Virus Encoder Affected Files Recovery

Dec 28, 2015 12:52 PM

Hello Null-Byte Community! This is my first post (I am a newcomer) so I hope that this post is not irrelevant.

So, I recently started to work for my college IT Department, fixing various problems from minor internet connectivity ones to more advanced stuff such as protecting data, malware removal, and so on. Everything went smoothly until one of my Professors called regarding a problem with what he described at the time as a "virus encoder". I hadn't even heard of such a thing, so the next day I checked his computer.

I made a sobering discovery: all data regarding our faculty had been encrypted (.doc, .pdf, .xls, .zip documents) with a weird extension. The final format was "original__file__name.id-9814822542av666@weekendwarrior55.com".

The attacker changed the background image and also implemented a PowerPoint script to run at startup containing the image of a BSOD-like screen with all details regarding the decryption of the data. He claimed that the files are unrecoverable after 72 hours, and that if my Professor wants them back, he needs to contact the attacker via email in order to arrange a payment in exchange for the encryption key.

Without actually making a big deal out of the decryption, I proceeded to run Windows in Safe Mode with Networking, installed MalwareBytes, HitmanPro and SpyHunter, and ran them all in that particular order. Of course, I obliterated the virus out of existence, only to find a catch later on.

Then, I started posting these questions regarding the actual decryption on Internet security forums, Kaspersky and BleepingComputer respectively. They are both struggling with this encryption and I don't want to rush them, but I'm starting to lose my patience. This problem is already a couple of weeks old. I talked to a Security Moderator at Kaspersky and they actually gave me a tool that recovered a password, but unfortunately the so-called "decrypted" files are still unreadable. I also found the catch about removing the virus completely: it would've been much more useful if active components of it had been sent to Kaspersky Labs in order to reverse engineer the encryption.

After many attempts at brute-forcing the password using a utility called RakhniDecryptor developed by Kaspersky, with no result, I thought that booting up my old distribution of Kali 1.0 would help.

After all this story you may wonder, what does this guy want after all? I desperately need help decrypting these files. I need to crack the encryption key and restore them to their initial state. I don't want to hack Facebook or Yahoo, I don't want to harm others or use my knowledge for malicious purposes like other wannabe hackers... I just want to hack (crack) an encryption a cyber-criminal put on 20 years of work of a college Professor. I don't believe there is a more "white-hatting" purpose out there.

I'm sorry if this last bit seemed acidic, but you have to understand, I have lost faith that these files will ever be recovered. If you had the patience to read this, thank you, and I hope you guys at Null-Byte can help me.

Vik
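The two checks a responder needs here, added as an example that is not part of the original post: an inventory of which files still carry the ransom suffix, and a header check that catches the situation described above, where a "decrypted" file is still unreadable. The name pattern is generalised from the single example in the post (`.id-<digits and letters>@<domain>`), the magic bytes are the well-known signatures for the document types listed, and the sample set is constructed for demonstration, not real victim data.

```python
"""Triage for files hit by the encoder described in the post.

Assumptions (not from the post): the naming regex is generalised from the one
example "original__file__name.id-9814822542av666@weekendwarrior55.com", and the
SAMPLES below are constructed bytes, not real files.
"""
import os
import re

# <original name>.id-<victim id>@<contact domain>, generalised from the post's example.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9a-z]+)@(?P<domain>[a-z0-9.-]+)$",
    re.IGNORECASE,
)

# Well-known leading bytes for the document types the post lists.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls container
ZIP = b"PK\x03\x04"                          # .zip and Office Open XML (.docx / .xlsx)
MAGIC = {".pdf": b"%PDF", ".zip": ZIP, ".docx": ZIP, ".xlsx": ZIP, ".doc": OLE2, ".xls": OLE2}


def parse_encrypted_name(name):
    """Return (original_name, victim_id, domain) if name carries the ransom suffix, else None."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("domain")


def header_matches(name, data):
    """True/False when the extension is known and the leading bytes do/don't match; None if unknown."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    sig = MAGIC.get(ext)
    if sig is None:
        return None
    return data[: len(sig)] == sig


def classify(name, data):
    """Classify one file from its name and its first bytes.

    'encrypted'  still carries the ransom suffix
    'intact'     known type and header as expected
    'damaged'    known type but wrong header (a 'decrypted' file that is still unreadable)
    'unknown'    no signature known for this extension
    """
    if parse_encrypted_name(name):
        return "encrypted"
    ok = header_matches(name, data)
    if ok is None:
        return "unknown"
    return "intact" if ok else "damaged"


def triage(samples):
    """Group a {name: leading_bytes} mapping into the four classes; returns {class: sorted names}."""
    out = {"encrypted": [], "intact": [], "damaged": [], "unknown": []}
    for name, data in samples.items():
        out[classify(name, data)].append(name)
    return {k: sorted(v) for k, v in out.items()}


def triage_directory(path, nbytes=8):
    """Same triage over a real directory tree; reads only the first few bytes of each file."""
    samples = {}
    for root, _dirs, files in os.walk(path):
        for f in files:
            full = os.path.join(root, f)
            with open(full, "rb") as fh:
                samples[full] = fh.read(nbytes)
    return triage(samples)


# Constructed sample set (not real victim data).
SAMPLES = {
    "syllabus.doc.id-9814822542av666@weekendwarrior55.com": b"\x8a\x21\x00\x77\x3c\x9f\x01\x02",
    "grades.xls": OLE2 + b"\x00" * 8,
    "paper.pdf": b"%PDF-1.4\n",
    "archive.zip": ZIP + b"\x14\x00",
    "recovered.pdf": b"\x19\x44\xa0\x07\x66\x23",   # "decrypted" output that is still garbage
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for cls, names in triage(SAMPLES).items():
        print(f"{cls:9s} {names}")
```

Run `triage_directory` against a copy of the affected share before and after any decryption attempt; files that land in `damaged` are the ones a decryptor has not actually recovered. A matching header only shows the first bytes are right, so open a few `intact` files by hand as well.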
