MultiDrive – free backup, clone & wipe disk utility from Atola Technology

All times are UTC - 5 hours [ DST ]




 Post subject: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 3rd, 2013, 12:20 

Joined: February 28th, 2011, 21:04
Posts: 209
Location: United Kingdom
Perhaps the wrong place to post this, but I'll give it a go. I have come across a rare version of UKash infections that has encrypted a customer's data. Each file has CR_M0x04ì at the beginning, followed by several thousand bytes of crap. Having done a little research, it would appear that this infection encrypts each file using a unique key....

I don't suppose anyone has come up with any solution to this? I'm quite prepared to believe there isn't actually going to be a solution, but it's worth an ask. I'm sure some of the larger places have seen a few of these since the turn of the year.

Thanks


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 3rd, 2013, 14:06 

Joined: June 23rd, 2008, 11:26
Posts: 511
Location: Austin, TX
We have received a couple of jobs lately of a ransomware virus, not the same as yours. We determined that all the files in ours used the same key, but the decryption password was 40 digits long, using upper and lower case, numbers and symbols. We figured this out by comparing the encrypted version and an identical unencrypted version of one of the files on a backup drive.

Also, our client's virus encrypted the files, then zero-wiped the original... so no hope for deleted data either.

So it was not going to be cracked in our lifetime.

I think your client is screwed. That seems a little over the top, to think that the virus people wrote a program to encrypt every file with a different password. That would mean that they would need to store thousands, or even millions, of passwords for each user... that is, if they do... which I doubt....

I am pretty sure that even if they pay... you are not getting the decryption for the files.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 3rd, 2013, 21:38 

Joined: February 15th, 2006, 3:38
Posts: 1079
Location: canada
The files will be encrypted if you connect the drive up externally,
because the scamware will still run on the drive.
You can remove this no problem, but the damage is that the files won't recover either.

What folders are encrypted?

Try and do a safe mode and restore it, or try ER Commander 2013.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 4th, 2013, 4:33 

Joined: February 15th, 2006, 3:38
Posts: 1079
Location: canada
OK, got a test machine here and infected it with the virus.

Got rid of the virus no problem, but the folders are encrypted.

The encryption uses a random key per file and then it encrypts the data again.

Once it does this, the information is then sent to a remote server with the unlock key.

When someone pays them, they remote unlock and the server unlocks your files.

It looks like there might be a cure after all.



http://majorgeeks.com/Dr._Web_Trojan.En ... d7716.html

You must run it with "-k 85" as a parameter (without the quotes).

Example:

Put te94decrypt.exe in C:\

From Run (Windows+R), type this and hit Enter:
C:\te94decrypt.exe -k 85

If te94decrypt with key 85 (-k 85) does not work, I suggest sending a couple of the encrypted files to https://vms.drweb.com/sendvirus/

Also try this:

To decrypt is very simple.

Just download ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe

Then, you need to put your files in a directory created in drive C:\ with the name _Directory (this is just to make the decryption faster).

After that, run cmd and go to the directory where te94decrypt is.

Now, run this program with the parameter -k 85

If it doesn't work, run with another parameter (try -k 87, -k 88 or -k 90), one at a time.

Run the application from the command prompt with the parameter -k 186

That would be:

te94decrypt -k 196



http://www.drweb.com


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 4th, 2013, 5:56 

Joined: November 9th, 2006, 15:15
Posts: 2984
There are several variations of this ransomware, each variant using different methods of encryption. For some, there are solutions, for others, there is nothing.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 4th, 2013, 16:17 

Joined: February 28th, 2011, 21:04
Posts: 209
Location: United Kingdom
We have seen variations of this before but have managed to get data back, as far as I remember, by using a Kaspersky tool to compare a file in its encrypted and unencrypted state and figuring out the key from that. This is a bit different in that the file sizes are different, so it can't do that.

I don't think the client will pay the amount that it's going to cost for me to spend weeks at this, so they will just have to live without the data since their last backup!

I'll maybe have a go with the te94 tool, but I won't hold my breath.

Thanks
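The comparison the two posters describe (an encrypted file next to its clean copy from a backup, to see whether one key explains the difference) can be scripted. The block below is an added example, not code from this thread, Kaspersky, or Dr.Web. It assumes the marker CR_M0x04ì from the first post prefixes each encrypted file, that a clean copy of the same file exists on a backup, and that the simplest scheme worth testing for is a byte-wise XOR with a short repeating key. It also handles the two failure modes the thread raises: when sizes do not line up it reports that byte-wise recovery does not apply, and a key recovered from one file is checked against a second pair to tell a shared key from a per-file key. All sample files and keys are constructed inline.

```python
from typing import Optional

# Added example (not code from the thread). Assumption: the 9-byte prefix the
# original poster observed; encoded as latin-1 so "ì" becomes a single byte.
MARKER = "CR_M0x04ì".encode("latin-1")


def strip_marker(encrypted: bytes) -> bytes:
    """Return the encrypted body without the leading marker (if present)."""
    return encrypted[len(MARKER):] if encrypted.startswith(MARKER) else encrypted


def recover_repeating_xor_key(cipher: bytes, plain: bytes, max_len: int = 64) -> Optional[bytes]:
    """XOR ciphertext with known plaintext; if the result is periodic, that
    period is the key. Returns None when no period up to max_len fits, i.e. the
    data is not a repeating-key XOR or the two files are not byte-aligned."""
    if len(cipher) != len(plain) or not cipher:
        return None
    stream = bytes(c ^ p for c, p in zip(cipher, plain))
    for n in range(1, max_len + 1):
        if 2 * n > len(stream):      # the key must repeat at least twice to be trusted
            break
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage(encrypted: bytes, clean: bytes) -> dict:
    """Compare an encrypted file with its backup copy and report whether a
    simple key could be recovered from the pair."""
    body = strip_marker(encrypted)
    report = {
        "has_marker": encrypted.startswith(MARKER),
        "encrypted_len": len(encrypted),
        "clean_len": len(clean),
        "sizes_align": len(body) == len(clean),
        "key": None,
    }
    if not report["sizes_align"]:
        # The "file sizes are different" case from the thread: bytes cannot be
        # lined up one-to-one, so byte-wise key recovery does not apply.
        return report
    report["key"] = recover_repeating_xor_key(body, clean)
    return report


def key_explains(encrypted: bytes, clean: bytes, key: bytes) -> bool:
    """Does a key recovered from one file also decrypt another pair? True
    supports 'one key for all files'; False supports 'a unique key per file'."""
    return xor_with_key(strip_marker(encrypted), key) == clean


# --- constructed sample data (not real infection artefacts) -----------------
CLEAN_A = b"Quarterly report: revenue up 4%, costs flat.\n" * 20
CLEAN_B = b"Meeting notes 2013-06-03: backup schedule reviewed.\n" * 15
KEY_A = b"\x5a\x13\xc7\x08\x91"   # constructed 5-byte key for file A
KEY_B = b"\x2e\x77"               # constructed, different key for file B
ENC_A = MARKER + xor_with_key(CLEAN_A, KEY_A)
ENC_B = MARKER + xor_with_key(CLEAN_B, KEY_B)


def demo() -> dict:
    """Run the triage over the constructed pairs and summarise the findings."""
    report_a = triage(ENC_A, CLEAN_A)
    truncated = triage(ENC_B[:-7], CLEAN_B)   # simulate a size mismatch
    return {
        "key_a": report_a["key"],
        "a_decrypts": xor_with_key(strip_marker(ENC_A), report_a["key"]) == CLEAN_A,
        "truncated_key": truncated["key"],
        "shared_key": key_explains(ENC_B, CLEAN_B, report_a["key"]),
    }


if __name__ == "__main__":
    print(demo())
```

A real sample where `recover_repeating_xor_key` returns None on aligned files is the informative outcome: it means the infection is not a toy XOR and the backup-comparison trick will not yield a key, which is the point at which the thread's advice (restore from the last backup, or send samples to a vendor) applies.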


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 4th, 2013, 21:18 

Joined: February 15th, 2006, 3:38
Posts: 1079
Location: canada
The only place this type of virus is hidden is on porn sites.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 5th, 2013, 4:12 

Joined: November 9th, 2006, 15:15
Posts: 2984
craig6928 wrote:
The only place this type of virus is hidden is on porn sites.

I don't agree. We have received similar cases from large corporate clients who I'm pretty sure don't visit porn sites. Also, the source for several variations of this can be found in a number of 'rootkits', making it accessible to many people who could use it maliciously via places other than porn sites.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 5th, 2013, 13:52 

Joined: July 18th, 2006, 3:05
Posts: 7476
Location: ITALY
craig6928 wrote:
The only place this type of virus is hidden is on porn sites.

NOT true.


 Post subject: Re: Encrypted Data with CR_M0x04ì At Beginning Solution?
PostPosted: June 5th, 2013, 14:30 

Joined: July 12th, 2010, 4:38
Posts: 1451
Location: Portugal
I also have a few folders with pictures encrypted by some ransomware crap...

Tried the tools above and nothing...

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner

