
*

never

  • *****
  • 121
  • +24/-0
  • Network Administrator and Malware Researcher
Files Encrypted With Random File Extensions
« on: January 07, 2016, 09:20:24 am »
Hello, this is an open topic created with the purpose to assist users who have had their files encrypted with random file extensions and changed file names. You may ask questions, share your experience or help other affected users in need.
« Last Edit: May 25, 2018, 11:08:53 am by sensadmin »

*

cornelg7

  • *
  • 4
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #1 on: January 07, 2016, 09:28:11 pm »
English! Sorry I'm not good with hi ;D
Hi! Sorry for the English mistakes, I'm not a native speaker.

Firstly, let me thank you guys for being willing to give some help with the fight against these encryption viruses.
Secondly, let me mention that I personally didn't have any problems like this, below are some of a friend's files. I know how to defend and prevent myself from this and other types of viruses. Seeing how serious this site is, I may do a mini-tutorial on how to clean your computer and how to keep it like that.

Now, to get to the problem, I have attached screenshots of the beginning of one of the encrypted files opened with Notepad and also the Help_Your_Files.png where they give information about the virus. Unfortunately, the picture is in French, so I used an online png-to-text converter and translated it via Google Translate into English. Here is the result: http://pastebin.com/tBEaFx06

So now I guess the main problem is not the decryption of the files, but discovering what actual ransomware caused it. I don't think it is the bitcrypt as that is not the extension of the files. Any help of any sort is highly appreciated. Thank you again for this post.
« Last Edit: May 25, 2018, 11:09:07 am by sensadmin »

*

dakodaks

  • *
  • 1
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #2 on: January 08, 2016, 03:20:26 am »
As was requested, here's (see attached) the .png image that appears in every folder containing encrypted files in my computer; the image also shows the ransom message. With a little bit of reading, it seems that my misfortune really is consistent with the Cryptowall 4.0 infections. I also learned that there's nothing much I can do about it now so I'm just copying the encrypted files to an external hard drive hoping for a future solution, and trying to recover what can be recovered of the files I lost with a file-recovery software.

Please keep me posted. Much thanks.
« Last Edit: May 25, 2018, 11:09:16 am by sensadmin »

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #3 on: January 08, 2016, 05:42:16 pm »
@cornelg7, that seems like CryptoWall 3 or 4 - possibly a new version of one of them?
That is probably the toughest ransomware yet.
We will see what we can do as we are trying to find new methods to decrypt files.


*

cornelg7

  • *
  • 4
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #4 on: January 08, 2016, 05:53:28 pm »
@Execute Thank you very much for your reply. Does anyone know how this CryptoWall works? Does it delete the initial files first or just modify them? Should I try to get them back with some Data Recovery tool?

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #5 on: January 08, 2016, 05:57:30 pm »
@dakodaks, oh, so you are the friend of cornelg7?
You seem to have CryptoWall 4 alright. Nasty new extension too.

All attached files are downloaded and we will see what we can come up with for a possible decryption.
The attachments will remain hidden just as a security precaution.

We will keep you posted.

Kind Regards,
Execute

*

cornelg7

  • *
  • 4
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #6 on: January 08, 2016, 06:00:44 pm »
@Execute Wait, no, he's someone else  ;D
My friend's encrypted files are too large to attach, they are ~3MB each, should I put them in some cloud and post the link?

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #7 on: January 11, 2016, 04:19:19 pm »
Quote from: cornelg7 on January 08, 2016, 06:00:44 pm
@Execute Wait, no, he's someone else  ;D
My friend's encrypted files are too large to attach, they are ~3MB each, should I put them in some cloud and post the link?

Aah, okay. :D And yes, that is a good idea - upload them and send me the link in a PM (I will share it with our team) - more knowledge about this new variant might help to see if it's really CryptoWall or just a copycat like PhonyWall. If it is a copycat, there might be a higher chance to restore the files.

To your previous comment, older versions of CryptoWall are known to create copies of the files, encrypt these copies, and then delete the originals without modifying them. We are unsure if this is the case here, but you definitely should try to restore deleted files with a few recovery tools.
« Last Edit: January 11, 2016, 04:21:34 pm by Execute »

*

cornelg7

  • *
  • 4
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #8 on: January 11, 2016, 05:09:52 pm »
@Execute
Hi again :D I sent you the link in PM, hope you guys come up with a solution to this ransomware. Good luck with that and let us know in this thread if you discover anything  ;D

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #9 on: January 12, 2016, 10:01:27 am »
@cornelg7, files received.
Thanks, and yes - we will keep you posted when we have results or any breakthrough.

Best Regards,
Execute

*

mihaipuiu

  • *
  • 1
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #10 on: February 03, 2016, 05:49:49 pm »
Hi guys,

Got a problem before winter holidays, 1 computer infected with ransomware virus which encrypted all file types and renamed them by adding him0m extension. So, more than 1 month later, and after days of searching the web for solutions I'm out of ideas.

I'm uploading 1 of the files here; maybe you have a solution.

Thanks in advance,
Best regards,
Mihai
« Last Edit: May 25, 2018, 11:09:39 am by sensadmin »

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #11 on: February 04, 2016, 09:44:37 am »
Hello, mihaipuiu.

We are still trying to find a solution ourselves.
Your file is received and we will begin tests as soon as we possibly can.
We will notify you when we have results.

Best Regards,
Execute

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #12 on: February 11, 2016, 01:59:09 pm »
@mihaipuiu / Mihai, hello again.

We couldn't recover your file, no matter what we tried.
For now we don't know a solution, but we will contact you if we find any new information.

As it is unknown if Shadow Volume Copies are deleted by this ransomware, you can try recovering files with a Data Recovery Tool (examples: Recuva, UndeletePlus, TestDisk).

Kind Regards,
Execute

*

TJM9880

  • *
  • 1
  • +0/-0
Re: Files Encrypted With Random File Extensions
« Reply #13 on: March 21, 2016, 09:25:48 pm »
Got TeslaCrypt 3.0, MP3 extension on everything. Backup was bad. Paid ransom, tried to decrypt files. Files now show up as decrypted_filename.pdf.mp3. If I change the name it's corrupt, otherwise it will not open. Any thoughts? Thanks.

*

Execute

  • *****
  • 276
  • +46/-0
  • Your friendly neighbourhood IT guy
Re: Files Encrypted With Random File Extensions
« Reply #14 on: March 22, 2016, 10:17:49 am »
Quote from: TJM9880 on March 21, 2016, 09:25:48 pm
Got TeslaCrypt 3.0, MP3 extension on everything. Backup was bad. Paid ransom, tried to decrypt files. Files now show up as decrypted_filename.pdf.mp3. If I change the name it's corrupt, otherwise it will not open. Any thoughts? Thanks.

Hello, TJM9880. I am very sorry to hear you felt forced to pay the ransom. There are people who have paid other ransomware creators and they had luck in decrypting their files. But you've got to understand that paying the ransom is no guarantee for decryption. Even if it is, you are supporting cyber criminals who think of smarter ways to get their ransomware stronger and more effective. You probably know this, but I hate to see people paying, because most of the time - it doesn't work.

Now, there might be a way to open your files - try sending a few files to [email protected]. Try sending an encrypted and a decrypted version of the same file, if you have them. Seeing it first hand and also trying to open a file on a PC not infected with the ransomware might help or give a new perspective. Other than that - you might try a few data recovery utilities to see if any of the original files were deleted and could be recoverable that way.

For now there is no known decryptor program that works with this extension - this topic will be updated if one is found.

Kind Regards,
Execute
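
An added example, not part of the original thread or any poster's code: a small Python triage check for the situation in Reply #13, where a "decrypted" file still carries an appended extension and will not open. It compares the file's first bytes with the signature expected for its original extension and falls back to byte entropy. The function names, the signature subset, the 7.5 threshold and both sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Well-known leading signatures for a few common formats (small illustrative subset).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off, in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def original_extension(name: str) -> str:
    """'decrypted_filename.pdf.mp3' -> '.pdf'; 'photo.him0m' -> '.him0m'."""
    stem, appended = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]
    return (inner or appended).lower()

def triage(name: str, data: bytes) -> str:
    """Classify a file from its name and content (first 64 KiB is enough)."""
    magic = MAGIC.get(original_extension(name))
    # Header check first: valid JPEG/ZIP/DOCX files are compressed and also high-entropy.
    if magic and data.startswith(magic):
        return "header-ok"
    if shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "inconclusive"

# Constructed samples: a minimal PDF-like header and a pseudo-random stand-in for ciphertext.
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
CIPHERTEXT_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for label, blob in (("pdf", PDF_SAMPLE), ("ciphertext", CIPHERTEXT_SAMPLE)):
        print(label, triage("decrypted_filename.pdf.mp3", blob))
```

Run it against copies of the affected files on a machine that is not infected; a "likely-encrypted" result for a file named decrypted_… means its content still looks like ciphertext, whatever its name says.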