CompactFlash, SD, MMC, USB flash storage. Anything that does not have moving parts inside.
December 9th, 2014, 13:57
A client sent me a flash drive that he says was encrypted by a virus... any ideas which virus or how to recover?
Every jpeg and doc file starts with the same 16 bytes, all other files are untouched.
Filesystem appears fine otherwise, no FAT table corruption.
[Attachment: Capture.JPG (50.69 KiB)]
December 9th, 2014, 14:41
Upload your file to
http://www.virustotal.com.
The file will be scanned by about 40 AV products.
December 9th, 2014, 15:43
jeremyb wrote: ...all other files are untouched.
Did you mean to say "all other bytes are untouched", in any one file?
If yes, along with the other details, it sounds like a Ransomware virus of some sort.
December 9th, 2014, 15:52
December 9th, 2014, 16:43
Hi Jeremy,
I've had something similar a couple of times, but it was kind of different - an alphabet replacement cryptoalgo.
It damaged the first sectors of particular file formats (JPEGs, office); the file system was just fine.
Found half of the alphabet, but gave up because the dev wasn't worth the time spent.
December 10th, 2014, 10:31
Is there any chance the system the flash drive was plugged in to/used with, has a shadow copy of the files which were present on the flash drive?
December 10th, 2014, 23:16
labtech wrote: jeremyb wrote: ...all other files are untouched.
Did you mean to say "all other bytes are untouched", in any one file?
If yes, along with the other details, it sounds like a Ransomware virus of some sort.
Let me rephrase, the entire file is filled with random data except the first 16 bytes which are always the same...
It sounds like ransomware.
arvika wrote: http://forum.hddguru.com/viewtopic.php?f=3&t=27348&hilit=cryptolocker
Check this. Maybe it is similar.
I think you are correct...
Sasha Sheremetov wrote: Hi Jeremy,
I've had something similar a couple of times, but it was kind of different - an alphabet replacement cryptoalgo.
It damaged the first sectors of particular file formats (JPEGs, office); the file system was just fine.
Found half of the alphabet, but gave up because the dev wasn't worth the time spent.
The entire file is modified, not just individual bytes.
dick wrote: Is there any chance the system the flash drive was plugged in to/used with, has a shadow copy of the files which were present on the flash drive?
It's not an XOR overlay or USB error message; the file system is intact, only specific files are targeted. Crypto doesn't appear to be ECB.
I think ransomware is the answer, stupid question but I might as well ask, has anyone ever cracked one?
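A triage script for the pattern described in this post, added here as an example (not code from anyone in this thread): for each file it checks whether the expected magic bytes are intact, whether a single constant XOR byte (like the 0x08 overlay mentioned later in the thread) would restore them, and otherwise uses the entropy of a sample to tell encrypted files from merely damaged ones; it also counts the 16-byte prefixes shared by non-intact files, since a prefix common to every victim is exactly the marker Jeremy observed. The MAGIC table, the 7.5-bit entropy threshold and the 4096-byte sample size are my own assumptions.

```python
import os
from collections import Counter
from math import log2

# Expected leading bytes per extension (constructed table; extend as needed).
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04", ".pdf": b"%PDF",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means random or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def single_byte_xor_key(head: bytes, magic: bytes):
    """Return the constant k if head[i] ^ k == magic[i] for every magic byte, else None."""
    if len(head) < len(magic):
        return None
    keys = {h ^ m for h, m in zip(head, magic)}
    return keys.pop() if len(keys) == 1 else None

def classify(ext: str, head: bytes, sample: bytes) -> str:
    """Verdict for one file from its extension, its first 16 bytes and a larger sample."""
    magic = MAGIC.get(ext.lower())
    if magic is None:
        return "unknown-type"
    if head.startswith(magic):
        return "intact"
    key = single_byte_xor_key(head, magic)
    if key is not None:
        return f"xor-overlay(0x{key:02x})"  # reversible obfuscation, not real crypto
    return "encrypted" if entropy(sample) > 7.5 else "damaged"

def scan(root: str, sample_size: int = 4096):
    """Classify every file under root; count shared 16-byte prefixes of non-intact files."""
    verdicts, prefixes = {}, Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                sample = f.read(sample_size)
            head = sample[:16]
            verdicts[path] = classify(os.path.splitext(name)[1], head, sample)
            if verdicts[path] not in ("intact", "unknown-type"):
                prefixes[head] += 1  # one prefix on many files = ransomware header marker
    return verdicts, prefixes
```

Run `scan("/mnt/usb")` (path is a placeholder) and inspect the verdicts together with the most common prefixes; a single prefix covering every "encrypted" file matches the behaviour reported in this thread.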
December 11th, 2014, 9:42
Yes, there have been solutions for a few variants. Companies such as F-Secure have put out tools.
The criminals are learning though... not leaving keys in the registry, for example.
For some of the more recent variants you are S.O.L.
December 17th, 2014, 18:54
I got two more flash drives in with the same encryption.
December 17th, 2014, 19:13
I just handled a CryptoWall virus case that encrypted all the images, documents, and even PST files on a business's computer. The tech then backed up the encrypted files to a USB and reinstalled the OS on the same drive (also wiping out the previous versions option which might have fixed it).
I had to run a RAW recovery just to find the txt file with the link to pay the criminals $500 in bitcoin. Which the customer had no choice but to pay, and the thieves very professionally provided a program to decrypt the data.
I felt bad having to tack my data recovery charge on top of the $500 they already paid the thieves, but business is business.
December 17th, 2014, 19:16
Look for a file or link on their desktop/documents folder named something like DECRYPT_INSTRUCTION. It's probably CryptoWall or another variant of it, which will encrypt not only the HDD but also anything USB connected and even mapped as a network drive.
December 18th, 2014, 1:17
There is a new version recently. It encrypts all image, txt, rar, office, and pdf files. It covers all local, network, and USB drives. It encrypts the first 2MB; the rest of the file is fine. But 2MB is enough to kill all your important files.
It should be AES128 or AES256; I guess there is no solution at the moment.
December 18th, 2014, 1:35
Not a single person I have warned about this type of malware has changed their behaviour. I just look like a scaremonger, and a bit crazy. I doubt anyone even believes the criminals are making millions of dollars out of this.
Still people say "yeah, I know I have viruses because my computer is slow", but don't do anything about it. Even when I offer to go clean their PC -FOR FREE- it is too much of an inconvenience to stay away from facebook for a few hours.
Meanwhile we put aside other work to spend many hours on this rubbish, and get stressed out trying to save crying customers more heartache.
is there any hope for this species??
December 20th, 2014, 3:06
Looks like some bytes are XORed with 0x08 in Sasha's sample. Different from Jeremy's sample.