HELP VIRUS!!! Can anyone please advise urgently

My wife opened an email this morning and, without thinking, clicked on an attachment.
The computer has been completely infected: all the files now end in .sh#t and are either corrupted or password protected.
The desktop has this message which is self-explanatory.

Normally in this scenario I would either do a system restore or a complete clean install.
The problem is it has not only corrupted all the files on my O/S drive, but also the other drive with all her work.

Having scanned with Windows Defender I do not want to proceed further without advice. Hopefully someone here has had this same virus.

 
Malware and antivirus scanners won't help, the files have been encrypted.

you have 3 choices:

1) pay the ransom and hope that it's 100% successful in decrypting them
2) investigate the virus/team behind it and hope that someone has figured out a way of fixing it (very unlikely)
3) start from scratch and start keeping backups off the network
 
Try a Linux Live CD and see if you can recover the files that way, it should at least allow you to get at your photos and documents.

Ubuntu/Linux Mint or Manjaro; you will need a 4-8 GB USB stick and a clean Windows computer/laptop if you have access to one.
 
It'd be worth looking here: http://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/ and here https://id-ransomware.malwarehunterteam.com/index.php if you haven't already.

May help to identify it, and any possible decryption methods.


Additionally, if you do try to decrypt (or aren't able to and need to reinstall the system), I would take a copy of the drive before you decrypt and keep it to one side. Worst case, that way you don't make anything any worse; best case, it gives you another opportunity, e.g. in the future if a different method of decryption is found.
 
Try a Linux Live CD and see if you can recover the files that way, it should at least allow you to get at your photos and documents.

Ubuntu/Linux Mint or Manjaro; you will need a 4-8 GB USB stick and a clean Windows computer/laptop if you have access to one.

Do this to see if at least some of your files are accessible and not encrypted (whilst praying). If they all are then :(.
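The "see if at least some of your files are accessible" check from the post above, as an added example that is not part of the thread: a Python script to run from the Live CD against the Windows drive mounted read-only. It buckets files by the marker extension the thread mentions and by byte entropy (encrypted content scores near 8 bits per byte); the extensions, the 7.5 threshold and the sample files it builds in a temp directory are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Marker extensions from the thread: the OP's ".sh#t" and the ".oshit" a reply attributes to Rakhni.
RANSOM_EXTENSIONS = (".sh#t", ".oshit")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ciphertext sits near 8.0, plain text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_tree(root, sample_bytes=4096, threshold=7.5):
    """Classify every file under a read-only mount (e.g. /mnt/win) by marker extension and entropy.
    Caveat: compressed formats (jpg, zip, docx) also score high, so check those by hand."""
    report = {"marked": [], "likely_encrypted": [], "readable": [], "unreadable": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(RANSOM_EXTENSIONS):
                report["marked"].append(rel)       # renamed by the encryptor
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)   # only the first chunk is needed
            except OSError:
                report["unreadable"].append(rel)
                continue
            bucket = "likely_encrypted" if shannon_entropy(head) >= threshold else "readable"
            report[bucket].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def run_demo():
    """Build a constructed sample tree in a temp dir and triage it (all contents are made up)."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "docs/notes.txt": b"Quarterly figures, draft 3.\n" * 100,  # untouched text
        "docs/report.docx.sh#t": os.urandom(4096),                 # encrypted, marker extension
        "docs/budget.xlsx": os.urandom(4096),                      # encrypted, no marker
        "photos/scan.bmp": bytes(range(16)) * 256,                 # untouched low-entropy binary
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return triage_tree(root)
```

Run it against a copy or image of the drive rather than the original, so the walk can never make things worse.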
 
These are pay, restore, or sacrifice.

If you don't have a backup, it becomes pay or sacrifice. :(
 
Have they just corrupted the files or taken uploaded info?

It looks like a Locky cryptolocker variant.

Files are usually just encrypted, but it's hard to say for sure. It's unlikely they would have stolen any files since the majority would be of questionable value.
 
This is called 'ransomware' OP, they've encrypted your files and will only decrypt them if you send them money, i.e. they've held your files to ransom. Note paying out should be a last resort as they could just keep your money and still not decrypt your files!

Many of them are badly written and can be fixed, see e.g. https://noransom.kaspersky.com/.

There are quite a few ransomware variants out there now, so I don't know how you identify which one you've got specifically. The Rakhni type uses a file extension of '.oshit', which could be a clue. If you still have the attachment you could try putting it through an online scanner like https://www.virustotal.com/
 
Restore from a backup, pay the ransom or take the hit on the files.

I have had quite a few customers with this virus or variants of it. One wanted to pay but didn't have enough time, so it went from £360 to £800, as the longer you take to pay the more they increase the ransom. The payment was in bitcoins to a wallet that they linked him to.

I even said if he does pay it doesn't mean he is going to get the files back.

Do you have a backup of the files?
 
This is why I've taken to having duplicate offline backups :| some variants of this are a lot more sophisticated and can spread in network environments even if your PC itself is fairly well locked down against attack from the internet. They are slowly evolving to be sophisticated enough to hide away in the firmware, etc. of the "internet of things" type devices including some brands of routers, managed switches and so on.
 
I feel for you OP, I really do. There is very little that can be done. I've heard of people paying the ransom and still not being able to decrypt half of their files :(
 
Given that human error was involved (opening an attachment) and Windows Defender did not protect the computer, would having any other anti-virus software installed have prevented this?
 
They are swines! Backup should be 2nd nature now as this has been around for quite some time.

With me, I don't keep any important files etc. on my PC.
 
Given that human error was involved (opening an attachment) and Windows Defender did not protect the computer, would having any other anti-virus software installed have prevented this?

Malwarebytes have a beta of some anti-ransomware. Defender will detect some attacks but not all, but that is the same for any protection software.
Andi.
 
There's a faint possibility that it's fake. The important thing is to turn off the PC, because it's encrypting more files in the background. If at all possible, remove the HDD and work on it on another PC.
 