March 8, 2019

Ransomware Infected my Notepad++ Files, Corrupted [Null] - Solved

Posted by Bennixville
Last week, by accident, when I opened a torrent file, malware infected my laptop. I was not sure then what kind of malware had attacked my system files and registry, but I realized my antivirus was off at the time (I had uninstalled Avast due to print spooler issues and trusted Windows Defender Security Center to protect my system, but it failed!).

So what happened was, after I opened the folder, the malware automatically injected malicious keys into the registry, hijacked my Internet Explorer and Chrome add-ons (tabs kept popping up!), sabotaged my startup programs, and, before I noticed, that B.S. also touched my precious unsaved Notepad++ files!


Now, thanks to heaven, there are tools called Ultra Virus Killer and Revo Uninstaller. Just to share how I was able to neutralize the threat, here are the things I did.

1. First, I didn't restart my laptop (I suspected that if I did, it wouldn't boot anymore because of the severity of the infection). I quit all the running programs on the desktop.
2. Installed UVK.
3. Opened the Startup tab in Task Manager and disabled the suspicious programs, which were the following:
RZOVqNXjWK9y0xcScUZiNp2TU2QFJ.vbs
nkfjyavk0q.exe
LBTETP5T6.exe
Polygen.exe
ZjdhYThjYWFlYjQwYjgz.exe
ktpdkwkry.kqpd
1bgwaz13uyl

4. After that, I ran UVK Ultra Adware Killer. It scanned all the programs on my system, the autostart applications, and the browser files. After scanning, it gave me a report in the Malware tab. I cleaned all the reported malware and reviewed all the tabs, disabling and deleting suspected entries.

5. Thanks to UVK for that. Then I installed Revo Uninstaller to start the last part of the cleaning process: the removal of the programs installed by the malware, such as Polygen, Logic Camble & Whiteclick. I used the Advanced scan to remove all malware leftovers.

How I recovered my Corrupted Notepad++ files?


Yesterday, all of a sudden, I realized I had some very important files (including social security accounts) to recover from Notepad++. I found out that all my backup files stored at C:\Users\Username\AppData\Roaming\Notepad++\backup couldn't be read when opened (they contained null characters or some Chinese text, lol). As you can see in the screenshot below, most of the files had the "CIZEMOLTJ" extension, which is not normal for a Notepad++ text file (.TXT).

So I searched the web to learn about CIZEMOLTJ, but I was surprised that nothing came up. I realized the extension was familiar to me, so I checked my partitions to find some lead and, voilà, a file named "CIZEMOLTJ-DECRYPT" caught my attention on drives C and D. I opened the text file and this is what it reads:


---=    GANDCRAB V5.1    =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .CIZEMOLTJ 
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser:   http://gandcrabmfe6mnef.onion/597858919eaabff8                     
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------                 
 
On our page, you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---

After reading the text thoroughly, I didn't panic at all. I realized GANDCRAB ransomware had infected my laptop and encrypted my files, and the wicked wanted money in exchange for getting my files recovered. Pathetic!
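As an added example (not from this post or from any tool it mentions), here is a Python triage script that automates the identification steps above for a responder: it finds the extension the files were bulk-renamed to, checks that the renamed files are no longer plain text, and reads the family banner and the announced extension from the matching EXT-DECRYPT note to confirm they agree. Only .CIZEMOLTJ, the CIZEMOLTJ-DECRYPT note name and the GANDCRAB banner come from the post; the directory layout and file contents built in demo() are constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# .CIZEMOLTJ and the CIZEMOLTJ-DECRYPT note come from the post; the rest is constructed.
FAMILY_RE = re.compile(r"---=\s*(GANDCRAB\s+V[\d.]+)\s*=---")
EXT_RE = re.compile(r"extension:\s*\.(\w+)")
KNOWN_EXT = {"txt", "exe", "vbs", "log", "ini", "bak"}

def dominant_unknown_extension(files):
    """Most common non-standard extension: ransomware renames files in bulk."""
    counts = Counter(p.suffix[1:] for p in files if p.suffix)
    return next((e for e, n in counts.most_common()
                 if e.lower() not in KNOWN_EXT and n >= 2), None)

def looks_encrypted(data):
    """Notepad++ backups are plain text; ciphertext is full of NULs and high bytes."""
    return bool(data) and sum(b == 0 or b > 0x7E for b in data) / len(data) > 0.3

def parse_note(text):
    """Pull the family banner and the announced extension out of the note."""
    fam, ext = FAMILY_RE.search(text), EXT_RE.search(text)
    return {"family": fam.group(1) if fam else None,
            "extension": ext.group(1) if ext else None}

def triage(root):
    """Collect what a responder needs: extension, note, family, damaged files."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    ext = dominant_unknown_extension(files)
    result = {"extension": ext, "family": None, "note_matches": False, "encrypted": []}
    if ext is None:
        return result
    result["encrypted"] = sorted(p.name for p in files if p.suffix[1:] == ext
                                 and looks_encrypted(p.read_bytes()))
    for note in (p for p in files if p.name.startswith(ext + "-DECRYPT")):
        info = parse_note(note.read_text(encoding="utf-8", errors="replace"))
        result["family"], result["note_matches"] = info["family"], info["extension"] == ext
    return result

def demo():
    """Constructed tree: a Notepad++ backup folder plus the note on the drive root."""
    with tempfile.TemporaryDirectory() as d:
        bk = Path(d) / "Notepad++" / "backup"
        bk.mkdir(parents=True)
        (bk / "notes.txt.CIZEMOLTJ").write_bytes(bytes(range(256)) * 4)
        (bk / "todo.txt.CIZEMOLTJ").write_bytes(b"\x00" * 64 + b"\x93\xa4" * 32)
        (Path(d) / "CIZEMOLTJ-DECRYPT.txt").write_text(
            "---=    GANDCRAB V5.1    =---\nAll your files are encrypted and have the extension: .CIZEMOLTJ\n")
        return triage(d)
```

Point triage() at the Notepad++ backup folder or a drive root; a note whose announced extension matches the bulk-renamed one is the confirmation the post reached by hand.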

How I was able to Decrypt and Recover my Files?


Knowing that GANDCRAB had infected my PC, I searched for an up-to-date anti-ransomware tool that could decrypt and clean GANDCRAB-infected files. I found the Bitdefender GandCrab decryption tool (Download Link) and downloaded it. After a 10-minute full system scan, I could freely open my files without any problem; however, the infected files were still present, so I deleted them.


Finally, I am back on track, with no more corrupt or null Notepad++ files. Thanks to the Bitdefender GandCrab Decryption Tool!