"locked" files after removal

Hi everyone,

I have a big problem, I removed some trojan horsers succesfully with Malwarebytes anti-malware, but after the removal, I cannot read my .doc and .xls files anymore. The names have also been changed, in "locked-filename.doc.zlae" ? The last extension is in all files are different, and never the same.

Is there a way to recover my files?

Thanks in advance,

Jan from Holland

 

Hello Jan and welcome to Major Geeks

This type of ransomware is called Rannoh

I have written a blog post on how I removed the ransom portion and what utility was used to decrypt and restore my files here: Rannoh - Canada (Ransom Trojan) - 05.04.2012 - Analysis and Removal

Let me know if you need additional assistance.

 

Hey Thisisu,

Thanks for your quick reply and your blogspot. But I need assistance, I downloaded the file and started it, but when I start the scan, the app. asks a original copy of at least one of the encrypted files larger than 4096 bytes. I need to specify the path....., well what have i to do next, I take a file in my documents that is infected (I cannot choose a folder), then I have to specify the path to encrypted file..., to be honest I don't know what to do next, when I press the same file, then it says it is equal, when I choose another file, then it says it is not equal to the orginal...

So can you give me a hand?

Thanks, Jan

 

Hello,

The utility can decrypt files using a single pair – one encrypted file and one decrypted.

The first file you choose needs to be one that is unaffected by encryption (can't have locked- in it).
Think of a file that you perhaps can download again or transfer from another computer.

For example:

• Let's say Jan's resume.docx was encrypted (now looks like locked-Jan's resume.docx-asdf) on the infected computer
• Jan however has a clean/decrypted copy of her resume on her sister's computer and/or she has it stored online so that she could download it again. You would use this file for the first file requested by RonnahDecryptor

___

The second file the tool requests is the encrypted version of the same file. In this example: locked-Jan's resume.docx-asdf

Hope this helps

 

Thanks Thisisu,

I read it carefully , I have to take a "clean" .docx file, but you say I have to take a clean copy, but I don't have clean copies of the infected files...., (then I would simply replace these files....?).

Or need I just a clean file with the same extension?

I thought I knew something about computers

Thanks in advance, Jan

 

It does not have to be a .docx file, that was just an example.

It could be anything. As long as you have a original AND encrypted copy of each.

It would help me help you if you provided some of the names of the encrypted files you have.

 

Hey Thisisu,

I think I get the picture, the problem is, that I don't have an original of the file that is encrypted. Strange that an original is needed, because, if I have an original that is not infected, why should I recover the encrypted. But maybe I don't understand it quit well.

I have an example file name....., "locked-opzegging consumentenbond.doc.mtdx" An other filenam: "locked-kfw2.pdf.ghbn"

Okay, it's late here, gonna sleep now, thanks in advance Thisisu,

Jan

 

Hi,

The idea behind the tool is to use 1 original (decrypted) and 1 encrypted pair in order to decrypt the remaining encrypted files on your system (perhaps in the thousands).

Using the examples you provided me, do you have an original copy of:
opzegging consumentenbond.doc or kfw2.pdf on another computer / storage device? Or are you able to download an original copy of opzegging consumentenbond.doc or kfw2.pdf again? Then pair it up with the locked- version of it using the Kaspersky utility. Once again, it does not have to be a word or PDF file, just anything that you have both a encrypted and original (decrypted) copy of.

 

Hey Thisisu,

I found on another computer some original files and guess what, it worked, all the files are decrypted, and can be backuped now. So, that is really great. Thanks for your help.

 

I'm glad to hear that
You're welcome. Surf safely!