Solved

ransomware - Unable to open encrypted files

Posted on 2013-01-25
6
1,425 Views
Last Modified: 2013-11-22
The manager has a virus on an external hd

It’s basically locked all his office files and changed the name to locked.filename.doc.random4letters

 
I need to get these documents back so he can open the file. The virus is one where if you have the virus and try and open the locked document you get a police popup saying ‘pay some money and open then’ I don’t know exactly, as the virus was on the laptop he had, which he no longer has, he just had the external hd with the locked files.

 

Anyway I found Kaspersky have a bit of software that can unlock these encrypted files, but you need one original file and he doesn’t have any originals.

 

http://support.kaspersky.com/us/viruses/solutions?qid=208286527

Does anybody have any ideas , I've attatched a screenshot showing the new file extensions attatched to the document.
locked-.bmp
0
Comment
Question by:phitusers
  • 3
  • 2
6 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38818325
Sadly, you need the original - what happened to the infected laptop? usually least some of the easily recovered standard files are encrypted (eg from the MS Office dir) and the same key will work for both.
0
 

Author Comment

by:phitusers
ID: 38818339
The user had an issue with a laptop. These files were then transfered across and I believe the laptop has been rebuilt since, Which obviously means I have no access to the original files.

Thanks
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38818388
I think you are going to have to resort to searching the external for "locked.*" then and hope there is at least one other file with the issue.

Decryption without a sample would be very difficult indeed - see the analysis here

http://malware.lu/Pro/RAP001_malware_rannoh_matsnu_1.1.pdf

for what is actually going on with these files.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 14

Expert Comment

by:BlueCompute
ID: 38818521
Do you mean that the files were copied to external drive when they had already been encrypted, and you then blew away the original OS and data?

As DaveHowe says, you need to find an encrypted file with known unencrypted content, eg normal.dotx to run the Kaspersky tool.
0
 

Author Comment

by:phitusers
ID: 38818699
Yes that is correct, Is there any other workaround if we don't have an unencrypted original?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 38818763
Possibly, but it would be a great deal of work. You would need to cut custom code to reverse-engineer the RC4 key from the encrypted docx files you have, using the fact that the DOCX files are by necessity actually zipfiles containing xml files, and hence have a known structure (they start with the letters PK and contain the default filenames - for example [Content_Types].xml, word/document.xml and word/fontTable.xml - which are stored in plain text in zip format)

Google doesn't show me anyone else having attempted this, so you would be on your own.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Restoring files from Windows Server Backup 7 80
Ransomware 9 83
svg file 10 83
EICAR File 5 59
As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now