Solved

Ransom-FSA!txt - Decrypt Files

Posted on 2015-02-12
17
553 Views
Last Modified: 2015-02-15
I manage a large network and one of our VIPs' laptops got infected with Ransom-FSA!txt, or so it was called in McAfee EPO 5.1 and VirusScan 8.8i.

I have tried all of the suggestions and tools online. I have tried several from Kaspersky to decrypt such files and all have failed to do so. Please note I am running the scans in safe mode. I even tried calling McAfee support and they said without the private key which the attacker used I am out of luck.

I have found some tools that may be able to decrypt the files by referencing a copy of the file before it was infected. My problem is the user does not have a backup copy of data and no restore points.

Are there any programs that could guess the keys to decrypt the files? I am open to any suggestions.
0
Question by:compdigit44
17 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 40606812
You cannot decrypt the files, and paying the ransom is a waste of money that likely will not work. You need to restore from backup, so your VIP has just learned a harsh lesson.
0
 
LVL 49

Expert Comment

by:dbrunton
ID: 40606860
It really depends on how valuable the data is.  If he is a VIP and I presume well off he could pay the ransom.

The people behind this scheme believe in satisfied customers

From http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#ransom

Will paying the ransom actually decrypt your files?

Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40607002
I would not do this because you are giving in to them. There has to be some other way......
0

 
LVL 95

Expert Comment

by:John Hurst
ID: 40607009
There has to be some other way......   Nope. The files are gone.
0
 
LVL 13

Expert Comment

by:Natty Greg
ID: 40607289
Only pay if the files are really important.
0
 
LVL 24

Accepted Solution

by:
NVIT earned 167 total points
ID: 40607305
Is this infection different from CryptoLocker, where you can get the decryptor at https://www.decryptcryptolocker.com/ ?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40607681
Is that website legit?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608244
I tried uploading a sample file to https://www.decryptcryptolocker.com/ and it stated the file was not encrypted with Crypto
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40608281
There has been very little (if any) success with software to decrypt your files. Remember you are dealing with thieves and criminals here.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608717
I have tried all the decrypt tools from Panda, Kaspersky, and the online one another expert posted; nothing has worked.

The decryptcryptolocker.com site stated it was not a crypto virus. Any other ideas? I am at wits' end at this point with a very unhappy VIP..
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40608733
I think your files were encrypted as you first stated. There is really nothing you can do without a backup. Harsh lesson learned.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40608754
I found out the user did have a backup on an external drive but this got infected as well :-(
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 166 total points
ID: 40608759
You need to isolate all the infected devices and clean them of the virus before re-attaching to your network.
0
 
LVL 49

Assisted Solution

by:dbrunton
dbrunton earned 167 total points
ID: 40608787
There's no known solution to unencrypt the files at this stage.  There may never be a solution.

If they are that desperate tell the very unhappy VIP to pay the ransom.  If they've left it for too long the ransom price doubles.   It's a risk but how desperate are they?

For future reference:  Now the user did have backups but only one external drive.  Needs to really use two drives and alternate between them and keep the second drive off site.  Also needs to use Chrome as a browser because of the built in security and built in Flash.  Also needs to beware of clicking on attached documents in email which is probably the source of infection.
0
 
LVL 20

Author Closing Comment

by:compdigit44
ID: 40611178
Thank you for all of the suggestions everyone. This was a nasty virus and a learning lesson as well.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40611191
@compdigit44 - yes, those viruses are nasty. Hopefully your user will keep good backups going forward.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40611213
@compdigit44... Thanks for the update. Take care.
0
