Lee Roberts
HELP! Encrypted data on client's laptop

This is a new one for me... My client, who is computer illiterate, downloaded a file from FilesAnywhere that he had previously uploaded.  He says that all of a sudden the desktop went haywire and his files were renamed with weird stuff (screen shot attached).  I have never run into this before and I'm not sure what happened, but it looks to me like his files got encrypted.
There is a folder on his desktop called "Ultrasonic.Key" and I'm not sure what that is.  Can anybody figure this out?  Willing to pay for help!
There have been no "ransomware" popups and the computer scans clean for viruses.
ASKER CERTIFIED SOLUTION
CompProbSolv
I have had very good success with eradicating ransomware viruses with common programs, though the data doesn't come back.  John's recommendation to reformat and start over is certainly the safer one.  Before doing that, I'd certainly check for any data files that you don't have backed up.  Depending on how long it was run after the infection, there may be some files that haven't gotten hit yet.
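As an added, defender-side example (not code from this thread or from any tool named in it): a small Python triage script that walks a directory and flags which files still carry the header their extension promises and which have been overwritten or renamed, so the data that "hasn't gotten hit yet" can be copied off before the machine is rebuilt. The magic-byte table, the 7.5 bits/byte entropy threshold and the sample files are my own constructed assumptions.

```python
# Triage files as "intact" or "likely_encrypted" before a rebuild (added example).
# Heuristics: known magic bytes for the claimed extension, plus Shannon entropy of
# the first 4 KiB (encrypted or compressed data sits close to 8 bits per byte).
import math
import os
import tempfile
from collections import Counter
# Magic bytes for a few common document types (Office 2007+ files are ZIP containers).
MAGIC = {
    ".pptx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(path: str) -> str:
    """Return 'intact', 'likely_encrypted' or 'unknown' for one file."""
    with open(path, "rb") as f:
        head = f.read(4096)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        # Known type: the header must match, otherwise the contents were replaced.
        return "intact" if head.startswith(MAGIC[ext]) else "likely_encrypted"
    # Unknown or renamed extension: fall back on the entropy of the sample.
    return "likely_encrypted" if entropy(head) > 7.5 else "unknown"

def triage(root: str) -> dict:
    """Map every file under root (relative path) to its classification."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            result[os.path.relpath(p, root)] = classify(p)
    return result

def demo() -> dict:
    """Constructed sample tree: one intact deck, one overwritten sheet, one renamed file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "deck.pptx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 100)   # genuine ZIP header, still readable
    with open(os.path.join(root, "budget.xlsx"), "wb") as f:
        f.write(os.urandom(4096))                  # header destroyed, random body
    with open(os.path.join(root, "notes.docx.xyz123"), "wb") as f:
        f.write(os.urandom(4096))                  # renamed with a junk suffix
    return triage(root)
```

Run `demo()` to see the three verdicts; point `triage()` at the user's profile to list what is still worth copying off.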
Lee Roberts (ASKER)
Update: Ran TDSSKiller and found 1 file Unsigned  Service: tcsd_win32.exe. Malwarebytes found several PUPs (Conduit) and SuperAntiSpyware found 468 items which were removed.

Renaming the files and trying to open them causes 'errors' in PowerPoint.

There are no usable data files that I can find.  Guess a reformat is in order.  Don't think he has an up to date backup (will chide him properly for this but I am sure he feels bad enough). Wish there were a way to decrypt, he might even consider paying the ransom if there were some guarantee and it was a car payment and not a house payment LOL.

Thanks for your input... greatly appreciated.
Yaku Kakashi

Try using another anti-virus application to identify what kind of virus infects the computer system.
A lot of encrypted files proved to be decryptable after all, because not all ransomware is professional. Deleting the files is not the right choice. Keep a backup in case decrypting software is offered by AV guys.
As McKnife said, keep a backup; I would keep a whole backup including the malware binaries and helper files. It may be necessary to have them at hand to use the decryption tool, depending on how the decryption was defeated. Easiest way: remove the infected HDD from the device if possible, install a new hard drive, and install the OS and software back on the new drive. Keep the old drive and wait to see if a decryption tool becomes available later for your version of the ransomware.