.exx ransomware

[ste2425]

Think this is the right section.

Went to upgrade my parents computer, windows Vista. Upon copying over their documents I noticed some files had the .exx extension, so `myTextFile.txt.exx`. Apparently this is a virus that encrypts your files and holds you to ransom to decrypt them.

I've been reading a few blog posts about programs to can attempt to recover the data but I don't trust them. Have you guys got any experience with recovering these files?

Thanks all for any advice.

 

[ShiBDiB]

Do they need the files?

Just do a fresh wipe and reinstall of windows.

 

[ste2425]

Do they need the files?

Just do a fresh wipe and reinstall of windows.

That's what I'm doing for the OS.

Luckily it didn't spread through their photo's so could cut losses. But my dad has a huge music collection and probably half is encrypted. The half with all he Iron Maiden too

 

[Tatty_Two]

I have no experience with this particular nasty, all I can suggest is to learn more with prevention in mind, take a look here, I have used this site in the past, there is also a removal guide but it appears there is no effective way to get your files back without paying................

http://malwaretips.com/blogs/remove-exx-virus/

 

[jboydgolfer]

whats "Iron Maiden" ... from what Ive heard of this type of shit, is that Your Boned, Cut Your losses and save what You can, If incryption IS indeed somewhere , Your S.O.L ,maybe you'll find something that helps, good luck

 

[FordGT90Concept]

And for the love of god don't pay.

Where did he get all of that music from? He should just be able to re-download or re-rip it.

 

[ste2425]

Yea i have no intention of paying those morons.

I try my best to keep them clued up on prevention of such things and they are quite computer savvy but you know how easy it can be. Ive found my self in a few situations where adds mask them selves really well as a legit part of the site. For someone not so clued up i can see how easy it could be to get infected.

They don't bother with downloading music, they like a physical artifact. So i don't envy the task he has of ripping probably about 200 albums

And thanks for the link, i find it difficult to find resources that are trustworthy on such a subject. I always think the product they say to download to fix the issue is just as bad as the issue itself.

We'll thanks for your time and all that, good to be back. Been away for a while

 

[ste2425]

Just an update

Found a tool called 'TeslaDecoder '.

Its been brilliant. Apparently these viruses leave the key in some registry or data file somewhere. Tesla Decoder finds this key and will decode your files.

Just decrypted all my dads files with it. Very pleased.

 

[Solaris17]

if its a crypto locker variant like 2.0 or cryptowall you are boned.

 

[ste2425]

This is why a proper backup strategy is so important. Something that backs up your files of your machine. For some-reason they have this instant fear of cloud solutions.

 

[jboydgolfer]

They don't bother with downloading music, they like a physical artifact. So i don't envy the task he has of ripping probably about 200 albums

that sucks...this actually reminded me, and I went and found my old Vinyl records, I THINK i have ALL of Iron maiden, as well as pretty much EVERY metal band, and others from my earlier days. I didnt even know you could rip Vinyl, but I wouldnt personally, ugh.

 

[ste2425]

that sucks...this actually reminded me, and I went and found my old Vinyl records, I THINK i have ALL of Iron maiden, as well as pretty much EVERY metal band, and others from my earlier days. I didnt even know you could rip Vinyl, but I wouldnt personally, ugh.

Wow thats quite cool, the maiden collection. My dads the same he has a ton of Maiden, Metalica Wasp etc vynl upstairs. It comes out on special occasions.

One of the side effects of this is in every folder that had a file encrypted it also put a text file saying pay money here and you will get your files back. These ransom files all have the same prefix in the name with a timestamp. I could write a bash or node script to recursively delete files with that in the name but my However i don't know any Power Shell. Could i be cheeky and trouble you guys to whip up a script that would do this? That is assuming it isn't a difficult task for someone versed in Power Shell. Don't want to install Node or Bash just for this.

EDIT:

Well I managed to come up with something:
get-childitem <path> -Recurse -force | Where-Object {$_.Name -contains "HELP_RESTORE_FILES_dkfkl.TXT" } | Remove-Item -Force –Recurse

Couldn't get the contains to work. Would only find the text file if I gave it the exact name but luckily the filename didn't change. I was mistaken on that bit.

 

[taz420nj]

You're extremely lucky that the variant he caught was based off an older Cryptolocker.. The newer ones that have come out within the past year or so there are no decrypters for. I've had to tell several of my customers that they have lost everything because they don't have backups.. And then more often than not, when I try to sell them a cloud backup solution, THEY REFUSE!! So honestly if you don't want to pay for the ounce of prevention, that pound of cure is gonna swat you right in the ass.

 

[TheMailMan78]

if its a crypto locker variant like 2.0 or cryptowall you are boned.

I haven't used this but, from what I understand its a pretty strong solution to crypto.

http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

 

[taz420nj]

That's exactly what it says it is - a vaccine.. It uses heuristics to detect and block the encryption mechanism. And just like a real vaccine it is useless if you are already infected or catch an unknown/zero day strain. But not a bad thing to add to that "ounce of prevention"...

 

[ste2425]

I haven't used this but, from what I understand its a pretty strong solution to crypto.

http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

So that watches files and detects and blocks things that are trying to be encrypted? Ill have to look into that.