Question

Another victim of Ransomware

For the last few days I have been expecting some packages, so I regularly check my email for information. I always get an email when I have packages. Yesterday and today I got many SMS messages asking me to collect packages from the post office, but they are not mine. Today I traced the package and learned that it is in our local post office but not yet ready for pick-up. After a while I got an e-mail that looked like it was from the post office. It had a zip file; I thought it would not be a problem. I opened the file and suddenly got a lot of pop-up windows saying my files were encrypted, with instructions to go to a website. I did not follow the instructions. I immediately did a System Restore. I thought it would be OK, but I was wrong.

I had some files on my desktop; now all of them are encrypted. I found two files in each folder: one is a notepad file and the other is a file to connect to a particular website. My PC has 6 drives including the C: drive. I started to check my eBooks and PDF files, and all of them are encrypted now. I have been collecting books for more than 10 years, but they are useless now. On another drive the gardening videos and picture files were also encrypted. I stopped checking further files.

I read some advice on the internet, so I installed Malwarebytes Anti-Malware; it cleaned many files. The OS is Windows 10 Pro. I use only the Windows firewall and Windows Defender. Before that I used Avast; I uninstalled it only last week.

I am requesting help here to get back my files. The OS still has no problems, but I do not know what is going to happen in the next hours. Is this ransomware a time bomb?

What should I do now?

Thanks

Comments

Answer
Sorry to read another ransomware post.

Now with dozens of variants of ransomware the only good defense is you and your backups. After a decade of PC use I'm sure folk told you to back up what you can't lose.

Without a name of the ransomware, no one may know which it was.

I've yet to find a ransomware that didn't involve opening some attachment in email or a web page. The zip file was likely the bomb and the post office to date has never sent zip files so that was the source.

If you ever find the name of the ransomware, ask here and on bleepingcomputer.com.

Post was last edited on December 7, 2016 6:36 AM PST
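The original post describes the classic damage pattern (encrypted data files plus the same two note files dropped in every folder), and the reply above points out that nothing can be decided without identifying the family. The following triage script is an added example, not from the thread or from any tool it mentions: run read-only against a copy of the affected tree, it separates likely-encrypted files from untouched ones by byte entropy and picks out the ransom notes as the small note-like names that recur folder after folder, which is what a victim would hand to an identification service. The 7.5 bits/byte threshold, the note extensions and the recurring-name heuristic are assumptions; already-compressed formats (zip, jpg, mp4) also score high, and legitimately repeated names like readme.txt can be misread as notes, so confirm by opening a sample.

```python
"""Triage a suspected ransomware hit: likely-encrypted files, ransom notes, loss ratio.
Added example (not from the thread). Runs read-only; point it at a copy of the data."""
import math
import os
from collections import Counter, defaultdict
from pathlib import Path

ENTROPY_THRESHOLD = 7.5               # assumption; random-looking data nears 8.0 bits/byte
NOTE_EXTS = {".txt", ".url", ".html", ".htm"}   # assumed note file types
MAX_NOTE_SIZE = 64 * 1024              # ransom notes are small text or link files

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_ransom_notes(root: Path, min_folders: int = 2) -> set[str]:
    """Lower-cased names of small note-like files present in at least min_folders folders."""
    seen = defaultdict(set)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            p = Path(folder) / name
            if p.suffix.lower() in NOTE_EXTS and p.stat().st_size <= MAX_NOTE_SIZE:
                seen[name.lower()].add(folder)
    return {name for name, folders in seen.items() if len(folders) >= min_folders}

def triage(root: str, sample_bytes: int = 65536) -> dict:
    """Return likely-encrypted paths, ransom-note names and the share of data files hit."""
    root_path = Path(root)
    notes = find_ransom_notes(root_path)
    encrypted, total = [], 0
    for folder, _dirs, names in os.walk(root_path):
        for name in names:
            if name.lower() in notes:
                continue                # notes are plaintext; don't count them as data
            total += 1
            p = Path(folder) / name
            with open(p, "rb") as fh:
                head = fh.read(sample_bytes)   # a prefix is enough to judge the content
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append(p)
    return {"encrypted": encrypted, "notes": notes,
            "loss_ratio": len(encrypted) / total if total else 0.0}

if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"notes: {sorted(result['notes'])}")
    print(f"likely encrypted: {len(result['encrypted'])} ({result['loss_ratio']:.0%} of data files)")
```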

Thank you for the reply

I deleted the email with the attached file. They changed my wallpaper too; it looked exactly like the Windows pop-up I saw when I opened the zip file.

I do not know how to find the name of the ransomware. I took some pictures with my mobile phone. The following is a copy.

" All your valuable data is now encrypted by CryptoLocker
Install TOR browser and visit our website to get solution" the background of this message is red colour.
" . UseInternet Explorer, Chrome or FireFox to access Tor Project website: www.torproject.org/download/download-easy.html.en"

" Press Download button, and download Tor Browser"
" Before you connect to the Tor network, you need to provide information about this computer's internet connection"
Which of the following best describes your situation?
I would like to connect directly to the Tor network.
This will work in most situations."
The names of the two strange files found in the folders are not in English or the local language.

Thank you for the reply.

At least it claims it was "Cryptolocker."

Keep in mind there are variants of Cryptolocker. If it was the old version read how to get your files back at http://www.makeuseof.com/tag/cryptolocker-dead-heres-can-get-files-back/

If you do get them back, you will have learned a few things.

1. Never open attachments.
2. No antivirus is good enough. We remain the best guard against ransomware and such.
3. BACKUPS are not optional.

PS: Checking for a new decrypting site.

Update. Try Kaspersky's tool. Link only.

Post was last edited on December 7, 2016 7:37 AM PST

Thank you for the reply

I cannot submit the file. I got the following message.

" This site can’t be reached

www.decryptcryptolocker.com’s server DNS address could not be found."

Thank you

That's why I updated.

Read "Update. Try Kaspersky's tool. Link only."

Post was last edited on December 7, 2016 8:35 AM PST

Thank you again

I still cannot figure out which one I have to download. I will try the "Security Scan".

That scan would not decrypt files

Only remove possible infections.

OK, for the benefit of all, removing infections does not undo the damage.
YES! Scan away for stuff, but I take it you know that newer malware can be booby-trapped, so backups are never optional. I never work on the original drives. I clone the drives and work on the clones. That way if there is a bomb it destroys the clone and I get to research and try other methods.

NOW about the scan again. That may remove the pests but the decryption is done with other tools and we hope it's not a version of Cryptolocker that is newer than what was decoded.

Really a good lesson

I downloaded the tools and scanned the PC.

I was really careless because I never had this type of serious problem before; now I feel the pain.

I knew attached files should not be opened if they are from unknown senders, but today I was so happy to get the package I expected that I was careless. One single click destroyed all my book collections, audio, video and other documents of more than ten years.

Should I try to get more help to decrypt the files, or should I delete all the files and clean install the OS? I cannot decide. Still, do I have any chance to recover my files?

I can't tell if you tried the last link and tool.

It's mildly complicated. If you want to save your files, get more help since I can't be there to clone drives and try the tools.

Be sure to post at bleepingcomputer.com and see if they note any other way. BE FAIR TO THEM and post a link to this discussion so they don't duplicate efforts.

Thank you for your effort

I uploaded two encrypted files from my PC, and I also copied and pasted and clicked upload, but I got a message like 'This site cannot be reached'. I will try again as you said.

Thank you for your effort to help me.

I wonder about something.

Many of the new pests block repair sites. Take a .crypto file on a memory stick to another uninfected PC and retry.

Also, my first link was out of date as the decryption site is no more. Kaspersky has what looks to be live.

Better to clean install

I copied a file and opened it on my other computer, but it does not solve the problem. I think I had better do a clean installation of my OS.

Thank you.

I'd now go for a "clean install".

When you get it right be sure to make regular backups.
Dafydd.

That's not how I read to work the issue.

The .crypto file is sent from a clean PC since the locked one could be blocking web access to get a key.

If you value your files, time to talk to say drivesavers.com and see if they will do recovery.

I think lesson learned Bob.

To quote, " we only lose what we don't backup." I was saying what I would do, but I have backups. Maybe it's time to "bite the bullet."
Dafydd.

While they could.

Cryptolocker is often broken after a few months, so they could pull the drives out for recovery when a free cure comes around.

True Bob.

But can people wait these days?
Dafydd.

They should. Why?

They have years of collections and a month or two seems to be cheap compared to the loss.

I worry they didn't follow the directions. I'm not there to check their work.

I will wait for some time

The machine is still working properly, so I would like to wait for some time. I feel lucky because some of the files are not encrypted; maybe there was not enough time to encrypt 100% of the files, but I lost about 80 percent.

For the last few days I have been receiving a lot of SMS messages from the post office too, asking me to collect packages, but they are not real. I do not know if it is a coincidence.

Thank you everyone, I will wait and check regularly this thread for any possible tips and help.