“Cryptolocker” ransomware, and that all files had been encrypted with a strong AES algorithm and were unusable. The strange characters appended to the file names were a special ID which, in theory, lets the cybercrooks identify which key should be sent to you after the ransom has been paid so you can get your files back.
The data recovery options were limited. Publicly available tools to brute-force the decryption did not work for this variant. “But, in the hope that a decryption tool would be someday available, I copied the files to a backup drive,” explained Andrei.
The only thing left to do was to start over: reformat the hard drive and reinstall Windows. This time, though, Avira AV was installed to prevent the same thing from happening again.
The FBI recommends paying the ransom. Avira does not. Here is why:
“Just for fun, I decided to contact the cybercrooks and play their game, finding out how much they are asking for a ransom and go through the whole process,” he explained. “And since I am representing my father – who is really not an IT geek – I tried to ask very basic questions about how to best transfer the bitcoins.”
“There was no reply back. I’m wondering whether this would’ve happened regardless of whether I had bought the bitcoins or not,” he said. “Still, shouldn’t they ask how I’d pay and guide me through the payment correctly, if I said I had done this and they didn’t receive the money?”
Paying the ransom, at least for this variant of the ransomware, may not be a real option. “My belief is that they don’t help victims recover the files, regardless of whether they pay or not,” stated Andrei. “I also think that the entire process – infection, mail communication – is automated. Maybe they’re enjoying a cocktail in Thailand.”
Four points to remember: