HELP !!! Encrypted computer files virus

[TristanC]

I know - it's not even remotely DeLorean related or even car related.

But I am desperate for help.

I came home today to find out that my PC somehow became infected with a malware that has encrypted all my files holding them to ransom until I pay 500usd.
I'm not paying, obviously.
But do any of you guys know of anyone able to decrypt the files?

My PC is formatted now, but it got to my connected USB drive with years of family photos on there which I desperately want back.
Pictures of my daughter from birth, Christmases, etc.

If anyone knows anyone that would be able to take the drive and decrypt what they can I would be eternally grateful. And can pay of course.

Anyway. Here's hoping.

Tris

[jamesrguk]

If this is 'crypto wall' you're in a world of poo, you can't break the encription, do not open any more files and take you PC to an expert.

This took our entire network down at work for three days despite us have very high security, if it is this virus then it's a Grade A pain in the arse.

Luckily we have extensive backup systems and eventually all was restored but we did loose 24hours worth of data which caused some headaches.

Sorry I don't have better news, it may be somthing different but this sounds like the classic CryptoWall hostage situation.

J

[TristanC]

Thanks mate.

I feared as much. It is the crypto wall thing.

The PC has been formatted and is restoring now.
But the external drive, which I had to make sure my photos were safe are affected and are now worthless.
No backups of that drive unfortunately.

Very sad

Tris

[jamesrguk]

You may find your external drive, or at least part of it can be saved, just don't try to open any files that's what triggers the encription.

I guess the little turds who designed the virus realised that the first thing most people do is check their most valuable documents, which it then encrypts.

It's really a job for a pc specialist.

Also don't think because you've formatted your hard drive that it will have gone 100%, it can be dormant for months/weeks and then suddenly be triggered, again worth getting a 3rd party to take a look IMHO.

J

[arranj]

As James says, you've got no chance at all - especially now you've formatted the infected computer.... Some variants of this virus stored the encryption key on the computer and you could have used some free tools to try and find this key - admittedly this would still have been unlikely (I have done it succesfully twice out of 100+ infected computers). It depends on the variant (there are many) - anyway - only applies if you still have the original infected computer in its infected state.
The other way of getting the stuff back is using Shadow Explorer - depends on the operation system and the settings - no chance anyway now you've formatted your computer.
The only other way is to pay the ransom - but that option is also not open to you now the computer is formatted.
The cryptography used involves a "key" stored on your computer combined with a "key" stored on the Russians' computer. Without both you'd need to crack a near impossible code, we're talking way beyond the Enigma Machine here - despite what you see on James Bond films - near enough impossible.

All you can do is hope that not all of the files on the external drive are encrypted. The virus won't be on there, so if you're accessing the external drive from a completely clean computer (i.e. a new, clean install of Windows that you know isn't infected) then you are fine to open the files on the external
drive (not .exe files though of course, if there are any).
Typically though it displays the ransom message only after it has done all of the files and deleted shadow copies, so that is pretty unlikely too - sorry

Some more information: https://blogs.sophos.com/2015/12/17/the ... ryptowall/
Usually this comes in via an email attachment.

[TristanC]

Oh well.

Thanks chaps

[RobvdVeer]

For future safety, my advise is to subscribe to an offsite backup service (i use Crashplan) that maintains multiple versions of your files. This allows you to go 'back in time' to a point where your photos are still unencrypted. Usually cheaper than a small usb drive and much more effective against the kind of crimes.

[Rissy]

I'd hate this. Complete (inappropriate language in use) !!!

A bit like Rob, I have multiple HDD's (of different makes and models), which hold multiple copies of EVERYTHING. At least 2 backups. It's a bit of an outlay in terms of buying the storage in the first place, but I've been stung in the past, with viruses, malware, hard drives failing, stupidity on my part etc etc. So I don't take any chances now.

I'm sorry to hear about your mess. Just set yourself up from this point forward so that this can't be done again. Hard lesson I know.

[arranj]

Just to add that the way these viruses work is they will mess up everything on every drive that can accessed by a drive letter - this includes all connected drives as well as network attached storage devices (NAS drives) - like James I've seen this extend to whole networks in a business where they had file sharing set up between their computers - only 1 computer needs to be infected and it's game over.
So your system is good Chris, but only if you manually take the last backup and then remove/unplug the drive.
As Rob says, if you can afford it (or if you're only talking about 50GBish of space which you could get for free), the good cloud services such as Dropbox/Google Drive etc. have a built in ability to roll back changed files to the previous version. I've seen one business saved this way too, where thankfully they were using Dropbox to share all of their files amongst 20 computers - all of which ended up with encrypted files, thanks to one infected computer - all of which got back to normal with 1 click!

[Rissy]

Yeah, I have a "live drive" and about 3-4 disconnected drives which are only connected for renewing archives, and staggered, so I alternate between drives where the data is updated fairly regularly, and for data which just exists, but doesn't change, I have a copy on the each drive.