DirtyDecrypt.exe file locking ransomware virus

[Guest jake]

hi all, well I asked my anti-virus provider if they have a tool to sort out the pics and files, as of yet they have not, ( panda )
this was part of the email

This malware is known to encrypt files on your computer with a complex algoritm, unfortunalety this algoritm hasn't been cracked so far, thus right now it's impossible to recover files which has been encrypted with this
they are working on a solution but when it comes I have no idea

 

[Guest atom]

Maybe helpful to someone   Posted by Crazy Cat on bleeping computer

 

" I working on it in my free time?

Here is an update showing all the DLL files used by DirtyDecrypt in \WINDOWS\system32\ and extracted memory strings of code.

File size: 142 KB. Time to live: 7 days. ddupdate0.zip

NOTE: The free host at hxxp://crazycat.99k.org/ has deleted my account, so all info I've posted there is gone."

 

 

 

hxxp://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/page-9

 

 

[Guest Bob Kinney]

I have this variant as well. I compared a back up file to a supposedly encrypted file. There is no "e" attribute, so I do not believe they are truly encrypted, while others have stated RSA encryption was used. I believe the files are over written with bogus information and that picture file saying to use dirty decrypter to decrypt the file.

 

in comparing I see an adobe show was used to over write it and the maximum size they produce is 800 x 600  ( i have picture files that were 1600 x 1200 HD pics)

 

I also know how its been injected, by clicking on a false web box that statse Adobe player needs to be updated to play such and such video file (not just porn site, there are many legit looking video sites that cause this).

 

this reminds of one years ago, where they used an html file....if you can find that file and delete it, the pictures and files were restored. i am not sure if this is the case as I have not been able to find that picture file yet (the one saying the file is encrypted).

 

hope this helps.....we need to bust this one guys....it's super nasty!!

 

Bob Kinney

 

 

[Arakasi 549]

Thanks for your thoughts Bob

 

See this post again though for more detailed info

https://forum.eset.com/topic/659-dirtydecryptexe-file-locking-ransomware-virus/page-2#entry4094

 

It doesn't use all of the EFS, just manipulates the EFS encryption components to encrypt the targeted files and inserts the warning message (as the header) into the encrypted file.

DirtyDecrypt does not assign the $EFS Attribute.

 

It does use RSA and the private keys are usually here :

RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA

Edited August 29, 2013 by Arakasi

[Guest Danny]

hi, i also got the problem with dirty decrypt.exe  and only on jpg photo's;  And the big foto's are okay (HD)  Is there a tool to get rid of this virus? and can i do something about the decrypted photo's?   Can someone help me with this???  thx  D

[Guest Bob Kinney]

I did find a bit more info....The the file that the use to display that your file is locked is a PNG file...i discovered this through some of my Photo managing/editing software.

 

I have tried several "decryption" tools...all want to use their own algorithm and under their own format. Need to try to find a standard RSA decryption tool.

 

So far, there are several encryption experts that are currently working on a tool to scan drives & unlock the files. Nothing posted yet, but I would gladly chip in on a legit fix.

 

Bob K.

 

 

[Arakasi 549]

hxxp://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/page-11#entry3154366

 

Lawrence Adams from Bleeping computer has confirmed This MrNobody can restore text not formatting on .doc's infected by Dirty

and restore text and formatting on .docx

 

One step in a positive direction for this nasty virus that ruins peoples data.

[Arakasi 549]

hxxp://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/page-11#entry3154366

 

Lawrence Adams from Bleeping computer has confirmed This MrNobody can restore text not formatting on .doc's infected by Dirty

and restore text and formatting on .docx

 

One step in a positive direction for this nasty virus that ruins peoples data.

 

Grinler is suggesting dont go this route for assistance as the guy seems to want to charge for recovering data. That privileges him a booked seat next to the virus.

 

On a side note, i had another client enter the office today for a forensic session on her drive because she had dirty decrypt and her pictures and docs are compromised.

If only this customer had ESET or some preventative maintenance... These days you have to be proactive not reactive.

I will create a bit by bit dump and try to see whats ruined and whats salvageable. She mentioned on pictures that psp was infected but jpg or jpeg was not .

I think i read that Dirty decrypt wont infect modified images already. But will newly created or non touched images.

We know the docs are ruined lol.

 

Dont forget, if something is already encrypted you cannot encrypt it again over the top. This could save you.

Also dirty decrypt needs admin privileges to run. Standard accounts will be invulnerable >.>

[Jad 1]

Hey guys,

 

I've wasted a lot of my time on this only to find no solutions.

 

Note that my research was done mostly on image files. My conclusions were:

 

- the virus evolved and there are several versions of it.  If given time it would attack / rewrite most common user extensions. Those that spotted it early are lucky.

 

- the file is high-jacked ( header + footer ) not fully encrypted, you can recognize a lot of the old content in the 'encrypted one'.  If you open to edit you'll land inside the "cover" instead of the real content, re-saving the file will land you with a 51.7 kB png. Problem is without the proper header, the data is unreadable my classic software. As proof, you can look into just editing in a text editor the raw data on doc files and you could manage to extract some of the raw text.

 

- It's highly possible there's a RSA connection on how you unlock it, so far I found no tool to operate on the data.

- The guys on bleeping-computers are really cool, you can find a lot of information on their findings.

- The virus could be tracked down to its origin but I lack the financial resources and time to do so.

 

- I have a theory that the programmers who originally designed JPG, PNG files, might be able to see through this and create a easy restore solution.

 

 

I am not sure when I'll be able to research more towards a solution as I'm pretty booked right now.

 

I wish you all the best, I hope a solution is found soon.

[Arakasi 549]

Thanks Jad !

I'm sorry you ran into this virus yourself or one of your clients, as stated in the op.

 

Really appreciate your input and research !

I have passed along all my research as well as yours and crazykat's to my data recovery specialist.

The guy is a genius who takes Hard drives of all models and types apart all day, as well as data recovery from NAND Flash, he desolders and attaches IC's to this jig he created himself for raw data dumps.

I may have a little more experience with encryption, but he has more years under his belt period with data and recovery.

 

We will see what he comes up with, and of course, ill post updates here after the fact. We just have too many customers with lost data and our clones of hard drives are piling up in efforts to hold on to all their data till solution is found.

 

Thanks again and good luck !