
read to decrypt! virus



I got a virus that has locked me out of my files. In every folder all my files are hidden and there is an HTML document that says the following:

I was able to unhide the files but I cannot open them. It asks for a conversion when I do try to open them.

PLZ HELP

YOUR ID: 717bd4d643a2661f5afd454cf5525bec

Warning!
All of your important documents and files are encrypted by crypto-algorithm!
You will not be able to decrypt data without the key phrase.
Do not worry, we have the key phrase and you will get it.

Follow next steps and you will get your data back decrypted:

1) Run Internet Explorer or another Internet browser

2) Go to link: https://launchpad.net/i2p/trunk or https://code.google.com/p/i2p/ and download i2pinstall_0.9.7_windows.exe

3) Open folder with downloaded application and run it (in case of JAVA error please install Java and run the installation again).

4) Use default settings during the installation process.

5) After successful installation click Start, and then click Start I2P (no window)

6) If the firewall asks about internet access, please allow it (if necessary).

If you are using a LAN connection, you should do the next steps:

1) Click Start and then click Control Panel.

2) Click Network and Internet and click Internet Options.

3) In the Internet Options dialog box click the Connection tab.

4) Click the LAN Settings button.

5) To enable use of a proxy server, check the box "Use a proxy server for your LAN"

6) Enter IP address 127.0.0.1 in the Address text field.

7) Enter the 4444 port number in the Port field.

8) Select "Bypass proxy server for local address" checkbox.

9) Click OK to complete the proxy configuration process.



If you are using dial-up or VPN, you should do the next steps:

1) Click Start->Control Panel. Then click Network and Internet->Internet Options->Connections tab.

2) Under Dial-up and Virtual Private Network Settings, click the connection you want to work with and then click Settings.

3) In the Connection Settings dialog box, enable the use of a proxy server by checking the box for "Use a proxy server for this connection (These settings will not apply to other connections)."

4) Enter the IP address 127.0.0.1 in the Address text box.

5) Enter the 4444 port number in the Port field.

6) Click OK to complete the proxy configuration process.

After finalizing the whole configuration process, please run Internet Explorer or another browser and go to the link:

http://nzv3m4nyc7k4ndmxwnhfw2mg7abjkfwreonino2qmj7mtbofop5q.b32.i2p

If the given page is not available, please try again later. Sometimes this page opens very slowly.


REMEMBER!
THIS IS THE ONLY WAY TO DECRYPT YOUR DATA!
DO NOT ATTEMPT TO RECOVER YOUR FILES BY YOURSELF! IT IS IMPOSSIBLE WITHOUT KEY PHRASE!
You have only 7 days to get your personal key phrase. At the end of the seven days, your key phrase will be permanently removed from the database and all your files will be lost forever.

 


I was hoping to find someone that has encountered this same virus. I have scoured the net and only found 2 other people that have got it. One person on this forum who is still trying to work it out and another on a link somewhere that didn't post back any results. I have the actual files. When I try to open them it asks to convert them into a different format.


This is a case of what is called cryptovirology, and of the worst kind: actual personal data file encryption held for ransom by a malicious actor.

 

While a "virus" is possible with cryptovirology, more often than not the payload is that of a trojan and not a virus.

 

With the release of the Microsoft Crypto Application Programming Interface (aka; Crypto API) this concept was made much easier.

 

Decryption of data files is not an easy task. Often a malware crypto analyst may work on a given problem for very long periods and not come up with a key for decryption. Sometimes it is possible for a limited family of trojans, but that is short-lived. Often that work requires the particular trojan that was used to encrypt your data.

 

You need to understand that the expectation for a positive outcome is EXTREMELY low.  Even if you paid a security company it may be costly and still not have a positive outcome.

 

You should not even consider paying any ransom. That can actually lead to you being the target of further malicious activity, as you will be branded a willing "mark".

 

I think the best course of action would be to consider the situation as a total loss as if your hard disk had a catastrophic failure requiring you to obtain a hard disk replacement.

 

With that in mind, extract the data that has not been encrypted and wipe the hard disk and reinstall the OS of choice or by using a manufacturer's Recovery Disk.

 

** IF and only IF you have the actual malware that caused this please upload it at UploadMalware.Com



I already backed up the files and re-installed the OS. I was just holding out hope that I had some chance of getting it back. Being that the files remained in their correct folders (just hidden) and how generic the HTML file looked, I was hoping the person who made it used some rudimentary tool to convert my files.


 

A researcher would need the trojan that did the damage.  Then he might get a "clue" of how the files were modified.  Knowing how they were encrypted would be used in employing a decryption.

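The two replies above make the same point: recovery depends on knowing how the files were encrypted, and the hope that a "rudimentary tool" was used is testable before anyone pays or gives up. The following is an added example written for this thread, not code from any of the posters or from any product named here. It triages files the way the original poster describes them (header gone, so the application asks to "convert"), separates files whose body still has document structure from files that are high-entropy ciphertext, and runs a known-plaintext check that succeeds only against a trivial repeating-key XOR. The sample PDF, the XOR "trojan" and the SHA-256-based stand-in for a proper cipher are all constructed inline and are not any real ransomware's algorithm.

```python
"""Triage of files left behind by a file-encrypting trojan.

Added example for this thread; not code from the original posts or from any
named product. It answers the question the thread circles: were the files run
through a "rudimentary tool" whose effect can be undone, or through a real
cipher (the kind the Windows Crypto API hands out) that is not reversible
without the key? Every sample file below is constructed inline.
"""
import hashlib
import math
import os
from collections import Counter

# Header ("magic") bytes of common document types, keyed by extension.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-6 for documents, ~8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> str:
    """Classify one file as 'intact', 'transformed' or 'ciphertext'.

    A file that opens with a "conversion" prompt has lost its header. Whether
    the body still has document structure decides if a known-plaintext attack
    is even worth trying.
    """
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None and data.startswith(magic):
        return "intact"
    if entropy(data) > 7.5:
        return "ciphertext"   # no structure left; nothing to undo without the key
    return "transformed"      # header wrong but structure remains; try known plaintext


def recover_repeating_xor_key(ciphertext: bytes, plaintext: bytes, max_len: int = 64):
    """Known-plaintext attack against a repeating-key XOR "encryption".

    plaintext is an intact copy of the same file (an e-mail attachment, an old
    backup). XORing it with the ciphertext exposes the keystream; if that
    keystream repeats with a short period confirmed over at least two full
    repetitions, the key is returned. A real cipher's keystream has no period,
    so None comes back.
    """
    n = min(len(ciphertext), len(plaintext))
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], plaintext[:n]))
    for period in range(1, min(max_len, n // 2) + 1):
        key = stream[:period]
        if all(stream[i] == key[i % period] for i in range(n)):
            return key
    return None


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply or undo a repeating-key XOR (same operation both ways)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sha256_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a proper cipher: XOR with SHA-256(key || counter) blocks.

    Constructed here only to produce realistic-looking ciphertext without a
    third-party library; it is not any ransomware family's algorithm.
    """
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


# --- constructed samples (not real victim data) -------------------------------
ORIGINAL_PDF = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 80
WEAK_CIPHERTEXT = xor_with_key(ORIGINAL_PDF, b"s3cret!")            # "rudimentary tool"
STRONG_CIPHERTEXT = sha256_stream_encrypt(ORIGINAL_PDF, b"k" * 32)  # proper cipher


def demo() -> dict:
    """Run both samples through triage and the known-plaintext attack."""
    results = {
        "intact": triage("report.pdf", ORIGINAL_PDF),
        "weak": triage("report.pdf", WEAK_CIPHERTEXT),
        "strong": triage("report.pdf", STRONG_CIPHERTEXT),
        "weak_key": recover_repeating_xor_key(WEAK_CIPHERTEXT, ORIGINAL_PDF),
        "strong_key": recover_repeating_xor_key(STRONG_CIPHERTEXT, ORIGINAL_PDF),
    }
    if results["weak_key"] is not None:
        results["weak_recovered"] = xor_with_key(WEAK_CIPHERTEXT, results["weak_key"]) == ORIGINAL_PDF
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v!r}")
```

Run it against a real tree by feeding `triage()` each file that sits beside the ransom note. Files that come back "transformed" are the only ones where the hoped-for rudimentary conversion is plausible, and even then you need one intact copy of the same file to test it; anything that comes back "ciphertext" behaves exactly as the replies above warn, and the recovery attempt returns None.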
