Family photos encrypted by ransomware - Help needed ASAP! 22 December 2022 at 3:07PM in Techie Stuff 9 replies 595 views

Leezy_Weezy

Hi there,

Is anyone able to help me please? I have just looked at my external Terramaster drive for photos of my Mom but all files on there have a new extension (.LOCK3D) and every folder also contains a 'readme.txt' file which states that all my files have been locked and I am to follow their instructions to send money. I am really distraught because I wanted some photos of my Mom to put into her coffin as she sadly passed away from cancer 2 weeks ago, and her funeral is next week! I cannot believe the year I've had... my best friend passed away from Covid in January and after winning a court case to get back £5500 from an airline company who refused my refund, they never paid me and it cannot be enforced because they have stopped operating in the UK and now I get this!! The ransom instructions demand I buy Bitcoins to the value of £2000 and send it to another Bitcoin address. If I don't do this in 4 days the payment increases to £4000!! I really cannot afford to send anything as although I work full-time, I have two very young children to provide for. I have tried to find information online about this but google comes up with nothing other than to try well known antivirus companies that also deal with 'ransomware.' I have had no luck with them either. Can anyone out there PLEASE help me? I am a total wreck atm.

Thank you in advance.

Neil_Jones

Might not be a lot you can do unless you have another backup that wasn't connected to the computer at the time.

This is how ransomware works, your key files are encrypted in some extremely secure fashion that in some cases dependent on the variant you have picked up is almost unbreakable.

https://id-ransomware.malwarehunterteam.com/ might be of interest.  It won't help you with your files on its own but it'll hopefully tell you what it is you've picked up and whether there is an easy way out.  No guarantees.

Don't pay anybody anything especially in Bitcoins - it doesn't guarantee anything.

facade

Avast have free tools that can work with some ransomware, once you know what it is.

https://www.avast.com/en-gb/ransomware-decryption-tools#pc

I guess you don't leave the original photos on the camera, I just buy a new card when one fills up.

If they were taken with a 'phone, some phones automatically back up all photos to "The Cloud"

Olinda99

Just to say - if you do have a backup somewhere don't even consider plugging it into that computer

Keep_pedalling

It may be possible to recover some of the files but the first thing you need to do is clear you PC of the virus.

https://malwaretips.com/blogs/remove-locked-ransomware-virus/

tallmansix

Have you got snapshots enabled? If so you may have previous copies of the unencrypted files available? But before you restore from snapshot - be very carefully because they will be instantly encrypted again if you don't remove the malware first.

I think some of the answers above are thinking you have ransonware on your PC, but it is almost certainly running on the Terramaster NAS under the TOS system (would be useful if you mentioned the device model) and therefore most of the above methods aren't of much use.

I'm guessing you don't have any of this data backed up elsewhere as the simplest thing to do is factory reset the Terramaster, and upgrade to latest TOS version.

The malware is still on your device so it is important to disconnect it from the internet as soon as possible to prevent it spreading any further. Probably best to power it off for now and await a possible solution in the future if you don't want to wipe it.

There is currently no fix for this, there is a lot of chatter on the Terramaster forums but so far nobody has come up with a decryption method.

https://forum.terra-master.com/en/viewtopic.php?f=6&t=3940

https://forum.terra-master.com/en/viewtopic.php?f=6&t=2877

GDB2222

So sorry that mum died. 

Please do not send any money to these villains. Just leave the NAS powered off, in the hope you can get it decrypted one day. 

halfamo

There is a youtube user named DiskTuna who works with corrupt files. I had some which a friend of hubs had sent me to play with and he tried to help with decrypting one for me. It was too far gone unfortunately as it was a disk error not a ransomware thing.
However he is quite knowledgeable about the software  that is out there and could possibly suggest ways to get them back.
He does reply to questions.
He has his own software too which he shows himself using but he doesn't hard sell .

J_B

Not sure if these folks could help?

https://www.cheadledatarecovery.co.uk/

Olinda99

I think it is true to say that the disk itself isn't faulty, it is just that everything on it is encrypted.

Without the decryption key it will remain encrypted.