dimensionav (Mexico) asked:
Infected by a virus which has encrypted all the information

Hi,

Yesterday one of the users in our company opened an email with an attachment that infected the computers on the network. The main issue is that apparently this virus has encrypted all the information, and of course the owner asks for money (a ransom) to decrypt all the data.

This is the message that appears on the computers:
[screenshot of the ransom note]
Your help will be really appreciated.
ASKER CERTIFIED SOLUTION by Coolie Sheppard (United States): not shown in this copy; five further SOLUTION posts are likewise not shown.
If you have already removed the viruses and infections, then my advice probably won't help. Most of what has been mentioned above is true. HOWEVER, I have compiled MANY decryption tools together that may be able to decrypt the data. It is a long shot, but I was successful a few times (3 out of 50), and I deal with these types of infections a lot in the cyber security field.

Usually the first step is to find the infected system and shut it DOWN before it spreads any further. If it already HAS spread everywhere, then you can try to run the tool I linked below. Normally Kaspersky has been a good enough anti-virus to prevent the infection from happening in the first place. The tools may not work if an antivirus has already removed key files required to decrypt.

I don't want to link my personal program compilations, since I am not sure of the rules on this forum and I am new to it, but here is a link to Kaspersky's reputable tool: https://noransom.kaspersky.com/
Julian,

I am surprised you are that successful; unless the encryption trojans are older ones (meaning CryptoLocker and before), there are few C&C servers that have given up their decryption keys. It would take ~6.7 x 10e40 times longer than the age of the universe to exhaust half of the keyspace of one AES-256-bit key, according to this page: https://www.reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/
It would mainly depend on when the encryption was discovered. If the process hasn't finished yet and encryption is still being done, the chances for recovery aren't bad, although it is still time consuming. When the encryption has finished and you are presented with the ransom note, then it usually is too late. The problem is that most people will only notice when it is too late.
btan:

Decryption is not possible unless the ransomware really has gaps in making its crypto unique and random for each victim infected. Even brute force, whether using intensive resources at the backend or a leaked private key database, is not guaranteed to get back the decryption key. The only bet, as everyone has mentioned, is a backup, and even preventing it early to deter it and make it harder by app whitelisting.
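The "app whitelisting" btan recommends, as an added example that is not part of the thread or any poster's own code: a default-deny AppLocker executable policy applied in audit mode first. It allows everyone to run what lives under %WINDIR% and %PROGRAMFILES%, lets local administrators run anything, and therefore denies the usual ransomware dropper locations (%APPDATA%, %TEMP%, Downloads). Assumptions: a Windows edition that ships AppLocker (Enterprise or Server), an elevated PowerShell session, and that line-of-business software outside the two allowed trees gets its own rule before the policy is switched to enforcement. The rule names and the temporary file names are mine.

```powershell
# Added example (not from the thread): default-deny AppLocker policy for EXEs,
# applied in audit mode first. Assumes AppLocker-capable Windows and an elevated shell.

# AppLocker rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

function New-PathRule([string]$Name, [string]$Path, [string]$Sid) {
    # Builds one Allow path rule. S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AuditOnly logs what *would* be blocked (AppLocker event ID 8003) without breaking anything.
# Switch to 'Enabled' once a few days of audit events show no legitimate software being hit.
$mode = 'AuditOnly'
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$(New-PathRule 'Allow Windows folder' '%WINDIR%\*' 'S-1-1-0')
$(New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' 'S-1-1-0')
$(New-PathRule 'Allow administrators everything' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'ransomware-baseline-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: would a payload dropped into %APPDATA% be allowed, and is notepad still fine?
# A copy of notepad stands in for the dropper so Test-AppLockerPolicy has a real file to inspect.
$sample = Join-Path $env:APPDATA 'dropper-sample.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $sample
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample, "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Apply to the local machine. Without -Merge this replaces any existing local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml | Select-String 'EnforcementMode'
```

The dry run should report the %APPDATA% copy as Denied and the real notepad.exe as Allowed by the Windows-folder rule. Two caveats before moving to `Enabled`: user-writable places under %WINDIR% (for example C:\Windows\Temp and C:\Windows\Tasks) are covered by the allow rule, so add exceptions for them or use publisher rules instead of path rules; and this only covers the Exe collection, so script-based ransomware such as the JavaScript and Java variants mentioned later in the thread needs the Script collection configured the same way.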
Thomas,

I agree, I don't consider that ratio successful though, haha. It is barely 20%. The decryption is only possible because the key servers are being taken over and ALL the keys were taken and combined into an algorithm that is constantly being updated, so the programs just match keys together, and if there is a match out of the hundreds of thousands of keys then it will start decryption.

Consider though that there are MILLIONS+ keys out there, so there is always a chance, but it is slim. Also, if the malware is removed then the decryption chance is barely 1% now, since it has some code inside it to identify the algorithm used. Even paying the ransom, you have an 80% chance of getting your data back, and they MAY send the key required to decrypt. Even that one key can help figure out the algorithm used to make the keys. But that is if you have NO backups and is also assuming that the data is worth the ransom.

Lastly, CryptoWall 4.0, which was released just two weeks ago, has TWO phases of encryption: one at initial encryption and a second on top of that one. It also renames the file structure, so you can't even use the programs I mentioned above to help find specific files you may need. It is getting harder, but I will stay on top of it, haha.
Good luck. I just saw the new CryptoJoker (http://news.softpedia.com/news/cryptojoker-ransomware-will-not-put-a-smile-on-your-face-498387.shtml) and it looks even worse. Be careful; I have noticed many of the decryption keys are being sent with their own payload. There was one instance in which all the files on a machine were decrypted after paying the ransom, and then the machine infected the rest of the network, before being stopped, with new malware that had come as part of the decryption key. Luckily it wasn't one of my clients.
Yep, Ransom32 (JS ransomware), using NW.js for platform-agnostic wide infection, is going wild, and looking at such evolution, prevention will be tougher, but minimally the baseline hardening of machines is a must rather than a good-to-have already. I would rather not bother so much about getting back those keys, since it is a losing battle, as all have shared, and it will stay as-is until the crypto is flawed (I doubt so).
Files are encrypted using AES-128 with a new key generated for every file. Victims are allowed to decrypt one file for free, but there is no indication that the ransomware’s encryption mechanism is flawed, which might allow users to recover their files without paying the ransom, such as in the case of the recently discovered Linux.Encoder malware.

Victims are instructed to pay 0.1 Bitcoin ($45) to recover the files, but the amount increases to 1 Bitcoin ($450) if the ransom is not paid within four days. The ransom note informs users that the keys needed for decryption will be destroyed permanently after one week.
Haven't even started to mention the Java version of it. It is getting worse. You are right. I didn't mention too much detail though on the process. Using Sandboxie (if paying the ransom) to prevent that exact issue, but in a way, these new types of infections are actually hurting the cause.

With versions 1 and 2, after infection, the consensus was at least if you paid you would get your data back. You would look at it as a $2000 penalty for not having a backup. Now, with all the scammers hurting their own, thanks to that Russian kid for selling the code on the deep web lol, and now this Joker version, there is no point really.

The workaround I found now is disabling the command line of shadow copy, so you can still have that version of backup and the malware can't use it to remove the copies. So even infection isn't too fatal if you want some precaution.
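One concrete way to do what the workaround above describes, as an added example that is not Julian's own procedure: deny ordinary users the right to execute the two command-line tools crypto-ransomware uses to wipe shadow copies (`vssadmin delete shadows /all /quiet` and `wmic shadowcopy delete`), then confirm that the Volume Shadow Copy service itself still takes snapshots. Assumptions: Windows 7 / Server 2008 R2 or later, an elevated PowerShell session, and that nothing running in the user context legitimately needs vssadmin or wmic (some inventory and helpdesk scripts do). The variable names are mine.

```powershell
# Added example (not from the thread): block the shadow-copy deletion tools for
# non-admin users while keeping VSS itself working. Assumes an elevated session.

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users; the SID is the same on every Windows install
$tools = @(
    "$env:SystemRoot\System32\vssadmin.exe",
    "$env:SystemRoot\System32\wbem\WMIC.exe"
)

foreach ($tool in $tools) {
    # Both binaries are owned by TrustedInstaller, so take ownership for Administrators
    # first; then add an explicit Deny-Execute ACE for Users. Administrators keep their rights.
    takeown.exe /F $tool /A | Out-Null
    icacls.exe $tool /deny "*${usersSid}:(X)" | Out-Null
    icacls.exe $tool             # print the resulting ACL for the change record
}

# Check 1: the VSS service is untouched, so a fresh shadow copy of C: can still be created.
# Win32_ShadowCopy.Create is a static WMI method; ReturnValue 0 means success.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
              -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed with code $($result.ReturnValue)"
}

# Check 2: inventory of existing shadows. After an incident these are what you restore
# from (Explorer's Previous Versions tab, or the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ path).
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName |
    Format-Table -AutoSize
```

To undo the change later, run `icacls.exe <tool> /remove:d *S-1-5-32-545`. The limitation to keep in mind: this only stops a payload running as a standard user. One that has elevated to Administrators or SYSTEM can still delete snapshots through the Win32_ShadowCopy WMI class without touching either binary, and shadow copies live on the same disk as the data, so this is a speed bump that complements the offline backups the rest of the thread insists on, not a replacement for them.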