Solved

Ransom-FSA!txt - Decrypt Files

Posted on 2015-02-12
Last Modified: 2015-02-15
I manage a large network and one of our VIPs' laptops got infected with Ransom-FSA!txt, or so it was called in McAfee EPO 5.1 and VirusScan 8.8i.

I have tried all of the suggestions and tools online. I have tried several from Kaspersky to decrypt such files and all have failed to do so. Please note I am running the scans in safe mode. I even tried calling McAfee support and they said that without the private key which the attacker used I am out of luck.

I have found some tools that may be able to decrypt the files by referencing a copy of the file before it was infected. My problem is the user does not have a backup copy of the data and no restore points.

Are there any programs that could guess the keys to decrypt the files? I am open to any suggestions.
0
Comment
Question by:compdigit44
17 Comments
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40606812
You cannot decrypt the files, and paying the ransom is a waste of money that likely will not work. You need to restore from backup, so your VIP has just learned a harsh lesson.
0
 
LVL 49

Expert Comment

by:dbrunton
ID: 40606860
It really depends on how valuable the data is.  If he is a VIP and I presume well off he could pay the ransom.

The people behind this scheme believe in satisfied customers

From http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#ransom

Will paying the ransom actually decrypt your files?

Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40607002
I would not do this because you are giving in to them. There has to be some other way......
0

 
LVL 97

Expert Comment

by:Experienced Member
ID: 40607009
There has to be some other way......   Nope. The files are gone.
0
 
LVL 14

Expert Comment

by:Natty Greg
ID: 40607289
Only pay if the files are really important.
0
 
LVL 25

Accepted Solution

by:
NVIT earned 668 total points
ID: 40607305
Is this infection different from CryptoLocker? Where you can get the decryptor at https://www.decryptcryptolocker.com/
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40607681
Is that website legit?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608244
I tried uploading a sample file to https://www.decryptcryptolocker.com/ and it stated the file was not encrypted with Crypto
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40608281
There has been very little (if any) success with software to decrypt your files. Remember you are dealing with thieves and criminals here.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608717
I have tried all the decrypt tools from Panda, Kaspersky, and the online link another expert posted; nothing has worked.

decryptcryptolocker.com stated it was not a crypto virus. Any other ideas? I am at wits' end at this point with a very unhappy VIP.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40608733
I think your files were encrypted as you first stated. There is really nothing you can do without a backup. Harsh lesson learned.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608754
I found out the user did have a backup on an external drive but this got infected as well :-(
0
 
LVL 97

Assisted Solution

by:Experienced Member
Experienced Member earned 664 total points
ID: 40608759
You need to isolate all the infected devices and clean them of the virus before re-attaching them to your network.
0
 
LVL 49

Assisted Solution

by:dbrunton
dbrunton earned 668 total points
ID: 40608787
There's no known solution to unencrypt the files at this stage.  There may never be a solution.

If they are that desperate tell the very unhappy VIP to pay the ransom.  If they've left it for too long the ransom price doubles.   It's a risk but how desperate are they?

For future reference:  Now the user did have backups but only one external drive.  Needs to really use two drives and alternate between them and keep the second drive off site.  Also needs to use Chrome as a browser because of the built in security and built in Flash.  Also needs to beware of clicking on attached documents in email which is probably the source of infection.
0
 
LVL 20

Author Closing Comment

by:compdigit44
ID: 40611178
Thank you for all of the suggestions everyone. This was a nasty virus and a learning lesson as well.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40611191
@compdigit44 - yes, those viruses are nasty. Hopefully your user will keep good backups going forward.
0
 
LVL 25

Expert Comment

by:NVIT
ID: 40611213
@compdigit44... Thanks for the update. Take care.
0

Question has a verified solution.
