Malware: Affected all pdf files (CTB Locker?)

A client with a Win XP machine has problems with their accounts system (a UK software called Pegasus Opera). However, when my colleague who supports it looked more closely at the accounts system and the machine, they realised that all PDFs had been compromised with an added set of random characters on the file extension, e.g. filename.pdf.ajajnhe (the same set of characters on all PDFs).

However, I don't know what state the accounts system is in. It won't start. I don't know anything about how it works. At one point the client told me he had seen an error message referring to CTB-Locker (CBT?), the ransomware, though no messages demanding money have appeared (yet). I have run Malwarebytes twice; it has found about 30 or so items each time. I've run CCleaner. I've read articles saying to do these in safe mode? I will also run McAfee Stinger. There is lots and lots about CTB (CBT) on the Web, but many solutions require downloading other (dodgy?) programs. I found this MS article, but in essence it is just saying to do a restore from a backup, rather than any repair attempt?

So, in summary, I have two related problems here: to sort out the actual malware (and hopefully the accounts system), then recover the PDFs.

All suggestions welcomed.

David Johnson, CD, MVPRetiredCommented:
The PDFs are history unless you pay the ransom, and since you cleaned out the stuff, these files can't be decrypted, so you have to restore from a backup or a shadow copy.
Thomas Zucker-ScharffSolution GuideCommented:
That is so if they are indeed encrypted. Have you tried making a copy of one and renaming?

Bulk renaming software is free and easy to use.
☠ MASQ ☠Commented:
This is typical behaviour of the current generation of CTB-Locker ransomware where file extensions are normally affected while the infection is active.  Do you have a sandbox environment you could place one of the .pdfs into to examine it outside of that machine's active partition?

Generally ransomware will target all data files, common Office extensions, JPGs and PDFs, but encrypt them sequentially, ignoring the file type, so with a typical infection all files of this type will be affected. If the infection is active (you'll probably need to boot to an AV scan disk such as Kaspersky's Rescue Disk to detect the active elements, as they are stealthed) then decryption of the files happens "on the fly", so the end user remains unaware that encryption is happening. If you move a file that will open OK on the affected machine to another machine and it appears encrypted there, this is a good indication of an active ransomware infection. If the file still opens on a different machine then this is not ransomware, or at least not a known variant.

CTB-Locker is a trojan, so the individual files are not an infection risk.

It's likely you will find the ransom demand in a My Documents folder, displayed when encryption is complete.

There is currently no means of recovering encrypted files short of brute force decryption, which because of the key used is not practical, or paying the ransom, which is not advised. If you have shadow copy enabled you may be able to recover undamaged files from that, but usually the only practical solution is to restore from backup.

Because of the nature of ransomware infections (i.e. trojans) it is user behaviour that needs modification more than physical changes to security, but there are some steps you can take to reduce the risk of infection.


This will also account for your users issues with Pegasus as some of its data files will also be affected :(
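The two checks suggested in this thread (copy a file to a clean machine and rename it to drop the added extension; look at whether the content is really ciphertext or just a renamed document) can be done for a whole folder at once. The script below is an added example and not code from the thread or from any of the tools mentioned; it walks a directory copied off the affected machine, finds files with a doubled extension such as filename.pdf.ajajnhe, checks whether the file header still matches the inner extension (a PDF still starts with %PDF), measures the byte entropy of the first 4 KiB, and also lists any Decrypt-All-Files-*.txt notes. The sample tree it builds, the 7.5 bits/byte entropy threshold and the signature table are constructed assumptions for the demonstration; the .ajajnhe suffix and the note file name come from the thread.

```python
"""Triage documents that may have been renamed and encrypted by ransomware.

Added example for the thread above, not the original poster's or any vendor's
code. Run it against a copy of the affected data on a clean machine; it only
reads files and never modifies them.
"""
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Header ("magic") bytes expected for the document types the thread mentions.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
    ".jpg": b"\xff\xd8\xff",
}
# dBase .dbf files have no fixed signature (byte 0 is a version code), so they
# are judged on entropy alone.
DOC_EXTS = set(MAGIC) | {".dbf"}
# "name.pdf.ajajnhe": a known document extension followed by an unfamiliar suffix.
DOUBLE_EXT = re.compile(r"(\.[A-Za-z0-9]{2,5})(\.[A-Za-z0-9]{4,12})$")
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); properly encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096):
    """Return a verdict dict for a doubled-extension document, or None when the
    file name does not match the pattern at all."""
    m = DOUBLE_EXT.search(path.name)
    if not m or m.group(1).lower() not in DOC_EXTS:
        return None
    inner, suffix = m.group(1).lower(), m.group(2)
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    signature = MAGIC.get(inner)
    entropy = shannon_entropy(head)
    if signature is not None and head.startswith(signature):
        verdict = "renamed-only"       # header intact: renaming it back should work
    elif entropy > ENTROPY_THRESHOLD:
        verdict = "likely-encrypted"   # no header and random-looking bytes
    else:
        verdict = "inconclusive"       # e.g. a .dbf, which has no header to check
    return {"path": str(path), "type": inner, "suffix": suffix,
            "entropy": round(entropy, 2), "verdict": verdict}


def triage(root: Path) -> dict:
    """Walk a tree and summarise affected files, suffixes seen and ransom notes."""
    files = [r for r in (classify(p) for p in root.rglob("*") if p.is_file()) if r]
    notes = sorted(str(p) for p in root.rglob("Decrypt-All-Files-*.txt"))
    return {
        "files": files,
        "suffixes": Counter(r["suffix"] for r in files),
        "verdicts": Counter(r["verdict"] for r in files),
        "ransom_notes": notes,
    }


def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_demo_dir() -> Path:
    """Create a constructed sample tree that mimics the symptoms in the thread."""
    root = Path(tempfile.mkdtemp(prefix="ctb-triage-"))
    docs = root / "My Documents"
    docs.mkdir()
    (docs / "invoice.pdf.ajajnhe").write_bytes(pseudo_random(6000, b"a"))   # encrypted
    (docs / "ledger.dbf.ajajnhe").write_bytes(pseudo_random(5000, b"b"))    # encrypted
    (docs / "renamed.pdf.ajajnhe").write_bytes(
        b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n")                        # only renamed
    (docs / "untouched.pdf").write_bytes(b"%PDF-1.4\n%%EOF\n")               # not affected
    (docs / "Decrypt-All-Files-ajajnhe.txt").write_text(
        "constructed stand-in for the ransom note\n")
    return root


if __name__ == "__main__":
    report = triage(build_demo_dir())
    for r in report["files"]:
        print(f"{r['verdict']:17} entropy={r['entropy']:5.2f}  {r['path']}")
    print("suffixes:", dict(report["suffixes"]))
    print("ransom notes:", report["ransom_notes"])
```

A single suffix across every hit, together with a matching Decrypt-All-Files-<suffix>.txt, is the pattern the thread describes; "renamed-only" hits are the files worth restoring by renaming, while "likely-encrypted" ones need the backup or shadow copy route.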


gerlisAuthor Commented:
Thanks, all. This has helped me to better understand the situation. I will try making a copy of one and renaming, as suggested. On a different machine.

I will also take a closer look at the Accounts software files.
gerlisAuthor Commented:
Found a file on the system called "Decrypt-All-Files-ajajnhe.txt"

Contains instructions, but they're a honey trap, surely?


Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open or 
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from

2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.

Follow the instructions on the server.
gerlisAuthor Commented:
I copied one of the infected PDFs to another machine (in effect sandboxed it as suggested), renamed it to remove the dodgy extension and tried to open it in Acrobat, no joy.

Been checking it out, and all of the .DBF (database) files which relate to the accounts system have also been infected, plus Word files and, I suspect, most if not all Office files on the system.

I think this machine is beyond repair and is well-ransom-wared!
☠ MASQ ☠Commented:
Yes, pretty much as in the screenshot above. Each infection generates a different key.
Hopefully you have backups.

As far as "honey trap" goes - not really, just a means to anonymously extract Bitcoin ransoms. You enter the public key and a bot server somewhere gives you a chance to transfer ฿ and then provides a private key to decrypt (you need to put the trojan back on the machine to do this). Bizarrely, it's in the criminal's interest to ensure that the decryption works, to "encourage" other victims to pay up. (And no, I'm not recommending this as a solution!)
Thomas Zucker-ScharffSolution GuideCommented:
Yes, if you are encrypted then your only choices are pay or restore from backup. Be careful with the pay option. For instance, is your data worth what they are asking? Last I heard it was 10 bitcoins, which according to today's calculations is 222.91 USD/bitcoin or 2229.10 USD. If it has gone up, feel free to use the bitcoin calculator to figure your damage:
gerlisAuthor Commented:
He has a backup (hard drive), albeit dating from October last year. So we're going to take a look at that. Also upgrade his Win XP machine to Win 7, or persuade him to buy a new PC. We'll then see what we can restore.
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
☠ MASQ ☠Commented:
Will wait to hear from asker but think there's enough here to accept comments.
gerlisAuthor Commented:
Apologies for not responding. In the end he purchased a new PC and we restored as much as we could from his 4 month old backup.

No attempt was made to repair the original infected machine: far too much risk, and no certainty that 1. it would work and 2. we wouldn't lose money.

Thanks to all who offered help.
David Johnson, CD, MVPRetiredCommented:
There are 2 answers that are applicable. Restore from backup is the only one that works. Suggest MASQ's answer be accepted ID: 40593044