lofishman
asked on
Ransomware Decrypter: I have a file that is normal and encrypted!
Hi all,
Recently a new client of mine was infected by a ransomware virus (since this infection, his previous IT consultant has gone underground). All of his Microsoft Office files are encrypted and his backup drive is badly corrupted. However, I was able to restore one file from the drive, and so I possess the same file in its encrypted and non-encrypted form. Is there a way for me to find the encryption key from these two files? I tried one utility from Panda Security, but it did not help. Does anyone have any suggestions?
ASKER CERTIFIED SOLUTION
If it is password based, hashcat is nice @ http://hashcat.net/hashcat-gui/
Sometimes I also check the ADS if it becomes an exe ... for no reason, as it can store the secret key (but protected most of the time)
@ http://www.nirsoft.net/utils/alternate_data_streams.html
ASKER
Thanks for the suggestions, but the file format has not been changed to an .exe. The files are still in the same format, just encrypted.
No harm trying the peidor protection id
Could you post or send one example of an encrypted file? (Of course, only if it is not confidential.)
I can try to recover the password.
If it is CryptoLocker, which is rather recent, trying to decrypt it is not going to happen, though there is mention of the Panda decryptor doing the initial possible, but most could not get it back still... not even using the elmosoft decryptor... possibly only retrieve the backup if they are encrypted too... from shadow or previous versions.
ASKER
Hi all,
Someone requested a look at a file. I will attach this one and maybe one of you can decrypt this. As I had mentioned, the backup drive is corrupted, but I was still able to recover some of the documents. It would be great if I could just decrypt what has been encrypted.
LexusofOrland-OrderForm-Merrivil.docx
ASKER
Does anyone else out there have any other ideas?
It is not going to be straightforward as far as I see from the file.
So far I haven't heard of any successful decryption with the latest evolved CryptoLocker.
SOLUTION
Wondering if you'd be interested in this forensic means to recover the backup:
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted-files.html
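Before spending effort on decryption, a responder usually wants an inventory of which recovered Office files are still usable and which are ciphertext. The script below is an added example, not part of this thread or the linked post: it classifies OOXML files by their ZIP structure and byte entropy. The samples are constructed, and the 7.5 bits/byte threshold is an assumption, not a published CryptoLocker indicator.

```python
import io
import math
import os
import random
import zipfile
from collections import Counter

OFFICE_EXTS = {".docx", ".xlsx", ".pptx"}
ZIP_MAGIC = b"PK\x03\x04"  # every OOXML document is a ZIP container

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random-looking ciphertext scores close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_office_blob(data: bytes) -> str:
    """'intact' opens as OOXML; 'encrypted' has no structure and high entropy."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "[Content_Types].xml" in z.namelist():
                    return "intact"
        except zipfile.BadZipFile:
            pass
        return "damaged"  # ZIP header present but the archive is unusable
    # Assumed threshold: 7.5 bits/byte separates ciphertext from corruption
    return "encrypted" if shannon_entropy(data) >= 7.5 else "damaged"

def scan_tree(root: str) -> dict:
    """Walk a recovered drive and bucket Office files by classification."""
    report = {"intact": [], "encrypted": [], "damaged": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in OFFICE_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    report[classify_office_blob(fh.read())].append(path)
    return report

# Constructed samples (not the client's files): a minimal .docx and a pseudo-random stand-in for its encrypted twin.
def sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>order form</w:document>")
    return buf.getvalue()

def sample_encrypted() -> bytes:
    return random.Random(2013).randbytes(4096)  # deterministic, Python 3.9+
```

Run `scan_tree` against the mount point of the recovered backup drive; the "intact" bucket is what can be restored immediately, and the "encrypted" bucket is what any later decryptor would need to handle.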
I've requested that this question be closed as follows:
Accepted answer: 500 points for breadtan's comment #a39559041
for the following reason:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
I propose to split points between ID: 39559041 and ID: 39670500
ASKER
There is a way to decrypt files encrypted by the Cryptolocker virus. Here is a link detailing how the keys were obtained in an FBI raid: http://www.tampabay.com/news/free-fix-for-cryptolocker-ransomware-available/2196568
And here is the website that will allow you to obtain a key (and a tool!) for decrypting your files as long as they were infected by the Cryptolocker virus: https://www.decryptcryptolocker.com/
Thanks for sharing. That was created by FireEye and FoxIT, but note that the service will attempt to decrypt the file using all of the known encryption keys. So if the file uploaded to the service does not fall under a "lucky" one, meaning the decryption key is not found, it is back to square one.
-rich