Solved

Ransom-FSA!txt - Decrypt Files

Posted on 2015-02-12
Last Modified: 2015-02-15
I manage a large network and one of our VIP's laptops got infected with Ransom-FSA!txt, or so it was called in McAfee EPO 5.1 and VirusScan 8.8i.

I have tried all of the suggestions and tools online. I have tried several from Kaspersky to decrypt such files and all have failed to do so. Please note I am running the scans in safe mode. I even tried calling McAfee support and they said without the private key which the attacker used I am out of luck.

I have found some tools that may be able to decrypt the files by referencing a copy of the file before it was infected. My problem is the user does not have a backup copy of the data and no restore points.

Are there any programs that could guess the keys to decrypt the files? I am open to any suggestions.
Question by:compdigit44
17 Comments
 
LVL 92

Expert Comment

by:John Hurst
ID: 40606812
You cannot decrypt the files, and paying the ransom is a waste of money that likely will not work. You need to restore from backup, so your VIP has just learned a harsh lesson.
0
 
LVL 48

Expert Comment

by:dbrunton
ID: 40606860
It really depends on how valuable the data is.  If he is a VIP and I presume well off he could pay the ransom.

The people behind this scheme believe in satisfied customers

From http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#ransom

Will paying the ransom actually decrypt your files?

Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 40607002
I would not do this because you are giving in to them. There has to be some other way......
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 40607009
There has to be some other way......   Nope. The files are gone.
0
 
LVL 9

Expert Comment

by:nattygreg
ID: 40607289
Only pay if the files are really important.
0
 
LVL 23

Accepted Solution

by:
NVIT earned 167 total points
ID: 40607305
Is this infection different from CryptoLocker? Where you can get the decryptor at https://www.decryptcryptolocker.com/
0
 
LVL 19

Author Comment

by:compdigit44
ID: 40607681
Is that website legit?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 40608244
I tried uploading a sample file to https://www.decryptcryptolocker.com/ and it stated the file was not encrypted with Crypto
0

 
LVL 92

Expert Comment

by:John Hurst
ID: 40608281
There has been very little (if any) success with software to decrypt your files. Remember you are dealing with thieves and criminals here.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 40608717
I have tried all the decrypt tools from Panda, Kaspersky, and the online link another expert posted; nothing has worked.

The decryptcryptolocker.com stated it was not a crypto virus. Any other ideas? I am at wits' end at this point with a very unhappy VIP.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 40608733
I think your files were encrypted as you first stated. There is really nothing you can do without a backup. Harsh lesson learned.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 40608754
I found out the user did have a backup on an external drive but this got infected as well :-(
0
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 166 total points
ID: 40608759
You need to isolate all the infected devices and clean them of the virus before re-attaching them to your network.
0
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 167 total points
ID: 40608787
There's no known solution to unencrypt the files at this stage.  There may never be a solution.

If they are that desperate tell the very unhappy VIP to pay the ransom.  If they've left it for too long the ransom price doubles.   It's a risk but how desperate are they?

For future reference: Now the user did have backups but only one external drive. Needs to really use two drives and alternate between them and keep the second drive off site. Also needs to use Chrome as a browser because of the built-in security and built-in Flash. Also needs to beware of clicking on attached documents in email, which is probably the source of infection.
0
 
LVL 19

Author Closing Comment

by:compdigit44
ID: 40611178
Thank you for all of the suggestions everyone. This was a nasty virus and a learning lesson as well.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 40611191
@compdigit44 - yes, those viruses are nasty. Hopefully your user will keep good backups going forward.
0
 
LVL 23

Expert Comment

by:NVIT
ID: 40611213
@compdigit44... Thanks for the update. Take care.
0


Question has a verified solution.
