Windows 10: Files encrypted by (.ACFJKSO extension) ransomware

Discussion in 'AntiVirus, Firewalls and System Security' started by prakhar043, Feb 10, 2019.

  1. Files encrypted by (.ACFJKSO extension) ransomware


    Dear Team,


    I am facing an issue with my Windows 10 PC: some of my documents are renamed with the '.ACFJKSO' extension. If I try to rename the file, nothing happens.

    From these symptoms I realized that it is a Trojan-Ransom like CBT-Locker.

    Does anyone have a proper solution for this problem?


    Inside all folders there is one '.txt' file named ACFJKSO-DECRYPT.txt. The content inside this text file is as mentioned below.



    ---= GANDCRAB V5.0.4 =---



    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************



    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****



    Attention!



    All your files, documents, photos, databases and other important files are encrypted and have the extension: .ACFJKSO



    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.





    The server with your key is in a closed network TOR. You can get there by the following ways:



    ----------------------------------------------------------------------------------------



    | 0. Download Tor browser - https://www.torproject.org/



    | 1. Install Tor browser

    | 2. Open Tor Browser

    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/aa26b055c8d83b98

    | 4. Follow the instructions on this page



    ----------------------------------------------------------------------------------------





    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.





    ATTENTION!



    IN ORDER TO PREVENT DATA DAMAGE:



    * DO NOT MODIFY ENCRYPTED FILES

    * DO NOT CHANGE DATA BELOW

    :)
     
    prakhar043, Feb 10, 2019
    #1

  2. Files encrypted by Tor ransomware

    More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware). RSA-4096 / RSA-2048 / RSA-1024 / AES-256 / AES-128 are encryption algorithms and not an explicit way of identifying a particular ransomware infection.

    Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, is the extension the same for each encrypted file or is it different?

    What is the actual name of your ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

    The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.

    You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

    After gathering that information, please read and follow the instructions below.

     
    quietman7 - MVP, Feb 10, 2019
    #2
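
The questions in the reply above (is the appended extension the same on every file, and what is the ransom note called) can be answered with a read-only walk of the affected folder before submitting samples. This is an added example, not code from the thread or from ID Ransomware; the function names and the sample tree are constructed, and it assumes the extension is appended after the original one (`report.docx.ACFJKSO`).

```python
import os
import re
import tempfile
from collections import Counter

# Ordinary document types; an unknown suffix after one of these
# (report.docx.ACFJKSO) is treated as an appended ransomware extension.
KNOWN = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
         ".jpg", ".png", ".txt", ".zip"}
# Note-name keywords and file types taken from the names quoted in this thread.
NOTE_HINT = re.compile(r"decrypt|recover|restore", re.I)
NOTE_TYPES = {".txt", ".html", ".hta", ".png", ".bmp", ".url"}


def triage(root):
    """Summarise appended extensions and candidate ransom notes under root."""
    appended, notes, samples, folders = Counter(), Counter(), {}, 0
    for dirpath, _dirs, files in os.walk(root):
        folders += 1
        for name in files:
            stem, ext = os.path.splitext(name)
            inner = os.path.splitext(stem)[1].lower()
            if ext and inner in KNOWN and ext.lower() not in KNOWN:
                appended[ext] += 1
                samples.setdefault(ext, os.path.join(dirpath, name))
            elif ext.lower() in NOTE_TYPES and NOTE_HINT.search(stem):
                notes[name] += 1   # names are unique per folder: counts folders
    return {"folders": folders, "appended": dict(appended),
            "same_extension": len(appended) == 1,
            "notes": dict(notes), "samples": samples}


def demo():
    """Run triage over a constructed tree (empty files, names only)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"": ["budget.xlsx.ACFJKSO", "ACFJKSO-DECRYPT.txt", "todo.txt"],
                  "photos": ["trip.jpg.ACFJKSO", "ACFJKSO-DECRYPT.txt"]}
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `samples` entry gives one encrypted file per extension to upload alongside the note; a note name that appears in as many folders as were walked matches the "note in every affected folder" pattern described in the reply.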
  3. Files encrypted by TeslaCrypt (.vvv extension) ransomware

    Your computer is infected with a newer variant of TeslaCrypt/Alpha Crypt.

    The following is a copy/paste of another reply of quietman7 MS MVP in another Bleeping Computer thread:

    http://www.bleepingcomputer.com/forums/t/598923/cryptolocker-telsadecoder/


    QUOTE

    You are dealing with a newer variant of TeslaCrypt/Alpha Crypt. TeslaCrypt includes several known versions with various extensions for encrypted files to include: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv... as described here. Some of the new variants are disguised as CryptoWall.


    Any files that are encrypted with the newer variant of TeslaCrypt will have the .exx, .xyz, .zzz, .aaa, .abc, .ccc or .vvv extension appended to the end of the filename. The .aaa/.abc/.ccc/.vvv variants leave .html, .txt files (ransom notes) with names like RECOVERY_FILE_*****.txt, restore_files_*****.txt, recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt, howto_recover_file_*****.txt, _how_recover_*****.txt, how_recover+***.txt (where * are random characters). More information in these BC news articles:


    A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ


    Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:

    There is an ongoing discussion in this topic where you can ask questions and seek further assistance.

    Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread.


    UNQUOTE

    ===================================================================

    Also please see the replies of RickCP here:
    http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-ransomware/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=c26b605a-420f-40bc-9541-584492bab180


    and

    here:
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/ransomhtmltescryptd/163bb48e-4932-4296-bc0c-18e25732e2a8?msgId=db3497db-8c32-4241-9c9c-4e08bf793457


    Cheers,

    J

    Later EDIT: Pls see RickCP's UPDATED INFO (January 2016) here:
    http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-vvv-extension/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=0c010b83-a5a8-441f-8950-a268dd83ea18
     
    Jsssssssss, Feb 10, 2019
    #3
  4. Files encrypted by (.ACFJKSO extension) ransomware

    Files encrypted by Extension (.ghfghfghfgh) ransomware

    Globe Ransomware will leave files (ransom notes) named How to restore files.hta but it uses a different extension so you may be dealing with a new variant or something entirely new.

    I suggest you read and follow these instructions... How to Post a Topic Asking for Help With Ransomware

    Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to the new topic you start asking for assistance. Doing that will be helpful with analyzing and investigating by our crypto experts.

    These are some common folder variable locations malicious executables and .dlls hide:

    %SystemDrive%\ (C:\)

    %SystemRoot%\ (C:\Windows, %WinDir%\)

    %Temp%\

    %AllUserProfile%\

    %UserProfile%\

    %AppData%\

    %LocalAppData%\

    %ProgramData%\
     
    quietman7 - MVP, Feb 10, 2019
    #4