How to remove malware threats, adware, or Potentially Unwanted Applications

Do you have any information on this Ransomware. Re-writes files with a .encryptedAES extension. I have not been able to find any info on a Ransomware that uses this extension. Unfortunantly i don't have the virus attachment to submit as this computer was networked and i am unsure where it originated or how i can identify it. I had left my personal back up drive attached to the computer so i am looking at 4 years of research data being corrupted. Any information on Identifying this would be greatly appreciated.

Do you have any information on this Ransomware. Re-writes files with a .encryptedAES extension. I have not been able to find any info on a Ransomware that uses this extension. Unfortunantly i don't have the virus attachment to submit as this computer was networked and i am unsure where it originated or how i can identify it. I had left my personal back up drive attached to the computer so i am looking at 4 years of research data being corrupted. Any information on Identifying this would be greatly appreciated.

Hi Jesse,

I haven't seen that extension used before but that isn't unusual. From those pictures my guess would be Cryptowall or TeslaCrypt. However without more information it is just a best guess and to be honest unless you get really lucky, knowing which one it is wont help you recover the files.

Here is what I suggest you do:

Firstly go to one of the folders with the encrypted files, switch to the 'Details' view, right click on one of the column headers and select 'More' then scroll down to the 'Owner' column and add it. This will give you the username that encrypted the files. Providing it isn't SYSTEM or Administrator that will help narrow down where this attack started.

The two most likely ways this attack could have started are via email or a compromised website. For email, if you know the user that will help. Look for emails with either word/excel documents attached that have macro's, or Javascript files (.js) normally these are inside a Zip. If it was a compromised website that is harder. If you know when the files started to get encrypted and you know the user you could look at your firewall logs or browsing history and see if there are any websites that stand out as being unusual. If you find any files, emails or URL's that you are worried about please email support@sophos.com and we can look into them for you.

The unfortunate truth is that the attack has happened and the data is now encrypted the only way to get it back would be restore from a backup or pay. If you want to know what Sophos says about paying please read this: Ransomware – should you pay?. Please remember though if you did pay but don't change any of your security settings this could potentially happen again. You should concentrate on reviewing your AV product and make sure you are using best practice, we have a great guide on it here: How to stay protected against ransomware.

If you want us to take a look at your settings please contact support@sophos.com if you let me know the case number I will take a look as well.

Thanks Peter, I was thinking a variant of CryptoWall as well. I removed my backup from the infected computer to see if i can restore any of the files. The amount of computers infected leads me to believe it was an IT User Profile who had permissions (Thousands of computers were infected) I had previously warned about a lack of security and systems separations. I know there are tools for restoring files for some of the previous versions but i have not stayed up to date in last year or more, are there any you recommend? Also, before i connect my drive am i correct that the trojan is only installed on the drive of the initially infected computer and then runs through encrypting all files the user profile has access to on the network and connected drives?

In regards to decrypting the files there is very little chance you will be able to do that. Ransomware has improved over the years and now uses very good encryption. The possible options you might have are talked about in this article: Got ransomware? What are your options?

As for the question about the ransomware being on the single computer and encrypting files across the network that is completely correct. Ransomware doesn't spread like a virus/worm (if it did we would have to think up a new name for it) It runs on the machine it was started on and then uses shared folders, mapped drives, removable media to gain access to the files it will encrypt. However encrypting files isn't an instant thing to do, it could take hours if a lot of files are found. You mentioned "Thousands of computers were infected" I suspect potentially multiple users received the same ransomware and ran it. if the 'Owner' details I mentioned earlier does provide a username then it would be worth checking files on different machines to see if multiple users are involved. If their are multiple users then that normally implies it was an email that started this. Speak to the users, ask them if they remember opening anything.