nit2k
Level 7
Message 31 of 124

Re: West Yorkshire Police Virus


I have directly used their email address ..@drweb.com

gizmagis
Level 11
Message 32 of 124

Re: West Yorkshire Police Virus


Hi folks...

UnF***believable... IT WORKED !!!

20 GB of files unencrypted !

I thought I would never solve this for our customer....

THANKS AGAIN !

Hayton
Reliable Contributor
Message 33 of 124

Re: West Yorkshire Police Virus


@All : I heard back from McAfee. Not the best of news - decryption might be possible but would be too time-consuming and expensive. What little I know about cryptography backs that up - unless you already have a shrewd idea of the method used for encryption you have to throw a lot of resources at the problem. I wonder if Dr.Web - a Russian outfit - have somehow managed to tap into the Russian-language underground forums and pick something up that gave them a clue? It's one of the things that Brian Krebs manages to do quite often, and researchers share information all the time, so it's possible.

Edit - Yes, yes, of course, as was pointed out to me, if you have a before- and after-infection file the decryption is easy enough provided that there has only been one encryption pass. There are ways to complicate the process so that you can't just do a simple transposition but they take longer and won't be used in most of the cases we're likely to see. I make no comment as to why in that case the file fix isn't being offered by McAfee. Perhaps it will be, if any of their business customers fall foul of this.

For the moment Dr.Web is the best bet for anyone with encrypted files - if, it must be said, you've got backup copies of at least some of them.

The Malakai material and the chats with the (supposed) authors of this ransomware will have to go into the blog. A pity that I'm not going to be around much for the next couple of days, but duty calls elsewhere. I'll catch up as and when I can.

Message was edited by: Hayton on 03/05/12 01:30:53 IST

glitton
Level 7
Message 34 of 124

Re: West Yorkshire Police Virus


Quick update...

I've now found an old (unencrypted) copy of just one of the files.

Good news -- feeding that into matsnu1decrypt.exe was enough for it to decrypt all 300-odd affected files. (My daughter wasn't best pleased at having "lost" all of her A level coursework etc, but she's a very happy bunny again now!)

cheers.

overc
Level 7
Message 35 of 124

Re: West Yorkshire Police Virus


I have been reading the thread with horror, as I work in my office here, knowing what awaits me at home. My home computer was infected with this virus, and it is a (German splash start-up page after the log-on screen) variant. Yes, encryption has taken place on a lot of the files; I just finished finding a rescue disk to start up my computer from and get the restoration process going.

Glitton, a summarized explanation of what steps you followed would do a world of good to someone who has almost 20 years of photographs and videos from the family on the verge of meeting the electronic afterlife.


nit2k
Level 7
Message 36 of 124

Re: West Yorkshire Police Virus


@Johnny Appleseed download the decryptor from ftp://ftp.drweb.com/pub/drweb/tools/matsnu1decrypt.exe, and provide an encrypted file and the original file. It will decrypt all the encrypted files on the computer. This is what I did.

overc
Level 7
Message 37 of 124

Re: West Yorkshire Police Virus


Thank you so much Nit2k. Basically that's all I wanted, the link for the decrypter. Hopefully I will have no problem booting to get a stable enough place to run the decrypter from.

Crossing fingers.

Hayton
Reliable Contributor
Message 38 of 124

Re: West Yorkshire Police Virus


Thanks, nit2k.  I'm sure there are (or will be) others who appreciate that advice.

The authors haven't gone for anything complicated, then. The same decryption works for all the files. They could so easily have made it a lot more difficult ...

Message was edited by: Hayton on 03/05/12 15:14:56 IST

glitton
Level 7
Message 39 of 124

Re: West Yorkshire Police Virus


Hayton wrote:

Thanks, nit2k.  I'm sure there are (or will be) others who appreciate that advice.

The authors haven't gone for anything complicated, then. The same decryption works for all the files. They could so easily have made it a lot more difficult ...

The info from Dr.Web that made it clear to me:

---x---

This trojan uses RC4 encryption and derives the encryption key from the md5 hash of a random string with a fixed prefix. It doesn't store the decryption key on the PC after encryption. You just have to find an original file. Maybe you have an encrypted manual whose original can be downloaded, or some encrypted photo which is still preserved on the camera's memory stick, or maybe binary files of some software were encrypted and you can find the original installer of that software - anything will do.

---x---
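An added example (not the thread's code and not Dr.Web's tool) showing why Hayton's "before- and after-infection file" remark and the Dr.Web note above amount to the same thing: RC4 is a stream cipher, so each ciphertext is plaintext XOR keystream, and one key means every file shares the same keystream. The fixed prefix, the function names and the sample files are all invented for this demo.

```python
import hashlib
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(random_part: bytes, prefix: bytes = b"DEMO-PREFIX-") -> bytes:
    """md5(fixed prefix || random string), as the Dr.Web note describes.
    The prefix value is invented for this demo; the real one is not on the page."""
    return hashlib.md5(prefix + random_part).digest()

def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Stream cipher: C = P xor KS, so one original file gives KS = P xor C."""
    return xor_bytes(known_plain, known_cipher)

def decrypt_with_keystream(cipher: bytes, keystream: bytes) -> bytes:
    """In this keystream-reuse demo only as many bytes as the known pair
    covers can be restored, so a sizeable original file is the useful one."""
    if len(keystream) < len(cipher):
        raise ValueError(f"known pair covers {len(keystream)} of {len(cipher)} bytes")
    return xor_bytes(cipher, keystream)

def demo() -> bytes:
    # Constructed sample files; the key is random and never stored, as in the thread.
    photo = b"JPEG-like bytes of a photo still on the camera card. " * 4
    coursework = b"A-level coursework: the file we actually want back."
    ks = rc4_keystream(derive_key(os.urandom(16)), max(len(photo), len(coursework)))
    enc_photo, enc_coursework = xor_bytes(photo, ks), xor_bytes(coursework, ks)  # one pass
    # The victim still has the original photo -> keystream -> every other file.
    return decrypt_with_keystream(enc_coursework, recover_keystream(photo, enc_photo))
```

This is also why Hayton's "only one encryption pass" caveat matters: a second pass with a different key would change the keystream and the simple XOR recovery would no longer line up.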


Re: West Yorkshire Police Virus


This fix totally worked and my files are getting decrypted now! Thank you so much everyone for the help!

Of course, I am being sure to save all my stuff in FOUR different places now, and it seems I have to keep my system hard drives as blank as possible in case this ever happens again. I fear this stuff is only going to get more complex and difficult to stop.

One last thing: once it decrypts, it seems to leave the locked file behind, so I am having to delete the locked files manually so my HD doesn't fill up while it is essentially "doubling" the space. Is there a fix to eliminate the locked files automatically, or am I being greedy?

Thanks everyone who helped