Re: West Yorkshire Police Virus

Much appreciated Hayton

Hayton (Reliable Contributor)
Message 22 of 124

Re: West Yorkshire Police Virus

I've asked, not yet received an answer.

One thing I've found out is that Trojan.Encoder.94 almost certainly refers to a different version of ransomware, one which also encrypts files. This is the one that appends the 'EnCiPhErEd' suffix, and it came up in a thread in Security Awareness not long ago. This was the 'Koeserg (at) gmail.com' infection, and it shares some of the Police ransomware features - encryption and payment via Ukash. You can see how ideas and techniques are being tried out and copied - these people have their own forums for sharing ideas.

Dr Web, Kaspersky and others all say that ransomware has been a problem in Russia for some time but has only recently been adapted for other countries. The same people are behind most of the different versions of ransomware, they're almost certainly Russian or native Russian speakers, and they're making a lot of money out of it.

If you end up having to go to Dr Web, don't be too surprised: even the guys at MajorGeeks are sending people there.

Message was edited by: Hayton on 02/05/12 18:38:23 IST

Re: West Yorkshire Police Virus

I understand. Appreciate everything you have done, and continue to do, to assist in this matter.

Re: West Yorkshire Police Virus

And let me know if a "before" and "after" file would help; I can send something ASAP if so.

nit2k (Level 7)
Message 25 of 124

Re: West Yorkshire Police Virus

I forwarded the details to Dr Web; they have suggested that I report the details to the police. Still searching for a way to decrypt the file. It has screwed up some of my very important documents. Please update the thread if you get any clue about this virus.

Really appreciate your help

Regards

nit

glitton (Level 7)
Message 26 of 124

Re: West Yorkshire Police Virus

I've had a response from Dr.Web - they suggested that I inform the police, and sent me a link to download matsnu1decrypt.exe to decrypt the .docx files.

Trouble is, matsnu1decrypt.exe needs the original (unencrypted) file in order to decrypt the encrypted one.

Perhaps I'm missing something obvious here, but if I had an original (unencrypted) copy of the file, I wouldn't have a problem!

Hayton (Reliable Contributor)
Message 27 of 124

Re: West Yorkshire Police Virus

@glitton, that must mean they can't determine yet what encryption method was used for this. They might soon have something to work with.

Hayton (Reliable Contributor)
Message 28 of 124

Re: West Yorkshire Police Virus

@glitton, I was wrong about that. Dr Web is saying to everyone who asks about unlocking files that you need a pre-infection version of (one of) the files.

I'm reading through a load of stuff from a French site - someone by the name of malekai has been tracking all these different ransomware programs for months. I'll post some links here or in the blog. He's got screenshots of all the variants I've seen except the WYP one. He says there's no easy way to get around the encryption, unfortunately.

I've also found a site where the authors of the ransomware are talking to someone and letting slip details of the source code. There are at least two people writing the programs: Anton and Alexan(der). They're discussing (among other things) how to disable Windows functions to stop you killing the program once it starts running. Fascinating stuff.

nit2k (Level 7)
Message 29 of 124

Re: West Yorkshire Police Virus

I got mail from Alexander with the decryption key... Fortunately the virus encrypted my Driving License Application form; I downloaded the form again and used it as the original file, and it works.

Now the decryption key is running and it's doing something.

Thanks Hayton for all your help.

Alexander, you are a star. Hats off to you.

Thanks

Nit
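Editor's added illustration (not a post from this thread, and not Dr.Web's matsnu1decrypt.exe) of why both glitton's decryptor and nit2k's re-downloaded form needed a pre-infection copy of one file. It assumes a toy encryptor that XORs every file with a single reused keystream; the thread does not say what this ransomware actually did, so that design is an assumption made only for the demonstration. Under it, one known original XORed with its encrypted copy yields the keystream, which then decrypts any other file, but only up to the length of the known original.

```python
"""
Added illustration by the editor; not code from this thread and not
Dr.Web's matsnu1decrypt.exe.

ASSUMPTION (not stated anywhere on the page): the toy "ransomware" here
XORs every file with one reused keystream.  Under that assumption a single
pre-infection original is enough to recover the keystream, which is one
reason a decryptor might ask for an original/encrypted file pair.
"""
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode with a fixed nonce (deliberately flawed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encrypts with the SAME keystream for every file; that reuse is the flaw."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR encrypted == keystream (for that length)."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies must have the same length")
    return xor_bytes(original, encrypted)


def decrypt_with_known_plaintext(encrypted: bytes, ks: bytes) -> tuple[bytes, int]:
    """Returns (decrypted prefix, number of trailing bytes the keystream cannot reach)."""
    usable = min(len(encrypted), len(ks))
    return xor_bytes(encrypted[:usable], ks[:usable]), len(encrypted) - usable


DOCX_MAGIC = b"PK\x03\x04"  # a .docx is a ZIP container, so this is a cheap sanity check


def looks_like_docx(data: bytes) -> bool:
    return data.startswith(DOCX_MAGIC)


def demo() -> dict:
    """Walks through the recovery on constructed sample files."""
    key = os.urandom(16)  # the attacker's key; the victim never learns it

    # Constructed sample files (not real documents).  The "form" plays the role of
    # a file the victim can re-download; the .docx plays the role of a lost document.
    form = b"%PDF-1.4 constructed driving licence application form " + b"X" * 200
    docx = DOCX_MAGIC + b"constructed important document " + b"Y" * 500

    enc_form = toy_encrypt(form, key)
    enc_docx = toy_encrypt(docx, key)

    ks = recover_keystream(form, enc_form)          # needs the pre-infection copy
    recovered, missing = decrypt_with_known_plaintext(enc_docx, ks)

    return {
        "form_len": len(form),
        "docx_len": len(docx),
        "prefix_correct": recovered == docx[:len(ks)],
        "whole_file_recovered": recovered == docx,   # False: the known original was shorter
        "bytes_not_recoverable": missing,
        "looks_like_docx": looks_like_docx(recovered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from this toy design: a longer known original recovers more of every other file, and a decryptor built this way can never restore bytes beyond the length of the sample it was given. If the real malware had used a proper per-file key or a cipher without keystream reuse, a known original would give nothing at all; the thread does not establish which case applied here.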

Hayton (Reliable Contributor)
Message 30 of 124

Re: West Yorkshire Police Virus

@nit2k, what was the address you used for Dr. Web? The link I have for sending encrypted files came from MajorGeeks:

... get help from DrWeb's Vladimir Martyanov via their service at

    https://vms.drweb.com/sendvirus/?lng=en.

    Attach crypted doc and txt files.

Edit: There are 3 articles about the spread of this ransomware:

- April 12th: Trojan.Encoder Heads West
- April 19th: Trojan.Encoder habitat widens
- April 26th: Beware of dangerous Trojan in spam

The likeliest route for infection still seems to be P2P and file streaming : watch out for any site that says you need to load a codec or driver, or Flash needs an update, in order to view content.

Still no word from McAfee Labs, I'm afraid. Looks like Dr Web have this field to themselves for the time being.

Message was edited by: Hayton on 02/05/12 21:28:25 IST

Message was edited by: Hayton - to remove a duplicate link to Dr.Web - on 02/05/12 22:43:13 IST
