Office docs being encrypted and held for ransom

Postby GEGeek » Sun Jul 21, 2013 1:55 pm

Was just reading about a new trojan out there that encrypts all your docs, pics, PDFs, etc., etc. They threaten deletion of all your files unless the ransom is paid. Also, if you enter one wrong passcode it will automatically delete all the files. Not good! As of my reading so far, there is no fix for it! There is a tool I saw on Panda that will decrypt only certain file types and they give you more details about it on their site. Click here. There was also a claim that Kaspersky had a fix, but I am not sure about that though.
BriTec made a video (click here) showing how to intercept the decrypt password using Wireshark, but also says the password keeps changing so it's of no real help. I don't know if anyone else has seen this yet, but if anyone hears of a fix please post back for all.
There is a new nasty hitting the Web aimed at Office documents using what appears to be an Adobe PDF exploit, even though this last part is still to be confirmed. It does this when you visit a compromised site and when launched will look for a wide range of media files, JPEG images, MPEG audio files, as well as all Microsoft Office files.
The attack, which Sophos has identified as Troj/Ransom-U, changes the user’s Windows desktop wallpaper to deliver the first part of the ransom message, which tells the user their files have been encrypted. It adds that they must act quickly to get their files decrypted, and must not tell anyone about the attack.

Here's a pic of the ransom message:
ransom.jpg
GEGeek - I don't reinvent the wheel, I just link to it.
http://www.gegeek.com
GEGeek
 
Posts: 158
Joined: Wed Feb 13, 2013 8:20 am
Location: NJ

Re: Office docs being encrypted and held for ransom

Postby GEGeek » Wed Jul 24, 2013 1:03 pm

OK, still doing research on this issue. I have personally not seen it yet, just trying to stay informed and ready. Found an article posted from Tuesday, 25 June 2013 by Tomas Meskauskas labeled - Everything on your computer has been fully encrypted - Virus, but I have a couple of issues with this. Trying to seek out advice on this one. I read the article and it uses "Spyhunter 4.0", which I remembered from a while back as having bad reviews. Correct me if I am wrong on this one, please. Then he recommends you download this decryption tool from the Emsisoft Development Team. I went to the site and could not find this tool. I dunno, the hairs on my neck are twitching here.
Anyone familiar with this site, article, or the programs he is using to fix this issue?
Anyone hear anything about this encryption ransom issue?
Thanks
Mike

Re: Office docs being encrypted and held for ransom

Postby GEGeek » Wed Jul 24, 2013 3:25 pm

OK, well apparently that decryption tool is valid. I saw that BriTec amended it to his last video. Link to the tool is confirmed:
http://tmp.emsisoft.com/fw/decrypt_birele.zip = Emsisoft Decrypter
Also it looks like Malwarebytes/HitmanPro can now clean the virus, but then afterwards you still need to run this tool to decrypt your files.
I also found a video he made recently to demonstrate how it's done @ http://www.youtube.com/watch?v=4NXZj7UzhVs
In the video he also provided a key - "encryptkey1111111111111111111111" (I believe it was 22 One's)
Still think Spyhunter should be avoided. One review I read said it captured 7 out of 314 possible infections on a test machine.
OK, well I hope this helps someone out there. Couldn't imagine what it would be like to have all your data encrypted, with the threat of deletion.
Mike

Re: Office docs being encrypted and held for ransom

Postby gthomas39 » Thu Sep 26, 2013 2:12 pm

Here is an article on removing a similar infection.

http://www.bleepingcomputer.com/virus-r ... -encrypted
gthomas39
 
Posts: 3
Joined: Thu Sep 26, 2013 1:55 pm

Re: Office docs being encrypted and held for ransom

Postby GEGeek » Thu Sep 26, 2013 2:59 pm

Thanks for the link. Need all the help we can get.
Mike

Re: Office docs being encrypted and held for ransom

Postby How_Weird » Wed Oct 09, 2013 8:06 pm

Well, I have a machine coming in that has Cryptolocker on it; the customer just got it less than 2 hours ago, so I have 72 hours to play with it. You can read more about it here.
http://www.bleepingcomputer.com/forums/ ... try3165383

This is the first one I have seen in person so I am excited, customer is crying...
How_Weird
 
Posts: 39
Joined: Wed Apr 24, 2013 4:18 pm

Re: Office docs being encrypted and held for ransom

Postby Washer » Thu Oct 10, 2013 7:15 am

Today a client asked me if I can remove the Trojan Kryptik ransomware (as identified by Malwarebytes)... Disinfecting was simple; my only problem is that all the MS Office documents and PDF files are encrypted... Excel, Word and PDF files would open with this warning: “File is in a different format than specified by the file extension”

The document file names and their extensions had not been altered, which suggests that the encryption used is a variant of the same ransomware mentioned in GEGeek's post. I ran the recommended decrypt tools from Emsisoft and Panda on the affected documents and had no success, as they are designed for a different version of encryption.

Unfortunately the prognosis for this infection isn’t good; the encryption level used by some of these variants is impossible to reverse engineer, and some are even saying pay the ransom if you are running a business because it’s the only option at the moment.

There is a solution posted on the Technibble forum that doesn’t decrypt the files; it extracts the shadow copies using software called ShadowExplorer. This worked for me and I got the files back this time! http://www.shadowexplorer.com/downloads.html

Shadow Copy
From time to time, Windows Vista / 7 / 8 creates point-in-time copies of your files. This allows you to retrieve older versions of files you accidentally deleted or altered. This service is turned on by default on all versions of Windows Vista/7, but Microsoft grants access to these copies only in Ultimate, Business, and Enterprise editions. This is where ShadowExplorer comes into play. For more information on Shadow Copy, visit Microsoft's website.
Washer
 
Posts: 66
Joined: Fri Feb 08, 2013 1:45 pm
Location: Scotland
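As an added triage example (not code from the thread or from any tool it mentions), this Python script flags files whose extension promises an Office, PDF or JPEG layout but whose leading bytes do not match, which is the symptom Washer describes (names and extensions untouched, contents encrypted). The magic-byte table and the entropy threshold are my assumptions, chosen so a practitioner can quickly list which documents still need restoring from shadow copies or backups.

```python
"""Added triage helper: spot documents whose contents no longer match their extension."""
import math
import os
from collections import Counter

# Leading bytes ("magic") expected for the file types this thread says the
# ransomware targets. Table constructed from well-known format signatures.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted content sits near 8.0, real documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Classify one file from its name and first bytes.

    'ok'       header matches the extension
    'suspect'  header mismatch AND high entropy (looks encrypted)
    'mismatch' header mismatch but low entropy (mislabelled, not encrypted)
    'unknown'  extension not in the table
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    if head.startswith(MAGIC[ext]):
        return "ok"
    # 7.0 bits/byte is an assumed cut-off; tune it on known-good samples.
    return "suspect" if shannon_entropy(head) > 7.0 else "mismatch"

def triage_dir(root: str, head_len: int = 4096) -> dict:
    """Walk root and group every file path by its classification."""
    result = {"ok": [], "suspect": [], "mismatch": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_len)  # only the first bytes are needed
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            result[classify(f, head)].append(path)
    return result
```

Run `triage_dir(r"D:\recovered")` against the client's data and the `suspect` list is the set of files still held hostage; everything under `ok` came back intact.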

Re: Office docs being encrypted and held for ransom

Postby How_Weird » Thu Oct 10, 2013 3:16 pm

Yeah, after reading around I used d7 on a CD, ran Kill'em All (ran it a few times making sure that the infections would not start back up; this one did not), Shadow Explorer to restore folders to an external HDD, and now running Malwarebytes. So far so good.

Re: Office docs being encrypted and held for ransom

Postby wmmiller » Thu Oct 10, 2013 6:23 pm

Just a thought.

I wonder if one could clone the infected drive and isolate it to stop the clock on this thing and then hope like hell a fix that will truly work comes along if all else fails.

Here’s a link I received and read in an email from my brother-in-law that talks of this issue.
http://www.reddit.com/r/sysadmin/commen ... ptolocker/
"Resist We Much"
wmmiller
 
Posts: 73
Joined: Thu Feb 14, 2013 9:50 pm

Re: Office docs being encrypted and held for ransom

Postby wmmiller » Thu Oct 10, 2013 10:47 pm

Here’s some information from Emsisoft on what they know about it so far.

http://blog.emsisoft.com/2013/09/10/cry ... e-variant/

@ GEGeek, I didn’t see any mention of the decryption tool you posted in the description from them on how it works. However, I didn’t notice a date on it either. Where did you find that link? Was there any information where you found it?
Bill

EDIT: Da! The date is in the link name. :lol: