Rocco, posted April 29, 2016:
The decrypter could not determine a valid key for your system. Tried to use decrypt_autolocky. Virus was activated on one workstation (Windows 10) but infected files on the server (Server 2008 R2). Where do I run the decryption tool? Running it on the server gives me "key file not found". I would like to run a test first to see what happens to the data. If someone could tell me where and how to look for the key file it would be helpful. I am working on a dental system and trying to unlock digital image files. Of course the locky disabled the shadow copies and the backup has not run since last July. Yes, they are in trouble, so if anyone has any useful info please advise.
Elise, posted April 29, 2016:
Hello, I'm sorry to hear about this. To confirm this is indeed AutoLocky, can you let me know what the name of the ransom notes is and how the name of the encrypted files looks? Unfortunately, if this is AutoLocky and the decrypter is not able to find a key, then decryption is not possible.
Rocco, posted April 29, 2016:
_HELP_instructions.bmp: this file is the ransom note, in a bmp. Here is the name of a file: DB303AED06A80C42B194C9322305946A.locky. Hope you can help.
Elise, posted April 29, 2016:
Thank you for the additional information, this confirms the ransomware variant. You'll need to run the decrypter preferably on the computer where the infection originated from. If it cannot find a key, then unfortunately decryption is not possible.
Rocco, posted April 29, 2016:
Does this mean that if the ransom is paid we will still be unable to decrypt the files?
Elise, posted April 29, 2016:
That is very hard to say. Based on what I've seen so far, I'd say that it should work, but while I understand it is important to recover the data, it is always a risk. Generally speaking, decryption after paying the ransom should work (even cyber criminals realize that people won't pay the ransom if they cannot guarantee decryption).
Rocco, posted April 30, 2016:
Thanks, so far you have been very responsive and given me a lot of information. One more question: then why can't your software find a decryption key? Maybe I am just using it incorrectly. I am just running it as administrator from the desktop, is that correct? The Dr. is willing to pay the ransom, which is steep: 3 bitcoins. She knows she did a very stupid thing by opening the email and enabling the macros. But worse, she has not checked her backup in over a year and it has not been successful in a while, and shadow copy had been disabled by the virus. So as you can see, this is a disaster if the ransom solution doesn't work. What are your thoughts? What kind of name does the key file usually present itself as? Thanks for your help.
Elise, posted April 30, 2016:
There are various ransomware variants and even each family may get "updates" (which means that certain vulnerabilities/bugs that we use to decrypt files are eliminated). This means that the key file likely is no longer present on the system, but stored remotely. It does not mean that decryption after paying the ransom is not possible; usually this will work, although decrypters may be buggy (I haven't heard this about AutoLocky though). When it comes to ransomware prevention, aside from having a good security solution that detects the malware before it can touch your files, a backup really is extremely important. There are various excellent backup solutions available that store your backup remotely (and require you to enter a password before you can access them). I would definitely recommend that if managing a local offline backup is not possible. This is not free, but at least the data is safe (not only very useful when a system is infected, but also when for example a hard disk goes bad).