Viewing 13 reply threads
  • Author
    • #3409

      I have a customer whos laptop has been hit with some form of virus/script/whatever. The end result is that all the document (.doc, .ppt etc) and music files have been changed to an unreadable state.

      The initial symptom is that the files are renamed to xxxx.doc.NCRYPTED.NCRYPTED.NCYRPTED.NCRYPTED.ncrypted

      Renaming the file to remove the rubbish on the end makes no difference as the file is still unreadable – appears the file header has been altered perhaps?

      There is also a text file left behind with the following:

      “Some files on your machine are encrypted and your private informations were collected and sent to us.
      To decrypt files so you could use them again, you have to buy our decryptor.
      After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
      To buy decryptor, contact us at: or
      If you dont contact us, your private informations will be shared and you will loose all your data.”

      Normally, I would just run a format & reinstall the system but in this case the customer is desperate to keep their data since they have no backup.
      So far I have run multiple virus scans with NOD32 which has pulled off some 30+ infections. I have also run spyware scans but of course this has had no effect.
      Goggle has so far been unable to help and I’m not very confident of being able to get this resolved.

      Any ideas or help would be greatly appreciated! ???

    • #22349

      That is not good. I haven’t persionally seen ransomware but I have heard of it. Kaspersky cracked the easier keys, but the bad guys began using 1024 RSA for encryption so good luck.

      First, take the machine offline imediately and grab an image. If the malware isn’t the latest generation it may still contain the original files, but in unallocated space.

      Do you have any idea what “infections” the scan removed? Having those details may help you figure out exactly what you have been hit with.

    • #22350

      this kind of thing scares the hell out of me…  it’s no longer just a matter of wiping the virus off or reinstalling. 

      but I’ve always been calmed down when I think that all that needs to happen is for law enforcement to follow the money.  not sure how this would work internationally though…..

    • #22351

      Yup, these are some scary developments. However if  you follow best practice and backup (I know, there’s an elephant in the room…) then you can go back to wipe machine, restore backup (old enough not to be hijacked) and restore.

      User gets back online with minimal fuss and loss of work, gives you time to work out infection vector and mitigate (image of machine plus VM should help). With a bit of luck enough people dealing with Ransomware this way means the bad guys stop getting cash and give up on this business model.

      Additionally I’ve seen some ransomware knock-offs that have removed the link between .doc files and Word, along with a pop-up stating ‘you’re money or you files’. Those that know no better have been unable to open files with a double-click and paid up for the ‘fix’.

      Depending on the value of the data I’d suggest you could:

      • Contact law enforcement to handle the investigation, but I wouldn’t hold out much hopes of a result unless you work for a large company.
      • Hire a forensic guy/team to assist (or go solo if you’ve got the skills, just CYA)
      • Write off the data and reformat
      • Write off the loss and pay up (pride and ethics may get in the way here)
      • [s:3vqdm4p4]String up user to server as a warning…[/s:3vqdm4p4]

      Likely there’s nothing above you haven’t thought of, don’t think any of the above options are ‘good’. Ultimately this needs to be a decision that is best for the business as a whole, not a technical one.

      All the best with your problem, hope you get sorted.

    • #22352

      As for getting the data back, be sure to keep track of the malware before you clean it off of the machine. If you can find the particular nasty that was responsible for encrypting the data in the first place, then you stand a better chance of being able to undo the problem. If you really need the data back, this is the route that I would take.

    • #22353


      hey before having ur back up plz scan ur backup too as the virus or trojan might have been duplicated in ur actuall file name format… so better to check while taking the backup and retreving back the backup… todays trojan’s or worms are really smart 😛

    • #22354

      Hi Ne0,

      re-reading my post there is a fair amount that isn’t as understandable as I’d have liked.

      Checking backups before the restore was what I had meant by ‘old enough not to be hijacked’. Should be common practice but I know several people (myself included) who have been caught by the same issue.

      Thanks for catching the issue. I definitely wouldn’t want someone taking my advice word for word then complaining when they spent hours of work only to still be infected…


    • #22355

      i really agree with you , most of the time who are supposed to be taking care for others gets caught for them selfs …
      there is a saying, “in a world of Information Security, the only final sin is human stupidity…!”
      but its true , even i have caught with the same issues…
      we just need to alert always and bit more carefull..:)

    • #22356

      finally there is solution after i submit the sample files to Trend MicroUNISTLVWT16 detected in machine and they relased the pattern files 5.853 for the same. Unfortunately the deleted files cannot be recovered.
      The virus is termed as WORM_RANSOM.AQ by trend micro

    • #22357


      thanks for the update, I haven’t seen WORM_RANSOM.AQ around so I’ll keep my eye out for it. Can’t find much about it online, google shows a single site in foreign langauge (not sure which) and this tread. Do you know if this was a targetted attack at you employer or just something nasty that got you by accident?

      Best of luck with the clean-up

    • #22358

        Please find the url which will shows some details about the virus

    • #22359

      Thanks for the additional info. That’s a long list of file extensions that it encrypts 🙁

      Some of the recommendations for recovering original, non-encrypted versions of the files are interesting and not a possibility I had thought of. Just wonder how long it will be until the BadGuys[sup:4ezcpcu9]tm[/sup:4ezcpcu9] start scrubbing the original files rather than just deleting them though…

    • #22360

      BADGUYS were not always the badgusy, politics and there ppl make them for the cause of money , some do for fun and some do for revenge, and some do for there own business, this list might increase any time and might go to anylength, but who know there might be hidden stuff in the orginal files too, when ever there is positive there will always a negative for that, i just wonder wht the conficker might bring now…

    • #22361

      What would worry me the most in this situation, is the attacker talked about private information. I Would be worried about that, what do they consider private information. What did your client have on his computer that maybe would be more private than say login credential. Does your client hold any private personal records, that is what I would be worried about. Then unfortunately it is a lot scarier.

Viewing 13 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?