vostoski, Posted January 6

We have been hit with a ransomware that encrypts files with a .problem extension. Ransom note as below:

    Hello, all files has been encrypted.
    Send your ID: 6xxxxxxx3 to [email protected] and [email protected] as fast as possible.
    !IMPORTANT!
    Don't try to restore files by yourself, because after it we cant guarantee that decryptor will work correctly.
    Also don't waste time making a decision. We don't keep decryption keys forever.
    Waiting for your reply.
ShadowPuterDude, Posted January 6

Hello @vostoski,

Let's make sure of what we're dealing with. Please copy/paste all lines of the results of this test into a reply to this email if you need further help.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:

https://www.emsisoft.com/ransomware-decryption-tools/

Please be sure to read the information link on the results page, whether we have a decrypter or not. Sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation, and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies who specialize in ransomware negotiation.

If the identification process shows a ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
Amigo-A, Posted January 6

Place a ransom note and 2-3 encrypted files in a zip archive and attach them to the message. Or give us the download link. Do not change anything in the files or their names.
vostoski (Author), Posted January 7

Here are the files: problem ransom files.zip
Amigo-A, Posted January 7

Hello vostoski!

I looked in my database and found no match. For this case, a new description has been compiled in the Digest "Crypto-Ransomware":

Problem Ransomware

---

You need to do an in-depth search for the malware file.

First, look at the Downloads folder and the location where you downloaded the files. If you usually use a browser, you can start your search from the "Downloads" section. If you find suspicious files, do not run them to view. Place each such file in a separate archive with the password "infected" and pass it on to us.

Next, you should check the temporary directories "Temp". Hope you haven't cleaned anything before.

    %WINDIR%\Temp\
    %TEMP%\<random>.tmp\
    %TEMP%\<random>.tmp\<random>\
    %TEMP%\<random>\
    Disk C:\Users\%USERNAME%\AppData\Local\Temp\

The "AppData" folder is a hidden directory. You will need to first enable the view of hidden and system files.

If there are a lot of files, then focus on the date when the files were encrypted.

It is better to collect everything in one big zip archive here. Also, put a password (preferably a non-standard one) and share the link to the place where you upload it.
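The temp-directory search Amigo-A describes above, as an added example that is not part of the thread and not a tool from Emsisoft or the Digest: a read-only PowerShell triage script that walks the listed Temp locations (including hidden and system files), keeps only files written within a window around the encryption date, records size, timestamps, attributes and SHA-256 hash, and flags extensions that commonly indicate an executable. The encryption date, the window size and the report path are assumptions supplied by the person running it; nothing is executed, moved or deleted. Password-protecting the resulting archive is left to the archiver, since Compress-Archive cannot set a password.

```powershell
# Added example, not from the forum thread. Read-only triage of the Temp
# locations named in the post. Assumptions: -EncryptionDate is the date the
# files were encrypted, -WindowHours is how far around it to look, and
# -ReportPath is a hypothetical CSV location chosen by the operator.
param(
    [datetime]$EncryptionDate = (Get-Date),
    [int]$WindowHours = 48,
    [string]$ReportPath = "$env:USERPROFILE\Desktop\temp_triage.csv"
)

# The locations from the post; %TEMP% normally already resolves to
# C:\Users\<user>\AppData\Local\Temp, so duplicates are removed below.
$locations = @(
    "$env:WINDIR\Temp",
    $env:TEMP,
    "$env:USERPROFILE\AppData\Local\Temp"
) | Select-Object -Unique

# Extensions that usually mean the file is runnable; a hint for a human, not proof.
$executableExtensions = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.jse', '.hta', '.msi')

$start = $EncryptionDate.AddHours(-$WindowHours)
$end   = $EncryptionDate.AddHours($WindowHours)

$results = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc)) { continue }

    # -Force includes hidden and system files (AppData is hidden);
    # -Recurse covers the <random>.tmp\<random>\ subfolders from the post.
    Get-ChildItem -LiteralPath $loc -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        ForEach-Object {
            # Hash only reads the file; locked or unreadable files are reported as n/a.
            $hash = try {
                (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch { 'n/a' }

            [pscustomobject]@{
                Path          = $_.FullName
                SizeBytes     = $_.Length
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                Attributes    = $_.Attributes.ToString()
                Executable    = ($_.Extension.ToLower() -in $executableExtensions)
                SHA256        = $hash
            }
        }
}

$sorted = $results | Sort-Object LastWriteTime
$sorted | Export-Csv -NoTypeInformation -LiteralPath $ReportPath
# Show executables first so they stand out in the console view.
$sorted | Sort-Object @{Expression = 'Executable'; Descending = $true }, LastWriteTime |
    Format-Table Path, SizeBytes, LastWriteTime, Executable, SHA256 -AutoSize
Write-Host ("{0} file(s) in window {1:u} .. {2:u}; report written to {3}" -f @($results).Count, $start, $end, $ReportPath)
```

Run it as the affected user with the encryption date from the ransom note timestamps or file modification times, for example `.\temp_triage.ps1 -EncryptionDate '2024-01-05 22:00' -WindowHours 24`. The CSV gives the hashes to quote in a reply, and the files flagged as executable are the ones to archive with the "infected" password rather than open.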
ShadowPuterDude, Posted January 25

Thread Closed