New? Malware On My Infected Drive

Discussion in 'Software' started by bryan554, Dec 20, 2019.

  1. bryan554

    bryan554 Private E-2

    Here's what the message says:
    1. Decoding cost
    The cost of decryption is $5000. We receive payment only in BITCOIN. (Bitcoin is a form of digital currency)

    2. Attention!
    Do not rename encrypted files.
    Do not try to decrypt your data using third party software, it may cause permanent data loss.
    Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible.

    3. Free decryption as guarantee
    You can send us up to 1 file for free decryption.
    Size of file must be less than 1 mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files. Remember this.

    4. Decryption process:
    To decrypt the files, transfer money to our bitcoin wallet number: "request it from us before payment". As we receive the money we will send you:
    1. Decryption program.
    2. Detailed instruction for decryption.
    3. And individual keys for decrypting your files.

    5. The process of buying bitcoins:
    The easiest way to buy bitcoins: https://buy.bitcoin.com/
    The easiest way to buy bitcoins: https://localbitcoins.com/
    https://www.bitpanda.com/
    https://paxful.com/
    https://www.abra.com/
    FOR CHINA: https://www.huobi.com/
    https://www.bitoex.com/

    IMPORTANT! Don`t use coinbase! it take more than 2 week to make coinbase verification.

    ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

    The emailer/Attacker is : decyourdata@protonmail.com

    All my files are locked with this extension, all the same numbers/algorithm?
    d-24f1s37gfxow
     


  2. bryan554

    bryan554 Private E-2

    Another question: could someone help me find the right decrypter?
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. bryan554

    bryan554 Private E-2

    None of these files are able to be unlocked, or access is denied, using different unlockers. Even trying to find a shadow copy or restore was unsuccessful.

    At this point I can modify the name through the new OS copy but can't open the file through any default programs.

    Once this loaded I ended up locked out of my account.

    After wiping and installing a fresh OS partition, I then realized my second partition with data was infected.

    The note is in every bottom sub-directory; the folders remain the same but everything that's a file ended up getting locked.

    I'm currently in touch with the attacker, so I sent him a file and it came back unlocked.
     


  5. Eldon

    Eldon Major Geek Extraordinaire

    Software to decrypt files that have been encrypted with ransomware is available. However, you need to know which ransomware was used. This is usually indicated by the file extension. But the file extension you posted doesn't look familiar.

    The only other options you have are to either pay the attacker, which is no guarantee your files will be decrypted, or to write off the files.
     
  6. the skeezix

    the skeezix Specialist

    @OP
    Guess you don't believe in backups...
     
  7. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    Aside from doing images every 4 - 6 weeks, we store at least 2 copies of irreplaceable files OFF the computer. Don't keep that device, like a portable hard drive, where the files are stored connected to the PC or it too will get infected.
     
  8. Earthling

    Earthling Interplanetary Geek

    or a mapped network drive or a NAS device.
     
  9. bryan554

    bryan554 Private E-2

    Of all the malware I've seen, this one is the most unordinary and difficult to figure out so far.
     
  10. bryan554

    bryan554 Private E-2


    I did, but they got lost after the OS partition got hijacked.
     
  11. Earthling

    Earthling Interplanetary Geek

    It's no good keeping backups on a connected drive. Read #7 and #8
     
  12. sexyandy81

    sexyandy81 MajorGeek

    And also, if you have any other computers connected to the network as well, they can become infected with the ransomware infection.
     
  13. bryan554

    bryan554 Private E-2


    Luckily this was isolated to just one of my machines, all other machines got scanned and are okay.
     
  14. sexyandy81

    sexyandy81 MajorGeek

    That's good, at least it hasn't spread.
     
  15. bryan554

    bryan554 Private E-2


    No. The functionality of this virus seems to have stopped after I wiped the OS partition and installed a fresh copy, but the files on the separate partition are still encrypted/infected with this algorithm/key. I can't figure out which program and ransomware virus this is for the above files.
     
  16. sexyandy81

    sexyandy81 MajorGeek

    I just did a search with the file extension and it looks like the ransomware is unknown or a variant of another ransomware strain.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It isn't malware....it is ransomware. Big difference.
     
  18. Eldon

    Eldon Major Geek Extraordinaire

    Have you tried identifying the ransomware with ID Ransomware?
     
  19. bryan554

    bryan554 Private E-2

    Yes, when entering/uploading a file or entering the information, the page won't load as it doesn't recognize the malware type.
     
  20. Eldon

    Eldon Major Geek Extraordinaire

    This is a problem.
    See if you can upload a file (1 MB limit) over here. Include the ransom note and the email address.
    https://www.nomoreransom.org/crypto-sheriff.php?lang=en
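    A defender-side triage script for the step above, added here as an example (it is not the forum's or Crypto Sheriff's own code): it walks the data partition, counts files carrying the extension posted in this thread, locates ransom notes by their wording, and picks a sample under the 1 MB limit whose byte entropy confirms real encryption rather than a merely renamed file. The marker phrases, size thresholds and the constructed demo tree are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# Extension and 1 MB limit come from the thread; markers, thresholds and demo tree are assumptions.
ENCRYPTED_EXT = ".d-24f1s37gfxow"
MAX_SAMPLE_BYTES, MIN_SAMPLE_BYTES = 1_000_000, 4096  # portal limit; enough bytes for entropy
NOTE_MARKERS = (b"decrypt", b"bitcoin")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, far lower for text or documents."""
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_note(path: Path) -> bool:
    """Small file whose first 4 KiB mentions every marker phrase (case-insensitive)."""
    try:
        with path.open("rb") as f:
            head = f.read(4096).lower()
    except OSError:
        return False
    return path.stat().st_size <= 64_000 and all(m in head for m in NOTE_MARKERS)

def triage(root: str) -> dict:
    """Count locked files, collect ransom notes and pick a sample fit for upload."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(p)
            elif looks_like_note(p):
                notes.append(p)
    fit = [p for p in encrypted if MIN_SAMPLE_BYTES <= p.stat().st_size <= MAX_SAMPLE_BYTES]
    sample = min(fit, key=lambda p: p.stat().st_size, default=None)  # smallest usable file
    ent = shannon_entropy(sample.read_bytes()) if sample else 0.0
    return {"encrypted_count": len(encrypted), "note_count": len(notes),
            "sample": str(sample) if sample else None, "sample_entropy": round(ent, 2),
            "sample_is_ciphertext": sample is not None and ent > 7.5}  # ~8 = truly enciphered

def demo() -> dict:
    """Constructed stand-in for the infected data partition (sample data only)."""
    root = Path(tempfile.mkdtemp()) / "docs"
    root.mkdir()
    (root / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(os.urandom(8192))
    (root / ("icon.png" + ENCRYPTED_EXT)).write_bytes(os.urandom(32))  # too small to sample
    (root / "HOW_TO_DECRYPT.txt").write_text("Cost of decryption is $5000, payable only in BITCOIN.")
    (root / "untouched.txt").write_text("ordinary file the encryptor skipped")
    return triage(str(root.parent))
```

    Run `triage("/path/to/data/partition")` against the real drive; the returned sample path and note path are what the portal asks for, and a low entropy value is a hint that the files were only renamed.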
     
  21. bryan554

    bryan554 Private E-2


    I tried this, to no avail, I think it sends or checks the files, but must be returning nothing, because after uploading the files asked, it just comes back to the upload page again.
     
  22. sexyandy81

    sexyandy81 MajorGeek

    Then it sounds to me that the ransomware is unknown or it's a variant of an existing ransomware out there already.
     
  23. bryan554

    bryan554 Private E-2

    That's about where I am with my thoughts on this one. I've tried numerous decrypters that use all the latest extensions within the program, but it still doesn't associate my encrypted files with any previously known malware extension. I plan to hold my data indefinitely in case this virus becomes known and/or someone creates a decrypter for it, so in other words, any posters that see this forum without a solution are welcome to chime in!
     
  24. Eldon

    Eldon Major Geek Extraordinaire

  25. bryan554

    bryan554 Private E-2

    So I was able to send some screen captures and send them a lengthy story of the timeline of events with a return address. Hopefully that will help if anything.
     
  26. Eldon

    Eldon Major Geek Extraordinaire

    Did you manage to submit a file?
     
  27. bryan554

    bryan554 Private E-2

    Yes, I was able to send a file, and know it went through because the confirmation page was returned. I sent multiple pics, and a current rundown of my scenario, hopefully they can reply.
     
