Important files came under attack by ransomware. They are encrypted.

ykcud

Original post below:
------------------------------------------------------------------------------------------
I was using Google Chrome and none of the pages were loading correctly (including settings). This made me think I needed to do an immediate virus scan. On doing so it detected "ransomware", which I am uneducated about (no longer the case, I have used other browsers since this incident to educate myself). I found a few moments later that many of my documents, movies, etc. were encrypted. I figured I would do a restore to a previous addition, but my virus removal program erased any such thing for the whole computer including for the documents as far as I can tell. I used Shadow Explorer and it does not show ANY file backups for anything.

These documents are VERY important. I can not stress this enough. And as I can not seem to find a viable solution online, I am left on my own ideas to recover these files.

I am desperately asking the community here for two things:

Is there a program I can use that can potentially break the code for these encrypted files? I do not care if I have to wait a month or more before said program is successful.

Any other solutions that I may have overlooked?
-----------------------------------------------------------------------
End of original post.

Thank you all for your offer of help. I have solved the issue by doing some research immediately after my last post yesterday. This method may or may not work for everyone, but if you have some files that are important that are encrypted, give what I did a try:

The way I did it was using a website to identify the ransomware (I used "https://id-ransomware.malwarehunterteam.com/identify.php").

Follow the site's instructions and, if done correctly, it should be able to identify exactly what it is that has encrypted your files (note that what is in the notepads, or however the infection leaves its ransom (granted it does so), can be intentionally misleading).

If there is a current known means of decrypting the files with said infection, the site should let you know of how to do so. This usually (if not, always) will be via a program. Follow the instructions of the site and of the installation procedure.

From this point onward, it may differ if you are not using "Rannohdecryptor" as was recommended by the website. Although, it may be similar. If so, keep following instructions below:

Make sure you have at least 45% of your C: (hard drive) empty. If the program is successful, it may not delete the encrypted files, but rather make a duplicate of them that is decrypted.

After installing the program, click on "Scan" (or its equivalent). You will need to open both an encrypted file as well as a duplicate of said file that is not encrypted. (If you do not have a file(s) that has both an encrypted and non-encrypted version, see the end of this post, after the dotted line.) It will identify if it is able to decrypt your files.

For the sake of the explanation, I will assume that the program says it is able to decrypt your files. If not, don't give up! If there is a will there is a way! Keep at it, doing research or whatnot. Do not give in to these cyber crooks. Waiting until there is a known way to decrypt your files IS an option, and there will be for all given enough time. (Sorry for going off topic.) Allow it to do its thing (decrypt your files, that is). This process is just like a typical virus scan; it checks every file and will take some time (in my case over two hours and it could take longer for you, so please be patient).

After it has completed, allow the program some extra time (as I have learned) to finish its job. It will not say this, but I recommend it (I have a few leftover video files that were not yet decrypted in a folder where some are).

Double check to make sure the files are decrypted, and then celebrate.

Give the finger to the cyber criminals by spreading the message.

---------------------------------------------------------------------

A note for those that do not have duplicates of files. There is a chance that perhaps you may have an open document or similar that is still open. If so, save it (with the same name as the crypted file, sans the "crypted" part of course). Another option is to look online for a video/music/game or other media that you can get readily online that you already had. For instance I had a YouTube video I made a few years ago that I forgot about. I had a copy of it on my computer that was downloaded then encrypted. I then redownloaded it; voila!

Another example is if you burned a DVD to your computer that became encrypted. Use the same software you used before (redownload it online if you need to) and burn it again. The same can of course be done with music CDs. You may even have an mp3 or other music player with some files.

What I am getting at is, give it some thought and you may have a duplicate file of something hanging around somewhere.
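
The final check described in the post above (confirm the files really are decrypted and spot the ones the decryptor skipped), as an added example that is not part of the original thread. It assumes encrypted copies differ from the originals only by a marker in the file name; the `.crypted` marker, the sample file names and the signature table are constructed for illustration.

```python
import os
import tempfile

# (offset, signature) expected at the start of a healthy file of each type.
SIGNATURES = {
    ".pdf": (0, b"%PDF"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"),
    ".jpg": (0, b"\xff\xd8\xff"),
    ".gif": (0, b"GIF8"),
    ".zip": (0, b"PK\x03\x04"),
    ".docx": (0, b"PK\x03\x04"),
    ".odt": (0, b"PK\x03\x04"),   # OpenOffice documents are ZIP containers
    ".avi": (0, b"RIFF"),
    ".mp4": (4, b"ftyp"),
}


def header_ok(path):
    """True/False when the extension has a known signature, None otherwise."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SIGNATURES:
        return None
    offset, sig = SIGNATURES[ext]
    with open(path, "rb") as fh:
        fh.seek(offset)
        return fh.read(len(sig)) == sig


def audit(root, marker=".crypted"):
    """Classify every encrypted file under root by the state of its decrypted copy.

    marker is an assumed naming convention: the encrypted copy's name is the
    original name with this string inserted once.
    Returns (report, bytes_pending); bytes_pending is the size of encrypted
    files that have no decrypted copy yet, i.e. disk space still needed.
    """
    report = {"ok": [], "suspect": [], "unverified": [], "missing": []}
    bytes_pending = 0
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()                      # deterministic traversal order
        for name in sorted(files):
            if marker not in name:
                continue
            encrypted = os.path.join(dirpath, name)
            plain = os.path.join(dirpath, name.replace(marker, "", 1))
            rel = os.path.relpath(plain, root)
            if not os.path.isfile(plain):
                # The decryptor has not produced a copy of this file.
                report["missing"].append(rel)
                bytes_pending += os.path.getsize(encrypted)
                continue
            verdict = header_ok(plain)
            if verdict is None:
                report["unverified"].append(rel)   # open it by hand to check
            elif verdict:
                report["ok"].append(rel)
            else:
                report["suspect"].append(rel)      # copy exists, content is not valid
    return report, bytes_pending


def build_sample(root):
    """Write a small constructed tree of encrypted and decrypted files."""
    files = {
        "thesis.odt.crypted": b"\x8a" * 40,
        "thesis.odt": b"PK\x03\x04" + b"\x00" * 36,   # decrypted correctly
        "scan.pdf.crypted": b"\x13" * 50,
        "scan.pdf": b"\x5e" * 50,                      # copy exists, still garbage
        "notes.txt.crypted": b"\x77" * 12,
        "notes.txt": b"shopping list",                 # no signature to test
        "holiday.mp4.crypted": b"\x42" * 64,           # decryptor skipped it
        os.path.join("videos", "clip.avi.crypted"): b"\x99" * 30,
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_sample():
    """Audit the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit(root)


if __name__ == "__main__":
    report, pending = run_sample()
    for status, names in report.items():
        print(f"{status:10} {names}")
    print(f"bytes still to decrypt: {pending}")
```

Entries under `missing` and `suspect` are the files to run through the decryptor again; the encrypted copies should be kept until every entry is `ok` or has been opened and checked by hand.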
 
The ransomware was acquired via a torrent. I hope this little tidbit here will give more info than I can. It is in every folder that has encrypted files in it:
 
Wow! That is odd. I actually did use Malwarebytes before I uploaded that (and it was updated prior to use). I am going to copy the text of the file into a new notepad. I also happen to have a document that was open when the virus hit, and while the original was encrypted, I was able to save the current one. I am going to upload them both, hoping that maybe having duplicates of the same file, one normal and the other encrypted, will shed some light. I use OpenOffice by the way.

This being said, make sure to scan my files before opening them.

I am now downloading Spybot Search and Destroy as I speak and immediately going to use it to do a scan.

(The site is not letting me upload the two document files. It is giving me an error saying that it does not recognize the format (I use OpenOffice). Is there a safe alternative I can use instead?)
 

That file is still infected. Please do as I asked and paste the contents into your post. Also, which program did I point you to? Spybot S&D isn't a full antimalware program.
 

I will rescan everything with Malwarebytes and post the history tomorrow. My time on the internet is limited and by the time the scan is complete I won't be somewhere I can post anything today. Is there anything else that you asked that I have missed?

I also read somewhere that what is said that the virus used to encrypt in said notepads may be misleading. (which is part of the reason why I want to upload the documents).
 

Well, you wanted me to look at a document; however, it is infected, so I'll only look at it if you copy and paste the contents. From what I saw on Google it seems that some ransomware only had a few encryption algorithms since identified by certain security companies (which I posted the links for); however, until you determine what the infection was there really isn't any way to decrypt the files, since the decryption programs (if any) are based on the virus. Using a brute force attack against an encrypted file can take months to even years depending upon the encryption strength.
 

I also read somewhere that what is said that the virus used to encrypt in said notepads may be misleading. (which is part of the reason why I want to upload the documents).

It may or may not be, but it is getting flagged so uploading those documents is not an option.

We can't allow that to be posted, it's just not safe and we have to err on the side of caution.
 

We don't want to risk our own systems by opening up that file. You can easily post the contents of the file without posting the file.
 

I figured I would do a restore to a previous addition, but my virus removal program erased any such thing for the whole computer including for the documents as far as I can tell. I used Shadow Explorer and it does not show ANY file backups for anything.

These documents are VERY important. I can not stress this enough. And as I can not seem to find a viable solution online, I am left on my own ideas to recover these files.

Reading your post several times, thinking this through, I think there's nothing much you can do.

To start with, a system restore would not help you in any way. System restore restores the Windows system and installed programs as they were at the moment of creating the restore point but leaves all your personal files intact. That's the whole idea of system restore, restoring Windows system but not touching your documents, videos, music and so on. If a document is encrypted when restoring the system, it will be encrypted also after the restore.

Paying the criminals to get files decrypted is not a good idea; you can see by searching information about this that in most cases even after people have paid for it, the decryption does not work as hoped, and in some cases a payment results in no decryption at all. They'll take your money but that's it.

Your only options, as far as I can tell and recommend are to either restore a full system image containing all hard disks, or a clean install wiping all disks.

The ransomware was acquired via a torrent.

Again a good example about the dangers in piracy! Of course I know there are some also valid, legal torrents but as we all know most of torrenting is piracy. How can you expect criminals stealing copyright protected content and distributing it through torrents to other criminals to do nothing else criminal, like adding nasty surprises to their torrents?

Kari
 
Performing a Google search I did find some decryption programs by companies like Kaspersky; however, those are dependent upon knowing the specific virus. It appears that for some of the viruses a list of the decryption keys has been compiled. Without knowing the virus we could try some of them; however, like with using brute force tactics, the decryption attempts would likely fail. I agree that paying off the hijackers would be risky and possibly fruitless, but I think I read an article once stating that according to the FBI users should pay up if the data is that important to them. However, he has removed the program so that isn't possible. I agree that the system should be wiped and we consider this a lesson learned about backing up data, especially if the information is important enough. If the OP's data is that important perhaps he should hire a security expert to work on the system, because there is only so much we can do and almost nothing without knowing which virus he was hit with. Can we agree that there isn't really anything else that we can do? All I know to say is for him to figure out which virus he was hit with and google it or take his system to a specialist.
 

If I had to fix this troubled computer, I would completely wipe everything.
Then I would do a clean install and update of Windows 7. At that point I would make an image using Macrium.
Then I would install my needed and wanted programs. I would not install any torrent programs.
Then when everything was working properly I would make another Macrium image. All images would be on external drives.

The next step is the hard one.
I would try to explain to the owner of the computer the dos and don'ts of computer security.
How well that works will vary. I have had some people that refuse to learn and comply. Oh well.

Then I would make a list of programs I use and trust and hand it to the owner of the computer and then remind him/her that if questions come up, this forum is open 24/7/365.
Asking for help before one makes a boo boo is always best.

**When I used to fix friends' computers, these were my methods.**
 

Hi.
Until you determine what particular ransomware hit you, there's not much anyone can do. Some have had decryptors released, some are defeatable by running a recovery program to grab the original deleted files. Still others can be defeated by using Shadow Copy. Some have no resolution, and the best thing to do is save a copy of your encrypted data in the hopes that something breaks in the future (yes, it does happen).
Just my 2-cents.
 

Hmm, for my two cents' worth I would have given this a go, and there are others by Bitdefender etc., but I usually head for this one, and because it runs in a non-Windows environment that makes it all the better:

Kaspersky Rescue Disk 10
 

Hmm, for my two cents' worth I would have given this a go, and there are others by Bitdefender etc., but I usually head for this one, and because it runs in a non-Windows environment that makes it all the better:

Kaspersky Rescue Disk 10

Those are useless for this problem - all they do is scan for malware. By then, it's already too late.
 

Agreed. In the case of ransomware the problem isn't over when the virus is removed. The OP had reportedly removed the ransomware already using his AV, but that still left the files encrypted. It is a truly horrible virus to get because of the real possibility of losing data, which is yet another reason why users should be taking good regular backups on an external drive that isn't usually connected to their PC. The developers seem to be really good with scare tactics as well.
 

Those are useless for this problem - all they do is scan for malware. By then, it's already too late.

OK, point taken, just a suggestion I thought may help :huh:
 
