Forum Thread: Virus Encoder Affected Files Recovery

Virus Encoder Affected Files Recovery

Hello Null-Byte Community! This is my first post (I am a newcomer) so I hope that this post is not irrelevant.

So, I recently started to work for my college IT Department, fixing various problems from minor internet connectivity ones to more advanced stuff such as protecting data, malware removal, and so on. Everything went smoothly until one of my Professors called regarding a problem with what he described at the time as a "virus encoder". I haven't even heard of such thing so, the next day, I check his computer.

I make a sober discovery as all data regarding our faculty has been encrypted (.doc, .pdf, .xls, .zip documents) with a weird extension. The final format was "original__file__name.id-9814822542av666@weekendwarrior55.com.

The attacker changed the background image, as well as implemented a PowerPoint script to run at startup containing the image, of a BSOD-like screen with all details regarding the decryption of the data. He claimed that the files are unrecoverable after 72 hours, and that if my Professor wants them back, he needs to contact the attacker via email in order to arrange a payment in exchange for the encryption key.

Without actually making a big deal out of the decryption, I proceeded in running Windows in Safe-Mode with Networking, installed MalwareBytes, HitmanPro and Spy Hunter, and runned them all in that particular order. Of course, I obliterated the virus out of existence, just to find a catch later on.

Then, I started posting these questions regarding the actual decryption on Internet Securities Forums - Kaspersky and BleepingComputer respectively. They both struggle with this encryption and I don't want to rush them, but I kinda start losing my patience. This problem is already a couple of weeks old. I talked to a Security Moderator at Kaspersky and they actually gave me a tool that recovered a pass, but unfortunately the so called "decrypted" files are still unreadable. I also found the catch about removing the virus completely - it would've been much more useful if there were active components of it sent to Kaspersky Labs in order to reverse engineer the encryption.

After many attemps of bruteforcing the password using an utility called RakhniDecryptor developed by Kaspersky with no result, I thought that booting up my old distribution of Kali 1.0 would help.

After all this story you may wonder, what does this guy ant after all? I need help desperately decrypting this files. I need to crack the encryption key and restore them to their initial state. I don't want to hack facebook, or Yahoo, I don't want to harm others, use my knowledge in malicious scopes like other wannabe hackers... I just want to hack (crack) an encryption a cyber-criminal put on a 20-years work of a college Professor. I don't believe there is a more "white-hatting" purpose out there.

I'm sorry if this last bit seemed acidic, but you have to understand, I lose my faith that these files will ever be recovered. If you had the patience to read this, thank you and I hope you guys at Null-Byte can help me.

Vik

2 Responses

Screenshots would help...
Is this happening to only 1 computer or multiple?
What OS are the infected computers using?

Hello Endi!

Thank you for your fast reply.

Here is the BSOD-like photo the attacker set as desktop and used in the PowerPoint script - > http://workupload.com/file/dDj0AupY

Here is one of the encrypted files, as well as the "decrypted" by RakhniDecryptor version of the file - > http://workupload.com/file/pqaYspcz

ADDITIONAL INFO:

  1. The infected PC is running Windows XP.
  2. The virus was contracted by the Professor while searching the web. Two main sites that I believe got injected with the malware are : www.fanatik.ro and www.sport.ro
  3. He was using IE and Yahoo Mail service for communication. I uninstalled IE and also unchecked it in the Control Panel section.

Thank you in advance,
Vik

Share Your Thoughts

  • Hot
  • Active