
DirtyDecrypt.exe file locking ransomware virus


Jad


Greetings,

 

I'm new here, reporting something which I think is a serious problem.

 

Dirty Decrypt, possibly a new breed of virus, most articles about it start with the 28th of April 2013

 

Even though I have no knowledge on how it's infecting systems, this virus takes over a host computer, blocks its access and can be removed through a series of methods, all found through Google in articles related to it.

 

The big problem is the damage left behind. In the background the virus modifies XLS, DOC, PDF, JPG, PNG and possibly more files. 

 

The modified files can not be opened. Instead, a strange message claiming you need to run the virus to decrypt your files comes up. This falls under ransomware, and the poor victim can lose family pictures, important documents and sadly, so far to my knowledge no one created a tool to restore the affected files.

 

I don't believe the files are encrypted per se, but modified, more like hijacked: the exif file header is modified and some junk data is written at the end of the file. I managed to restore jpg files, but doing this manually takes ages, especially for images bigger than 3 MB. The core of the file is there; its original header data is missing.

 

Just do an ANSI file content compare of a virused file and itself, unaffected, and you'll see what I mean.

 

I'm opening this topic in the hope that a security company will develop a tool for mass restoration of affected data. There are many people hit by this problem but not all are so tech inclined to know how to approach a solution.

 

 

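The first post describes the damage pattern (the expected file header replaced by a notice, the body left in place, junk appended) and suggests a byte-by-byte compare of a damaged file against a clean copy. The following is an added triage script, not code from the thread or from ESET; it checks whether each file under a directory still begins with the signature its extension implies, reports the first byte offset at which two copies diverge, and searches a damaged file for the first occurrence of the expected signature. The sample bytes and the notice text are constructed for the demo; nothing about the real ransomware's format is assumed.

```python
"""Triage helper for files touched by header-tampering ransomware.

Added example, not code from the thread. It checks whether a file still
starts with the magic bytes its extension implies, reports the first byte
offset at which two files diverge, and locates the first occurrence of
the expected signature inside a damaged file. All inputs are constructed
in a temporary directory; nothing else on disk is touched.
"""
import os
import tempfile

# Expected leading bytes per extension (well-known file signatures).
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF-"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
    ".xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".docx": [b"PK\x03\x04"],                        # ZIP container
    ".xlsx": [b"PK\x03\x04"],
}


def header_ok(path: str) -> bool:
    """True if the file starts with a signature expected for its extension."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return True  # unknown type: nothing to check against
    with open(path, "rb") as f:
        head = f.read(max(len(s) for s in sigs))
    return any(head.startswith(s) for s in sigs)


def first_diff_offset(a: bytes, b: bytes) -> int:
    """Index of the first differing byte, or -1 if the two are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def find_signature(data: bytes, ext: str) -> int:
    """Offset of the first expected signature inside data, or -1 if absent."""
    for sig in MAGIC.get(ext.lower(), []):
        pos = data.find(sig)
        if pos != -1:
            return pos
    return -1


def triage(directory: str) -> dict:
    """Walk a directory and bucket files into 'ok' and 'suspect' lists."""
    report = {"ok": [], "suspect": []}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            (report["ok"] if header_ok(path) else report["suspect"]).append(path)
    return report


# --- constructed sample data (not real ransomware output) ---------------
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
NOTICE = b"RANSOM NOTICE PLACEHOLDER\r\n"  # 27 bytes, made up for the demo
# Damaged copy: leading bytes replaced by the notice, body kept, junk appended.
DAMAGED_JPEG = NOTICE + CLEAN_JPEG[4:] + b"\x00\xff" * 8
# Prepended copy: notice in front but the original header still present.
PREPENDED_JPEG = NOTICE + CLEAN_JPEG


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        samples = (("clean.jpg", CLEAN_JPEG), ("damaged.jpg", DAMAGED_JPEG),
                   ("notes.txt", b"hello"))
        for name, blob in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        rep = triage(d)
        return {
            "ok": sorted(os.path.basename(p) for p in rep["ok"]),
            "suspect": sorted(os.path.basename(p) for p in rep["suspect"]),
            "diff_at": first_diff_offset(CLEAN_JPEG, DAMAGED_JPEG),
            "sig_in_damaged": find_signature(DAMAGED_JPEG, ".jpg"),
            "sig_in_prepended": find_signature(PREPENDED_JPEG, ".jpg"),
        }


if __name__ == "__main__":
    print(demo())
```

A signature found at a non-zero offset means the original header survived behind a prefix; a result of -1 matches the first post's observation that the header data itself is gone, so carving the body out is not enough on its own.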

  • Administrators

Ransomware encrypting files on a disk is not something new. The recent variant you've mentioned is currently being analyzed, so at the moment we're not able to tell if it'd be technically feasible to decrypt them.


Thank you for the reply. It's my first rendezvous with such an attack.

 

I'm trying to help one of the victims, a photographer who lost a lot of albums of events. There are a lot of sad people.

 

Any update on this is welcomed.


Jad

This topic intrigues me and I would like to investigate in my spare time as I'm somewhat snazzy on cleanup myself.

Would you be kind enough to PM me some links/posts/etc. about this that you have found as I start my own digging?

My first thought is: why doesn't imaging help with this?

System restore? Or was that option for photographer unavailable. Thanks Jad


Thank you Jad for your efforts.

 

I am a victim of this ugly virus too. It encrypted most of my important doc, pdf and jpg files and made me miserable!

 

But a few files are still healthy. I don't know why the virus could not encrypt them?

 

Can you guide me where I can find a pic header data?

 

Thanks in advance


  • Administrators

I'd suggest sending a couple of encrypted files to ESET as per the instructions here so that we can investigate if they can be decrypted.


Have the same prob here, but it seems some files are not affected. I have lost family pics going back almost 50 years that were scanned, also loads of pics of my old pet dog and so forth. Any help is welcome!!

Pictures are lost how? Encrypted and can't open? Or deleted?


Guest Wouter

The sad thing is that I had a backup of all my documents on a second hard disk that is partly affected too. I luckily had another backup of all my pictures but still need a solution to decrypt some of my doc and xls files. Any update or solution on how to do this?


Through the grapevine, the staff has a lot of meetings today and discussions about "things" and issues similar to this one; we should hear something on Thursday, I hope.

I would be interested in seeing some of these encrypted files. Maybe someone could PM me a link.

Will check back later ;)

Edited by Arakasi

Guest lampemi

Hello,

 

I'm having the same issue, virus is removed but files stay encrypted. Any solution how these can be decrypted is very welcome.

 

Regards!

Lampemi


Guest Jonathan Monks

Hi, I have just been hit by the same virus and so would be very interested in a fix. It appears to have hit my back up hard drive so I can't retire my back up, although an old backup has survived.


Guest Aris Papakostas

Hi there

 

It appears that this virus is attached to the already known FBI virus and decrypts all doc, pdf, image files, Excel etc. We have managed to remove the virus and its registry entries but unfortunately the files that have been affected remain encrypted. Any help would be highly appreciated.

 

In order to remove the virus see the info below. Any improvements, please reply.

Before performing the manual removal of Dirty Decrypt.exe, reboot your computer and, before the Windows interface loads, press the F8 key constantly. Choose the "Safe Mode with Networking" option, and then press the Enter key. The system will load files and then get to the desktop in the needed option.

1. Launch the Task Manager by pressing keys Ctrl+Alt+Del or Ctrl+Shift+Esc at the same time, search for Dirty Decrypt.exe processes and right-click to end them.

2. Open Control Panel in the Start menu and search for Folder Options. When you're in the Folder Options window, click on its View tab, check "Show hidden files and folders" and uncheck "Hide protected operating system files (Recommended)", then press OK.

3. Tap the Windows+R keys together to pop up the Run box, type in regedit and hit OK to open Registry Editor; then find the following Dirty Decrypt.exe registry entries and delete them:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\random
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run“.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet

4. Get rid of the listed files created by Dirty Decrypt.exe:

%Temp%\[RANDOM CHARACTERS].exe
C:\Documents and Settings\<Current User>
C:\Users\<Current User>\AppData\
C:\Program Files\Dirty\DirtyDecrypt.exe
C:\Program Files (x86)\Dirty\DirtyDecrypt.exe

 

 


I now have 6 or 7 clients infected.

I have opened both a clean doc and an infected doc to view what's behind.

My findings are astonishing.

One is normal, the other is screwed badly enough to know what's ahead in cleanup.

As stated by the analyst from Emsisoft:

A file with EFS cannot be half encrypted. It's either fully encrypted or not at all.

I don't think this has been done by EFS as I've seen cipher come up with 0 encrypted files.

Someone mentioned RSA but I tend to doubt that also.

Has ESET come up with any helpful information?


It's like the entire format changed. No longer .docx lol

I'm also watching bleepingcomputer and a few other sites as I listen to people post about "almost fixed" and "I'm working on it".

At least we can defend.

It's the recovery of important docs etc. that is paramount.

Even if they were just deleted we could get a raw dump of the physical drive.

:(


Crazy Cat over at Bleepingcomputer has created a very nice analysis of this variant of RansomDecrypt.

He tested on a Guest account.

 

I am sharing it here so that others will not have to jump through the hoops to get a quick report of his data.

 

***********************************************************************************************************************

Hash signature verified - must visit site to obtain

 

Ransomcrypt (DirtyDecrypt.exe) uses EFS.

 

The trojan creates the private keys for the EFS in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA

 

He executed trojan sample dirtydecrypt_.exe (MD5: 65b7ebe783a40d41a44515cf55145da6)
in the Guest account, with an assortment of files for the trojan to attack.

 

When trojan sample dirtydecrypt_.exe is executed, the main processes are: bLEfoFjY.exe and svchost.exe

 

Guest Account Infection Locations:
Documents and Settings\Guest\Local Settings\Temp\bLEfoFjY.exe
Documents and Settings\Guest\Start Menu\Programs\Startup\FdoHBriM.exe
NklRNLqU = C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\OoxwKJGQ.exe
DirtyDecrypt = "\\?\C:\Documents and Settings\Guest\Application Data\Dirty\DirtyDecrypt.exe" /hide
C:\Documents and Settings\Guest\Application Data\Dirty\alertwall.jpg

 

MD5 Hash                                 File Path
________CANNOT_OPEN_FILE________     Documents and Settings\Guest\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
65B7EBE783A40D41A44515CF55145DA6     Documents and Settings\Guest\Local Settings\Application Data\Microsoft\OoxwKJGQ.exe
________CANNOT_OPEN_FILE________     Documents and Settings\Guest\Application Data\Dirty\alertwall.jpg
________CANNOT_OPEN_FILE________     Documents and Settings\Guest\Application Data\Dirty\DirtyDecrypt.exe
65B7EBE783A40D41A44515CF55145DA6     Documents and Settings\Guest\Local Settings\Temp\bLEfoFjY.exe
65B7EBE783A40D41A44515CF55145DA6     Documents and Settings\Guest\Start Menu\Programs\Startup\FdoHBriM.exe

________CANNOT_OPEN_FILE________ C:\{EC384834-5DC3-CE6D-3F07-A0A2E93F6BBD}\jSBOWkDz.exe

 

This is the error message when DirtyDecrypt is executed in the Guest account: "cant create crypto container"

 

***********************************************************************************************************************

 

His conclusion:

In a nutshell, DirtyDecrypt NEEDS administrator rights to make changes to the EFS and registry to encrypt the targeted files.

It doesn't use all of the EFS, just manipulates the EFS encryption components to encrypt the targeted files and inserts the warning message (as the header) into the encrypted file.

DirtyDecrypt does not assign the $EFS Attribute.

THE MD5 HASH OF THE FILES BEFORE INFECTION AND AFTER ARE EXACTLY THE SAME.

I can log out of the 'Guest' account and into the Administrator account, without DirtyDecrypt running in the Administrator account, and vice-versa.

When I log into the 'Guest' account, the trojan cycles over and over again, trying to make registry changes, and an error occurs every time.

NO FILES WERE ENCRYPTED, OR HAD THE WARNING MESSAGE INSERTED INTO THE FILES.

 

 

 

If you are studying this, I highly encourage a trip to download his findings for more detailed analysis.

hxxp://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/page-8#entry3136783

 

Thanks, and I hope I assisted in providing direction towards resolutions.

 

**Credit goes to Crazy Cat explicitly!

Edited by Arakasi
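The analysis above gives one sample hash and a set of drop locations, including a Startup folder entry used for persistence. As an added example (not Crazy Cat's, Bleepingcomputer's or ESET's tooling), the script below sweeps a directory tree, hashes every readable file, matches the MD5 against a known-bad list seeded with the hash quoted in the thread, and separately flags any executable sitting under a Start Menu\Programs\Startup path. Files it cannot open are skipped rather than aborting the sweep, mirroring the CANNOT_OPEN_FILE rows in the report. The demo tree, file names reused from the analysis, and payload bytes are constructed; the payload is not malware.

```python
"""Hash-based IoC sweep for the DirtyDecrypt sample described above.

Added example, not the analyst's or ESET's code. Hashes every file under
a root, matches MD5 values against a known-bad list, and flags .exe files
under a Startup folder. The demo directory and payload are constructed.
"""
import hashlib
import os
import tempfile

# MD5 of the trojan sample as reported in the analysis quoted above.
KNOWN_BAD_MD5 = {"65b7ebe783a40d41a44515cf55145da6"}

# Persistence location from the report, matched case-insensitively on
# either path separator so the sweep works on a mounted image too.
STARTUP_MARKERS = ("start menu\\programs\\startup", "start menu/programs/startup")


def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Streamed MD5 so large media files do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, bad: set = KNOWN_BAD_MD5) -> dict:
    """Return hash matches and Startup-folder executables found under root."""
    hits = {"hash_match": [], "startup_exe": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            try:
                digest = md5_of(path)
            except OSError:
                hits["unreadable"].append(rel)  # locked file: keep sweeping
                continue
            if digest in bad:
                hits["hash_match"].append((rel, digest))
            if name.lower().endswith(".exe") and any(m in rel for m in STARTUP_MARKERS):
                hits["startup_exe"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


# Constructed payload standing in for a sample; its hash is added to the
# bad list at runtime so the match path is exercised without real malware.
DEMO_PAYLOAD = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"


def demo() -> dict:
    bad = KNOWN_BAD_MD5 | {hashlib.md5(DEMO_PAYLOAD).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        # File names reused from the report; contents are the demo payload.
        layout = {
            os.path.join("Start Menu", "Programs", "Startup", "FdoHBriM.exe"): DEMO_PAYLOAD,
            os.path.join("Local Settings", "Temp", "bLEfoFjY.exe"): DEMO_PAYLOAD,
            os.path.join("My Documents", "holiday.jpg"): b"\xff\xd8\xff\xe0 not a sample",
        }
        for rel, blob in layout.items():
            full = os.path.join(d, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(blob)
        return sweep(d, bad)


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

Because the real sample's hash never appears in the constructed tree, a match on it in the demo would itself be a bug; the demo matches only on the payload hash it adds. On a live machine, point `sweep` at the user profile and compare the `startup_exe` list against what the user actually installed.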