Much appreciated Hayton
I've asked, not yet received an answer.
One thing I've found out is that Trojan.Encoder.94 almost certainly refers to a different version of ransomware, one which also encrypts files. This is the one that appends the 'EnCiPhErEd' suffix, and it came up in a thread in Security Awareness not long ago. This was the 'Koeserg (at) gmail.com' infection, and it shares some of the Police ransomware features - encryption and payment via Ukash. You can see how ideas and techniques are being tried out and copied - these people have their own forums for sharing ideas.
Dr Web, Kaspersky and others all say that ransomware has been a problem in Russia for some time but has only recently been adapted for other countries. The same people are behind most of the different versions of ransomware, they're almost certainly Russian or native Russian speakers, and they're making a lot of money out of it.
If you end up having to go to Dr Web don't be too surprised : even the guys at MajorGeeks are sending people there.
Message was edited by: Hayton on 02/05/12 18:38:23 IST
I understand. Appreciate everything you have done, and continue to do, to assist in this matter,
and let me know if a "before" and "after" file would help. I can send something ASAP if so.
I forwarded the details to Dr Web; they have suggested that I report the details to the police. Still searching for a way to decrypt the file. It screwed up some of my very important documents. Please update the thread if you get any clue about this virus.
Really appreciate your help
Regards
nit
I've had a response from Dr.Web - suggested that I inform the police, and sent me a link to download matsnu1decrypt.exe to decrypt the .docx files.
Trouble is, matsnu1decrypt.exe needs the original (unencrypted) file in order to decrypt the encrypted one.
Perhaps I'm missing something obvious here, but if I had an original (unencrypted) copy of the file, I wouldn't have a problem !
@glitton, that must mean they can't determine yet what encryption method was used for this. They might soon have something to work with.
@glitton, I was wrong about that. Dr Web is saying to everyone who asks about unlocking files that you need a pre-infection version of (one of) the files.
I'm reading through a load of stuff from a French site - someone by the name of malekai has been tracking all these different ransomware programs for months. I'll post some links here or in the blog. He's got screenshots of all the variants I've seen except the WYP one. He says there's no easy way to get around the encryption, unfortunately.
I've also found a site where the authors of the ransomware are talking to someone and letting slip details of the source code. There are at least two people writing the programs : Anton and Alexan(der). They're discussing (among other things) how to disable Windows functions to stop you killing the program once it starts running. Fascinating stuff.
I got mail from Alexander with the decryption key.... Fortunately the virus encrypted my Driving License Application form; I downloaded the form again, used it as the original file, and it works.
Now the decryption key is running and it's doing something.
Thanks Hayton for all your help.
Alexander, you are a star. Hats off to you.
Thanks
Nit
@nit2k, what was the address you used for Dr. Web? The link I have for sending encrypted files came from MajorGeeks :
... get help from DrWeb's Vladimir Martyanov via their service at
https://vms.drweb.com/sendvirus/?lng=en.
Attach crypted doc and txt files.
Edit : There are 3 articles about the spread of this ransomware :
- April 12th : Trojan.Encoder Heads West,
- April 19th : Trojan.Encoder habitat widens,
- April 26th : Beware of dangerous Trojan in spam
The likeliest route for infection still seems to be P2P and file streaming : watch out for any site that says you need to load a codec or driver, or Flash needs an update, in order to view content.
Still no word from McAfee Labs, I'm afraid. Looks like Dr Web have this field to themselves for the time being.
Message was edited by: Hayton on 02/05/12 21:28:25 IST
Message was edited by: Hayton - to remove a duplicate link to Dr.Web - on 02/05/12 22:43:13 IST