Ransomware has encoded my RAW Files

Started May 9, 2017 | Discussions
rpps Senior Member • Posts: 1,921
Ransomware has encoded my RAW Files

Somehow I have been infected with some sort of virus that has encoded files on my computer, mainly my RAW photo files, and has encrypted them, so now I can't use them. In each folder containing photos there's a link to where you can go and buy a Decrypter for so many Bitcoins to unlock your files. I have got rid of the virus from my computer's C drive, but I can't unlock all my RAW files on my D drive, which are on a separate hard disc on my PC.

Has anyone got any clues how to un-encrypt these files? Luckily I have copies saved as JPEGs on another external hard drive that is not infected.

Athegn Senior Member • Posts: 1,317
Re: Ransomware has encoded my RAW Files

Suggest you try this website:-

www.bleepingcomputer.com/forums

OP rpps Senior Member • Posts: 1,921
Re: Ransomware has encoded my RAW Files

Athegn wrote:

Suggest you try this website:-

www.bleepingcomputer.com/forums

Thanks, a lot of info there, but I might as well wipe the files and start from scratch as I wouldn't have a clue how to find the particular virus.

katastrofa Senior Member • Posts: 1,015
Re: Ransomware has encoded my RAW Files
1

Sorry to be the bearer of bad news, but more probably than not, your only choice is between paying the ransom or losing your files. If they used any half-decent encryption algorithm and did not leave the key around somewhere, you simply won't be able to recover the files.

https://malwaretips.com/blogs/remove-your-personal-files-are-encrypted-virus/#recovery

The link above says you shouldn't pay, but actually the FBI sometimes recommends paying, if you really need the data: http://uk.businessinsider.com/fbi-recommends-paying-ransom-for-infected-computer-2015-10

If you decide to pay the ransom, try their "free decryption" offer to verify that they (the criminals) are actually able to decrypt your files (the malware which encrypted the files could e.g. fail to send back the key to them).

MOD Austinian Veteran Member • Posts: 9,657
Re: Ransomware has encoded my RAW Files
1

That is very bad news. Much depends on which malware program hit you.

If you're lucky, it might be one that's defective and can be decrypted for free; I see Kaspersky has a page of decryptor info:

https://noransom.kaspersky.com/

Otherwise, it's pay up or lose the files, and if you're really unlucky even paying might not save them.

OP rpps Senior Member • Posts: 1,921
Re: Ransomware has encoded my RAW Files
4

I ended up deleting all my RAW files off my "D" drive; at least I have copies edited in JPEG. I just don't know how I got this virus. The funny thing is it only affected my files on the "C" and "D" drives; my "E" and "F" drives are connected to the PC using USB but they weren't touched. From now on I will make sure I back up my RAW files to a portable hard drive in the future and not a second hard drive connected internally like I have now.

katastrofa Senior Member • Posts: 1,015
Re: Ransomware has encoded my RAW Files
3

Be aware that the malware can be resident in your PC's memory, detect that you're hooking up the portable HDD to make a backup, and encrypt the files on the HDD too.

You absolutely need to use an anti-virus program.

Glen Barrington Forum Pro • Posts: 21,075
What level of OS are you on?
1

Also, what malware products do you use? I might want to avoid them!

Hosebag Senior Member • Posts: 2,473
Re: Ransomware has encoded my RAW Files

Try here, slight chance maybe........

https://www.nomoreransom.org/crypto-sheriff.php

MOD Austinian Veteran Member • Posts: 9,657
Re: Ransomware has encoded my RAW Files
2

rpps wrote:

I ended up deleting all my RAW files off my "D" drive; at least I have copies edited in JPEG. I just don't know how I got this virus. The funny thing is it only affected my files on the "C" and "D" drives; my "E" and "F" drives are connected to the PC using USB but they weren't touched. From now on I will make sure I back up my RAW files to a portable hard drive in the future and not a second hard drive connected internally like I have now.

It's a good idea to always have multiple image backups of your entire PC system; that way, if something like this happens again, you can restore everything on your PC to the state it was in at the time of backup, the operating system as well as the data.

Saves a lot of time and effort, as well as valuable data.

Some malware can be very persistent; if you see any signs that your PC is still infected, it would be wise to consider a complete clean reinstall of your operating system. And, as others have said, be sure to have antimalware software installed.

Sean Nelson Forum Pro • Posts: 13,741
Re: Ransomware has encoded my RAW Files
10

Austinian wrote:

It's a good idea to always have multiple image backups of your entire PC system; that way, if something like this happens again, you can restore everything on your PC to the state it was in at the time of backup, the operating system as well as the data.

And, more importantly, those backups should be stored offline - powered off and completely disconnected from the computer. External hard drives are ideal for this purpose.

I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

If I were ever hit with this kind of virus I'd reinstall the OS and all my programs from scratch and restore all my data from my offline backups.

Mitrajoon Senior Member • Posts: 2,068
Re: Ransomware has encoded my RAW Files

I've been thinking of doing this for awhile. I'll start for sure today.

MOD Austinian Veteran Member • Posts: 9,657
Re: Ransomware has encoded my RAW Files
1

Sean Nelson wrote:

Austinian wrote:

It's a good idea to always have multiple image backups of your entire PC system; that way, if something like this happens again, you can restore everything on your PC to the state it was in at the time of backup, the operating system as well as the data.

And, more importantly, those backups should be stored offline - powered off and completely disconnected from the computer. External hard drives are ideal for this purpose.

Oh, yes! Thanks for mentioning that; I should have. Very important.

My regular backup drives are stored offline in a locked box, and every few months I swap out the 'house fire' backup drives stored in a bank safe deposit box.

I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

I use ordinary 3.5" SATA hard drives, disconnected immediately after backup.

If I were ever hit with this kind of virus I'd reinstall the OS and all my programs from scratch and restore all my data from my offline backups.

I'd restore my most recent full backup that showed no sign of malware after several off-line scans. I'd prefer to avoid having to repeat all the software installs and extensive customization I do.

Fortunately, that hasn't been necessary in a long time; but a late-80's restore failure from floppy disks made me permanently paranoid about having multiple verified backups.

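Austinian's rule of only trusting a backup that has been verified can be made mechanical. The Python below is an added example, not from any poster or product in this thread: it records a SHA-256 manifest of a backup set while it is known good and later re-verifies it, also checking that each RAW/JPEG still starts with the magic bytes its extension implies (NEF/CR2/TIF are TIFF containers, JPEG begins FF D8 FF), which a ransomware-encrypted file will not. All file names and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# NEF/CR2/TIF are TIFF containers (byte-order mark first); JPEG begins FF D8 FF.
TIFF = (b"II*\x00", b"MM\x00*")
MAGIC = {".nef": TIFF, ".cr2": TIFF, ".tif": TIFF, ".jpg": (b"\xff\xd8\xff",)}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map each relative path under root to its SHA-256 digest."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_of(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def header_ok(path):
    """False when the extension implies magic bytes the file no longer has."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return True  # no expectation for other file types
    with open(path, "rb") as f:
        head = f.read(4)
    return any(head.startswith(m) for m in expected)

def verify_backup(root, manifest):
    """Compare the backup against a manifest taken when it was known-good."""
    current = build_manifest(root)
    report = {"missing": [], "changed": [], "bad_header": [],
              "extra": sorted(set(current) - set(manifest))}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
        if rel in current and not header_ok(os.path.join(root, rel)):
            report["bad_header"].append(rel)
    return report

def demo():
    """Constructed backup (one NEF, one JPEG); the NEF is then 'encrypted'."""
    root = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    write("DSC_0001.NEF", b"II*\x00" + bytes(64))
    write("DSC_0001.jpg", b"\xff\xd8\xff\xe0" + bytes(32))
    manifest = build_manifest(root)
    write("DSC_0001.NEF", bytes(range(128, 196)))  # stand-in for ransomware output
    write("DECRYPT_README.txt", b"pay to decrypt")  # stand-in for the ransom note
    return verify_backup(root, manifest)
```

Run the manifest step from a clean boot with the backup drive attached, store the manifest with the drive, and treat any "changed" or "bad_header" entry as a reason not to restore from that copy.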
bobkoure Senior Member • Posts: 1,642
Re: Ransomware has encoded my RAW Files

Sean Nelson wrote: I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

It's not so much what's "online to your computer" as "what's online to your computer with you logged into it". Ransomware runs as whatever user is logged into the computer when it strikes. Check out Veeam Endpoint Backup. It's free. It can back up to a network share and, as importantly, can back up to that share with a separate username/password. Make sure you have read-only access when logged in as yourself. Now a ransomware nasty doesn't have rights to overwrite. If you're backing up locally, it can disconnect/eject external drives after a backup is finished.

I've been running it at home and at the place where I work. So far, no ransomware, but I have recovered from a couple of failed hard drives (took maybe an hour to get up and going again).

Bobby49 Senior Member • Posts: 2,533
Re: Ransomware has encoded my RAW Files

Sean Nelson wrote:

And, more importantly, those backups should be stored offline - powered off and completely disconnected from the computer. External hard drives are ideal for this purpose.

Exactly.

I've been shooting RAW files for 15 years now, and all of those are backed up on CD-R disks... many many spindles of them. Then, any of them that were good in TIF got written onto one external HDD. Then that HDD is backed up onto another HDD. About the only files that exist on my primary HDD are JPEGs.

OP rpps Senior Member • Posts: 1,921
Re: Ransomware has encoded my RAW Files

Sean Nelson wrote:

Austinian wrote:

It's a good idea to always have multiple image backups of your entire PC system; that way, if something like this happens again, you can restore everything on your PC to the state it was in at the time of backup, the operating system as well as the data.

And, more importantly, those backups should be stored offline - powered off and completely disconnected from the computer. External hard drives are ideal for this purpose.

I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

If I were ever hit with this kind of virus I'd reinstall the OS and all my programs from scratch and restore all my data from my offline backups.

Luckily I have Acronis True Image and have backed up my "C" drive to a portable hard drive, so I didn't have to re-install Windows and all my software again. The big mistake was leaving my two portable hard drives connected to my PC; one was infected but luckily the other hadn't been. I was able to save all my JPEGs but lost a few movies and unimportant files.

When I first found the infection had hit my RAW files I scanned the computer and it found the virus and quarantined it; that was using Malwarebytes, but it didn't find the virus until I scanned for it. I have just about finished making copies of my photos and putting them onto another hard drive, so now I will have 2 copies that are kept offline.

Lesson learnt, and from now on as soon as I see an e-mail I won't open it unless I'm sure of where it is coming from.

Russell Evans Forum Pro • Posts: 12,617
Re: Ransomware has encoded my RAW Files

Sean Nelson wrote:

Austinian wrote:

It's a good idea to always have multiple image backups of your entire PC system; that way, if something like this happens again, you can restore everything on your PC to the state it was in at the time of backup, the operating system as well as the data.

And, more importantly, those backups should be stored offline - powered off and completely disconnected from the computer. External hard drives are ideal for this purpose.

I use internal drives with a SATA power switch, so that the drives can be powered down. It's the same as having an external drive powered off.

https://www.amazon.com/Kingwin-Switch-Switches-5-25-Inch-HDD-PS6/dp/B00TZR3E70

I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

Some backup software uses network protocols that require login credentials for connecting. There really isn't any way for something to attack these protocols easily, as you are suggesting.

If I were ever hit with this kind of virus I'd reinstall the OS and all my programs from scratch and restore all my data from my offline backups.

I have to wonder how the ransomware programs are removing the original files? Are they using something that securely deletes the files, or is there a way to recover files using something like photorec that can access the infected drives without having to use the file system?

http://www.cgsecurity.org/wiki/PhotoRec#File_systems

I probably would try some things like photorec before wiping and reinstalling the OS.

Thank you
Russell

Sean Nelson Forum Pro • Posts: 13,741
Re: Ransomware has encoded my RAW Files

bobkoure wrote:

Sean Nelson wrote: I always worry when people talk about their LAN-based backup schemes, because anything that's online to your computer is vulnerable to this kind of attack.

It's not so much what's "online to your computer" as "what's online to your computer with you logged into it". Ransomware runs as whatever user is logged into the computer when it strikes.

Two comments:

  • I strongly suspect most desktop computers are normally logged on to the main user's account when they're turned on.
  • It's dangerous to assume that malware can only run under the user's account. Any vulnerability that allows a virus to gain admin privileges gives it the ability to easily install itself as a service or a driver that runs whenever the system is turned on, even if it's not actually logged on to an account. And once it's running there's always the possibility that it can exploit a vulnerability in a LAN server that gains it access to those network drives even though it may not have proper credentials to access them. That's less likely, but it's still far more plausible than a virus that somehow manages to corrupt offline backup drives that are stored in your closet.
Sean Nelson Forum Pro • Posts: 13,741
Re: Ransomware has encoded my RAW Files
1

Russell Evans wrote:

Sean Nelson wrote:

Austinian wrote:

It's a good idea to always have multiple image backups of your entire PC system...

And, more importantly, those backups should be stored offline...

I use internal drives with a SATA power switch, so that the drives can be powered down. It's the same as having an external drive powered off.

That protects against viruses, but it doesn't mitigate certain other risks such as the system getting knocked over, a serious power hit, fire/flood/etc., or simple theft of the whole computer.

wklee Veteran Member • Posts: 9,167
File and disk undelete/recovery tools

rpps wrote:

Somehow I have been infected with some sort of virus that has encoded files on my computer, mainly my RAW photo files, and has encrypted them, so now I can't use them. In each folder containing photos there's a link to where you can go and buy a Decrypter for so many Bitcoins to unlock your files. I have got rid of the virus from my computer's C drive, but I can't unlock all my RAW files on my D drive, which are on a separate hard disc on my PC.

Has anyone got any clues how to un-encrypt these files? Luckily I have copies saved as JPEGs on another external hard drive that is not infected.

I am uncertain if this will work but you may want to try a file recovery software like QueTek's File Scavenger and Disk Recoup? They are costly, however. Usually after encryption the files are deleted and should be recoverable, assuming they haven't been overwritten.


Never buy version 1.0 of anything.
Don't it always seem to go
That you don't know what you've got
Till it's gone
They paved paradise
And put up a parking lot
Joni Mitchell's Big Yellow Taxi
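
Russell Evans asked whether the originals might be carved back with PhotoRec, and wklee notes that encrypted copies usually replace deleted, not overwritten, originals. As an added example, not from the thread or from PhotoRec itself, here is a minimal marker-aware JPEG carver in Python that ignores the file system and scans raw image bytes; it walks the JPEG segments so an embedded EXIF thumbnail (a nested JPEG with its own end marker) does not end the carve early. It handles JPEG only (TIFF-based RAW such as NEF needs IFD walking, beyond this block), and the "disk image" it scans is constructed.

```python
# Added example, not from the thread; the disk image built in demo() is constructed.
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def jpeg_end(buf, start):
    """Offset just past the JPEG starting at `start`, or None if not intact.
    Walks the marker segments (so a nested EXIF thumbnail is skipped rather
    than mistaken for the end), then scans entropy-coded data for the EOI."""
    pos = start + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == SOS:
            pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")
            break
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # standalone markers
            pos += 2
            continue
        pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")
    else:
        return None
    while pos + 1 < len(buf):  # entropy-coded data: FF00 and RSTn are not EOI
        if buf[pos] == 0xFF and buf[pos + 1] == 0xD9:
            return pos + 2
        pos += 1
    return None

def carve_jpegs(buf):
    """Return (start, end) for every intact JPEG found anywhere in buf."""
    found, pos = [], 0
    while (pos := buf.find(SOI + b"\xff", pos)) != -1:
        end = jpeg_end(buf, pos)
        if end is None:
            pos += 1
        else:
            found.append((pos, end))
            pos = end
    return found

def segment(marker, payload):  # FF xx, 2-byte length including itself, payload
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def demo():
    """Constructed 'disk image': slack, a JPEG with EXIF thumbnail, junk, a JPEG."""
    thumb = SOI + segment(0xDB, bytes(4)) + segment(SOS, b"\x01\x00") + b"\x12\x34" + EOI
    big = (SOI + segment(0xE1, b"Exif\x00\x00" + thumb) + segment(SOS, b"\x01\x00")
           + b"\xab\xff\x00\xcd" + EOI)
    small = SOI + segment(0xC0, bytes(5)) + segment(SOS, b"\x01\x00") + b"\x77" + EOI
    image = bytes(16) + big + b"\xff\xd8\xff" + bytes(5) + small  # junk = truncated SOI
    return image, carve_jpegs(image)
```

Carving only helps while the deleted originals have not been overwritten, so it should be run against a read-only image of the drive, never on the live disk.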
