April 12th, 2013, 09:42 PM
Ransomware Corrupted Document and Media Files
A client brought in a machine that was infected with a ransomware application. He System Restored it and was able to use the machine but all the document and media files were changed to "filename"."filetype".html If the .html extension is removed, the file will open the appropriate application but the program cannot read the file. Has anyone seen this before? I don't know what the name of whatever infected him was. Is there a way to automate (batch) removing the .html extension across many selected folders? Any ideas on what the malware did to break the files?
April 13th, 2013, 12:11 AM
What version of Windows is this? It sounds as if it recognises the corrected extension or I would expect a message along the lines that it can't find a suitable application.
Do all the files have different sizes and look OK from that viewpoint? I don't trust blackmailers and they might just have trashed all the data.
Copy a small document (.doc?) file and change its name to .txt
Now open it in notepad or wordpad and look at the first couple of lines, to see what the filetype is there. I haven't come across anything like this for a few years, but I think that one way is to give the file some silly extension in its header? If you remove the .html extension it looks like a regular file and Windows should use the file associations table to decide what to try to open it with.
When that application tries to open the file it finds the corrupted header and cannot proceed. Do you get any error messages from the apps along those lines?
Obviously, just writing a batch app to get rid of the phoney .html extension won't really help you, as you will just end up with hundreds of files you cannot open.
You might try applications such as Malwarebytes and Superantispyware to see if they find traces of the ransomware. If we know what it is we might find out exactly what it has done.
Good luck mate!
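A triage script, added here as an example and not from the thread, that does what the post above suggests (compare the first bytes of a renamed file with the signature its inner extension implies) across a whole folder tree, and strips the appended .html only from files whose header is still intact. The signature table, the function names and the constructed sample files are my own assumptions, not anything from the original posts.

```python
import os
import tempfile
from pathlib import Path

# Well-known file signatures for the document/media types mentioned in the thread.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file
    ".docx": (b"PK\x03\x04",),                        # OOXML is a zip
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(name, header):
    """Compare the first bytes of 'file.ext.html' with the signature that
    the inner extension (.ext) implies."""
    p = Path(name)
    if p.suffix.lower() != ".html":
        return "not-html"
    sigs = MAGIC.get(Path(p.stem).suffix.lower())
    if sigs is None:
        return "unknown-type"   # no signature on record for this inner type
    if any(header.startswith(s) for s in sigs):
        return "intact"         # only the name changed: a rename will do
    return "corrupted"          # header rewritten/encrypted: a rename will not help

def triage(folder, rename_intact=False):
    """Walk a folder tree, count files per verdict and optionally strip the
    appended .html from files whose header still matches. Corrupted files
    are left untouched so a later decryptor can still be tried on them."""
    counts = {}
    for root, _, files in os.walk(folder):
        for f in files:
            path = Path(root) / f
            with open(path, "rb") as fh:
                verdict = classify(f, fh.read(16))
            counts[verdict] = counts.get(verdict, 0) + 1
            if verdict == "intact" and rename_intact:
                path.rename(path.with_suffix(""))   # "a.doc.html" -> "a.doc"
    return counts

def demo():
    """Constructed sample (not real victim data): one intact PDF, one .doc
    whose header no longer matches, and one file the malware never touched."""
    d = Path(tempfile.mkdtemp())
    (d / "report.pdf.html").write_bytes(b"%PDF-1.4 constructed body")
    (d / "memo.doc.html").write_bytes(bytes(range(16)))
    (d / "notes.txt").write_bytes(b"untouched")
    return triage(d)
```

Run `triage(folder)` first as a dry run; a large "corrupted" count means the content itself was rewritten and batch renaming, as the post says, would only leave you with files that still will not open.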
April 13th, 2013, 04:17 PM
Hey Nihil, it's been a while. I had considered opening the file in a hex editor or notepad and checking for similarities that may just corrupt the file instead of encrypt it but it looks like this is related to a Vundo variant. Malwarebytes removed the infection when I first accessed the machine and I was hoping that would help unlock the files but it didn't. Panda and Kaspersky have decryptors for a different algorithm created by the Rannoh trojan. I tried this just in case but it didn't work. These follow the format of "Locked-filename.ext.xxxx". Mine however was "filename.ext.html". There are 2 decryptors I found for Vundo, FileUnlocker and FixXrupter, but these can't fix the problem. Know of any other decryptors?
April 14th, 2013, 12:41 PM
I am afraid that this does not sound too promising, as it seems to be a true encryptor, probably using AES256 or the like.
I haven't actually seen a new variant myself, but I am told that they use local system data to generate a unique local encryption key rather than a generic one, which is probably why the generic tools don't work. I have attached a link and instructions for one I don't think you have tried, but I am afraid that like the others it won't work either.
If there are picture files then you might try a photo recovery tool, but I don't hold out much hope as the modern variants overwrite the original file.
It doesn't sound like any variant of Vundo that I have heard of, but more like one of the newer malware.
I would send samples to AV providers for confirmation of this, and whether or not there is any hope of recovery.
This is the other tool that I mentioned:
The MajorGeeks malware team has found a possible fix for this ransomware. If you are infected with this new strain, download and run:
You must run it with "-k 85" as a parameter (without the quotes).
Put te94decrypt.exe in C:\
From run (windows+R) type and hit enter:
C:\te94decrypt.exe -k 85
If te94decrypt with key 85 (-k 85) does not work, I suggest sending a couple of the encrypted files to https://vms.drweb.com/sendvirus/
Good Luck mate!
April 16th, 2013, 06:13 PM
Thanks for the recommendations. I'll try them out and let you know how it goes.
April 18th, 2013, 01:45 AM
Same problem here...
I viewed this thread and am having the same problem. Looks like I got hit by the same or similar ransomware. Files have been changed to [filename].[filetype].html. I tried decrypt tools from Panda and Kaspersky and neither work. They seem to be looking for files that start with "locked", or perhaps it's something else. Open to any suggestions. I do have some samples of working and encrypted versions of several files if that might help. Right now, I'm stuck!!
April 21st, 2013, 09:34 PM
Recovery (R-Studio) did not find the unencrypted files and the last tool did not decrypt the files. I told the client the situation and that he should keep the files in case a new tool for that encryption becomes available. Thanks for all the help.
April 23rd, 2013, 02:24 AM
There are possible scanners that will decrypt the code. Microsoft made one of those, check this out http://www.microsoft.com/security/re...re-whatis.aspx I hope it will help solve your case. Cheers
April 23rd, 2013, 09:43 AM
Check for hidden files. That would cause the data to disappear, without showing up in standard file recovery searches. I've seen similar forms of malware recently.
Real security doesn't come with an installer.
May 7th, 2014, 08:13 AM
What is the perfect solution of these corrupted documents?