
Posted

From what I read on the web the situation is hopeless but thought I'd give this forum a whirl:

 

Does anybody have any suggestions for salvaging files that have been encrypted by the cerber ransomware?

 

Not my computer, fortunately, but a Cambodian coworker lost everything to these scoundrels and can hardly pay the ransom demanded. It affects not only him but the work of many other people as he is in charge of monitoring/evaluation for a large project.

 

Files in question are Word and Excel documents, Windows 7. It's an HP computer.

 

Already tried system restore, the ransomware blocks it. Tried a variety of other things and scoured the web. Seems there was a tool released in August to decrypt but the hackers already circumvented it, and nothing else is available.

 

Any ideas?

 

Posted

Depends re: the backup and what kind of backup. But if the system restore would include the files in question, if the restore isn't too old, you should be able to move the backup file containing the restore, presumably an image file, off the computer, wipe it, reinstall Windows, and restore the image file from the new install.

Posted (edited)

Please will you tell us the name of the NGO in question. There is a lot of bad feeling towards NGOs in Cambodia.

People might be more willing to help you if you can show yourselves to be one of the good guys.

Also there are all sorts of technical questions like:

If the files were so important, why did you not back them up?

And why were you not running a good antivirus like AVG,

which is being recommended on this forum?

And how did you acquire the virus in the first place: USB game, email, visit to a porno web site?

Just educate your people about the importance of security and tell them

not to do these things. It is difficult, I know,

and the temptation is to treat a computer like a new toy.

Edited by jobsworth
Posted
2 hours ago, Sheryl said:

It affects not only him but the work of many other people as he is in charge of monitoring/evaluation for a large project.

 

Could he not ask the project owners to help out with the payments ?

 

 

Posted

Hello,

 

First step is to stop the ransomware (antivirus, anti-ransomware).

 

Most ransomware deletes the original file after encrypting it. You might be lucky and recover them with a program like Recuva, UndeleteMyFiles or Disk Drill.

 

I can provide you a copy of "Recuva" if you need it (contact by PM) :whistling:
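The undelete approach in the post above, as an added example that is not part of the original post or of the tools it names: instead of relying on the filesystem's deleted-file entries (which is what undelete programs walk), it carves Word and Excel documents straight out of a raw disk image by their file signatures, which still works once the directory entries have been reused. It assumes you have already imaged the affected drive to a file and are running against that image, never the live disk; the image used here is constructed in memory, and the OLE2 carve cap (OLE_MAX_CARVE) is an assumed value. Carving only recovers a document whose sectors have not yet been overwritten, and the OLE2 carve is an over-carve because that format does not record its own length.

```python
"""Carve Word/Excel documents out of a raw disk image by file signature.
Added example, not from the thread. .docx/.xlsx are ZIP containers (local
header PK 03 04, end record PK 05 06); legacy .doc/.xls are OLE2 files
(header D0 CF 11 E0 A1 B1 1A E1). The sample image is constructed, not real.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OLE_MAX_CARVE = 4 * 1024 * 1024   # assumed cap for OLE2 over-carving

def _all_offsets(data, magic):
    pos = data.find(magic)
    while pos != -1:
        yield pos
        pos = data.find(magic, pos + 1)

def carve_zip(data, start):
    """ZIP container beginning at `start`, or None. Tries every EOCD record
    after `start` (22 bytes + comment length at its offset 20); a slice that
    starts at an inner member has negative entry offsets and is rejected."""
    eocd = data.find(ZIP_EOCD, start)
    while eocd != -1 and eocd + 22 <= len(data):
        comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
        blob = data[start:eocd + 22 + comment_len]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                if zf.testzip() is None:
                    return blob
        except (zipfile.BadZipFile, struct.error, ValueError, OSError, EOFError):
            pass
        eocd = data.find(ZIP_EOCD, eocd + 1)
    return None

def carve_ole(data, start, next_sig):
    """OLE2 blob at `start`, or None. The header stores no file length, so
    carve to the next signature (capped), trimmed to whole sectors; sector
    size is 2**shift, shift at header offset 30 (9 -> 512, 12 -> 4096)."""
    shift = struct.unpack_from("<H", data, start + 30)[0] if start + 32 <= len(data) else 0
    if shift not in (9, 12):          # 512- or 4096-byte sectors only
        return None
    sector = 1 << shift
    end = min(next_sig, start + OLE_MAX_CARVE, len(data))
    length = (end - start) // sector * sector
    return data[start:start + length] if length >= sector else None

def classify_zip(blob):
    """docx if the container has a word/ part, xlsx if xl/, else zip."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    if any(n.startswith("word/") for n in names):
        return "docx"
    return "xlsx" if any(n.startswith("xl/") for n in names) else "zip"

def carve_office(data):
    """Return [(offset, kind, blob), ...] for every document found in data."""
    sigs = sorted(p for m in (ZIP_LOCAL_HEADER, OLE_MAGIC) for p in _all_offsets(data, m))
    found, i = [], 0
    while i < len(sigs):
        off = sigs[i]
        nxt = sigs[i + 1] if i + 1 < len(sigs) else len(data)
        if data.startswith(ZIP_LOCAL_HEADER, off):
            blob = carve_zip(data, off)
            kind = classify_zip(blob) if blob else None
        else:
            blob = carve_ole(data, off, nxt)
            kind = "ole2" if blob else None
        if blob:
            found.append((off, kind, blob))
            while i + 1 < len(sigs) and sigs[i + 1] < off + len(blob):
                i += 1          # signatures inside a carved file are its members
        i += 1
    return found

def read_member(blob, name):
    """Read one part (e.g. word/document.xml) out of a carved ZIP document."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)

def build_sample_image():
    """Constructed image: filler, docx-like zip, OLE2 stub, xlsx-like zip."""
    def office_zip(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            for name, body in parts:
                zf.writestr(name, body)
        return buf.getvalue()
    docx = office_zip([("word/document.xml", "<w:document>survey results</w:document>")])
    xlsx = office_zip([("xl/workbook.xml", "<workbook/>"), ("xl/worksheets/sheet1.xml", "<sheet/>")])
    # OLE2 header: magic, 22 bytes CLSID/version/byte order, sector shift 9 (512), padded; plus one data sector
    ole = (OLE_MAGIC + bytes(22) + struct.pack("<H", 9)).ljust(512, b"\0") + b"\xab" * 512
    filler = bytes(range(256)) * 16      # 4 KiB, contains none of the signatures
    return {"image": filler + docx + filler + ole + filler + xlsx + filler,
            "docx": docx, "ole": ole, "xlsx": xlsx}
```

On a real case, read the image file in chunks or with a memory map rather than one `bytes` object, and write the carved blobs to a different drive than the one being examined.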

Posted

I have googled, extensively.

 

Consensus is that there are no tools that can decrypt. There was one, but they got around this.

 

This is not an NGO, not that it is anyone's business. It is a government office...which should pretty well answer most of the other non-IT questions asked.

 

Thanks for the suggestion Jedsada3 - already tried one program for restoring deleted files with no success but will try Recuva tomorrow.

 

Anti-virus and anti-malware programs have been installed and scans done etc. But that is locking the barn door....

 

 

Posted

How good are they with computers ?

 

If it was me I would make an exact copy or two on external hard drives,

one I would not touch, hoping later someone discovers a fix.

With another one I would try some of the fixes, but since they could erase everything you want a clean backup or two.

 

How much $$$$$ are they asking for ransom ?
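The two-copies procedure from the post above, as an added example that is not the poster's own method: one read pass produces both images while hashing the source, each copy is re-read from disk and checked against that hash, the master is set read-only, and a later write to the working copy shows up as a mismatch on re-verification. The source path stands in for the raw device (which needs administrator rights and a block-level read on the real machine); here the "drive" is a constructed temporary file, and the file names are assumptions.

```python
"""Image a drive twice, verify both copies by hash, and lock one as the master.

Added example, not from the thread. `src` stands for the raw device (on
Linux something like /dev/sdb, which needs root); here it is a constructed
temporary file so the example runs anywhere. The master copy is made
read-only; recovery tools are only ever pointed at the working copy.
"""
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 20   # 1 MiB reads


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_twice(src, master, working):
    """Stream src into both destinations in one read pass; return src's SHA-256."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(master, "wb") as m, open(working, "wb") as w:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            m.write(chunk)
            w.write(chunk)
        for out in (m, w):           # make sure the bytes reached the disk
            out.flush()
            os.fsync(out.fileno())
    return h.hexdigest()


def verify_copies(expected, *paths):
    """Re-read each copy from disk; {basename: True/False} against the source hash."""
    return {os.path.basename(p): sha256_file(p) == expected for p in paths}


def lock_master(path):
    """Strip write bits from the master image; True if the mode is now r--r--r--."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return stat.S_IMODE(os.stat(path).st_mode) == 0o444


def run_demo(workdir=None):
    """Image a constructed 2 MiB 'drive', verify, lock, then show that a
    later write to the working copy is caught by re-verification."""
    d = workdir or tempfile.mkdtemp(prefix="cerber-case-")
    src = os.path.join(d, "victim-disk.raw")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 8192)           # constructed drive contents
    master = os.path.join(d, "master.img")
    working = os.path.join(d, "working.img")
    digest = image_twice(src, master, working)
    before = verify_copies(digest, master, working)
    locked = lock_master(master)
    with open(working, "r+b") as f:                 # a recovery tool touches the working copy
        f.write(b"\xff")
    after = verify_copies(digest, master, working)
    return {"digest": digest, "before": before, "locked": locked, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Record the source digest somewhere off the machine; it is what lets you prove, months later, that the cold-storage copy is still byte-for-byte the drive as it was found.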

Posted

I was ransomwared, but by changing user I was able to carry on as normal. I gather that is not a normal fix, and it takes more than that usually, but it worked for me. Perhaps all ransomware is not the same. I spoke to my friendly tech guy, and he was saying it is normally a very complicated process to get rid of it.

 

I am puzzled, though, as why your friend hadn't backed everything up on a removable drive every day, especially as it was important? I thought everyone knew to do that.

I am backed up on 5 different external drives.

Posted
22 hours ago, Sheryl said:

I have googled, extensively.

 

Consensus is that there are no tools that can decrypt. There was one, but they got around this.

 

This is not an NGO, not that it is anyone's business. It is a government office...which should pretty well answer most of the other non-IT questions asked.

 

Thanks for the suggestion Jedsada3 - already tried one program for restoring deleted files with no success but will try Recuva tomorrow.

 

Anti-virus and anti-malware programs have been installed and scans done etc. But that is locking the barn door....

 

 

Are you saying he didn't even have anti virus on his computer?

Posted

I suffered a similar attack in April this year. I lost 1.25 million un-backed-up files, some over 20 years old. The backups of my older files mostly worked, but the big losses were current files which had been continuously used but whose backups were more than a month old. The crypto key could not be found and negotiation with the "Owner" just resulted in the reduction of their ransom price to $3,800 USD.

It usually does no good to recover these files because the recovery key sets the virus into the data somehow and even if you reformat the drive, or use a 3 stage proxy plan to copy your data back, the virus returns after 14 - 28 days and demands another payment.

Posted
4 hours ago, kevin2852 said:

 

It usually does no good to recover these files because the recovery key sets the virus into the data somehow and even if you reformat the drive, or use a 3 stage proxy plan to copy your data back, the virus returns after 14 - 28 days and demands another payment.

What is 3 stage proxy plan?

Posted

The 3 stage proxy is to first create a proxy drive on another machine as stage 1. Then restore your data into the new proxy, fully disinfect it and sieve the data looking for any file which may have changed. The normal attack phase is to take a regular Windows file which is not much used and then to alter it slightly to include the bogus algorithm and then save it back to the drive with its original name. These are always just a couple of hundred bytes larger than the original, so by comparing the size of the file you can delete most faulty files. Then stage 3 is to manually copy back the sieved and filtered data from the proxy and reinstall it into the new Windows file on a reformatted drive.

 

Slow, tedious and mind-blowingly effective, except for this one. It actually seems to modify one of the driver files in Windows, perhaps even in the video driver. I have not been able to find any trace of it but I know it is there somewhere, and somehow it is transferred with the data to the new copy. Many thousands of people around the world have a hard drive in cold storage waiting for someone to crack the encryption, but after 3 years we are all still waiting. The Owner is a company registered in Cyprus who seems to be completely immune to any form of illegality charge. I have a frozen copy of the virus injector in safe storage if anyone wants to play with it.
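The sieve step of the procedure in the post above, as an added example that is not the poster's own tooling: it builds a size-and-hash manifest of a trusted baseline tree and of the restored tree, then reports what is unchanged, modified (with the size delta in bytes), added, or missing. Hash rather than size decides "modified", since a file can be altered without growing; the delta is still reported for the few-hundred-bytes-larger pattern the post describes. Both trees and every file in them are constructed in a temporary directory; a real baseline would be a pre-incident backup or a clean install of the same files.

```python
"""Sieve a restored data tree against a trusted baseline by size and hash.

Added example, not from the post. The baseline would be a pre-incident
backup or a clean install of the same files; both trees here are
constructed in a temp directory. Hash decides 'modified', because a file
can be altered without changing size; the size delta is reported too
since the post keys on files that grew by a few hundred bytes.
"""
import hashlib
import os
import tempfile


def manifest(root):
    """{relative path: (size, sha256)} for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            out[rel] = (os.path.getsize(p), h.hexdigest())
    return out


def sieve(baseline, restored):
    """Classify files in the restored manifest against the baseline manifest."""
    report = {"unchanged": [], "modified": {}, "added": [], "missing": []}
    for rel, (size, digest) in sorted(restored.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][1] == digest:
            report["unchanged"].append(rel)
        else:
            report["modified"][rel] = size - baseline[rel][0]   # bytes grown (+) or shrunk (-)
    report["missing"] = sorted(set(baseline) - set(restored))
    return report


def build_sample_trees(root):
    """Constructed baseline and restored copies of a small Windows-like tree."""
    files = {
        "Windows/System32/good.dll": b"A" * 1000,
        "Windows/System32/grown.dll": b"B" * 1000,
        "Users/me/Documents/report.docx": b"PK" + b"C" * 300,
        "Users/me/Documents/same-size.xlsx": b"D" * 400,
        "Users/me/Documents/lost.doc": b"E" * 200,
    }
    changes = {
        "Windows/System32/grown.dll": b"B" * 1000 + b"X" * 200,   # grew by 200 bytes
        "Users/me/Documents/same-size.xlsx": b"D" * 399 + b"Y",    # same size, different content
        "Users/me/Documents/lost.doc": None,                       # did not make it back
        "Windows/Temp/dropped.exe": b"M" * 50,                     # not in the baseline
    }
    base, rest = os.path.join(root, "baseline"), os.path.join(root, "restored")
    for tree, src in ((base, files), (rest, {**files, **changes})):
        for rel, body in src.items():
            if body is None:
                continue
            path = os.path.join(tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
    return base, rest


def run_demo():
    root = tempfile.mkdtemp(prefix="sieve-")
    base, rest = build_sample_trees(root)
    return sieve(manifest(base), manifest(rest))


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Run `manifest()` on the baseline while it is still known-good and keep that manifest off the machine; a manifest taken from a tree that is already suspect proves nothing.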

Posted

You might ask this person if he knows the key for your friend's encrypted files.

The tweet was re-tweeted by @mikko, who is a long term security and antivirus expert from F-secure.

 

 

 
