Ransomware Corrupted Document and Media Files

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    127

    Ransomware Corrupted Document and Media Files

    A client brought in a machine that was infected with a ransomware application. He System Restored it and was able to use the machine but all the document and media files were changed to "filename"."filetype".html If the .html extension is removed, the file will open the appropriate application but the program cannot read the file. Has anyone seen this before? I don't know what the name of whatever infected him was. Is there a way to automate (batch) removing the .html extension across many selected folders? Any ideas on what the malware did to break the files?
    sandwich.

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Bob,

    What version of Windows is this? It sounds as if it recognises the corrected extension or I would expect a message along the lines that it can't find a suitable application.

    Do all the files have different sizes and look OK from that viewpoint? I don't trust blackmailers and they might just have trashed all the data.

    Copy a small document (.doc?) file and change its name to .txt

    Now open it in notepad or wordpad and look at the first couple of lines, to see what the filetype is there. I haven't come across anything like this for a few years, but I think that one way is to give the file some silly extension in its header? If you remove the .html extension it looks like a regular file and Windows should use the file associations table to decide what to try to open it with.

    When that application tries to open the file it finds the corrupted header and cannot proceed. Do you get any error messages from the apps along those lines?

    Obviously, just writing a batch app to get rid of the phoney .html extension won't really help you, as you will just end up with hundreds of files you cannot open.

    You might try applications such as Malwarebytes and Superantispyware to see if they find traces of the ransomware. If we know what it is we might find out exactly what it has done.

    Good luck mate!
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
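    Added example, not code from anyone in this thread: a Python dry-run script that does what nihil suggests above (look at the first bytes of each "filename.ext.html" file to see whether the real header is still there) and what the original question asked for (batch removal of the bogus .html extension), but only renames files whose header still matches the expected type. The MAGIC table, the 7.0 bits-per-byte entropy cut-off and the function names are my own assumptions for this example.

```python
import math
import os
from collections import Counter
# Leading bytes ("magic numbers") of common document/media formats.
# Assumed table for this example; the thread names no specific formats.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
MAGIC = {
    ".doc": (OLE,), ".xls": (OLE,),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF",), ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".mp3": (b"ID3", b"\xff\xfb"),
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, far lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, head: bytes) -> dict:
    """Judge a 'file.ext.html' from its inner extension and its first bytes."""
    base, tail = os.path.splitext(name)         # "report.doc", ".html"
    inner = os.path.splitext(base)[1].lower()   # ".doc"
    if tail.lower() != ".html" or not inner:
        return {"original": name, "restored": None, "status": "not a renamed file"}
    sigs = MAGIC.get(inner)
    if sigs is None:
        status = "unknown type"
    elif any(head.startswith(s) for s in sigs):
        status = "header intact"                  # only the rename is needed
    elif shannon_entropy(head) > ENTROPY_THRESHOLD:
        status = "header gone, likely encrypted"  # renaming will not help
    else:
        status = "header gone, corrupted"
    return {"original": name, "restored": base, "status": status}

def triage_tree(root: str, apply: bool = False) -> list:
    """Walk root; strip .html only where the header is intact (dry run by default)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in (x for x in files if x.lower().endswith(".html")):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                r = triage(f, fh.read(4096))
            if apply and r["status"] == "header intact":
                os.rename(path, os.path.join(dirpath, r["restored"]))
            results.append(r)
    return results
```

Run `triage_tree(r"C:\Users\...\Documents")` first to get the per-file verdicts; if most come back "header gone, likely encrypted", a rename pass will not recover anything and the files should be kept untouched for a future decryptor.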

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    127
    Hey Nihil, it's been a while. I had considered opening the file in a hex editor or notepad and checking for similarities that may just corrupt the file instead of encrypt it but it looks like this is related to a Vundo variant. Malwarebytes removed the infection when I first accessed the machine and I was hoping that would help unlock the files but it didn't. Panda and Kaspersky have decryptors for a different algorithm created by the Rannoh trojan. I tried this just in case but it didn't work. These follow the format of "Locked-filename.ext.xxxx". Mine however was "filename.ext.html". There are 2 decryptors I found for Vundo, FileUnlocker and FixXrupter, but these can't fix the problem. Know of any other decryptors?
    sandwich.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Bob,

    I am afraid that this does not sound too promising, as it seems to be a true encryptor, probably using AES256 or the like.

    I haven't actually seen a new variant myself, but I am told that they use local system data to generate a unique local encryption key rather than a generic one, which is probably why the generic tools don't work. I have attached a link and instructions for one I don't think you have tried, but I am afraid that like the others it won't work either.

    If there are picture files then you might try a photo recovery tool but I don't hold out much hope as the modern variants overwrite the original file.

    It doesn't sound like any variant of Vundo that I have heard of, but more like one of the newer malware.

    I would send samples to AV providers for confirmation of this, and whether or not there is any hope of recovery.


    This is the other tool that I mentioned:

    Update:
    The MajorGeeks malware team has found a possible fix for this ransomware. If you are infected with this new strain, download and run:


    http://majorgeeks.com/Dr._Web_Trojan...tor_d7716.html

    You must run it with "-k 85" as a parameter (without the quotes).

    Example:

    Put te94decrypt.exe in C:\

    From run (windows+R) type and hit enter:
    C:\te94decrypt.exe -k 85

    If te94decrypt with key 85 (-k 85) does not work, I suggest sending a couple of the encrypted files to https://vms.drweb.com/sendvirus/

    Good Luck mate!
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    127
    Thanks for the recommendations. I'll try them out and let you know how it goes.
    sandwich.

  6. #6
    Junior Member
    Join Date
    Apr 2013
    Posts
    1

    Same problem here...

    I viewed this thread and am having the same problem. Looks like I got hit by the same or similar ransomware. Files have been changed to [filename].[filetype].html. I tried decrypt tools from Panda and Kaspersky and neither work. They seem to be looking for files that start with "locked", or perhaps it's something else. Open to any suggestions. I do have some samples of working and encrypted versions of several files if that might help. Right now, I'm stuck!!

    Regards,
    Bob

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    127
    Recovery (R-Studio) did not find the unencrypted files and the last tool did not decrypt the files. I told the client the situation and that he should keep the files in case a new tool for that encryption becomes available. Thanks for all the help.
    sandwich.

  8. #8
    Junior Member
    Join Date
    Apr 2013
    Posts
    2
    There are possible scanners that will decrypt the code. Microsoft made one of those; check this out: http://www.microsoft.com/security/re...re-whatis.aspx I hope it will help solve your case. Cheers.

  9. #9
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,689
    Check for hidden files. That would cause the data to disappear, without showing up in standard file recovery searches. I've seen similar forms of malware recently.
    Real security doesn't come with an installer.
