Virus encrypts jpeg files

quinnlaup

I got a Dell laptop running Windows 7 in last week with a ukash ransomware infection. We removed the infection without too many problems; however, we noticed that most of the customer's photos would not display properly. Instead they showed an image which stated that they were encrypted and that the only way to decrypt them was to run a program called dirty decrypt.exe. I booted the customer's laptop using a Linux boot disc and tried to view the photos but they still show this warning image. Has anyone else come up against this before? Is there a way to recover the photos?

kind regards

quinnlaup
 
More than likely the files were copied or zipped somewhere. Encrypting a file doesn't make it show something else, it copied a file over them, and that's what you are seeing.
 
Sounds like another FBI virus variant (Interpol, etc. over in Europe). Take a look at this as a comparison:

http://www.technibble.com/forums/showthread.php?t=47231

On the whole, it would probably be a good idea to back these drives up before making any changes. What you have to do to get the customer's data back (assuming it's affected in the first place) would depend on how the malware was engineered. I've heard of some that do little more than display the warning screen (simply remove it from the startup apps) while others go far deeper into the system. It all depends on how the author put it together and, I would imagine, whether various attempts were blocked by the A/V on the affected system.

Where the malware was able to encrypt files (per the link above, some just delete the victim's data without archiving anything) you may need information/codes from the original warning screen to get the customer's data back. I understand Kaspersky and Dr. Web have made some inroads that allow decryption of the customer's data without paying the "ransom", but the steps that are necessary depend on the method the author used. Again, some report that the data was simply deleted and no archives were created. If this is the case, then it would be especially important to get a clone/image backup of the drive ASAP, then apply data recovery techniques or send the drive out for recovery.
 
@Fremont PC

Thanks for the link to the other thread; I remember scanning through it last week. I checked with the customer as to when this infection started because I wanted to try a system restore, and she told me that someone else had looked at it before we got near it. The files on this particular machine all have a .jpg file extension. I am starting to wonder if it may be too late to recover the photos. I've been researching it and I believe that both Panda and Bitdefender are making limited progress in decrypting the files.
 
From what I've been reading on this virus, it looks like there are two main variants: One overwrites files with another filetype (html or jpg, it seems); the other encrypts them with (last I read) no known way to recover them.

Either way, the customer is pooched if they don't have a backup.
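To tell those two variants apart across a whole folder from the Linux live CD, here is an added triage script (my example, not code from anyone in this thread). It treats many .jpg files with byte-identical content as the copied-over warning image, and files with no JPEG header and near-random bytes as probably encrypted; the sample data at the bottom is constructed, not real malware output.

```python
import hashlib
import math
import sys
from collections import Counter
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker that every real JPEG starts with

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(files: dict) -> dict:
    """Map name -> verdict for {name: content}. 'placeholder' = valid JPEG whose
    bytes other files share (one warning image copied over all of them);
    'encrypted?' = no JPEG header and near-random bytes; 'jpeg' = unique valid
    JPEG, probably untouched; 'unknown' = inspect by hand."""
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    copies = Counter(digests.values())
    verdicts = {}
    for name, data in files.items():
        if data.startswith(JPEG_MAGIC):
            verdicts[name] = "placeholder" if copies[digests[name]] > 1 else "jpeg"
        elif len(data) >= 256 and shannon_entropy(data) > 7.5:
            verdicts[name] = "encrypted?"
        else:
            verdicts[name] = "unknown"
    return verdicts

def triage_folder(folder: str) -> dict:
    """Read every *.jpg/*.jpeg under folder (mount the patient drive read-only first)."""
    paths = [p for p in Path(folder).rglob("*") if p.suffix.lower() in (".jpg", ".jpeg")]
    return triage({str(p): p.read_bytes() for p in paths})

# Constructed sample: two files overwritten with the same fake warning JPEG,
# one file of uniform random-looking bytes standing in for ciphertext, one photo.
SAMPLE = {
    "warn1.jpg": JPEG_MAGIC + b"\xe0WARNING image body",
    "warn2.jpg": JPEG_MAGIC + b"\xe0WARNING image body",
    "enc.jpg": bytes(range(256)) * 2,
    "ok.jpg": JPEG_MAGIC + b"\xe0unique holiday photo",
}

if __name__ == "__main__":
    results = triage_folder(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE)
    for name, verdict in results.items():
        print(f"{verdict:12} {name}")
```

A genuine duplicate photo is also reported as "placeholder", so open one flagged file to confirm it really is the warning image before drawing conclusions.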
 
It seems that there are a lot of variants of the ransomware floating around, with each one having a different payload. It also seems like they're not being identified as "different" until after the virus is removed, at which point data recovery gets more difficult. Maybe we should start making it a habit to treat these jobs like data recovery jobs from the start and make a full image of the drive before doing anything else. This way, we at least (hopefully) have the original virus to submit to the security folks so they can reverse-engineer it.

It would also be good if we could find ways to identify the variants that are safe to remove... the ones that don't encrypt or delete files.
 
Have another look at it, just to make sure the customer's files aren't marked with hidden or hidden and system attributes. Don't know if your boot disk shows those files by default.

Check Uprighttech's post (#54) in the other thread, the one he had marked the customer's files and folders as hidden/system, then wouldn't allow you to uncheck "Hide Protected Operating System Files".
 
DL page for Galdorf's link:
http://support.kaspersky.com/viruses/utility.

Kaspersky's decryptor, too, needs an original but that still begs my other question: Are any of these variants leaving an original untouched? I would imagine these things work file by file so, unless you catch it just as it has encrypted a file but before it deletes the original, I'm thinking you've still got to be working off of a backup. In which case, you're just rescuing any NON-backed up files, really...which is still good.
 
It would be interesting to know if it encrypts any system files with the vulnerable extensions. If so, an original from another system might serve as a proxy for a backup of the encrypted file, just to break the encryption key. Probably wishful thinking.
 
I didn't manage to get to speak to the customer today, so I think I will image this drive before I take it any further. I had a quick look through the system for original unmodified files but haven't found any yet. I've also run sfc /scannow and found no issues, so I'm not sure if it is modifying any system files.

regards

quinnlaup
 
Quinn -

Boot off your Linux Live CD and set it to show hidden files (CTRL + H in Ubuntu) just in case.
 
Just had a thought!! Customer may not have a complete backup of all photos, but if they even have one of the original photos, could that be enough to decrypt the rest? I will try the hidden files suggestion and update the thread asap. Anyhow, it's nearly 2:30 am, going to bed. Really got to learn to switch off from work!

Kind regards

Paul
 
Customer may not have a complete backup of all photos, but if they even have one of the original photos, could that be enough to decrypt the rest? I will try the hidden files suggestion and update the thread asap.
That's my understanding of how the Kaspersky tool works, although I haven't had occasion to try it.

If they don't have a backup of any file and previous versions is borked/disabled, try using a data recovery program to recover a deleted file that hasn't been revised, as far as the customer knows.

Edit: On reflection, if it's been deleted, it wouldn't have still been available to be encrypted. If it had been revised and the revised version encrypted, they won't be identical so the recovered file won't be useful to help decrypt the revised version, unless the exact same revisions can be applied to the recovered file.
 