Encoded files

EnigmaTech

Got a machine in the workshop at the moment that has had a serious virus through it. The virus is removed and the machine is operating normally... HOWEVER, all the user's documents / jpgs etc. come up as .ENCODED files.
Have tried removing the .ENCODED extension, changing the application the files open with, running a third party word recovery tool, but the files are still encoded.
So either the virus has shagged the contents of all files, or the user has somehow managed to encrypt the files (this is very likely, but they have no idea, so I can't get any more info out of them).

Any ideas?

Thanks
Tom
 
Turn it off right now, and break out photorec. The files aren't just renamed, they are heavily encrypted, the originals were deleted (but hopefully not overwritten if you haven't used it much).

As photorec won't get you the file names, Kaspersky has written a tool that will figure them out based on the file sizes of the encrypted version with the file name and the recovered version without. They have another one that can do some decrypting if the customer has the unencrypted version of a file (camera card etc). See here for info http://www.securelist.com/en/descriptions/old313444
 
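The size-based name matching described in the reply above, as an added example that is not part of the original thread and is not Kaspersky's tool. It assumes each encrypted file has exactly the same byte length as its original and that the carved copy was recovered at full length; the function names and directory arguments are hypothetical.

```python
import os
from collections import defaultdict

SUFFIX = ".ENCODED"  # extension reported in the thread


def sizes(root, keep=lambda name: True):
    """Map file size -> list of paths under root (read-only walk)."""
    by_size = defaultdict(list)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if keep(name):
                path = os.path.join(folder, name)
                by_size[os.path.getsize(path)].append(path)
    return by_size


def match_names(encoded_root, recovered_root):
    """Pair each recovered file with the original name of an encrypted file.

    ASSUMPTION: the encrypted copy is the same length as the original.
    Only sizes that are unique on both sides are paired; every other
    size that appears on both sides is returned for manual review.
    """
    enc = sizes(encoded_root, lambda n: n.upper().endswith(SUFFIX))
    rec = sizes(recovered_root)
    matched, ambiguous = {}, {}
    for size, rec_paths in rec.items():
        enc_paths = enc.get(size, [])
        if len(rec_paths) == 1 and len(enc_paths) == 1:
            # Strip the suffix to get the name the user originally saw.
            original = os.path.basename(enc_paths[0])[:-len(SUFFIX)]
            matched[rec_paths[0]] = original
        elif enc_paths:
            ambiguous[size] = (rec_paths, enc_paths)
    return matched, ambiguous
```

The function only reads metadata and returns a proposed mapping, so it can be pointed at a mounted image of the customer's disk and at the recovery output folder without altering either.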
Turn it off right now, and break out photorec. The files aren't just renamed, they are heavily encrypted, the originals were deleted (but hopefully not overwritten if you haven't used it much).

I read somewhere that the newer ones are careful to overwrite the space used by the original files, but you never know, you might be lucky.
 
The newer ones write over the exact file, so yeah, there is no way to recover it. Hopefully they have an older version.
 