Customer was infected by the firstname.lastname@example.org ransomware. Too bad Eset Internet Security was not able to find it (now it is), so it encrypted all Word, Excel, PDF and stuff like this on the hard drive.
I found out it used "rar" to pack it with an unknown password. The files were encrypted and then renamed to "<originalName>.email@example.com". The original files were deleted and the shadow copy was also deleted.
I was able to follow the way from the Email (ISO File with download Script) to the Batch File and also the VBA Script which was used to encrypt everything.
I also own the PGP file used to encrypt and the key file from the infected PC. BUT .. I'm a total VBA noob. I understand the basics .. more or less .. but I'm not totally sure what the VBA script did in every way and how to change it to decrypt it again.
I would link the files here with some samples from the encrypted PC - but no idea if I'm allowed to, because basically it's the ransomware itself and someone could change it to use it again.
Would be nice if someone could help me or maybe even Eset is interested in programming a removal tool.
Greetings from Germany