Nixxy79, posted June 12, 2017

Hi, hoping I can get some help here. Son's been using my laptop for the past few weeks and has come to me today saying he cannot get into my laptop properly! I've just tried myself and found that all my personal files, documents, pictures, the lot are all inaccessible and all of the shortcuts on my desktop will not open either! Most of the folders with my files in are still there with their original names but have a string of numbers added to the end of the filename (526047338) and all seem to have a README.txt file in that says this ....

https://translate.google.com

Hello!

Your files have been automatically protected using RSA-2048 to prevent any possible case of identity theft, this is for your own security. RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such us the Internet.

To resolve this issue kindly contact us on by email: [email protected] or [email protected] With your ID number attached.

Please contact me by e-mail:[email protected] or [email protected]

UserID: 526047338

Also all Windows backgrounds on my laptop and desktop images have changed along with Windows notification sounds! Any ideas? Not too fussed if I have to format the laptop to recover Windows from this but desperately need my files back! Some of the pics on here are irreplaceable ones of my kids growing up etc!

Have read the initial post and run both EEK and FRST... Log reports for both are attached to this thread ... many thanks for your help

Attachments:
scan_170612-161604.txt
Addition_12-06-2017 17.10.03.txt
FRST_12-06-2017 17.10.03.txt

alpha1145, posted June 14, 2017

I am helping a friend with this same infection. Her computer was infected sometime on or before 0345 MDT today (6/13). I am interested in hearing from anyone who either removed this infection, recovered the encryption key or actually paid the ransom. We emailed both the email addresses at about 1700 MDT today, but as of this post, have not received a response. Attached is a screenshot of the desktop background listing the ransomware information.

Fabian Wosar, posted June 14, 2017

Can you please upload the ransom note and one encrypted file to https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks.

alpha1145, posted June 14, 2017

Fabian,

Thanks for the hot tip on the ransomware ID tool. The result is:

Cry9
This ransomware is decryptable!
Identified by
sample_extension: .<id>
sample_bytes: [0xDC00 - 0xDC43] 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000036E97EC0
Click here for more information about Cry9

alpha1145, posted June 14, 2017

Update: I am running the decrypt_cry9.exe process now. ETA for results is about 5 hours. I will update the thread with the results when the process is complete.

alpha1145, posted June 15, 2017

Great news! The decrypt_cry9.exe process worked! My friend has her files back!!! I can't tell you how happy she is to have her 10 years of photos recovered. Let me know where we can send the beer money as a token of thanks. I will sing your praises on social media.