Windows 7 Forums



Windows 7: Important files came under attack by ransomware. They are encrypted.

01 May 2016   #1
ykcud

Windows 7 64bit
 
 

Original post below:
------------------------------------------------------------------------------------------
I was using Google Chrome and none of the pages were loading correctly (including settings). This made me think I needed to do an immediate virus scan. On doing so it detected "ransomware", which I am uneducated about (no longer the case, I have used other browsers since this incident to educate myself). I found a few moments later that many of my documents, movies, etc. were encrypted. I figured I would do a restore to a previous addition, but my virus removal program erased any such thing for the whole computer, including for the documents as far as I can tell. I used Shadow Explorer and it does not show ANY file backups for anything.

These documents are VERY important. I cannot stress this enough. And as I cannot seem to find a viable solution online, I am left on my own ideas to recover these files.

I am desperately asking the community here for two things:

Is there a program I can use that can potentially break the code for these encrypted files? I do not care if I have to wait a month or more before said program is successful.

Any other solutions that I may have overlooked?
-----------------------------------------------------------------------
End of original post.

Thank you all for your offer of help. I have solved the issue by doing some research immediately after my last post yesterday. This method may or may not work for everyone, but if you have some files that are important that are encrypted, give what I did a try:

The way I did it was using a website to identify the ransomware (I used "https://id-ransomware.malwarehunterteam.com/identify.php").

Follow the site's instructions and, if done correctly, it should be able to identify exactly what it is that has encrypted your files (note that what is in the notepads, or however the infection leaves its ransom (granted it does so), can be intentionally misleading).

If there is a current known means of decrypting the files with said infection, the site should let you know of how to do so. This usually (if not, always) will be via a program. Follow the instructions of the site and of the installation procedure.

From this point onward, it may differ if you are not using "Rannohdecryptor" as was recommended by the website. Although, it may be similar. If so, keep following instructions below:

Make sure you have at least 45% of your C: (hard drive) empty. If the program is successful, it may not delete the encrypted files, but rather make a duplicate of them that is decrypted.

After installing the program, click on "Scan" (or its equivalent). You will need to open both an encrypted file as well as a duplicate of said file that is not encrypted. (If you do not have a file(s) that has both an encrypted and non-encrypted version, see the end of this post, after the dotted line.) It will identify if it is able to decrypt your files.

For the sake of the explanation, I will assume that the program says it is able to decrypt your files. If not, don't give up! If there is a will there is a way! Keep at it, doing research or whatnot. Do not give in to these cyber crooks. Waiting until there is a known way to decrypt your files IS an option, and there will be for all given enough time. (Sorry for going off topic.) Allow it to do its thing (decrypt your files, that is). This process is just like a typical virus scan; it checks every file and will take some time (in my case over two hours and it could take longer for you, so please be patient).

After it has completed, allow the program some extra time (as I have learned) to finish its job. It will not say this, but I recommend it (I have a few left over video files that were not yet decrypted in a folder where some are).

Double-check to make sure the files are decrypted, and then celebrate.

Give the finger to the cyber criminals by spreading the message.

---------------------------------------------------------------------

A note for those that do not have duplicates of files. There is a chance that perhaps you may have an open document or similar that is still open. If so, save it (with the same name as the crypted file, sans the "crypted" part of course). Another option is to look online for a video/music/game or other media that you can get readily online that you already had. For instance, I had a YouTube video I made a few years ago that I forgot about. I had a copy of it on my computer that was downloaded then encrypted. I then redownloaded it; voila!

Another example is if you burned a DVD to your computer that became encrypted. Use the same software you used before (redownload it online if you need to) and burn it again. The same can of course be done with music CDs. You may even have an mp3 or other music player with some files.

What I am getting at is, give it some thought and you may have a duplicate file of something hanging around somewhere.



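One way to hunt for the encrypted/unencrypted file pair that the post above says the decryptor asks for, as an added example that is not part of the original thread. The `.crypted` suffix, the folder names, the size tolerance and all sample files are assumptions or constructed data; set `MARKER` to whatever the encrypted names on disk actually carry.

```python
import os
import tempfile

# Assumption: encrypted files carry this suffix. The post only says the name
# has a "crypted" part, so set MARKER to what is actually on disk.
MARKER = ".crypted"

def original_name(name, marker=MARKER):
    """Pre-encryption file name, or None if the marker is absent."""
    return name[:-len(marker)] if name.lower().endswith(marker) else None

def index_clean(clean_root):
    """Map lower-cased file name -> paths under a known-clean folder."""
    index = {}
    for folder, _dirs, files in os.walk(clean_root):
        for name in files:
            index.setdefault(name.lower(), []).append(os.path.join(folder, name))
    return index

def find_pairs(encrypted_root, clean_root, max_growth=4096):
    # Assumed heuristic: encryption keeps the size or adds at most max_growth
    # bytes of header/padding; anything else is treated as a different file.
    clean, pairs = index_clean(clean_root), []
    for folder, _dirs, files in os.walk(encrypted_root):
        for name in files:
            base = original_name(name)
            if base is None:
                continue
            enc = os.path.join(folder, name)
            for cand in clean.get(base.lower(), []):
                growth = os.path.getsize(enc) - os.path.getsize(cand)
                if 0 <= growth <= max_growth:
                    pairs.append((enc, cand))
    return sorted(pairs)

def demo():
    """Build a constructed sample tree and return the matched file names."""
    root = tempfile.mkdtemp()
    enc, clean = os.path.join(root, "Documents"), os.path.join(root, "redownloaded")
    os.makedirs(enc); os.makedirs(clean)
    samples = {"Documents/video.mp4.crypted": 1016, "Documents/notes.odt.crypted": 500,
               "Documents/readme.txt": 10, "redownloaded/video.mp4": 1000,
               "redownloaded/notes.odt": 90000}
    for rel, size in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"\0" * size)
    return [(os.path.basename(e), os.path.basename(c)) for e, c in find_pairs(enc, clean)]

if __name__ == "__main__":
    print(demo())
```

Point `clean_root` at a folder that was never on the affected machine (a re-downloaded copy, a USB stick, a media player), and run it against a copy of the encrypted folder rather than the only one.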
01 May 2016   #2
townsbg

Windows 7 pro 64-bit
 
 

01 May 2016   #3
ykcud

Windows 7 64bit
 
 

The ransomware was acquired via a torrent. I hope this little tidbit here will give more info than I can. It is in every folder that has encrypted files in it:

01 May 2016   #4
townsbg

Windows 7 pro 64-bit
 
 

As you can see in the below link, that file failed 7 tests on VirusTotal, so I am not opening it. Please copy/paste the contents if you wish for me to look at it; otherwise look in your virus scanner's history. https://www.virustotal.com/en/file/d19b395ae14ca568d40e2e3e75dda065f9640faf14162da71f84dd40e6e5f05f/analysis/1462163046/

I also suggest that you run a scan using Malwarebytes. https://www.malwarebytes.org/
02 May 2016   #5
ykcud

Windows 7 64bit
 
 

Wow! That is odd. I actually did use Malwarebytes before I uploaded that (and it was updated prior to use). I am going to copy the text of the file into a new notepad. I also happen to have a document that was open when the virus hit, and while the original was encrypted, I was able to save the current one. I am going to upload them both, hoping that maybe having duplicates of the same file, one normal and the other encrypted, will shed some light. I use OpenOffice by the way.

This being said, make sure to scan my files before opening them.

I am now downloading Spybot Search and Destroy as I speak and immediately going to use it to do a scan.

(The site is not letting me upload the two document files. It is giving me an error saying that it does not recognize the format (I use OpenOffice). Is there a safe alternative I can use instead?)
02 May 2016   #6
townsbg

Windows 7 pro 64-bit
 
 

That file is still infected. Please do as I asked and paste the contents into your post. Also, which program did I point you to? Spybot S&D isn't a full antimalware program.
02 May 2016   #7
ykcud

Windows 7 64bit
 
 

I will rescan everything with Malwarebytes and post the history tomorrow. My time on the internet is limited and by the time the scan is complete I won't be somewhere I can post anything today. Is there anything else that you asked that I have missed?

I also read somewhere that what is said that the virus used to encrypt in said notepads may be misleading (which is part of the reason why I want to upload the documents).
02 May 2016   #8
townsbg

Windows 7 pro 64-bit
 
 

Well, you wanted me to look at a document; however, it is infected, so I'll only look at it if you copy and paste the contents. From what I saw on Google, it seems that some ransomware only had a few encryption algorithms since identified by certain security companies (which I posted the links for); however, until you determine what the infection was there really isn't any way to decrypt the files, since the decryption programs (if any) are based on the virus. Using a brute force attack against an encrypted file can take months to even years depending upon the encryption strength.
03 May 2016   #9
derekimo

Microsoft Community Contributor Award Recipient

 
 

Quote: Originally Posted by ykcud
"I also read somewhere that what is said that the virus used to encrypt in said notepads may be misleading (which is part of the reason why I want to upload the documents)."

It may or may not be, but it is getting flagged so uploading those documents is not an option.

We can't allow that to be posted, it's just not safe and we have to err on the side of caution.
03 May 2016   #10
townsbg

Windows 7 pro 64-bit
 
 

We don't want to risk our own systems by opening up that file. You can easily post the contents of the file without posting the file.