Need Help Identifying Ransomware!!! URGENTLY!

Jared

Administrator
Staff member
I have a client hit with a ransomware virus that encrypted all his data and converted it all to the following format:

(filename)[email protected]

I know this is a Russian virus, and I know that the BAA14811 part is the unique infection ID. However I've been unable to find the HTML files it generates upon completion. Perhaps the virus never completed its work. Anyway, the client's entire law firm is stored on this drive, all backups failed, so they are willing to pay.

Anyone know where the website to pay this ransom is? Or have a sample HTML file from one like this?

Many thanks!
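The first step a responder takes with a tree like this is to inventory what the malware left behind before hunting for the note: which infection IDs and contact addresses appear in the renamed files, which trailing extension was appended, and whether a note (typically a small HTML or TXT file dropped with the same name into many folders) survived anywhere. The script below is an added example, not code from the original thread. It assumes, since the suffix in the post above was garbled, that each encrypted name carries an 8-character uppercase hex infection ID (such as BAA14811) and the attacker's contact e-mail (local part without dots, single-label domain), and the sample paths, the `decrypt_help@example.com` address and the `.xtbl` extension are constructed for illustration, not taken from the post.

```python
"""Triage a recovered share for ransomware artefacts.

Added example, not from the original thread. Assumptions (the page does not
state them): the renamed files contain an 8-char uppercase hex infection ID
(e.g. BAA14811) and the attacker's contact e-mail; ransom notes are small
.html/.txt files dropped with the same name into many directories.
"""
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Infection ID: 8 uppercase hex characters not glued to other alphanumerics.
ID_RE = re.compile(r"(?<![0-9A-Za-z])([0-9A-F]{8})(?![0-9A-Za-z])")
# Contact address: simplified on purpose (no dots in the local part, one
# domain label plus TLD) so the trailing extension is not swallowed.
EMAIL_RE = re.compile(r"[A-Za-z0-9_%+-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}")
NOTE_EXTS = {".html", ".htm", ".txt"}


def parse_encrypted_name(name):
    """Return (infection_id, contact_email, trailing_extension) for a renamed
    file, or None when the name carries no ID/e-mail pair."""
    ids = ID_RE.findall(name)
    emails = EMAIL_RE.findall(name)
    if not ids or not emails:
        return None
    return ids[-1], emails[-1], PurePosixPath(name).suffix.lower()


def triage(paths, min_dirs=3):
    """Summarise a list of file paths (strings) recovered from the share:
    count encrypted files per ID/e-mail/extension and flag note candidates
    (non-encrypted .html/.txt names present in at least min_dirs folders)."""
    ids, emails, exts = Counter(), Counter(), Counter()
    note_dirs = defaultdict(set)
    encrypted = 0
    for p in paths:
        path = PurePosixPath(p)
        parsed = parse_encrypted_name(path.name)
        if parsed:
            encrypted += 1
            ids[parsed[0]] += 1
            emails[parsed[1]] += 1
            exts[parsed[2]] += 1
        elif path.suffix.lower() in NOTE_EXTS:
            note_dirs[path.name].add(str(path.parent))
    notes = sorted(n for n, d in note_dirs.items() if len(d) >= min_dirs)
    return {
        "encrypted_files": encrypted,
        "infection_ids": dict(ids),
        "contact_emails": dict(emails),
        "extensions": dict(exts),
        "candidate_notes": notes,
    }


# Constructed sample tree (not from the post); ID, e-mail and extension are
# illustrative assumptions.
SAMPLE_PATHS = [
    "/share/clients/acme/contract.docx.id-BAA14811.decrypt_help@example.com.xtbl",
    "/share/clients/acme/README.html",
    "/share/clients/beta/brief.pdf.id-BAA14811.decrypt_help@example.com.xtbl",
    "/share/clients/beta/README.html",
    "/share/finance/ledger.xlsx.id-BAA14811.decrypt_help@example.com.xtbl",
    "/share/finance/README.html",
    "/share/finance/notes.txt",
    "/share/it/install.log",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

On a real recovery image, feed `triage()` the output of `os.walk()` over the mounted share; a single infection ID across every file, together with one contact address, is what lets you match the family and the campaign against an identification service, and the note candidates list tells you which folders to look in even when the file table is damaged.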
 

Jared

Administrator
Staff member
OK, looks like you have to actually email these guys. That explains why I can't find any reference to a website.
 

Jared

Administrator
Staff member
jol said:
Jared said:
Perhaps the virus never completed its work
Make a clone of the drive or save what's left to save, and let it complete

Unfortunately this was a VM, and a foolish tech accidentally cloned some data the wrong way, wiping out the VMFS file table and the beginning of the VMDK file. Only by analyzing the NTFS was I able to build a partial file/folder structure. Besides, the drive I have wasn't even the infected machine, just all the network shares that it took out.
 

Jared

Administrator
Staff member
I tried that and it can't help with encryption. However it does ID it as Troldesh. Oddly it took a few files before it recognized which one it was.
 

jol

Member
Jared said:
and a foolish tech accidentally cloned some data the wrong way wiping out the VMFS file table and beginning of the VMDK file.
:( Every mistake that could be made was made?! Very unfortunate.
 