Most of my files in my Windows 8 got encrypted; Windows is still running

6

Around 90% of my files, including *.doc and *.jpg, got converted into *.micro!

There are two files left:

  • help_recover_instructions+iyf.html
  • help_recover_instructions+iyf.txt

These files say:

What happened to your files?
All of your files were protected by a strong encryption with RSA-4096. More information about the encryption RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret keypair RSA-4096 – public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!!

What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

Does anyone know what is going on?

hkguie

Posted 2016-01-16T04:40:37.440

Reputation: 273

Your files are encrypted; they cannot be recovered unless you get the key to reverse the process. Format your machine and restore from a backup. – Ramhound – 2016-01-27T11:57:12.657

@Ramhound, I think this is bad advice. First make a backup of the encrypted files, then format the machine and restore from backup. Because the encryption key might become public in the future and files can still be saved as I explained in my answer (http://superuser.com/a/1031984/246895).

– CousinCocaine – 2016-01-27T12:23:46.153

@CousinCocaine - The moment he attaches an external drive, the malware will likely infect it, if he has a current backup he doesn't need to backup the encrypted files. – Ramhound – 2016-01-27T13:15:21.177

Answers

3

This is a very nasty virus category, known as Ransomware. There is further information on it here.

The bad news is that the encryption used is realistically uncrackable. If you don't have backups, there is not a lot you can really do. The virus will demand payment to decrypt your files, which, let's face it, they may not do and may just take the money and run. There is no other way to decrypt it without the exact keys they provide. Paying the ransom is the only chance you would have to get the data back without backups, but if they don't comply after payment, you have no recourse and have just lost your files and your money.

The instructions above detail how to remove the virus, however, it is likely too late for your data. You can try the following as a last resort if you don't have backups (Remove the virus first using the above link, or it may just re-encrypt them):

There is only one known way to remove this virus successfully, barring actually giving in to the demands of the people who created the virus – reversing your files to a time when they were not infected.

There are two options you have for this:

The first is to do a full system restore. This can take care of the file extension for you completely. To do this just type System Restore in the Windows search field and choose a restore point. Click Next until done.

Your second option is a program called Shadow Volume Copies.

Open the Shadow Explorer part of the package and choose the Drive (C or D usually) you want to restore information from. Right click on any file you want to restore and click Export on it.

Jonno

Posted 2016-01-16T04:40:37.440

Reputation: 18 756
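The same shadow-copy recovery the answer describes, done with built-in commands from an elevated PowerShell prompt instead of Shadow Explorer. This is an added example, not part of the answer or of the Shadow Explorer tool; the link name `C:\shadow_view`, the `Users\<you>\Documents` folder and the `D:\recovered` destination are placeholders to adjust.

```powershell
# Added example: enumerate Volume Shadow Copies and expose the newest one as a
# plain directory so pre-encryption versions of files can be copied out.
# Requires an elevated prompt (mklink needs it on Windows 8).

# List every shadow copy, newest first. The DeviceObject field looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and is what we will link to.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending)
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

if ($shadows.Count -eq 0) {
    # As the comments on this answer note, newer ransomware deletes the copies.
    Write-Warning 'No shadow copies exist on this machine; fall back to backups.'
    return
}

# Pick the newest snapshot (check InstallDate predates the infection!).
$snapshot = $shadows[0]

# Expose the snapshot under a normal path with a directory symbolic link.
# The trailing backslash on the target is required by mklink.
$mount = 'C:\shadow_view'                                   # placeholder link name
cmd /c mklink /d $mount ($snapshot.DeviceObject + '\') | Out-Null

# Copy a folder out of the snapshot to a separate drive. Encrypted files and
# ransom notes are excluded in case the snapshot was taken mid-infection.
$source = Join-Path $mount 'Users\<you>\Documents'          # placeholder folder
$dest   = 'D:\recovered'                                    # placeholder destination
robocopy $source $dest /E /XF *.micro help_recover_instructions*

# Remove only the link; the snapshot itself is untouched.
cmd /c rmdir $mount
```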

not possible to decrypt the files? – hkguie – 2016-01-16T05:02:15.690

@hkguie No. There is a summary of this here - "you can return "practically infinite" as cracking time for all key lengths. A typical user will not break a 1024-bit RSA key, not now and not in ten years either." - That's for a possible 309 digit encryption key (I think - I'm not perfectly sure on the math behind cryptography). Your data has, I think, a 1,234 digit encryption key. It would take *many* human lifetimes to decrypt without knowing the key.

– Jonno – 2016-01-16T05:08:05.003

I use Bitdefender but it doesn't detect any virus – hkguie – 2016-01-16T05:17:32.517

@hkguie Did you try the instructions here? Viruses can make themselves undetectable once they're in, or Bitdefender may not be up to date or have the heuristic for this particular virus.

– Jonno – 2016-01-16T05:19:33.050

Later versions of this ransomware delete or get rid of Shadow Copies. AV solutions are horrible at finding malware like what you are infected with – Ramhound – 2016-01-27T11:59:27.653

3

If you have backups, your best option is to wipe your computer, restore from backup, and start over.

Otherwise, if you are very very lucky, you may have been infected with ransomware from incompetent developers who made mistakes allowing you to recover your files or find the key somewhere. Or, you may be infected with ransomware that has been "hacked back" to steal the keys. I'm not sure exactly where to figure that out; but I'd personally probably start by trying the support line for whatever antivirus you have. At the very least I'd hope they can direct you somewhere and give you cleanup advice.

But as the other answer says, your files are probably gone. If they are not completely irreplaceable, like if they are the only baby pictures you have of your kid who died of cancer at 5, then PLEASE resist the urge to pay the scumbags who infected you.

Above all, don't panic and make rash decisions due to their deadline. As much as it may inconvenience you, they're just files after all, and paying them will only give them money to keep funding their crimes.

Edit: With recent version of Windows, sometimes you can restore your files from a Shadow Volume Copy, however well-made ransomware will apparently also delete the shadow copies preventing this from working. So you may need to resort to a backup still. Even if you do successfully get your files back, restoring from backup is a good idea, to ensure your system is clean of the malware.

Ben

Posted 2016-01-16T04:40:37.440

Reputation: 2 050

1

Decryption is possible when decryption keys are known

As a listener of the 'Security Now' podcast by Steve Gibson, among others, I was informed about Kaspersky's decryption tool.

As explained in the podcast (podcast nr 503), some encryption keys were found and therefore decryption is possible. Based on these keys a decryption tool was made by Kaspersky.

Check https://noransom.kaspersky.com for more info and for a download link to the decryption tool. Always check the url (and checksum) before downloading (and using) this kind of software.

From https://noransom.kaspersky.com :

The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab, have been working together to fight the CoinVault and Bitcryptor ransomware campaigns. During our joint investigation we have obtained data that can help you to decrypt the files being held hostage on your PC. We are now able to share a new decryption application that will automatically decrypt all files for Coinvault and Bitcryptor victims. For more information please see this how-to guide. We are considering this case as closed. The ransomware authors are arrested and all existing keys have been added to our database.

PS: To my best knowledge, you can always make a backup/copy of your encrypted files; maybe a decryption key will be found in the (near) future.

CousinCocaine

Posted 2016-01-16T04:40:37.440

Reputation: 129
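A way to act on the advice above (keep a copy of the encrypted files before wiping, in case keys surface later), as an added example that is not part of the answer. It copies every `*.micro` file and the `help_recover_instructions*` notes from the question to a separate drive, keeping the folder structure, and writes a SHA-256 manifest so the copy can be verified later. `C:\Users` and `E:\encrypted_backup` are placeholders; the destination should be an otherwise empty drive, since (as Ramhound's comment on the question warns) the malware may still be active. Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example: preserve the encrypted files and ransom notes with a hash manifest.
$root     = 'C:\Users'               # placeholder: where the encrypted files live
$backup   = 'E:\encrypted_backup'    # placeholder: a fresh, otherwise empty drive
$manifest = Join-Path $backup 'manifest.csv'

New-Item -ItemType Directory -Path $backup -Force | Out-Null

# Select only what matters for later decryption: the encrypted files (the
# question reports the .micro extension) and the ransom notes, which identify
# the campaign and are needed to match a decryptor to it.
$files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.micro' -or $_.Name -like 'help_recover_instructions*' }

$rows = foreach ($f in $files) {
    # Rebuild the original relative path under the backup root.
    $relative = $f.FullName.Substring($root.Length).TrimStart('\')
    $target   = Join-Path $backup $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null

    # -LiteralPath avoids wildcard handling of odd characters in file names.
    Copy-Item -LiteralPath $f.FullName -Destination $target

    # Hash the copy (not the source) so the manifest describes what was stored.
    [pscustomobject]@{
        Path   = $relative
        Bytes  = $f.Length
        SHA256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    }
}

$rows | Export-Csv -Path $manifest -NoTypeInformation
'{0} files copied, {1:N0} bytes, manifest at {2}' -f $rows.Count,
    ($rows | Measure-Object -Property Bytes -Sum).Sum, $manifest
```

To verify the copy later, re-run Get-FileHash over the backup and compare against the SHA256 column of the manifest.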

How do you know the author is infected with either those specific versions of CoinVault and Bitcryptor? Your answer seems to indicate that he will be able to decrypt his files, even if he wasn't infected with a vulnerable version of those infections, which isn't the case. – Ramhound – 2016-01-27T13:14:16.023

The decrypt software is updated continuously with new keys. But indeed, I have no clue which ransomware is used in this case. – CousinCocaine – 2016-01-27T13:17:54.583

You should probably find that out, from the user, before you say it's possible then. – Ramhound – 2016-01-27T13:19:47.650

You are right, I might give the wrong impression here. What I meant is that decryption is possible when the keys are known. – CousinCocaine – 2016-01-27T13:22:10.813

-4

Ransomware. You get infected and your computer probably gets bot'd out. Then it encrypts your HDD or files/folders. Then you must contact them and get the key to decrypt.

Unfortunately, if you do not have a backup, you must comply, because there is no 'fix' for the encryption.

Xeno555

Posted 2016-01-16T04:40:37.440

Reputation: 21

2

Complying is a terrible idea and there are several cases where doing so won't get your files back anyway. – ChrisInEdmonton – 2016-01-27T12:18:14.253