best.

**When I used to fix friends' computers this was my method.**
03 May 2016   #14
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi
BleepingComputer has a dedicated ransomware sub forum.
Ransomware Tech Support and Help Forum - BleepingComputer.com
I would suggest you post there,
DO NOT post any infected files, just provide them with the >>details<< from the AV logs.

Roy
03 May 2016   #15
simrick

W7 64bit
 
 

Hi.
Until you determine what particular ransomware hit you, there's not much anyone can do. Some have had decryptors released, some are defeatable by running a recovery program to grab the original deleted files. Still others can be defeated by using Shadow Copy. Some have no resolution, and the best thing to do is save a copy of your encrypted data in the hopes that something breaks in the future (Yes, it does happen).
Just my 2-cents.
03 May 2016   #16
ykcud

Windows 7 64bit
 
 

Thank you all for your offer of help. I have solved the issue by doing some research immediately after my last post yesterday. This method may or may not work for everyone, but if you have some files that are important that are encrypted, give what I did a try:

The way I did it was using a website to identify the ransomware (I used "https://id-ransomware.malwarehunterteam.com/identify.php").

Follow the site's instructions and if done correctly, it should be able to identify exactly what it is that has encrypted your files (note that what is in the notepads, or however the infection leaves its ransom (granted it does so), can be intentionally misleading).

If there is a current known means of decrypting the files with said infection, the site should let you know of how to do so. This usually (if not, always) will be via a program. Follow the instructions of the site and of the installation procedure.

From this point onward, it may differ if you are not using "Rannohdecryptor" as was recommended by the website. Although, it may be similar. If so, keep following instructions below:

Make sure you have at least 45% of your C: (Hard Drive) empty. If the program is successful, it may not delete the encrypted files, but rather make a duplicate of them that is decrypted.

After installing the program, click on "Scan" (or its equivalent). You will need to open both an encrypted file as well as a duplicate of said file that is not encrypted. (If you do not have a file(s) that has both an encrypted and non-encrypted version, see the end of this post, after the dotted line.) It will identify if it is able to decrypt your files.

For the sake of the explanation, I will assume that the program says it is able to decrypt your files. If not, don't give up! If there is a will there is a way! Keep at it, doing research or what not. Do not give in to these cyber crooks. Waiting until there is a known way to decrypt your files IS an option, and there will be for all given enough time. (Sorry for going off topic) Allow it to do its thing (decrypt your files that is). This process is just like a typical virus scan; it checks every file and will take some time (in my case over two hours and it could take longer for you, so please be patient).

After it has completed, allow the program some extra time (as I have learned) to finish its job. It will not say this, but I recommend it (I have a few left over video files that were not yet decrypted in a folder where some are).

Double check to make sure the files are decrypted, and then celebrate.

Give the finger to the cyber criminals by spreading the message.

---------------------------------------------------------------------

A note for those that do not have duplicates of files. There is a chance that perhaps you may have an open document or similar that is still open. If so, save it (with the same name as the crypted file, sans the "crypted" part of course). Another option is to look online for a video/music/game or other media that you can get readily online that you already had. For instance I had a Youtube video I made a few years ago that I forgot about. I had a copy of it on my computer that was downloaded then encrypted. I then redownloaded it; voila!

Another example is if you burned a dvd to your computer that became encrypted. Use the same software you used before (redownload it online if you need to) and burn it again. The same can of course be done with music CDs. You may even have an mp3 or other music player with some files.

What I am getting at is, give it some thought and you may have a duplicate file of something hanging around somewhere.
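An added illustration of the "double check" step in post #16 above (not part of any post and not code from the decryptor's vendor): a small Python audit that flags files whose leading bytes do not match their extension or, for .txt files, whose byte entropy looks like ciphertext. The signature table, the 7.0 entropy threshold and the sample files are assumptions constructed for this example.

```python
import math
import os
import tempfile
from collections import Counter

# Leading "magic" bytes of a few common formats (.docx is a ZIP container).
SIGNATURES = {".pdf": b"%PDF-", ".jpg": b"\xff\xd8\xff",
              ".png": b"\x89PNG\r\n\x1a\n", ".docx": b"PK\x03\x04"}

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path, sample=4096):
    """Return 'ok', 'suspect' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if ext in SIGNATURES:
        return "ok" if head.startswith(SIGNATURES[ext]) else "suspect"
    if ext == ".txt":
        # Plain text has no signature, so fall back to byte entropy.
        return "suspect" if entropy(head) > 7.0 else "ok"
    return "unknown"  # no rule for this type: check it by opening it

def audit(root):
    """Walk root and map each verdict to a sorted list of relative paths."""
    report = {"ok": [], "suspect": [], "unknown": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            report[classify(full)].append(os.path.relpath(full, root))
    return {verdict: sorted(paths) for verdict, paths in report.items()}

def demo():
    """Audit a constructed sample folder (no real user data involved)."""
    noise = bytes((i * 37 + 11) % 256 for i in range(2048))  # uniform bytes
    samples = {"report.pdf": b"%PDF-1.4\n% constructed sample\n",
               "photo.jpg": noise,   # stands in for a file left encrypted
               "todo.txt": noise,
               "notes.txt": b"constructed meeting notes\n" * 40,
               "clip.mkv": bytes(64)}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against a copy of the recovered folder. The entropy check is unreliable for very short text files, and anything reported as "unknown" still has to be opened by hand.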
06 May 2016   #17
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Hmm, for my two cents worth I would have given this a go, and there are others by Bitdefender etc., but I usually head for this one, and because it runs in a non-Windows environment makes it all the better

Kaspersky Rescue Disk 10
06 May 2016   #18
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Quote: Originally Posted by ICIT2LOL
Hmm, for my two cents worth I would have given this a go, and there are others by Bitdefender etc., but I usually head for this one, and because it runs in a non-Windows environment makes it all the better

Kaspersky Rescue Disk 10
Those are useless for this problem - all they do is scan for malware. By then, it's already too late.
07 May 2016   #19
townsbg

Windows 7 pro 64-bit
 
 

Agreed. In the case of ransomware the problem isn't over when the virus is removed. The OP had reportedly removed the ransomware already using his AV but that still left the files encrypted. It is a truly horrible virus to get because of the real possibility of losing data which is yet another reason why users should be taking good regular backups on an external drive that isn't usually connected to their pc. The developers seem to be really good with scare tactics as well.
07 May 2016   #20
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Quote:
Those are useless for this problem - all they do is scan for malware. By then, it's already too late.
OK, point taken, just a suggestion I thought might help