ransomware attack [saveyourfiles@qq.com]

posted in Viruses
Tuesday, January 28 2020, 02:23 PM
Has anyone met these ransomware [saveyourfiles@qq.com]?
They encrypted my servers. I wrote them the mail [saveyourfiles@qq.com] that was listed on my server. They demanded $ 6,000 from me. This is a very large amount but I paid it. They promised me to return my files of the servers and unlock my servers. After payment they unlocked only two files and demanded another $ 4,000 to unlock the remaining files.
In another forum I saw a similar story. After payment these guys will demand more money but they will not unlock it. Who came across these extortionists? How to get my servers back? How to return files?
Responses (1)
  • Accepted Answer

    Wednesday, January 29 2020, 06:54 AM - #permalink
    Hello RichF,

    It is unfortunate to hear that your server has been attacked by a ransomware infection. It is even more frustrating that you've lost such a huge amount of money. The problem with ransomware developers is that they not only ask for thousands of dollars, but they're also very likely to scam victims once the money is paid. It is very common for these persons to either ignore victims or to ask for even more once the initial payment is submitted. I strongly advise you not to pay these persons, because there's no guarantee that they won't ask you for a third payment and whether they will be willing to help you restore data or not.

    Now, regarding the decryption. Is there any additional information that you could provide? Have you noticed any ransom notes that have been dropped in to the system (e.g., text files, images, .hta applications, etc.)? These notes are typically titled something like "info", "decrypt_files", "decryption_instructions", "read_me", and so on so forth. I assume that the aforementioned "[saveyourfiles@qq.com]" email address has been added to the name of each encrypted file. Is there any file extension that has also been added? If you do not see any, perhaps the system option that displays actual file extensions has been disabled and you can only see the file names? Ransomware infections rarely use email addresses as the final file extension. They tend to append email addresses to filenames, however, they also tend to add a final extension, such as ".encrypted", ".crypt" or something like that. For instance, a file named "1.jpg" could be renamed to something like "1.jpg.[email_address].encrypted", etc. There are hundreds of different variations and, unfortunately, email alone is not enough to identify the infection. It is crucial to know which ransomware has encrypted your data, because only then I will be able to tell you whether you can restore it without developers' interference. File extension and ransom note would be really helpful.

    By the way, do you have any idea which executable was responsible for the infection and when did it happen? Having the malicious file would be very useful as well.
    The reply is currently minimized Show
Your Reply