Author Topic: Ransomware virus, help please

REDACTED

  • Guest
Ransomware virus, help please
« on: July 31, 2016, 02:37:04 AM »
Hi,

a few days ago Avast free edition (which I have satisfactorily used for around 8 years) warned me of a malware stopped "just in time".
Today I realised all my Windows 7 SP1 PC directories contained a @README.HTML file which, when opened in the Chrome browser of my other Linux OS (I have a multi-boot PC, Windows and Linux), stated that my files were strongly encrypted and gave me directions on how I could get the password to decrypt them back by paying some bitcoins.
I didn't notice any encrypted files, so I thought it must have been the malware Avast stopped a few days earlier; I kept a copy of the @README.HTML file and sent Avast Lab a msg explaining what happened, attaching the stopped malware dll from the virus chest.
In the evening I found some 50% of all my HD files encrypted, with long hexadecimal names and extensions.
I quit Windows and now from Linux I'm writing this msg.
I tried to identify the ransomware using https://id-ransomware.malwarehunterteam.com/ but it says it's an unknown virus at the moment, and to back up my encrypted files and hope someday a decrypter is released.

As of now I'm not sure at all it was the malware Avast stopped some days ago, even if the creation date and time of all the @README.HTML files is almost exactly (a few seconds difference) the one from the Avast virus chest; the latter makes it quite likely, but it would mean Avast failed to actually stop it.

I'm going to back up everything, encrypted and not, on a USB external disk from Linux and then reinstall Win7. :'(

Anybody else faced this virus, some help from the avast team?

TIA and best regards
Vik   
« Last Edit: July 31, 2016, 10:38:57 AM by xllc »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Ransomware virus, help
« Reply #1 on: July 31, 2016, 07:49:18 AM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: Ransomware virus, help
« Reply #2 on: July 31, 2016, 10:37:58 AM »
Hi,

thanks for reply.
I tried the site you pointed out, filled in what was asked at https://www.nomoreransom.org/crypto-sheriff.php twice, but it does nothing, it just reloads the home page with no answer.

I sent yesterday (before realizing the virus was up and running, encrypting my HD) a report to the Avast virus lab from my Avast copy itself, describing what happened and attaching to the report what I am 90% sure is the virus dll which did that.
My Avast account has the same email as the Avast registered free edition from which I sent the report, thus you could track me down.
Any idea, from that, about the ransomware virus type and a possible solution to decrypt my files back?

I won't pay a single bitcoin to those guys, but at the moment I cannot even log in to my Windows 7 OS because the virus would just finish the work with the rest of my precious data files.

I will back up every Windows 7 partition's data files (virus-encrypted ones too, in case of a future decrypter release), logging in from my other Linux OS partition only, to an external HD (long and painful, but the only solution I can see as of now) and then format and re-install Win7.

Any better ideas?
Is Avast interested in this, presumably brand new, very dangerous ransomware virus?
How to collaborate to defeat it and have back the precious data without paying those bandits?
Just tell me, please.

Thanks for your time,
Vik
« Last Edit: July 31, 2016, 10:45:12 AM by xllc »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Ransomware virus, help please
« Reply #3 on: July 31, 2016, 10:46:23 AM »
https://www.nomoreransom.org/decryption-tools.html
If those tools can't decrypt the files and you do not have a clean backup, consider them lost.

The page you mentioned is working fine for me.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Ransomware virus, help
« Reply #4 on: July 31, 2016, 10:51:02 AM »
Quote
I've sent yesterday (before realizing the virus was up and running, encrypting my HD) a report to the Avast virus lab from my Avast copy itself describing what happened and attaching to the report what I am 90% sure is the virus dll which did that.
As you submitted it, wait for a reply from the viruslab.
But be patient, it's weekend... ;)

REDACTED

  • Guest
Re: Ransomware virus, help please
« Reply #5 on: July 31, 2016, 11:02:19 AM »
Thanks very much you both guys :-)

I don't know why that page shows nothing when I upload the two requested encrypted files and the ransom instructions file as asked and hit the "Go find it!" button.
I tried it twice; it just reloads the home page with no additional msg.

I'm not impatient, sorry if I may sound like that :-), I just wanted to know if Avast was willing to have a look into this and how I could help.

I'll never pay those guys, whatever happens to my files.
I'll try with the tools you pointed out.
They are important work files and if it doesn't work I'll try to get them back as much as I can from backups and PCs at workplace.

Thanks for your help and time
Vik

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Ransomware virus, help please
« Reply #6 on: July 31, 2016, 11:10:44 AM »
You're welcome and good luck.

REDACTED

  • Guest
Re: Ransomware virus, help please
« Reply #7 on: July 31, 2016, 03:19:50 PM »
Hi,

I would like to add a few questions:

I'm proceeding with backing up salvaged files and I noticed that in some directories, while all other files are encrypted, the exe files, installation executables and VMware virtual machine files look untouched by the virus.
Is it possible that they have been infected and left there on purpose? I know it is possible; I'd like to know whether it is probable that this kind of virus does such a thing and, in that case, if there's a way to check those files for a potential infection.
As of now I'm backing up such files in a directory named "Potentially_Unsafe" to look at later.
Is there a way to remove the virus from the infected Win7 partition so as to have a chance to run a scan with Avast when its virus database gets updated for this specific virus?
In such a case, would Avast be able to detect a change in the former executable files so as to see if they are infected? In particular vmdk VMware virtual machine disk files (even if not strictly executable files)?

I know it's hard to say for an unknown virus; I'd just like to know if, for similar already-known viruses and by common sense, this kind of infection has already occurred in the past, if such doubts are reasonable and how to go about solving the problem.

Thanks for any insights and help you may give me.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Ransomware virus, help please
« Reply #8 on: July 31, 2016, 03:37:05 PM »
Quote
in case if there's a way to check those files against a potential infection.
You can upload and test suspicious files here >  www.virustotal.com  /  www.metadefender.com  /  www.jotti.org

If the file has been scanned before, always click rescan for a fresh result; there may be changes in the scan result, additional detections added or false positive detections removed.

« Last Edit: July 31, 2016, 04:31:04 PM by Pondus »

REDACTED

  • Guest
Re: Ransomware virus, help please
« Reply #9 on: July 31, 2016, 03:49:37 PM »
Thanks for reply,

some of them are huge files (several GB for the VMware vmdk disk files), which makes them unfeasible to upload.
Furthermore they contain confidential work information, so I'd rather prefer an offline solution.

What do you mean exactly by "rescan", do you mean if they were scanned before by Avast? And if yes, where should I find this "rescan" option/command?

For the future, are you aware of any Windows software to make an md5 so as to check later, or should I do it from Linux?
Is this already an Avast feature?

Thanks
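The "make a hash now so I can check later" idea from the post above, as an added example that is not part of the thread and not an Avast feature: a small Python 3 script (assumed to be available on either the Windows or the Linux side) that records a SHA-256 baseline of a directory tree and later reports which files changed, disappeared or appeared. Files are hashed in chunks so multi-GB vmdk images are not loaded into memory; the sample tree in `demo()` is constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB .vmdk files never sit in RAM

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_manifest(manifest, out_path):
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def verify(root, baseline):
    """Diff the tree under root against a saved baseline: changed, gone and new files."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "tool.exe").write_bytes(b"MZ constructed original tool")
        (root / "disk.vmdk").write_bytes(b"KDMV constructed virtual disk")
        (root / "notes.txt").write_bytes(b"constructed document")
        manifest_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_file)  # snapshot taken while clean
        # later: one executable silently replaced, one file gone, one ransom note dropped
        (root / "bin" / "tool.exe").write_bytes(b"MZ constructed modified tool")
        (root / "notes.txt").unlink()
        (root / "@README.HTML").write_text("constructed ransom note")
        return verify(root, load_manifest(manifest_file))
```

A matching hash only proves a file is unchanged since the baseline was taken, so the baseline itself must come from a system known to be clean and be stored off the machine (for example on the external disk).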

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Ransomware virus, help please
« Reply #10 on: July 31, 2016, 04:13:48 PM »
Quote
What do you mean exactly for "rescan", you mean if they were scanned before by Avast?
No, by the online scanner.

example: uploading a random file from my computer's windows system32 folder

as you see from the scan time, it was done 8 months ago
https://www.virustotal.com/en/file/8728c02322fba1be78755606e4f6b725d19d3772b93ef23588e5125a1378c206/analysis/

here after rescan you can see the scan time was 0 minutes ago
https://www.virustotal.com/en/file/8728c02322fba1be78755606e4f6b725d19d3772b93ef23588e5125a1378c206/analysis/1469974245/

extra file info is found using the additional tabs, like who made it / digitally signed / first time scanned by VT .... and lots more

also use the tabs at the top to find FAQ info about virustotal, change language .....

« Last Edit: July 31, 2016, 04:29:18 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Ransomware virus, help please
« Reply #11 on: July 31, 2016, 04:17:50 PM »
seems the scan time was changed to latest on both links because I had two tabs open on the same file scan; if you click the additional tab and scroll down you find first time scanned by VT

anyway that's how it works, just try with a random system file.
The popup box will have the option to view the latest scan result or rescan if scanned before

files detected by Advanced heuristic and reputation engines and monitored by cloud systems will show at the bottom under the additional info tab

example can be seen here > click the additional information tab and scroll down
https://www.virustotal.com/en/file/47b8db81218cdb7469486b7727b689db061369dc3622e12dff404be98aadc924/analysis/

« Last Edit: July 31, 2016, 04:36:12 PM by Pondus »

REDACTED

  • Guest
Re: Ransomware virus, help please
« Reply #12 on: July 31, 2016, 04:26:48 PM »
Thank you,

I'll give it a shot :D

REDACTED

  • Guest
Re: Ransomware virus, help please
« Reply #13 on: August 03, 2016, 11:26:13 PM »
Still got no reply from the Avast team.
Not interested in such a virus?
How to know if they are looking into this?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Ransomware virus, help please
« Reply #14 on: August 04, 2016, 08:28:49 AM »
avast only contacts you if they need/want more information about the file(s) you have submitted.

Quote
Furthermore they contain confidential work information, so I'd rather prefer an offline solution.
The mentioned online scanners don't care what information is in the file(s).
They just check for (possible) malware.
Best offline solution > format the drive(s) and start from scratch.