HUpman

Encrypted files with .micro extension
« on: February 14, 2016, 08:27:20 pm »
Hi! I don't know if this is the correct place for my case.
My files were also encrypted with CryptoWall 3.0 RSA-4096 with the extension .micro 3 days ago. I already eliminated the infection, malware and trojans with SpyHunter first (running 1 time in Windows 7 in normal mode and 2 times in Safe Mode, and MalwareBytes Anti-Malware running 1 time in Safe Mode also).
My PC runs Windows 7 Ultimate 64-bit. Of course, my files remain encrypted and I was unable to recover almost anything from the nearly 16 800 files encrypted.

In my case, I assume, the infection came from an update for Adobe Flash Player. A week and a half ago, when I rebooted my PC and logged into my Windows account, a window from Adobe Flash Player popped up saying something about an update, which I did, but 3 days ago, again after rebooting and logging in, another window from Adobe Flash Player popped up talking about another update. It seemed a bit weird to have another update again, but I did it anyway and opened GOM video player full screen, watching a movie for about 2 hours. When I closed the video player I found a desktop background picture which read:

Beginning of the message:


 __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! 

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http:// perc54hg47fhnkjnfvcdgvdc(.)clinkjuno(.)com/577416AA89B8808F
2. http:// dd7bsndhr45nfksdnkferfer(.)javakale(.)at/577416AA89B8808F
3. http:// yy46bdff329hfbcjhbme2f(.)evertmazic(.)com/577416AA89B8808F
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http:// www(.)torproject(.)org/projects/torbrowser(.)html.en
2. After a successful installation, run the browser and wait for initialization
3. Type in the address bar: fwgrhsao3aoml7ej(.)onion/577416AA89B8808F
4. Follow the instructions on the site.

!!! IMPORTANT INFORMATION:
!!! Your personal pages:
http:// perc54hg47fhnkjnfvcdgvdc.clinkjuno(.)com/577416AA89B8808F
http:// dd7bsndhr45nfksdnkferfer.javakale(.)at/577416AA89B8808F
http:// yy46bdff329hfbcjhbme2f.evertmazic(.)com/577416AA89B8808F
!!! Your personal page Tor-Browser: fwgrhsao3aoml7ej(.)onion/577416AA89B8808F
!!! Your personal identification ID: 577416AA89B8808F

End of the message.

All my files from My Documents, My Pictures, My Videos, My Downloads, etc. were encrypted with a .micro extension, and in all my folders there are .txt, .HTML and .jpeg files with the text message written above.

In my case (and I have searched and read a lot, a lot, a lot of forums, websites, documentation and tutorials across the Internet and never read anything similar), the infection not only encrypted my files, but also deleted all restore points from Windows and all shadow copies from all folders, partitions and hard disks.
In my PC there are 3 HDs: the 1st is partitioned into 4 partitions: the 1st is System C: where Windows is installed, the 2nd is named "Work", the 3rd is named "CDs" and the 4th is named "Games".
The 2nd and 3rd HDs are only for storing data.

The infection covered the 1st and 2nd partitions of the 1st HD, that is, the "System" partition and the "Work" partition. It did not affect the other partitions and hard drives. I think that was because of the warnings about infected files that my antivirus Avast began to alert me with, which made me close the GOM Player and discover the problem.

Finally, let me tell you that I could only recover about 20 image files, of which nearly half are incomplete. This was managed using EaseUS Data Recovery Wizard first and then iCare Data Recovery.

Sorry for my poor English and misuse. Most of the text has been written using Google Translator.

Edit by Sensadmin:
I modified the links so they are unclickable for safety purposes.
« Last Edit: February 15, 2016, 11:25:12 am by sensadmin »


never

  • Network Administrator and Malware Researcher
Re: Encrypted files with .micro extension
« Reply #1 on: February 15, 2016, 09:17:44 am »
Dear Hupman,

Unfortunately at this point there is no relevant decryption method available for .micro files. We will keep you updated as soon as we receive more information. Meanwhile, you can see the updates in the following topic:

Restore Files Encrypted with .xxx, .ttt and .micro File Extensions


We have attempted many methods to decrypt the data with several decryptors. Even though there are public keys in files named "recover_file_{random numbers}.txt", we have tried to decrypt files encrypted with those ID keys and our attempts appeared to be unsuccessful.
« Last Edit: February 15, 2016, 11:29:01 am by never »


HUpman

Re: Encrypted files with .micro extension
« Reply #2 on: February 15, 2016, 07:43:46 pm »
Hi!
I did everything posted in:
"Restore Files Encrypted via RSA Encryption. Remove CryptoWall and Other Ransomware Manually" on August 14, 2015.

and everything ran OK until the part of:

python ./decrypt.py “María.txt.micro”

The Terminal only shows:

[-] Error opening file “María.txt.micro”

and nothing more.
Any suggestion?


never

  • Network Administrator and Malware Researcher
Re: Encrypted files with .micro extension
« Reply #3 on: February 17, 2016, 03:18:15 pm »
Dear HUpman,

Try renaming the file from Maria to M and let me know if it works.

Best Regards,

Never
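
The renaming suggestion above, generalized as an added example (not code from this thread or from the decrypt.py script it mentions): copy each .micro file into a staging folder under an ASCII-only name, so a tool can be tried on the copy while the original stays untouched. The function names and the staging layout are assumptions, and the thread does not establish that the accented file name is the cause of the error.

```python
import os
import shutil
import unicodedata

ENCRYPTED_EXT = ".micro"  # extension reported in this thread


def ascii_safe(name, taken):
    """Return an ASCII-only name for a *.micro file, unique within `taken`."""
    stem = name[:-len(ENCRYPTED_EXT)]
    # Split accented letters into base letter + accent, then drop non-ASCII.
    folded = unicodedata.normalize("NFKD", stem)
    folded = folded.encode("ascii", "ignore").decode("ascii")
    folded = "".join(c if c.isalnum() or c in "._-" else "_" for c in folded)
    folded = (folded.strip("._") or "file") + ENCRYPTED_EXT
    candidate, n = folded, 1
    while candidate.lower() in taken:  # two originals may fold to one name
        candidate = "%d_%s" % (n, folded)
        n += 1
    taken.add(candidate.lower())
    return candidate


def stage_copies(source_root, staging_dir):
    """Copy every *.micro file under source_root into staging_dir under an
    ASCII-only name. Originals are only read, never renamed or modified.
    Returns {staged_name: original_path} so results can be traced back."""
    staging_abs = os.path.abspath(staging_dir)
    os.makedirs(staging_abs, exist_ok=True)
    taken, mapping = set(), {}
    for folder, dirs, files in os.walk(source_root):
        # Do not descend into the staging folder if it lies inside the tree.
        dirs[:] = [d for d in dirs
                   if os.path.abspath(os.path.join(folder, d)) != staging_abs]
        for name in sorted(files):
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            original = os.path.join(folder, name)
            staged = ascii_safe(name, taken)
            shutil.copy2(original, os.path.join(staging_abs, staged))
            mapping[staged] = original
    return mapping
```

Run any recovery tool against the files in the staging folder and use the returned mapping to trace each result back to its original path.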