Please help me with CryptoLocker (or something similar)

Discussion in 'General Off-Topic Chat' started by DrCrygor07, Jan 27, 2016.

  1. DrCrygor07
    OP

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,710
    633
    Sep 4, 2014
    Italy
    So my father opened the spam (ARGH!) on his PC and downloaded an attached file, report.pdf.exe (with a PDF icon), so it encrypted every file, even on the backup drive. Is it possible to decrypt them? I can provide you with the virus executable.
     
    Last edited by DrCrygor07, Jan 27, 2016
  2. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    GBAtemp Patron
    12,288
    5,313
    Mar 17, 2010
    Norway
    Alola
    If the files really are encrypted... they are probably lost unless your dad pays the ransom. They aren't kidding around with this ransomware; if the files were easy to recover then people wouldn't pay the ransom. If you can find the name of the ransomware, there are probably instructions for removal on Google, but those instructions tend to come with a warning that your files will be lost if you go through with the removal.
     
  3. DrCrygor07
    OP
    Now my father sent the PC to a technician so I can't work on it, but I have the backup drive now, and I can access his mail to download (and not execute) the virus. I'll check the virus name on VirusTotal.
     
  4. The Real Jdbye

    If the encryption key is stored on the PC and not on some remote server, there's a chance you could recover the files, but you'd have to read about the specific ransomware to know. Hopefully the files are recoverable.
     
  5. DrCrygor07
    OP

    Now I'm trying with Recuva, and I checked the mail, but he deleted the spam message. So I need to wait until the technician gives the computer back to my father and I can check the executable that hopefully he didn't delete. DAMN
     
    Last edited by DrCrygor07, Jan 27, 2016
  6. CIAwesome526

    CIAwesome526 Im ugly and im proud

    Member
    1,242
    2,254
    Mar 25, 2014
    United States
    The Lake, Kalos Region
    Did you check the deleted folder in the inbox?
     
  7. DrCrygor07
    OP
    It was wiped
     
  8. FAST6191

    FAST6191 Techromancer

    Reporter
    23,701
    9,571
    Nov 21, 2005
    United Kingdom
    If you are asking these sorts of questions you are really not ready to go toe to toe with these sorts of things, at least beyond wiping the computer and starting again.

    Some of the early stuff was implemented poorly, and weaknesses in the crypto and implementations allowed you to pull things back. Today, not so much; there is no preloaded key in any of the reports I have seen, and it is all remotely generated keys with proper crypto (no known-plaintext options or stuff like that).

    Unless you are going to pay the ransom (I would not encourage it; however, they are your/your dad's files, so not my decision at all), then, while memory is fresh, start piecing together files your dad might have sent via email, has on USB drives, or otherwise has uploaded or stored in another location, even if you have to OCR a printout or update from an older version. Hopefully it did not encrypt any directory/file names, so you have those as well (and hopefully your dad used a proper file naming scheme).
     
  9. DrCrygor07
    OP

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,710
    633
    Sep 4, 2014
    Italy
    I don't think he'll pay the ransom, but the thing that I can't stand is that it encrypted even the files on the backup drive. It's unfair.
     
  10. FAST6191

    I do not know if it deliberately encrypted the backup drive as it thought it was one, or just another drive with more files.

    Anyway, there is a reason we are told to have backups in more than one location, and in a cold/offline state as well. Normally it is so that when things get stolen, flooded, lightning-struck or burned down the backups do not go as well, but this is also a good reason. Or, if you prefer: RAID is not backup, and this is a reason why.
     
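    The offline-backup point above is also where a defender can add a cheap integrity check, so that a backup drive that has been silently encrypted is noticed before the only good copy is gone. The script below is an added example, not code from this thread or from any tool mentioned in it: it records a SHA-256 manifest of a drive while it is known-good and, on a later scan, flags files whose content changed and now looks like ciphertext (Shannon entropy close to 8 bits per byte), plus files that vanished or appeared. The directory layout, file contents and the 7.5-bit threshold are all constructed assumptions for the demo.

```python
import hashlib
import math
import tempfile
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits/byte; ciphertext sits near 8.0, documents far lower (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest and entropy."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data),
        }
    return manifest


def compare_manifests(baseline: dict, current: dict, threshold: float = HIGH_ENTROPY) -> dict:
    """Classify drift between a trusted baseline manifest and a fresh scan.

    'changed' = content differs from the baseline;
    'suspect' = changed AND the new content looks like ciphertext;
    'missing' = in the baseline but gone from the drive;
    'new'     = appeared since the baseline (ransom notes, renamed copies, ...).
    """
    changed = [p for p in baseline
               if p in current and current[p]["sha256"] != baseline[p]["sha256"]]
    return {
        "changed": changed,
        "suspect": [p for p in changed if current[p]["entropy"] >= threshold],
        "missing": sorted(set(baseline) - set(current)),
        "new": sorted(set(current) - set(baseline)),
    }


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode); stands in for ciphertext."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def demo() -> dict:
    """Constructed scenario: snapshot a clean drive, then simulate an encryption event."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "docs").mkdir()
        (drive / "docs" / "report.txt").write_bytes(b"quarterly figures " * 200)
        (drive / "docs" / "letter.txt").write_bytes(b"Dear Sir,\n" * 300)
        # A file that is legitimately high-entropy (e.g. a compressed photo); it must
        # NOT be flagged, because its hash does not change.
        (drive / "photo.raw").write_bytes(_pseudo_random(4096, b"photo"))
        baseline = build_manifest(drive)

        # Simulated damage: report.txt overwritten with ciphertext-like bytes,
        # letter.txt removed, a note dropped (placeholder name, constructed).
        (drive / "docs" / "report.txt").write_bytes(_pseudo_random(4096, b"enc"))
        (drive / "docs" / "letter.txt").unlink()
        (drive / "README_DECRYPT.txt").write_text("constructed ransom note placeholder\n")
        return compare_manifests(baseline, build_manifest(drive))


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label:8s} {paths}")
```

    The entropy test matters because a plain hash comparison also fires on every legitimate edit; only the combination "changed and now near-random" points at encryption rather than work. In practice the baseline manifest has to live somewhere the infected machine cannot write to (the same reasoning as the offline copy itself), otherwise it is replaced along with the files it describes.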
  11. DrCrygor07
    OP
    Anyway, Recuva finished scanning and I recovered 30% of the files on the backup drive. I hope I will be able to recover files from the PC drive tomorrow, but I don't think so, as the technician may have overwritten files with some tools to recover them.
    I feel lucky, as the virus hasn't overwritten the files but only deleted them. Thanks, everyone on this thread.
     
    Last edited by DrCrygor07, Jan 27, 2016