
Data encrypted by malware - Encrypted file size larger by 20 bytes


Combat_Kebab

Registered
Joined
Feb 18, 2012
Recently I was infected by some ransomware that managed to encrypt all of my .txts, .jpgs, .pdfs, .ppts, and .docs. In trying to decrypt them, I found a utility called Kaspersky RannohDecrypter, which allows you to find the encryption key by using an encrypted file and the original version of the encrypted file. Unfortunately, while I was using this, I got an error message that said "Encrypted file is not same size as original file". I checked and I saw that the encrypted file was 20 bytes larger. I compared the rest of my encrypted files to some of my original ones, and the encrypted files were all consistently 20 bytes larger.

I have no idea where those 20 bytes are in the file. I was thinking that it could be a file header or something, but I don't know how I would remove or even view it. I've been trying to find if there was just an extra 20 bytes randomly shoved into the files, but comparing the files using Beyond Compare 3 showed no similarities in data, leading me to believe that it could be some form of metadata.

If you can help me, you will have attained the rank of god in my eyes.

Thanks in advance,
-Combat_Kebab
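Added example (not code from the original post, and not how Kaspersky's RannohDecrypter works internally): the poster's situation, one original file and one encrypted copy that is exactly 20 bytes longer, is a known-plaintext setup. The script below takes both files, tries every placement the 20 surplus bytes could have (all at the front, all at the end, or split between both ends), and for each placement XORs the ciphertext body against the plaintext. If the malware used a repeating-key XOR, one placement yields a keystream that repeats with a short period, which is the key, and the surplus bytes drop out as the header or trailer the poster was looking for. If the malware used a real cipher, no placement repeats and the check reports nothing, which is also what "no similarities in Beyond Compare" tells you: ciphertext from any cipher, weak or strong, looks unrelated to the plaintext byte for byte. The sample text, the 9-byte key `s3cr3tk3y`, the 20-byte marker `ENCRYPTED-MARKER-v1\x00`, and both toy "ransomware" routines are constructed for this demonstration and are assumptions, not properties of the malware in the thread.

```python
import hashlib

MAX_KEY_LEN = 64  # longest repeating XOR key this check will look for


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt/decrypt with a repeating-key XOR (the cipher this check can break)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_period(stream: bytes, max_period: int = MAX_KEY_LEN):
    """Smallest p <= max_period such that stream repeats every p bytes end to end."""
    for p in range(1, max_period + 1):
        if len(stream) < 2 * p:  # need two full repetitions before claiming a period
            break
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return None


def candidate_layouts(cipher: bytes, plain: bytes):
    """Yield (label, body, extra) for every way the surplus bytes could be placed:
    all at the front (header), all at the end (trailer), or split between both ends."""
    n = len(cipher) - len(plain)
    if n < 0:
        raise ValueError("encrypted file is shorter than the original")
    if n == 0:
        yield "same-size", cipher, b""
        return
    yield "header", cipher[n:], cipher[:n]
    yield "trailer", cipher[:-n], cipher[-n:]
    for k in range(1, n):
        yield f"split {k}+{n - k}", cipher[k:-(n - k)], cipher[:k] + cipher[-(n - k):]


def known_plaintext_xor(cipher: bytes, plain: bytes):
    """Known-plaintext test. For each layout, body XOR plain is the keystream; if it
    repeats with a short period, the file was XORed with that key.
    Returns (layout, key, extra_bytes), or None if no layout yields a repeating key."""
    for label, body, extra in candidate_layouts(cipher, plain):
        keystream = xor_bytes(body, plain)
        period = find_period(keystream)
        if period is not None:
            return label, keystream[:period], extra
    return None


# ---- constructed toy samples, used only to exercise the check above ----
SAMPLE_PLAIN = (
    b"Quarterly summary (constructed sample text). Revenue grew in the second "
    b"quarter while support costs fell; the team shipped three releases and "
    b"closed 41 customer tickets. Next quarter we plan to migrate the build "
    b"servers and retire the old file share. Contact ops for the full report.\n"
)
TOY_KEY = b"s3cr3tk3y"                    # made-up 9-byte repeating key (assumption)
TOY_TRAILER = b"ENCRYPTED-MARKER-v1\x00"   # made-up 20-byte marker the toy appends


def encrypt_weak_toy(plain: bytes) -> bytes:
    """Toy ransomware: repeating-key XOR, then a 20-byte trailer."""
    return repeating_xor(plain, TOY_KEY) + TOY_TRAILER


def encrypt_strong_toy(plain: bytes) -> bytes:
    """Stand-in for a real cipher: SHA-256 counter-mode keystream, same 20-byte trailer."""
    blocks = (len(plain) + 31) // 32
    keystream = b"".join(hashlib.sha256(b"toy-key" + i.to_bytes(4, "big")).digest()
                         for i in range(blocks))
    return xor_bytes(plain, keystream) + TOY_TRAILER


def demo():
    """Run the check against both toys; returns a dict the caller can inspect."""
    weak = encrypt_weak_toy(SAMPLE_PLAIN)
    strong = encrypt_strong_toy(SAMPLE_PLAIN)
    return {
        "size_diff": len(weak) - len(SAMPLE_PLAIN),
        "weak": known_plaintext_xor(weak, SAMPLE_PLAIN),
        "strong": known_plaintext_xor(strong, SAMPLE_PLAIN),
    }


if __name__ == "__main__":
    r = demo()
    print("extra bytes:", r["size_diff"])
    if r["weak"]:
        layout, key, extra = r["weak"]
        print(f"weak toy: layout={layout} key={key!r} extra={extra.hex()}")
    print("strong toy:", r["strong"])
```

To use it on real files, read the original and the encrypted copy with `open(path, "rb").read()` and pass them to `known_plaintext_xor`; a `None` result means the 20 bytes cannot be located this way because the body was not encrypted with a short repeating XOR, and the surplus is better inspected directly by hex-dumping the first and last 20 bytes of several encrypted files and looking for a constant marker.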
 
Thanks for the help, but that didn't end up doing anything. I ran it using the "C:\te94decrypt.exe -k 85" option thing they said to do, and it couldn't decrypt anything.
 
Junk being added to files reminds me of the dreaded W32.Pinfi virus, which appears to be a RAM-resident virus that adds extra bytes to downloaded files. A symptom of that was the installer giving an error message about the file being corrupted right after downloading it, including the driver for a SoundBlaster sound card. It will corrupt .exe files.
 
Nah, my .exes are fine. It's just my important files that are all encrypted. I still can't seem to find out how to decrypt it :C.
 
Does anyone else know of any ways to fix this? I feel so alone ;_;

You're probably not alone, but fwiw I remove numerous viruses professionally each week and haven't seen anything like yours in a very long time. That tells me it's uncommon. The idea of contacting Kaspersky is a good option. Otherwise there are online communities for malware removal, and some good techs that can walk you through using various utilities. This is mostly a hardware forum so the help on removals is limited. It's not our specialty.
 
Major Geeks forums and staff are very good at solving malware problems as well, but since Kaspersky correctly reverse engineered Stuxnet and Flame I would try them first. They would likely help you just to be on the forefront of stopping this one.
 
Have you tried emailing Kaspersky about the issue? They like a challenge, and they may be familiar with that variant.

I hadn't even thought about that, actually. I'll have to email them then.


That's kind of what I thought, but I also thought that there had to be some sort of encryption experts here.

Thanks for the sudden burst of replies though ^^. Hopefully I'll be able to get this problem solved soon. If I ever get a solution, I'll be sure to post it here for people with problems like this in the future.
 