Please help me with CryptoLocker (or something similar)

Mazamin

Well-Known Member
OP
Member
Joined
Sep 4, 2014
Messages
1,895
Trophies
0
XP
3,086
Country
Italy
So my father opened the spam (ARGH!) on his PC and downloaded an attached file, report.pdf.exe (with a PDF icon), so it encrypted every file, even on the backup drive. Is it possible to decrypt them? I can provide you with the virus executable.
 

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
23,269
Trophies
4
Location
Space
XP
13,826
Country
Norway
If the files really are encrypted... they are probably lost unless your dad pays the ransom. They aren't kidding around with this ransomware; if the files were easy to recover, then people wouldn't pay the ransom. If you can find the name of the ransomware, there are probably instructions for removal on Google; those instructions tend to come with a warning that your files will be lost if you go through with the removal.
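The first question in the reply above, whether the files "really are encrypted", can be answered from the backup drive without running anything from the infected PC. The script below is an added example (not code posted in this thread) that reads only the first 64 KiB of each file, checks whether the leading bytes still match the magic value for the claimed type, and measures Shannon entropy to separate ciphertext from merely renamed or truncated files. The 7.5 bits-per-byte cut-off and the sample files are assumptions constructed for this example; the magic values are the real ones.

```python
import hashlib
import math
import os
from collections import Counter
from pathlib import Path

# Leading bytes of a few common document formats (real magic values).
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Cut-off in bits per byte; an assumed value chosen for this example.
# Ciphertext and compressed data sit near 8.0, text and plain documents well below.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 64 * 1024  # only the start of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def known_type(name: str):
    """First recognised suffix in the name: 'report.pdf.locked' -> '.pdf'.
    Ransomware commonly appends its own extension after the original one."""
    for suffix in Path(name).suffixes:
        if suffix.lower() in MAGIC:
            return suffix.lower()
    return None

def triage_bytes(name: str, head: bytes) -> dict:
    """Classify a file from its name and leading bytes.
    intact    - header still matches the claimed type (renamed, not encrypted)
    encrypted - header gone and the data is near-random
    suspect   - header gone but data is low-entropy (truncated or mislabelled)
    unknown   - no recognised type; entropy alone cannot tell ciphertext
                from a legitimately compressed file, so read it by hand"""
    ext = known_type(name)
    ent = shannon_entropy(head)
    if ext is not None:
        if head.startswith(MAGIC[ext]):
            verdict = "intact"
        elif ent > ENTROPY_THRESHOLD:
            verdict = "encrypted"
        else:
            verdict = "suspect"
    else:
        verdict = "unknown"
    return {"name": name, "type": ext, "entropy": round(ent, 2), "verdict": verdict}

def triage_directory(root: str) -> list:
    """Walk a drive or image mounted read-only and triage every file in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue
            results.append(triage_bytes(path, head))
    return results

def summarize(results: list) -> dict:
    """Count verdicts, e.g. {'intact': 2, 'encrypted': 2, 'unknown': 1}."""
    return dict(Counter(r["verdict"] for r in results))

# --- constructed sample data standing in for files on the backup drive ---
def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic near-random bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "report.pdf.locked": _pseudo_random(4096, b"pdf"),
    "photo.jpg": b"\xff\xd8\xff\xe0" + _pseudo_random(4096, b"jpg"),  # JPEG bodies are high-entropy anyway
    "photo.jpg.locked": _pseudo_random(4096, b"jpg2"),
    "notes.txt": b"shopping list: milk, eggs, bread\n" * 20,
}

def triage_samples() -> list:
    return [triage_bytes(name, data) for name, data in SAMPLES.items()]

if __name__ == "__main__":
    for r in triage_samples():
        print(f"{r['verdict']:10} entropy={r['entropy']:.2f}  {r['name']}")
    print(summarize(triage_samples()))
```

Run `triage_directory()` against a read-only mount of the backup drive (or an image of it), never against the live disk. The entropy test only carries weight for formats that are not already compressed: a JPEG or a .docx body is near 8 bits per byte whether or not it has been encrypted, which is why the header check comes first and an unrecognised type gets no verdict at all.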
 

Mazamin

Now my father has sent the PC to a technician, so I can't work on it, but I have the backup drive now, and I can access his mail to download (and not execute) the virus. I'll check the virus name on VirusTotal.
 

The Real Jdbye

If the encryption key is stored on the PC and not on some remote server, there's a chance you could recover the files, but you'd have to read about the specific ransomware to know. Hopefully the files are recoverable.
 

Mazamin

Now I'm trying with Recuva, and I checked the mail, but he deleted the spam message. So I need to wait until the technician gives the computer back to my father and I can check the executable, which hopefully he didn't delete. DAMN
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,321
Country
United Kingdom
If you are asking these sorts of questions, you are really not ready to go toe to toe with these sorts of things, at least beyond wiping the computer and starting again.

Some of the early stuff was implemented poorly, and weaknesses in the crypto and implementations allowed you to pull things back. Today, not so much; there is no preloaded key in any of the reports I have seen, and it is all remotely generated keys with proper crypto (no known-plaintext options or stuff like that).

Unless you are going to pay the ransom (I would not encourage it; however, they are your/your dad's files, so not my decision at all), then while memory is fresh, start piecing together files your dad might have sent via email, has on USB drives, or has otherwise uploaded or stored in another location, even if you have to OCR a printout or update from an older version. Hopefully it did not encrypt any directory/file names, so you have those as well (and hopefully your dad used a proper file naming scheme).
 

Mazamin

I don't think he'll pay the ransom, but the thing I can't stand is that it encrypted even the files on the backup drive. It's unfair :nayps3:
 

FAST6191

I do not know if it deliberately encrypted the backup drive because it recognised it as one, or just as another drive with more files.

Anyway, there is a reason we are told to have backups in more than one location, and in a cold/offline state as well. Normally it is so that when things get stolen, flooded, lightning-struck or burned down, the backups do not go as well, but this is also good. Or, if you prefer: RAID is not backup, and this is a reason why.
 

Mazamin

Anyway, Recuva finished scanning and I recovered 30% of the files on the backup drive. I hope I will be able to recover files from the PC drive tomorrow, but I don't think so, as the technician may have overwritten files with some tools to recover them.
I feel lucky, as the virus hasn't overwritten the files but only deleted them. Thanks, everyone on this thread.
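The post above explains why a recovery tool got anything back at all: the ransomware wrote an encrypted copy and deleted the original, so the original's blocks were merely unlinked, not overwritten, and stayed in unallocated space until something else reused them. The block below is an added example (not code from this thread or from Recuva) of the signature carving such tools do. It scans a raw image for known header/footer pairs, ignoring the file system. The disk image, the sample PDF and JPEG, and the "encrypted in place" region are constructed for the example; the signatures are the real ones.

```python
import hashlib

# Header, footer and a maximum carve length for two formats (real signatures).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
}

def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Scan a raw image for header/footer pairs, ignoring the file system.
    Returns (kind, offset, data) tuples sorted by offset. A file that was only
    unlinked still has its blocks in unallocated space and is found; a file
    whose blocks were overwritten with ciphertext has no header left and is not."""
    found = []
    for kind, (head, tail, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            window = image[start:start + max_len]
            end = window.find(tail, len(head))
            if end < 0:              # header without footer: truncated or overwritten
                pos = start + len(head)
                continue
            end += len(tail)         # a PDF with incremental updates has several %%EOF;
            found.append((kind, start, window[:end]))   # this takes the first one
            pos = start + end
    return sorted(found, key=lambda item: item[1])

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def recover(image: bytes) -> dict:
    """Map each carved file ('pdf@512') to (sha256, size) for comparison with known copies."""
    return {f"{kind}@{offset}": (sha256(data), len(data)) for kind, offset, data in carve(image)}

# --- constructed image: what a carving tool sees on the backup drive ---
def _noise(n: int, seed: bytes) -> bytes:
    """Deterministic near-random bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

ORIGINAL_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF")
# JPEG entropy-coded data byte-stuffs every 0xFF as 0xFF 0x00, so the footer
# marker 0xFFD9 cannot occur inside the body; the sample mirrors that.
ORIGINAL_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
                + _noise(300, b"jpg").replace(b"\xff", b"\xff\x00")
                + b"\xff\xd9")
# A file encrypted in place: same size, but no header survives. (0xFF bytes are
# swapped out so the constructed sample can never fake a JPEG marker.)
ENCRYPTED_IN_PLACE = _noise(1024, b"ciphertext").replace(b"\xff", b"\x7f")

def build_image() -> bytes:
    """Free space (zeros) still holding a deleted PDF and JPEG, plus the
    in-place encrypted region between them."""
    free = b"\x00" * 512
    return free + ORIGINAL_PDF + free + ENCRYPTED_IN_PLACE + free + ORIGINAL_JPG + free

if __name__ == "__main__":
    image = build_image()
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes, sha256={sha256(data)[:16]}...")
    print("carved from the in-place encrypted region:", carve(ENCRYPTED_IN_PLACE))
```

Work from an image of the drive (for example one taken with `dd`), never from the live disk: every write, including a recovery tool's own output, can land on the freed blocks you are trying to read. That reuse is also why only a fraction comes back. The ransomware's encrypted copies are written while the originals are being deleted, so many freed blocks are reclaimed immediately, and a file that was encrypted in place rather than copy-and-deleted leaves nothing for a carver to find.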
 
