datom Posted May 13, 2019
Files on my PC in different folders are encrypted and infected. In every encrypted folder is a blackmail letter.
blackmail letter: #_#RAD_README#_#.rtf
RAD-files: [[email protected]].5a6kYvoZ-JO895COb.RAD
Thank you for your ideas and help to restore my data.
Amigo-A Posted May 13, 2019
Hello. I think I know which Ransomware worked here. Attach the file #_#RAD_README#_#.rtf to the message.
datom (Author) Posted May 13, 2019
Hello, thank you for your help. Here is the message.
Amigo-A Posted May 13, 2019
Yes. This is Matrix Ransomware. At the moment there is no known free way to decrypt files after this Ransomware. Alas.
datom (Author) Posted May 14, 2019
Hello community, I want to share my latest experience. I tried to extract the files with 7-Zip and it worked surprisingly ... step by step:
I have loads of infected and big data - this is only one folder to test the "7-Zip" method.
My open questions:
1. What has the Matrix Ransomware done with my data?
2. Are the infected data and the result data in the same folder or dispersed on the whole drive?
Step 0: Infected data with readme
Step 1: 7-Zip
Step 2: Overwriting Yes or No? -> I selected Auto Rename
Step 3: Message of 7-Zip
Step 4: Result -> folder with xl and word data is created
Result: folder with word data
Result: folder with xl data
End.
Cheers, Tom
GT500 Posted May 14, 2019
12 hours ago, datom said:
1. What has the Matrix Ransomware done with my data?
It's possible that it tried to use WinRAR, 7-Zip, or another program with a command-line tool that can create archives to compress your files with a password and simply got the syntax wrong or forgot the password. We can't really say for certain unless you attach a few of the encrypted files to a reply for us to take a look at, or unless you have a copy of the malicious program somewhere that we can take a look at (which is the preferred option, since we can analyze the encryption algorithm it uses).
12 hours ago, datom said:
2. Are the infected data and the result data in the same folder or dispersed on the whole drive?
It depends on the ransomware. Most will try to encrypt data in the most common places for people to save files, and some will just take the "shotgun" approach and encrypt everything on the entire drive as long as its file extensions are on its list of files to encrypt. Then there are the "dumb" ransomwares that just encrypt everything except a few critical system files, and break almost everything on the system. We really can't know how sophisticated the ransomware is without being able to analyze it.
GT500 Posted May 14, 2019
Scratch all of the above. From the screenshots you posted, it looks like you extracted the contents of the ransom note, and not the contents of the encrypted files.
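A small triage script, added here as an illustration and not code from this thread or from any Matrix decryption tool: it walks a folder tree, parses the "[email].id.RAD" naming and the "#_#RAD_README#_#.rtf" note reported above, and separates a genuinely encrypted blob (no archive header, byte entropy near 8) from a password-protected archive that 7-Zip would open, which is the distinction GT500's two replies turn on. The contact address and the second file id in the sample tree are constructed placeholders; the first id is the one from the original post.

```python
import math
import re
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Naming seen in the thread: "[contact-email].<per-file id>.RAD", plus the note below in each folder.
RAD_NAME = re.compile(r"^\[(?P<contact>[^\]]+)\]\.(?P<file_id>[A-Za-z0-9-]+)\.RAD$")
NOTE_NAME = "#_#RAD_README#_#.rtf"
# Leading bytes of 7z/zip/rar archives; real ciphertext carries no such header.
ARCHIVE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, office documents well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path) -> dict:
    """Label a file as ransom_note, archive_<fmt>, encrypted_blob or other."""
    path = Path(path)
    head = path.read_bytes()[:4096]
    info = {"name": path.name, "kind": "other"}
    if path.name == NOTE_NAME and head.startswith(b"{\\rtf"):
        # A real RTF note; 7-Zip can "extract" objects embedded in it, which is what the OP saw.
        info["kind"] = "ransom_note"
    elif m := RAD_NAME.match(path.name):
        info.update(m.groupdict(), entropy=round(shannon_entropy(head), 2))
        fmt = next((v for k, v in ARCHIVE_MAGIC.items() if head.startswith(k)), None)
        info["kind"] = f"archive_{fmt}" if fmt else "encrypted_blob"
    return info

def triage(root) -> dict:
    # Walk a tree, count each kind and collect the per-file ids seen.
    kinds, file_ids = Counter(), set()
    for p in Path(root).rglob("*"):
        if p.is_file():
            r = classify(p)
            kinds[r["kind"]] += 1
            file_ids.update(filter(None, [r.get("file_id")]))
    return {"kinds": dict(kinds), "file_ids": sorted(file_ids)}

def build_sample_tree() -> str:
    # Constructed sample: a note, one ciphertext-like .RAD, one .RAD that is really a zip.
    root = Path(tempfile.mkdtemp())
    contact = "[attacker@example.invalid]"  # constructed placeholder address
    (root / NOTE_NAME).write_bytes(b"{\\rtf1\\ansi Your files are encrypted ... }")
    # every byte value equally often: entropy exactly 8.0, a stand-in for ciphertext
    (root / f"{contact}.5a6kYvoZ-JO895COb.RAD").write_bytes(bytes(range(256)) * 16)
    with zipfile.ZipFile(root / f"{contact}.Qw3rTyUi-Op45AsDf.RAD", "w") as z:  # constructed id
        z.writestr("budget.xlsx", b"not encrypted, just archived")
    return str(root)
```

Run `triage(build_sample_tree())` to see the three kinds counted separately; on a real incident the same walk over the affected drive gives the file list an analyst would ask for before anyone runs an archiver over the data.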