gerlis asked:
Malware: Affected all pdf files (CTB Locker?)

A client with a Win XP machine has problems with their accounts system (a UK software package called Pegasus Opera). However, when my colleague who supports it looked more closely at the accounts system and the machine, they realised that all PDFs had been compromised with a set of random characters added to the file extension, e.g. filename.pdf.ajajnhe (the same set of characters on all PDFs).

However, I don't know what state the accounts system is in. It won't start. I don't know anything about how it works. At one point the client told me he had seen an error message referring to CTB-Locker (CBT?), the ransomware, though no messages demanding money have appeared (yet). I have run Malwarebytes twice; it has found about 30 or so items each time. I've run CCleaner. I've read articles saying to do these in safe mode? I will also run McAfee Stinger. There is lots and lots about CTB (CBT) on the Web, but many solutions require downloading other (dodgy?) programs. I found this MS article, but in essence it is just saying to do a restore from a backup, rather than any repair attempt?

So, in summary, I have two related problems here: to sort out the actual malware (and hopefully the accounts system), then recover the PDFs.

All suggestions welcomed.
David Johnson, CD (Canada):

The PDFs are history unless you pay the ransom, and since you cleaned out the stuff, these files can't be decrypted, so you have to restore from a backup or a shadow copy.
That is so if they are indeed encrypted. Have you tried making a copy of one and renaming it?

Bulk renaming software is free and easy to use.
ASKER CERTIFIED SOLUTION
☠ MASQ ☠
[solution text not available on this page]
gerlis (ASKER):
Thanks, all. This has helped me to better understand the situation. I will try making a copy of one and renaming, as suggested. On a different machine.

I will also take a closer look at the Accounts software files.
gerlis (ASKER):
Found a file on the system called "Decrypt-All-Files-ajajnhe.txt"

Contains instructions, but they're a honey trap, surely?

------------------------------------------------------------------------------------

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org 
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.
RWQURWM-S7AMEV7-42YABP3-L3ES4RT-GX4BDFW-IIDBWDO-KBMDYY2-3DE4MJR
YOWLANT-CTCEGYX-LXNNNSK-XHYWWOZ-VOZEH7J-K2CFD6M-S7ECSSH-246KU6X
OKMO4UC-WXGHOQC-LG63FBY-EIMXIBU-EN67TOT-F3RU6ZI-LB3SUBK-7ZYJOVY


Follow the instructions on the server.
gerlis (ASKER):
I copied one of the infected PDFs to another machine (in effect sandboxed it, as suggested), renamed it to remove the dodgy extension and tried to open it in Acrobat; no joy.

I've been checking it out, and all of the .DBF (database) files which relate to the accounts system have also been infected, plus Word files and, I suspect, most if not all Office files on the system.

I think this machine is beyond repair and is well and truly ransomwared!
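Added example, not code from the thread or from any of the posters: a small Python triage script for the situation described here. It walks a directory tree, lists files that carry an extra extension after a document extension (the filename.pdf.ajajnhe pattern), looks for the Decrypt-All-Files-<tail>.txt ransom note, and applies the test suggested earlier in the thread to each suspect file (is it merely renamed, or really encrypted?) by checking whether the original type's header bytes survive and, if they do not, whether the content has ciphertext-like entropy. The file signatures, the 5-8 character tail pattern, the 7.5-bits-per-byte threshold and the sample tree it builds in a temporary directory are all assumptions constructed for the demo.

```python
"""Triage helper for a suspected CTB-Locker style hit (added example, not from the thread)."""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Standard signatures for the file types named in the thread (assumed values:
# .doc/.xls are OLE2 compound files, .docx/.xlsx are ZIP containers).
MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
# dBASE/FoxPro files have no magic string, only a version byte at offset 0 (assumed set).
DBF_VERSION_BYTES = {0x02, 0x03, 0x04, 0x05, 0x30, 0x31, 0x83, 0x8B, 0xF5}
# report.pdf.ajajnhe -> orig="pdf", tail="ajajnhe" (the tail length is an assumption)
SUSPECT_RE = re.compile(r"^.+\.(?P<orig>pdf|dbf|docx?|xlsx?)\.(?P<tail>[a-z0-9]{5,8})$", re.I)
# Ransom note name as quoted in the thread: Decrypt-All-Files-<tail>.txt
NOTE_RE = re.compile(r"^Decrypt-All-Files-(?P<tail>[a-z0-9]+)\.txt$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(orig_ext: str, head: bytes) -> bool:
    """True if the bytes still carry a plausible header for the original file type."""
    ext = orig_ext.lower()
    if ext == ".dbf":  # version byte, YYMMDD stamp and header length must be sane
        return (len(head) >= 32 and head[0] in DBF_VERSION_BYTES
                and 1 <= head[2] <= 12 and 1 <= head[3] <= 31
                and int.from_bytes(head[8:10], "little") >= 33)
    magic = MAGIC.get(ext)
    return magic is not None and head.startswith(magic)


def classify(path: Path, orig_ext: str) -> str:
    """'renamed-only' (strip the tail and the file opens), 'encrypted', or 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(64 * 1024)
    if header_matches(orig_ext, head):
        return "renamed-only"
    if shannon_entropy(head) > 7.5:  # threshold is an assumption; the maximum is 8.0
        return "encrypted"
    return "unknown"


def triage(root: Path) -> dict:
    """Walk root: suspect files with verdicts, ransom notes found, and the tails seen."""
    result = {"suspect": [], "notes": [], "file_tails": Counter(), "note_tails": set()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        m = NOTE_RE.match(p.name)
        if m:
            result["notes"].append(rel)
            result["note_tails"].add(m.group("tail").lower())
            continue
        m = SUSPECT_RE.match(p.name)
        if m:
            result["suspect"].append((rel, classify(p, "." + m.group("orig").lower())))
            result["file_tails"][m.group("tail").lower()] += 1
    return result


def consistent(result: dict) -> bool:
    """One tail on every suspect file, and the ransom note carries the same tail."""
    return len(result["file_tails"]) == 1 and set(result["file_tails"]) == result["note_tails"]


def fake_ciphertext(n: int, seed: int = 13) -> bytes:
    """Deterministic uniform byte stream standing in for ciphertext (constructed data)."""
    return bytes((i * 239 + seed) % 256 for i in range(n))


def build_demo(root: Path) -> None:
    """Constructed sample tree mirroring the thread's symptoms; not real victim files."""
    acc = root / "accounts"
    acc.mkdir(parents=True)
    (acc / "invoice.pdf.ajajnhe").write_bytes(fake_ciphertext(4096))
    (acc / "ledger.dbf.ajajnhe").write_bytes(fake_ciphertext(4096))
    (acc / "quote.pdf.ajajnhe").write_bytes(b"%PDF-1.4\n" + b"A" * 2048)  # header intact
    (acc / "untouched.pdf").write_bytes(b"%PDF-1.4\n")
    (root / "Decrypt-All-Files-ajajnhe.txt").write_text(
        "Your documents, photos, databases and other important files have been encrypted\n")


if __name__ == "__main__":
    demo = Path(tempfile.mkdtemp())
    build_demo(demo)
    r = triage(demo)
    for rel, verdict in sorted(r["suspect"]):
        print(f"{verdict:13} {rel}")
    print("ransom notes:", r["notes"], "| tail consistent with note:", consistent(r))
```

Run it against a copy of the affected tree on a separate machine, never on the live one. A "renamed-only" verdict means stripping the tail is enough; "encrypted" means the content is gone without the key, so the only way back is a backup or shadow copy; and a tail that differs between files, or from the one in the ransom note's name, is a sign of more than one run or more than one family, which changes what a backup restore needs to cover.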
Yes, pretty much as in the screenshot above. Each infection generates a different key.
Hopefully you have backups.

As far as the honey trap goes: not really, it's just a means to anonymously extract Bitcoin ransoms. You enter the public key and a bot server somewhere gives you a chance to transfer ฿ and then provides a private key to decrypt (you need to put the Trojan back on the machine to do this); bizarrely, it's in the criminals' interest to ensure that the decryption works, to "encourage" other victims to pay up. (And no, I'm not recommending this as a solution!)
Yes, if you are encrypted then your only choices are to pay or restore from backup. Be careful with the pay option. For instance, is your data worth what they are asking? Last I heard it was 10 bitcoins, which according to today's calculations is 222.91 USD/bitcoin, or 2229.10 USD. If it has gone up, feel free to use the bitcoin calculator to figure your damage:

http://preev.com/
gerlis (ASKER):
He has a backup (hard drive), albeit dating from October last year. So we're going to take a look at that. We will also upgrade his Win XP machine to Win 7 or persuade him to buy a new PC. We'll then see what we can restore.
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Will wait to hear from asker but think there's enough here to accept comments.
gerlis (ASKER):
Apologies for not responding. In the end he purchased a new PC and we restored as much as we could from his four-month-old backup.

No attempt was made to repair the original infected machine: far too much risk, and no certainty that 1. it would work and 2. we wouldn't lose money.

Thanks to all who offered help.
There are 2 answers that are applicable. Restore from backup is the only one that works. Suggest MASQ's answer be accepted (ID: 40593044).