PieruN

Distinguished
Aug 17, 2009
5
0
18,510
Hi,
All my jpg, mp3, pdf, doc, etc. files have an .RAD extension (file_name.pdf.RAD). I formatted my PC but nothing changed. I forgot to try out the system recovery. How can I decrypt the files?
 

thejackal85

Estimable
Jan 18, 2016
145
0
4,710
If you reformatted your PC, that would have killed cryptolocker because it would have forced you to erase everything and reinstall the OS. So I don't think your first attempt was a complete format.

Cryptolocker is a nasty virus and there's really only one way around it (that I know) and that is to have backups. Especially if you're in a corporate environment. If you want the files decrypted, hopefully someone has a better answer than I do, cause if not, you'll have to pay their bitcoin thing.
 


If those files were on a secondary drive, then the files that were encrypted would remain encrypted even after a format.

Issue here is that when you format the main drive, you also likely damage the encryption key which may make restoring the files impossible even if you pay their ransom. Aside from a restore from backup, if the files were encrypted with that virus, they are gone. There is currently no way to decrypt files from that virus outside of paying the ransom and having them do it.
 


You said you formatted the PC, any info from that would have been lost in the format and re-installation of Windows. Or when you said you formatted the computer did you mean something else?
 

PieruN

Yeah, I formatted the Windows partition but I did a backup of all important personal files that were encrypted. Including the whole desktop folder. Also I noticed that the encryption did not end (in a folder are 60% encrypted jpg files and 40% not), maybe that's why the payment didn't appear?
 


If you look here https://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/ it shows you the screen you should have seen when you got infected.

It seems there was some work on this to decrypt files, but your key would need to have been stored and gotten out for it to work http://www.makeuseof.com/tag/cryptolocker-dead-heres-can-get-files-back/

The other thing is that the file extension for Cryptolocker should not be .rad but something else, a longer string. Why do you think it was an encryption virus that happened here? How do you know the files are encrypted? Did you try deleting the .RAD part and try to open the files?
 

PieruN

Deleting the .RAD extension has no effect. When I try to open the file it says it's damaged. Cryptolocker was just a thought. I didn't find any other info for this extension. Maybe it's a new mutation? I also checked my email account and there are no strange emails. So I have no idea what else it could be. What should the key look like? What name/extension? Maybe I could recover it with Recuva or another tool and save it for the future.
 


The key for Cryptolocker is not actually saved on your PC, but if you did not see the message about the files being encrypted and you just have that .RAD extension it's not likely Cryptolocker. Usually encryption keys are stored locally but not in the case of that virus.

When did you notice the files showing that extension? Did you install/uninstall/run anything right beforehand? Is the size of the files the same as it was (or at least looking to be the right size for the files, so you don't have a good quality photo jpg showing up as a 4k large file for example)?
 

PieruN

2016-02-24 ~9PM (first files were changed), 11PM (PC shutdown)
2016-02-25 don't know what time the PC was started. ~9PM last file was changed. Second drive is ATA so it's slower and on this disk the changes stopped in half of the folder with images.

I also think that it is strange that I didn't receive any "payment" options. But I don't know what else it could be.
The size of the files looks the same. I didn't install/uninstall or run any new programs this day. Only plugged in a pendrive, but this pendrive was also used on other PCs that run fine till now.

Check the screenshot I took. Sorry for the other language.

RiCp0xo.jpg


 


You have show extensions turned off, should turn them back on. It does seem like what a virus would do, I have read about them renaming files this way to hide what it is. So you can get a file like Picture.jpg but if you turn on the show extensions for known file types you will see that it's called Picture.jpg.exe and is actually a virus file you end up running.

Make sure when you are renaming the files you are actually naming them back to a .jpg and not just deleting that shown .jpg as that will not rename them properly. Install IrfanView and see if that can open those files.

Don't know how to fix this if a virus was messing with and renaming your files, maybe check around some of the anti-virus companies' forums.
 
Solution
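One way to check the question raised in the thread, whether the `.RAD` files were only renamed or had their contents changed, is to compare each file's leading bytes with the signature expected for its inner extension. This is an added example, not code from any poster; the function names, the signature table and the sample files are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes ("magic numbers") of the file types named in the thread.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
}

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path, suffix=".RAD", sample=65536):
    """Return (verdict, entropy) for one file; opens the file read-only."""
    name = os.path.basename(path)
    if name.lower().endswith(suffix.lower()):
        name = name[: -len(suffix)]          # file_name.pdf.RAD -> file_name.pdf
    inner_ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    sigs = MAGIC.get(inner_ext)
    if sigs is None:
        verdict = "unknown-type"
    elif any(head.startswith(s) for s in sigs):
        verdict = "header-intact"            # consistent with a rename only
    else:
        verdict = "header-overwritten"       # contents were changed
    return verdict, round(entropy(head), 2)

def demo():
    """Run triage on two constructed sample files (not data from the thread)."""
    samples = {
        "holiday.jpg.RAD": b"\xff\xd8\xff\xe0" + b"\x00" * 4092,  # header kept
        "report.pdf.RAD": os.urandom(4096),                       # random bytes
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            results[name] = triage(p)
    return results
```

Treat the header check as the primary signal: JPEG and MP3 data is already compressed and scores high on entropy even when untouched, and an intact header does not prove the rest of the file is unmodified.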