All file extension converted to .ba91 - Virus? Ransomware?

[daRecoM]

Good day,

All file extension in this HDD had converted to .ba91 when the user tried to open up a .cab file that he downloaded from email.

I tried Google it, find nothing about .ba91. Is there a way for me to know whether this is a computer virus or ransomware?
Thanks

[MindMergepk]

in case of ransomware there should be a ransom note (readme or something like this) text or htm file in each folder. most likely a ransomware.

Last edited by MindMergepk on November 14th, 2016, 5:55, edited 1 time in total.

[dick]

Have you tried the obvious? Rename a sample from the photos to .jpg or documents to .docx etc

[colanco]

....10 random characters and a random 4 character extension ....

is CERBER V4

[daRecoM]

Hi guys,

Yea it is ransomware. We found README.hta in every sub-folder.

Hi Spildit,
What can we see from hex editor? Sorry, this is the first time I receive ba91 file don't really know how to deal with it.

"The extension ba91 is not allowed." received this message when I tried to attach a sample file here

Thanks

[daRecoM]

....10 random characters and a random 4 character extension ....

is CERBER V4

Hi colanco, I noticed Trend Micro has the decryptor but do you think it works for Cerber v4 (it mentioned Cerber V1 on the website)

Is there any other way to decrypt the files other than paying for ransom (did anyone even get it decrypted after paying the ransom, I wonder) ..?

Gosh, this is so malicious..

[northwind]

It is Cerber 4 and unfortunately there is no way to decrypt

[daRecoM]

It is Cerber 4 and unfortunately there is no way to decrypt

OK.
Thanks northwind.