SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on January 07, 2016, 09:20:24 am

Title: Files Encrypted With Random File Extensions
Post by: never on January 07, 2016, 09:20:24 am
Hello, this is an open topic created with the purpose to assist users who have had their files encrypted with random file extensions and changed file names. You may ask questions, share your experience or help other affected users in need.
Title: Re: Files Encrypted With Random File Extensions
Post by: cornelg7 on January 07, 2016, 09:28:11 pm
English! Sorry I'm not good with hi ;D
Hi! Sorry for the English mistakes, I'm not a native speaker.

Firstly, let me thank you guys for being willing to give some help with the fight against these encryption viruses.
Secondly, let me mention that I personally didn't have any problems like this; below are some of a friend's files. I know how to defend and prevent myself from this and other types of viruses. Seeing how serious this site is, I may do a mini-tutorial on how to clean your computer and how to keep it like that.

Now, to get to the problem, I have attached screenshots of the beginning of one of the encrypted files opened with Notepad and also the Help_Your_Files.png where they give information about the virus. Unfortunately, the picture is in French, so I used an online png-to-text converter and translated it via Google Translate into English. Here is the result: http://pastebin.com/tBEaFx06

So now I guess the main problem is not the decryption of the files, but discovering what actual ransomware caused it. I don't think it is the bitcrypt as that is not the extension of the files. Any help of any sort is highly appreciated. Thank you again for this post.
Title: Re: Files Encrypted With Random File Extensions
Post by: dakodaks on January 08, 2016, 03:20:26 am
As was requested, here's (see attached) the .png image that appears in every folder containing encrypted files in my computer; the image also shows the ransom message. With a little bit of reading, it seems that my misfortune really is consistent with the Cryptowall 4.0 infections. I also learned that there's nothing much I can do about it now so I'm just copying the encrypted files to an external hard drive hoping for a future solution, and trying to recover what can be recovered of the files I lost with a file-recovery software.

Please keep me posted. Much thanks.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on January 08, 2016, 05:42:16 pm
@cornelg7, that seems like CryptoWall 3 or 4 - possibly a new version of one of them?
That is probably the toughest ransomware yet.
We will see what we can do as we are trying to find new methods to decrypt files.

Title: Re: Files Encrypted With Random File Extensions
Post by: cornelg7 on January 08, 2016, 05:53:28 pm
@Execute Thank you very much for your reply. Does anyone know how this CryptoWall works? Does it delete the initial files first or just modify them? Should I try to get them back with some Data Recovery tool?
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on January 08, 2016, 05:57:30 pm
@dakodaks, oh, so you are the friend of cornelg7?
You seem to have CryptoWall 4 alright. Nasty new extension too.

All attached files are downloaded and we will see what we can come up with for a possible decryption.
The attachments will remain hidden just as a security precaution.

We will keep you posted.

Kind Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: cornelg7 on January 08, 2016, 06:00:44 pm
@Execute Wait, no, he's someone else  ;D
My friend's encrypted files are too large to attach, they are ~3MB each, should I put them in some cloud and post the link?
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on January 11, 2016, 04:19:19 pm
> @Execute Wait, no, he's someone else  ;D
> My friend's encrypted files are too large to attach, they are ~3MB each, should I put them in some cloud and post the link?

Aah, okay. :D And yes, that is a good idea - upload them and send me the link in a PM (I will share it with our team) - more knowledge about this new variant might help to see if it's really CryptoWall or just a copycat like PhonyWall (http://sensorstechforum.com/remove-phonywall-ransomware-the-cryptowall-3-0-copycat/). If it is a copycat, there might be a higher chance to restore the files.

To your previous comment, older versions of CryptoWall are known to create copies of the files, encrypt these copies, and then delete the originals without modifying them. We are unsure if this is the case here, but you definitely should try to restore deleted files with a few recovery tools.
Title: Re: Files Encrypted With Random File Extensions
Post by: cornelg7 on January 11, 2016, 05:09:52 pm
@Execute
Hi again :D I sent you the link in a PM, hope you guys come up with a solution to these ransomwares. Good luck with that and let us know in this thread if you discover anything  ;D
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on January 12, 2016, 10:01:27 am
@cornelg7, files received.
Thanks, and yes - we will keep you posted when we have results or any breakthrough.

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: mihaipuiu on February 03, 2016, 05:49:49 pm
Hi guys,

Got a problem before the winter holidays: 1 computer infected with a ransomware virus which encrypted all file types and renamed them by adding the him0m extension. So, more than 1 month later, and after days of searching the web for solutions, I'm out of ideas.

I'm uploading 1 of the files here; maybe you have a solution.

Thanks in advance,
Best regards,
Mihai
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on February 04, 2016, 09:44:37 am
Hello, mihaipuiu.

We are still trying to find a solution ourselves.
Your file is received and we will begin tests as soon as we possibly can.
We will notify you when we have results.

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on February 11, 2016, 01:59:09 pm
@mihaipuiu / Mihai, hello again.

We couldn't recover your file, no matter what we tried.
For now we don't know a solution, but we will contact you if we find any new information.

As it is unknown if Shadow Volume Copies are deleted by this ransomware,
you can try recovering files with a Data Recovery Tool ( Examples: Recuva, UndeletePlus, TestDisk )

Kind Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: TJM9880 on March 21, 2016, 09:25:48 pm
Got Teslacrypt 3.0 MP3 extension on everything. Backup was bad. Paid ransom, tried to decrypt files. Files now show up as decrypted_filename.pdf.mp3. If I change the name it's corrupt, otherwise it will not open. Any thoughts? Thanks.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on March 22, 2016, 10:17:49 am
> Got Teslacrypt 3.0 MP3 extension on everything. Backup was bad. Paid ransom, tried to decrypt files. Files now show up as decrypted_filename.pdf.mp3. If I change the name it's corrupt, otherwise it will not open. Any thoughts? Thanks.

Hello, TJM9880. I am very sorry to hear you felt forced to pay the ransom. There are people who have paid other ransomware creators and they had luck in decrypting their files. But you got to understand that paying the ransom is no guarantee for decryption. Even if it is, you are supporting cyber criminals who think of smarter ways to get their ransomware stronger and more effective. You probably know this, but I hate to see people paying, because most of the time - it doesn't work.

Now, there might be a way to open your files - try sending a few files to idunn0@abv.bg. Try sending if you have an encrypted and decrypted version of the same file. Seeing it first hand and also trying to open a file on a PC not being infected with the ransomware might help or give a new perspective. Other than that - you might try a few data recovery utilities to see if any of the original files were deleted and could be recoverable that way.

For now there is no known decryptor program that works with this extension - this topic will be updated if one is found.

Kind Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: never on April 04, 2016, 12:23:05 pm
Since we have seen tons and tons of ransomware, we have also seen users who were able to recover at least some of their files using data recovery software. Here is a video about it:

  Recover Your Data and Find Hidden Files (https://www.youtube.com/watch?v=P0sWqfRaZiU)

Bear in mind that you should also check the  Tips and Tricks regarding ransomware (http://sensorstechforum.com/forums/pc-tips-tricks/tips-about-ransomware/) which Execute has kindly created to assist you with this mess.

Best Regards,
Never
Title: Re: Files Encrypted With Random File Extensions
Post by: Fidelio on May 03, 2016, 05:41:15 pm
Hi to all,
I need your advice for my friend's sad case  :( . He got 7ev3n-HONE$T which renames files to R5A extension. If anyone knows how to decrypt, it will be veeeery nice. His files are on the D partition of the laptop. But if there is no help, what will happen if we install new Windows on the infected C system drive? Will it make documents on D visible or will it be the same?
Thanx in advance and brgds,
Fidelio
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on May 04, 2016, 03:32:30 pm
Hello, @Fidelio.

For now there is no known method for decryption of .r5a locked files.
It doesn't matter on which partition he has the files. If you reinstall the Operating System with the partition of where that OS is located, it might not get rid of the ransomware. But one thing is 100% sure - even if you manage to remove it, the files will remain locked. There is nothing keeping them in that state - it's a done matter. (Just like a door - if you lock it - it stays locked).

However, removing the virus is good, so it stops spreading to different networks and external devices if you connect them to the laptop.
You might try some Data Recovery tools. Although paid ones are recorded to be better, free ones also have successfully recovered files encrypted by ransomware. First try with some Free tools. If you see it works and the result is pleasing to you - make a decision if you want to pay for better tools.

Important things you should consider:

1. Data Recovery Tools will only work if you haven't reinstalled your OS.
2. Ransomware usually deletes files and encrypts their copies and that's why a Data Recovery software might work.
3. If you have already re-installed the OS, recovery software might work for files found initially in the other drive.
(If free programs don't recover anything after reinstallation, do not expect paid ones to work - they work on almost the same exact principle).

Here is more information about the virus - http://sensorstechforum.com/7ev3n-honest-virus-the-return-of-the-ransomware/

You should also try to prevent this from happening to your friends, by looking at these tips (http://sensorstechforum.com/forums/pc-tips-tricks/tips-about-ransomware/) and these Anti-Ransomware Tools (http://sensorstechforum.com/the-most-popular-free-anti-ransomware-tools/).

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: Raj on June 27, 2016, 02:35:11 pm
Hi, is there any way of converting encrypted files (.crypz) as all my photos have been hacked into and encrypted.

Thanks
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on June 27, 2016, 04:29:56 pm
> Hi, is there any way of converting encrypted files (.crypz) as all my photos have been hacked into and encrypted.
>
> Thanks

Hello there, Raj.
As the ransomware is a variant of Cryp1 Ransomware (http://sensorstechforum.com/remove-cryp1-ultracrypter-ransomware-restore-cryp1-files/) it might be possible to recover some files with TrendMicro's File Decryptor (http://esupport.trendmicro.com/solution/en-US/1114221.aspx) for previous variants. You might get a partial decryption this way.

Other than that - no official way exists to recover 100% of the data. As ransomware often deletes files before encrypting them, I can suggest a Data Recovery program, like Stellar Phoenix Photo Recovery (http://sensorstechforum.com/stellar-phoenix-photo-recovery-software-review/) or a similar one specifically made for photo restoration.

Researchers have previously decrypted some of the past variants of the ransomware, so there is hope yet. If nothing works - save your files somewhere and wait. Don't pay the ransom as the ransomware makers' own decryptor doesn't work according to recent reports.

If you have any other questions - feel free to ask.

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: Niscpa on February 07, 2017, 01:41:40 am
I received the Osiris virus at the end of January. A new computer was built because I needed it badly. The data that could be restored was, and is working fine; however, none of my tax data was restored. I sent the hard drives out to be recovered and according to the report it looks like all the tax data is there, with the normal extensions I believe. The recovering company cannot guarantee that the virus is still not there. They are going to send me a file to see if it worked, but I am not sure I will be able to load it without all the rest of the files I would need to run the program efficiently. Not sure what the encryption would look like in these files. Can someone please help?
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on February 07, 2017, 04:54:23 pm
Hello @Niscpa,

In this particular case, an encrypted file will have the extension .osiris, and you will see it if you have enabled the display of extensions on your computer.
Encrypted files will have a different size compared to their original ones (typically larger size). Because these files can't be opened and have changed extensions, their icon might be changed, too.

If you haven't removed the ransomware, and the place you gave your disks did not remove it, open the disks with no Internet connection on, and scan them with a security software. As the ransomware doesn't seek to encrypt files with a lot of different file extensions, some files won't be encrypted even if the virus is still on the system.

A decryptor for the ransomware does not exist for now and none is expected in the near future.

I hope I helped with the information you needed.
If there is something you are curious about you can always ask and also refer to the following link, where you can read more about the .osiris version of Locky ransomware (http://sensorstechforum.com/osiris-extension-virus-remove-locky-ransomware/).
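
Added example, not part of Execute's post or the forum's own material: a read-only Python triage of a recovered folder along the lines described above. It flags the extensions posters in this thread named and, for files that carry a normal extension, checks the leading bytes, since a rename alone does not change the content. The extension table, the signature list, the 7.5 bits/byte threshold and the demo files are assumptions constructed for this illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Extension -> family, only as posters in this thread named them.
THREAD_EXTENSIONS = {
    ".osiris": "Locky",
    ".r5a": "7ev3n-HONE$T",
    ".crypz": "Cryp1 variant",
    ".lanset": "STOP",
    ".fastrecovery@xmpp.jp": "Scarab-Danger (suspected)",
}

# Leading bytes of a few common document and photo formats.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}

def shannon_entropy(data):
    """Bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage_file(path, sample_size=65536, entropy_threshold=7.5):
    """Return (verdict, detail) for one file. Reads only, never modifies."""
    name = os.path.basename(path).lower()
    for ext, family in THREAD_EXTENSIONS.items():
        if name.endswith(ext):
            return ("encrypted-extension", family)
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    ext = os.path.splitext(name)[1]
    if ext in MAGIC:
        # Photos and Office files are compressed, so entropy says little
        # about them; the file header is the usable signal.
        ok = sample.startswith(MAGIC[ext])
        return ("header-ok" if ok else "header-mismatch", ext)
    entropy = shannon_entropy(sample)
    verdict = "high-entropy" if entropy >= entropy_threshold else "plausible"
    return (verdict, "%.2f bits/byte" % entropy)

def triage_tree(root):
    """Walk root and map each relative path to its triage result."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            results[os.path.relpath(full, root)] = triage_file(full)
    return results

def build_demo_tree(root):
    """Constructed sample files; the 'encrypted' bytes are SHA-256 output."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "taxes_2016.pdf": b"%PDF-1.4\n% constructed sample\n",
        "invoice.pdf": blob,            # renamed back, content still scrambled
        "report.docx.osiris": blob,
        "notes.txt": b"plain text notes\n" * 50,
        "ledger.dat": blob,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for path, result in sorted(triage_tree(demo).items()):
            print(path, result)
```

A `header-ok` result only shows that the first bytes match the format; opening the file in its own program is still the real test.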
Title: Re: Files Encrypted With Random File Extensions
Post by: paynep on May 02, 2017, 02:28:23 am
Can someone PLEASE help me? I have Cryptolocker on my computer and it is holding my files and pictures for a ransom. I have both my grandmothers' pictures dating back to 1928 and cannot get to them.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on May 02, 2017, 03:24:08 pm
> Can someone PLEASE help me? I have Cryptolocker on my computer and it is holding my files and pictures for a ransom. I have both my grandmothers' pictures dating back to 1928 and cannot get to them.

Hello, paynep.

There are a couple of things you can do, but depending on which variant of Cryptolocker you have, decryption may not be possible.

You can read more information about this ransomware virus from the article below:

http://sensorstechforum.com/remove-cryptolocker-ransomware-virus/

Does the ransom note have any similarity with the ones displayed in the article? What extension are your files encrypted with?

With Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: TEKILA on April 20, 2018, 04:06:29 am
Hello, good afternoon. I would like to know if you can help me with some corrupt files that I have; this appears in some parts of the text: !~!1. Thanks for your help.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on April 20, 2018, 04:43:05 pm
> Hello, good afternoon. I would like to know if you can help me with some corrupt files that I have; this appears in some parts of the text: !~!1. Thanks for your help.

Good afternoon, TEKILA.

Could you provide more information? And please write in English if you can?

Currently I cannot find a ransomware virus that encrypts with the "!~!1" extension specifically.

Maybe it is a known variant of an old ransomware, which places different extensions to different victims.

If you have a text file with ransomware instructions - can you copy/paste the text?
Title: Re: Files Encrypted With Random File Extensions
Post by: Vtchoula on August 09, 2018, 02:39:25 pm
Hello,
I'm a victim of the ransomware that encrypted all my files. I've tried different versions of GlobeImposter, but no way. I receive the message "the decrypter could not determine a valid key for your system, please drag and drop both encrypted file as well as its uncencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 128 bytes long".

The extension of my files is .BIG_SITE
Can you tell me plz how to decrypt?

The email address bigbig_booty@aol.com is for the hacker. I paid the ransom but he no longer responds to the email I sent him and especially he did not send the right decryptor

thanks in advance
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on August 20, 2018, 10:59:45 am
Hello @Vtchoula,

have you been trying to decrypt with the Emsisoft decryption tool hosted here:
https://decrypter.emsisoft.com/globeimposter ?

On that page there is even a "Detailed usage guide" that you can open to see if you were missing something.
If it still doesn't work, then I am afraid you have a newer variant of the virus and decryption is not yet possible.

Tell us what has happened after you read the guide.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on February 19, 2019, 04:30:21 pm
The new GandCrab decryptor is a fact - works for every version of GandCrab until 5.1 (including 5.1). It does not work for version 5.2!
Grab it from BitDefender Labs: https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Title: Re: Files Encrypted With Random File Extensions
Post by: bvitorio on March 05, 2019, 10:16:10 pm
Hello friends
Sunday this happened to my company.
All shared data files on a Windows Server 2008 R2 server have been encrypted.
All were left with the extension: .fastrecovery @ xmpp.jp
an example below:
y+=iziiCEMAz5hAKZwYt9qviAMwLZx8DqmlY93psEKIWN6smZKlZHWo7AjQpAUT=ApSoqDLKREes+lsaK15hIco3tp3J8i7LUJ995GJ2ACjIZoIgC9mn567FhlAjNGvwJnEyWA.fastrecovery@xmpp.jp

The rescue .txt file is this:
      
      The file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.

====================================================================================================
            To decrypt files, please contact us by jabber:

               fastrecovery@xmpp.jp

====================================================================================================
               
      If you do not have a jabber. To write to us to register: https://www.xmpp.jp

====================================================================================================
Your files are encrypted!
Your personal identifier:
====================================================================================================

From what I browsed on various sites and forums, there is still no solution to decrypt these my "hijacked" files.
Does anyone here know of any tool that turns my files back to what it was before?
I'm really desperate because even the backup that was done was also infected.
Sorry to bother you, and I really appreciate any help from you.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on March 06, 2019, 11:10:22 am
@bvitorio,
this seems to be a variant of Scarab-Danger Ransomware.
Multiple similar email addresses to Jabber have been used by this cryptovirus in the past.

You can read more in the article here: Remove Scarab-Danger Ransomware (https://sensorstechforum.com/remove-scarab-danger-ransomware-restore-xmpp-jp-files/)

A free decryption method does not exist. Some people say that there is a decrypter, but you have to pay for it and it takes 7 days to decrypt the files, which is a lot of load and use of computer resources and power.

Very unfortunate that it has hit your backup.

Just wait for the decryption tool to be optimised and released for free, if you can wait. It might never happen or it could take months/years, but unless you pay to decryption experts, I don't see a way to recover the files for free.

Maybe try a data recovery tool, but it is unknown if the ransomware deletes the files before encrypting copies of them.

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: bvitorio on March 07, 2019, 03:31:24 pm
@EXECUTE
Thank you very much for the answer.
I had already read the material indicated, I used Spyhunter 5 to clean my server.
The biggest problem besides having infected the BKP, was that I did not put it in the cloud.

I am using data recovery programs to try to grab some files from before it happened.
I am using GETDATABACK FOR NTFS and another is STELLAR PHOENIX WINDOWS DATA RECOVERY
I do not know if it will work, but it's a hope.
If it does not work, I'll leave for a company to try to solve.

Thank you so much for your help one more time. I'm really grateful.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on March 13, 2019, 11:47:00 am
@bvitorio,

we are trying our best to help, but sometimes the malware has already done the damage and it could be irreparable.
Wishing you best of luck with the programs, hopefully you find a solution.

Best Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: dwanawijaya on April 13, 2019, 04:22:42 pm
Hi most files in my laptop D-partition were encrypted with a .browec extension  :'( :'( :'(   Apparently, it's some type of ransomware, because I'm asked to send money.

Those files are no longer readable despite renaming them.  I'm not an IT guy, what steps should I try to decrypt these files?  Is a decryptor already available for this? 

What I've done is using an antivirus program to have all viruses removed.  But this certainly does not help with decrypting.

Thank you in advance.
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on April 15, 2019, 04:35:51 pm
@dwanawijaya

Unfortunately, there is no decryption tool available for the .browec virus.
You can backup your files and wait for a decryptor - if such a tool is released, we will publish it here or inside the article:

https://sensorstechforum.com/browec-files-virus-remove/
Title: Re: Files Encrypted With Random File Extensions
Post by: Tangoloo2 on May 25, 2019, 12:52:21 pm
I've caught a ransomware with .docm extension but haven't found anyone with this problem. Is there any cure for my files?
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on May 27, 2019, 10:57:42 am
I have replied to you in the other thread you have started:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/problem-with-ransomware-docm/
Title: Re: Files Encrypted With Random File Extensions
Post by: magoskarlata on June 06, 2019, 07:29:10 am
Greetings, my files were added the extension .lanset, someone could help me recover my files
Title: Re: Files Encrypted With Random File Extensions
Post by: Execute on June 06, 2019, 10:14:20 am
> Greetings, my files were added the extension .lanset, someone could help me recover my files

.lanset extension virus is part of the STOP ransomware family. There is a decryption tool for older variants of the virus, but not for .lanset.
You should remove the virus and try out the decryptor:

How to Remove .lanset Ransomware Virus (https://sensorstechforum.com/remove-lanset-virus/)

Decrypt Files Encrypted by STOP Ransomware (https://sensorstechforum.com/decrypt-files-stop-ransomware/)


If the decryption tool doesn't work, then you should wait for the malware researchers to update it.

Kind Regards,
Execute
Title: Re: Files Encrypted With Random File Extensions
Post by: blocker1 on July 07, 2019, 03:43:24 pm
 :) I am contented to tell you that just changing the extension of the file doesn't affect the format of the file. If you are willing to change/convert the file you need to change it by using different converters.