Monday, July 27, 2015

Profiles in PC Poisoning, Part 3

In the previous post, I detailed the removal of the CTB-Locker Trojan from my father's computer with Malwarebytes Anti-Malware. Up to this point I haven't been very specific about the damage that CTB-Locker left in its wake - I'll get into that today.

Encryption prototype

CTB-Locker encrypted hundreds of files on my father's computer. For example, CTB-Locker converted a Byron.wps file to a Byron.wps.xyz file.

The Byron.wps document was created by the word processor module of Microsoft Works, which was discontinued by Microsoft several years ago. Besides Microsoft Works, both Microsoft Word and Notepad can open a .wps file; in the latter case most of the file will be unintelligible but the original .wps content will be present therein and can be extracted if desired.

Now, what about the Byron.wps.xyz file? As it happens, there is a recognized .xyz file format, but it has nothing to do with word processing. An attempt to open Byron.wps.xyz with Microsoft Works throws the following error:
Works cannot open "C:\Documents and Settings\Owner\Desktop\Byron.wps.xyz". The file may be in use by another application, the file format may not be supported by any of the installed converters, or the file may be corrupt.
The file can be opened with Microsoft Word or Notepad, but the content is complete gobbledygook in both cases. (BTW, removing the .xyz extension from the file name does not give a readable file, in case you were wondering.)
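Whether a file that has merely lost its .xyz suffix is readable can be settled from its bytes instead of by opening it in Works. This added script (my example, not code from the original post) peels the ransomware suffixes seen on this machine off a file name, then checks the remaining extension against a small table of known file headers and, where the header is unknown, falls back to byte entropy; the header table, the 7.5-bit threshold and the sample inputs are all constructed for the example.

```python
import math
import os
from collections import Counter

# Magic bytes for formats the post mentions; .wps is left out because the Works header
# differs between versions (assumption: these six are enough for triage).
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",   # OOXML is a ZIP container
    ".flv": b"FLV",
}
# Suffixes CTB-Locker appended on this machine, per the post.
RANSOM_SUFFIXES = (".xyz", ".jkffbil", ".bqtuzhl")

def strip_ransom_suffixes(name):
    """Byron.wps.jkffbil.xyz -> Byron.wps (peels suffixes from the outside in)."""
    while True:
        root, ext = os.path.splitext(name)
        if ext.lower() not in RANSOM_SUFFIXES or not root:
            return name
        name = root

def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8.0, plain text well below."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(name, data, entropy_threshold=7.5, min_len=256):
    """Return (original_name, verdict) with verdict 'intact', 'encrypted' or 'unknown'.
    A known header decides outright; otherwise entropy decides, but only when there are
    enough bytes for the estimate to mean anything."""
    original = strip_ransom_suffixes(name)
    ext = os.path.splitext(original)[1].lower()
    if ext in MAGIC:
        return original, "intact" if data.startswith(MAGIC[ext]) else "encrypted"
    if len(data) < min_len:
        return original, "unknown"
    return original, "encrypted" if shannon_entropy(data) >= entropy_threshold else "intact"

# Constructed samples: a minimal PDF head and a uniform byte pattern standing in for ciphertext.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + b"% padding\n" * 30
SAMPLE_CIPHER = bytes(range(256)) * 16   # entropy exactly 8.0 bits/byte
```

Run `assess("Byron.wps.xyz", open(path, "rb").read())` on a real file; a .wps with no known header is judged by entropy alone, so treat that verdict as a hint rather than proof.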

C: damage

In the computer's Local Disk (C:) volume, CTB-Locker mainly targeted two folders:
(1) C:\Documents and Settings\Owner\My Documents\
Most of the affected files in the My Documents\ folder were in fact doubly encrypted, as detailed below.
(2) C:\Program Files\

My Documents\

• 170 .wps documents were converted to 153 .wps.jkffbil.xyz files, 10 .wps.bqtuzhl.xyz files, and 7 .wps.xyz files. Also, a .docx document was converted to a .docx.xyz file and 4 .txt documents were converted to 2 .txt.jkffbil.xyz files and 2 .txt.bqtuzhl.xyz files.

.jkffbil? .bqtuzhl? What seems to have happened is that the computer was initially hit with two different CTB-Locker infections, and that after that video procedure was applied to the computer, a remnant of one or both infections (or maybe even a third, separate infection) later reared its ugly head and .xyz-ed (1) the .jkffbil-ed and .bqtuzhl-ed files and (2) whatever was missed the first time around. At least, these are the conclusions I draw from inspecting the Created:/Modified:/Accessed: fields on the General tab of the Properties pane for a variety of encrypted and unencrypted files.

• 100 .jpg images, including all those in the My Pictures\ subfolder, were converted to 88 .jpg.jkffbil.xyz files, 7 .jpg.bqtuzhl.xyz files, and 5 .jpg.xyz files.

• 25 .pdf files were converted to .pdf.jkffbil.xyz files.

• 4 .zip packages were converted to 2 .zip.jkffbil.xyz files and 2 .zip.bqtuzhl.xyz files.

• In the My Music\ subfolder, 2 .itl iTunes libraries were converted to .itl.xyz files and 2 .itdb iTunes databases were converted to .itdb.xyz files.

• In the My Videos\ subfolder, a .flv video was converted to a .flv.xyz file.

• Lastly and least, there are 338 .png.xyz files and 4 .css.xyz files in RegCure Pro\ and SpeedyPC\ subfolders that really shouldn't be on my father's computer in the first place.

Program Files\

• 384 files were converted to 272 .jkffbil files and 112 .bqtuzhl files; all of these files are singly encrypted. Affected file formats: .cer, .doc, .eps, .jpg, .js, .mdf, .pdf, .ppt, .rtf, .txt, .xls, and .zip.

Etc.

• There are 9 encrypted files in the C:\Documents and Settings\Owner\Desktop\ folder and 20 encrypted files in the hidden C:\Documents and Settings\Owner\Application Data\ and C:\Documents and Settings\Owner\Templates\ folders. Affected file formats: .air, .dbf, .doc, .docx, .jpg, .js, .pdf, .ppt, .rtf, .txt, .wb2, .wps, .xls, .xlsx, and .zip.

• Outside of the C:\Documents and Settings\Owner\ folder, 2 .wma audio clips were converted to .wma.xyz files and 4 .jpg images were converted to 2 .jpg.jkffbil.xyz files and 2 .jpg.bqtuzhl.xyz files in the C:\Documents and Settings\All Users\Shared Documents\ folder.

D: damage

Twice in the past - about five months ago and in 2012 - the Address Book\, Desktop\, Favorites\, and My Documents\ subfolders of the C:\Documents and Settings\Owner\ folder were copied to the computer's Recovery (D:) volume. Without exception, all of the encrypted C:\Documents and Settings\Owner\Desktop\ and C:\Documents and Settings\Owner\My Documents\ files were also encrypted in the D: volume although not necessarily in the same way, e.g., some of the .jkffbil.xyz files appear as .bqtuzhl.xyz files and vice versa.

Undamaged

• The following file types were left alone: .bak backups, .bmp images, .dat data files, .db databases, .dll libraries, .exe executables, .htm and .html and .xml Web documents, .mp3 audio files, .wav audio files, and .xlr Microsoft Works spreadsheets (not a complete list).

• Gratifyingly, the C:\WINDOWS\ folder was left untouched.
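The tallies above, and the timestamp-based inference that the encryption happened in separate passes, can be produced mechanically rather than by reading Properties panes one file at a time. The following added script (my example, not from the original post) classifies file names by original extension and encryption layers, counts them the way the post does, and clusters modification times into waves; the suffixes are the ones the post reports, the six-hour gap is an assumed threshold, and the sample entries are constructed to mimic two passes ten days apart.

```python
import os
from collections import Counter
from datetime import datetime, timedelta

# Suffixes CTB-Locker appended on this machine, per the post.
RANSOM_SUFFIXES = (".xyz", ".jkffbil", ".bqtuzhl")

def split_layers(name):
    """'Byron.wps.jkffbil.xyz' -> ('.wps', ('.jkffbil', '.xyz')), layers in the order applied."""
    layers = []
    while True:
        root, ext = os.path.splitext(name)
        if ext.lower() not in RANSOM_SUFFIXES or not root:   # a bare '.xyz' is not a layer
            return ext.lower(), tuple(layers)
        layers.insert(0, ext.lower())
        name = root

def tally(entries):
    """Encrypted files counted by (original extension, layers); untouched files by extension."""
    damaged, untouched = Counter(), Counter()
    for path, _ in entries:
        ext, layers = split_layers(os.path.basename(path))
        if layers:
            damaged[(ext, layers)] += 1
        else:
            untouched[ext] += 1
    return damaged, untouched

def waves(entries, gap=timedelta(hours=6)):
    """Cluster encrypted files by mtime; a silence longer than `gap` starts a new wave.
    Returns [(first, last, count, {layer signatures})].  Caveat: mtime is whatever the
    last writer set, so a later .xyz pass hides when the .jkffbil/.bqtuzhl pass ran."""
    hits = [(m, split_layers(os.path.basename(p))[1]) for p, m in entries]
    result = []
    for mtime, layers in sorted(h for h in hits if h[1]):
        if result and mtime - result[-1][1] <= gap:
            first, _, n, sigs = result[-1]
            result[-1] = (first, mtime, n + 1, sigs | {layers})
        else:
            result.append((mtime, mtime, 1, {layers}))
    return result

# Constructed sample standing in for a walk of C:\Documents and Settings\Owner\; on a real
# run, build entries from os.walk() and datetime.fromtimestamp(os.path.getmtime(path)).
T0 = datetime(2015, 3, 1, 9, 0)
SAMPLE = [("My Documents/Byron.wps.jkffbil.xyz", T0 + timedelta(days=10)),
          ("My Documents/notes.txt.bqtuzhl.xyz", T0 + timedelta(days=10, minutes=3)),
          ("My Documents/My Pictures/trip.jpg.xyz", T0 + timedelta(days=10, minutes=5)),
          ("Program Files/App/readme.txt.jkffbil", T0),
          ("Program Files/App/cert.cer.bqtuzhl", T0 + timedelta(minutes=2)),
          ("My Documents/budget.xlr", T0 - timedelta(days=400))]
```

`tally(SAMPLE)` reproduces the post's style of count (one .wps.jkffbil.xyz, one .jpg.xyz, and so on), and `waves(SAMPLE)` separates the singly encrypted Program Files\ pass from the later .xyz pass over My Documents\.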

In search of a key

I found a "How to remove CTB Locker Virus" article whose "Stage 3: Unlocking files that were encrypted by CTB Locker" section suggests that a Panda Ransomware Decrypt program might be able to decrypt CTB-Locker-encrypted files and provides a link thereto. My attempts to decrypt a small group of encrypted files with Panda Ransomware Decrypt are not worth discussing to any extent: suffice it to say that they didn't work.

To my understanding, file decryption tools are target-specific, i.e., a program that unlocks files encrypted by a specific type of ransomware will generally be useless for files encrypted by other types of ransomware. As of this writing and as far as I am aware, no one has written a program that can decrypt files encrypted by CTB-Locker.

Subsequently, I decided to see if I could re-obtain the affected data on my father's computer via a file recovery approach, which did prove somewhat successful, and I'll tell you about it in the following entry.
