primo
18-05-2016, 10:53
I have discovered that a .crypt extension was added to about half of my files (pdf, djvu, txt, zip, rar) but not to epub, html, mht, audio, video, pictures, exe, com.
There is a file !Recovery_8D6DB179AF8B.txt/html added to every destroyed folder that contains this message:
-----------------------------------------
@@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com
@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server
@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID: 8D6DB179AF8B
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://x (http://xxxxx)xxxxx
2 - http://x (http://xxxx)xxxxx
3 - http://x (http://xxxx)xxxxx
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.x (http://www.xxxxx)xxxx
2 - After a successful installation, run the browser
3 - Type in the address bar - http://x (http://xxxxx)xxxxx
4 - Follow the instructions on the site
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.
---------------------------------------------------------------------
Since I have thousands of pdf, djvu, txt files, I wonder if this action began more than 2 days ago, when I felt the computer was too slow at a certain moment while I was running Tor Browser on archive.org (archive.org blocked me, so I have used Tor Browser for about two weeks to access archive.org).
Usually my C:\ primary drive running Windows XP is protected with an old version of Returnil Virtual System, so no files are damaged on it; it is only all the other partitions, 2 primary and 2 logical and one small one for Returnil. What was infected almost totally is the primary partitions and, to a lesser degree, the other 2 logical partitions.
What makes me suspect the attack was through Tor Browser is that I was running Tor Browser when I first noticed the slowness, and interestingly the message the criminals leave suggests downloading and installing tor-browser. The message file !Recovery_8D6DB179AF8B.txt date is 09 Jan 1601 while the !Recovery_8D6DB179AF8B.html date is 12 March 1601 for all the folders with the same file name.
I have installed Avast and it seems to have removed some dangerous files, because the adware was removed from the web pages. But I don't know if keeping the *.crypt files is safe, because I need their names to recover them from the external hard drive.
A typical pdf file has something like %PDF-1.6 on its first line, but a pdf.crypt has random characters, so removing the .crypt extension will not make the pdf available.
For 2 days now I have seldom connected to the web.
It seems that the exe which changed all these files was very busy, and I can't believe this happened in one day every time I ran Tor Browser over 2 weeks. It is not possible that the exe was installed on my C:\ because no files were damaged on my C:\, which is protected by Returnil.
Long story, but it may be useful: everyone must back up his files on other media than his PC.
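The header check the poster describes (a real PDF starts with %PDF, a .crypt copy does not) and the 1601 dates on the ransom notes both lend themselves to a small triage script, which is useful when deciding which .crypt files are merely renamed and which must be restored from the external backup. The following is an added example, not code from the original post or from any vendor tool; the file names, byte contents and timestamps in it are constructed, the signature table is the standard set of magic bytes for the formats the poster lists, and the entropy threshold of 7.5 bits per byte is an assumption chosen to separate ciphertext from ordinary text.

```python
import math
import random
from collections import Counter
from datetime import datetime, timezone

# Standard file signatures for the formats the poster reports as hit.
# zip also covers epub/docx containers; only the first bytes are compared.
MAGIC = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "djvu": b"AT&TFORM",
}

ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above this looks like ciphertext

# Windows FILETIME counts 100 ns ticks since 1601-01-01; a file dated close to
# that epoch had its timestamp zeroed or overwritten, not set by a real clock.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, well
    below that for text and most document formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, expected_ext: str) -> str:
    """Decide whether the payload of '<name>.<ext>.crypt' still carries the
    original format (only renamed) or has genuinely been scrambled."""
    sig = MAGIC.get(expected_ext.lower())
    if sig and data.startswith(sig):
        return "intact"  # header survives: removing .crypt would restore it
    # Note: zip/rar are compressed and already near 8 bits/byte, so for them
    # the missing header, not the entropy, is the decisive evidence.
    if shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        return "encrypted"  # no header and near-random bytes
    return "unknown"


def triage(samples):
    """Map each *.crypt name to its classification; other files are skipped."""
    report = {}
    for name, data in samples:
        if not name.endswith(".crypt"):
            continue
        base = name[: -len(".crypt")]
        ext = base.rsplit(".", 1)[-1] if "." in base else ""
        report[name] = classify(data, ext)
    return report


def is_filetime_epoch_artifact(ts: datetime, window_days: int = 365) -> bool:
    """True when a timestamp sits within a year of the FILETIME epoch."""
    return 0 <= (ts - FILETIME_EPOCH).days <= window_days


def flag_timestamps(timestamps: dict) -> dict:
    """Return {name: True} for every file whose date is an epoch artifact."""
    return {name: is_filetime_epoch_artifact(ts) for name, ts in timestamps.items()}


# Constructed inputs: one genuinely scrambled file (seeded pseudo-random bytes
# stand in for ciphertext), one file that was only renamed, one untouched file.
_rng = random.Random(1)
SAMPLES = [
    ("paper.pdf.crypt", bytes(_rng.getrandbits(8) for _ in range(4096))),
    ("renamed.pdf.crypt", b"%PDF-1.6\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\n"),
    ("notes.txt", b"plain text, never touched\n"),
]

# Constructed timestamps matching the dates the poster observed on the notes.
SAMPLE_TIMESTAMPS = {
    "!Recovery_8D6DB179AF8B.txt": datetime(1601, 1, 9, tzinfo=timezone.utc),
    "!Recovery_8D6DB179AF8B.html": datetime(1601, 3, 12, tzinfo=timezone.utc),
    "post.txt": datetime(2016, 5, 18, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
    for name, flagged in flag_timestamps(SAMPLE_TIMESTAMPS).items():
        print(f"{name}: {'FILETIME epoch artifact' if flagged else 'normal date'}")
```

Run against a real tree, `SAMPLES` would be replaced by reading the first few kilobytes of each file and `SAMPLE_TIMESTAMPS` by the modification times from the file system; files reported as "intact" are candidates for a simple rename, while "encrypted" ones are worth keeping only as a name list for matching against the backup.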