Author Topic: Ransomware picture question  (Read 11984 times)


Offline rizo

  • Newbie
  • *
  • Join Date: Jan 2016
  • Posts: 21
  • Karma: 0
Ransomware picture question
« on: February 06, 2016, 08:19:09 am »
Good evening everyone!

Just wanted to say I love this community, I usually find all my answers here.

I have a new issue. I have a customer's computer that has ransomware.
As always, I back everything up and scan the backup in a VM using Windows Defender, Norton, and Bitdefender (different VMs).
Everything looked good. I did not check the files; doing this all the time, I thought everything was fixed as always.

I re-imaged the computer and started moving the files back onto it. It stated two hours to transfer, but I noticed it was done after about 5 minutes... so I looked and saw that it had stopped for no reason. I decided to try to just move the pictures, and the same thing happened. I looked at the pictures and noticed that none of them would open, and that there were instructions to decrypt the files (all in Spanish, btw -- weird).

Scans do not find anything unless I am moving the files -- Windows Defender just says malware and deletes it.
TDSSKiller found only one thing; I forget what it was already, sorry... but I still cannot view the pictures...
Running the Malwarebytes rootkit cleaner now...
and will run ComboFix.

The customer is a mother in college and needs the computer for schooling, so I am trying to get this done so she is not behind.
I could give her the computer without her backups... which is like 40 GB worth... but I would feel like a shit bag... and would not charge her, which would suck too lol.

So any help would be appreciated.
If I figure anything out I will update.

V/R
Rizo
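
The backup check described in the post above, as an added example that is not part of the original thread. The AV scans in the VM reported clean because an encrypted JPEG contains no malware to detect; what would have caught the damage before the restore is a content check on the backup itself. The script below (my own code, not from any poster) walks a backup tree, compares each file's leading bytes against the magic bytes its extension implies, treats a wrong header plus near-8-bits-per-byte entropy as "encrypted" rather than merely corrupt, and lists filenames that recur in every folder, which is how the poster describes the instruction files in the next reply. The sample tree, the note names (`HOW_TO_RECOVER.*`) and the threshold values are constructed placeholders, not CryptoWall's real artefacts.

```python
"""Triage a restored backup for ransomware damage before copying it back.

Added example, not from the thread. Two checks:
  1. header mismatch + high entropy: a *.jpg that does not start with the
     JPEG magic and whose first 4 KiB look random is almost certainly
     encrypted rather than just truncated.
  2. ransom notes: files that appear under the same name in (nearly) every
     directory of the tree.
"""
import math
import os
import random
import tempfile
from collections import Counter, defaultdict

# Magic bytes for the file types a home backup is mostly made of.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte (assumed cut-off); ciphertext sits near 8.0
NOTE_COVERAGE = 0.8      # fraction of directories a name must appear in (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """Return 'ok', 'encrypted', 'suspect' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magics = MAGIC.get(ext)
    if magics is None:
        return "unknown"                # no signature to compare against
    if any(head.startswith(m) for m in magics):
        return "ok"                     # header matches the extension
    # Wrong header: random-looking content means encryption, not corruption.
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "suspect"


def find_ransom_notes(root: str) -> list:
    """Filenames present in at least NOTE_COVERAGE of all directories under root.

    Housekeeping files such as Thumbs.db or desktop.ini can match too, so the
    list is a lead for a human to check, not a verdict.
    """
    per_name = defaultdict(set)
    dirs = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs += 1
        for name in filenames:
            per_name[name].add(dirpath)
    return sorted(n for n, d in per_name.items()
                  if dirs >= 2 and len(d) / dirs >= NOTE_COVERAGE)


def triage(root: str) -> dict:
    """Walk `root`; return relative paths per class plus the probable notes."""
    notes = set(find_ransom_notes(root))
    report = {"ok": [], "encrypted": [], "suspect": [], "unknown": [],
              "notes": sorted(notes)}
    for dirpath, _d, filenames in os.walk(root):
        for name in filenames:
            if name in notes:
                continue
            path = os.path.join(dirpath, name)
            report[classify_file(path)].append(os.path.relpath(path, root))
    return report


def build_sample_tree() -> str:
    """Constructed test data: one intact JPEG, two 'encrypted' files, notes everywhere."""
    root = tempfile.mkdtemp(prefix="backup_")
    rng = random.Random(1)
    # Minimal JPEG header: SOI, an APP0/JFIF segment, EOI.
    good_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    for sub in ("", "Pictures", "Pictures/2015", "Documents"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        # Placeholder note names; the poster saw three such files in every folder.
        for note in ("HOW_TO_RECOVER.txt", "HOW_TO_RECOVER.html"):
            with open(os.path.join(root, sub, note), "w") as fh:
                fh.write("your files are encrypted (constructed sample note)\n")
    with open(os.path.join(root, "Pictures", "cat.jpg"), "wb") as fh:
        fh.write(good_jpeg)
    for name in ("Pictures/2015/dog.jpg", "Documents/essay.docx"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(rng.randbytes(SAMPLE_BYTES * 2))   # stands in for ciphertext
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("plain text, no signature to check\n")
    return root


if __name__ == "__main__":
    for key, paths in triage(build_sample_tree()).items():
        print(f"{key:10s} {paths}")
```

Run it against the mounted backup before re-imaging; anything in `encrypted` is already lost to AV scanning and the only questions left are whether a clean copy exists elsewhere or whether the deleted originals can still be carved from the old disk.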


Offline rizo

  • Newbie
  • *
  • Join Date: Jan 2016
  • Posts: 21
  • Karma: 0
Re: Ransomware picture question
« Reply #1 on: February 06, 2016, 08:26:32 am »
I included a zip of the 3 files (instructions) that were included in each and EVERY folder backed up.

IT GOES WITHOUT SAYING, but obviously, do not open this unless you are on a VM or know what you are doing.
I do not know if it has infected the new computer yet; as of now I am just trying to get her pictures recovered,
and hopefully the rest of the 40 gigs if I can fix the pictures for her.

I know in like 2010 there was a PHP virus that infected pictures, and a way to inject exe files into pictures, but honestly I don't know anything other than knowing about it.

If needed I can attach an image I believe is infected.

V/R
Rizo

Offline rizo

  • Newbie
  • *
  • Join Date: Jan 2016
  • Posts: 21
  • Karma: 0
Re: Ransomware picture question
« Reply #2 on: February 06, 2016, 09:20:23 am »
So Malwarebytes came up with only 1 issue...
and the weird thing is it is from the files I put into a zip folder to upload here...
It did not find any of the million other files that are the same thing, only the ones I put in the zip file....
It is ...

ransom.cryptowall.trace

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: Ransomware picture question
« Reply #3 on: February 06, 2016, 09:28:14 am »
While you can usually remove the Ransomware infection, decrypting the files may not be possible and the only defence against that is to restore with a clean system image which your customer obviously doesn't have.
« Last Edit: February 08, 2016, 05:09:05 am by Boggin »

Offline Samson

  • Hero Member
  • *****
  • Join Date: Nov 2011
  • Posts: 915
  • Location: London
  • Karma: 38
Re: Ransomware picture question
« Reply #4 on: February 07, 2016, 03:31:10 pm »
Sometimes it is possible to recover them using a recovery program like http://www.piriform.com/recuva

The ransomware copies the files, encrypts them and then deletes the originals. So, if the computer hasn't been used too much afterwards, and the deleted files have not been subsequently overwritten, recovery may be possible.
« Last Edit: February 07, 2016, 03:33:51 pm by Samson, Reason: Spelling »

Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Re: Ransomware picture question
« Reply #5 on: February 08, 2016, 02:58:14 am »
TestDisk may also be useful, but the same proviso that Samson mentions will still apply.

http://www.cgsecurity.org/wiki/TestDisk

The latest version includes QPhotoRec.

But Recuva is probably more "user-friendly".
« Last Edit: February 08, 2016, 04:48:19 am by Jethro Bodine »
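
The recovery the two replies above describe, as an added example that is not part of the thread: Recuva, TestDisk and PhotoRec work because the ransomware wrote a new encrypted file and deleted the original, so the original's clusters usually still hold its bytes until something overwrites them. PhotoRec-style recovery ignores the file system entirely and carves by signature. The script below is my own code, not the tools' source; it handles JPEG only (SOI marker, then walking the marker segments to the first end-of-image after the scan data), and the "disk image" it reads is a byte string constructed in the block with two intact photos, a decoy header and filler.

```python
"""Carve JPEG files out of a raw disk image by signature.

Added example, not from the thread. A deleted original still sits in
unallocated space until overwritten, so scanning for the JPEG start-of-image
marker and following the segment structure to the end-of-image marker gets
it back without any help from the file system. Only JPEG is handled here;
tools such as PhotoRec carry hundreds of signatures.
"""

SOI = b"\xff\xd8\xff"   # start-of-image marker plus the first byte of the next marker
EOI = b"\xff\xd9"       # end-of-image marker


def jpeg_end(buf: bytes, start: int):
    """Return the end offset (exclusive) of a structurally valid JPEG at `start`, else None."""
    n = len(buf)
    pos = start + 2                         # skip SOI
    while True:
        if pos + 2 > n or buf[pos] != 0xFF:
            return None                     # every segment begins with 0xFF
        marker = buf[pos + 1]
        if marker == 0xFF:                  # fill bytes before a marker are allowed
            pos += 1
            continue
        if marker in (0x00, 0xD8, 0xD9):    # not a marker / nested SOI / EOI before any scan
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                        # TEM and RSTn carry no length field
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")  # includes its own 2 bytes
        if seg_len < 2 or pos + 2 + seg_len > n:
            return None                     # declared length runs off the image
        pos += 2 + seg_len
        if marker == 0xDA:                  # SOS: entropy-coded data follows
            # Inside scan data every 0xFF is stuffed as FF 00 or is an RSTn marker,
            # and no marker between scans is D9, so the first FF D9 is the real EOI.
            eoi = buf.find(EOI, pos)
            return None if eoi == -1 else eoi + 2


def carve_jpegs(image: bytes) -> list:
    """Return [(offset, bytes), ...] for every valid JPEG found in `image`."""
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return found
        end = jpeg_end(image, start)
        if end is None:
            pos = start + 1                 # false positive: keep scanning past it
        else:
            found.append((start, image[start:end]))
            pos = end


# Constructed minimal JPEG (37 bytes): SOI, APP0/JFIF, SOS, a little scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                         # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"     # APP0, length 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                         # SOS, length 8
    b"\x12\x34\xff\x00\x56"                                             # scan data, FF stuffed
    b"\xff\xd9"                                                         # EOI
)


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a photo, a decoy header, another photo."""
    decoy = b"\xff\xd8\xff\xe1\xff\xff"     # SOI + APP1 whose length runs past the end
    return (b"\x00" * 512 + SAMPLE_JPEG + b"\xaa" * 300 + decoy
            + b"\x55" * 300 + SAMPLE_JPEG + b"\x00" * 64)


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset}, {len(blob)} bytes")
```

Against a real drive you would read the raw device (or a dd image of it) in chunks and write each carved blob to a file on a different disk; carved names are lost, which is why recovered photos from these tools come back as numbered files. The 10% recovery rate reported later in the thread is what you expect when the machine kept running after the infection and most freed clusters were reused.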

Offline rizo

  • Newbie
  • *
  • Join Date: Jan 2016
  • Posts: 21
  • Karma: 0
Re: Ransomware picture question
« Reply #6 on: February 09, 2016, 05:21:17 am »
Good evening

I have tried the data recovery method and recovered some of the pictures, about 10%.

I am working with my brother now to brute force it. He says he has done it multiple times.
He runs his own security firm and is a big family guy. I talked to him on Sunday and am hoping to receive his instructions today.
So once I figure out if it is actually possible or not I will update.

V/R
Rizo

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
Re: Ransomware picture question
« Reply #7 on: February 25, 2016, 12:54:14 pm »
This is a new virus that is out and is being sent through email as a doc or other formats claiming to be an invoice. I had a customer who got hit by it.

Once the files are encrypted there is no way to decrypt them yet.

So since the files were lost, I just blew the machine away and did a fresh install to be sure that there were no traces left. Since it is a new virus there is a very, very good chance that not all traces of it will be caught just yet.

Shane