Hello and greetings,
I've been recently attacked by the "Ransom virus" that changed the extensions of my huge multimedia archive files into something like .derp and .nakw ..
Of course all attempts (including renaming) to restore files failed, .. but I noticed that one file type (.ts files, I don't know why) has survived the attack and renaming did actually work with those files and I've been capable of restoring them by simply renaming them to their original extension ..
THE ISSUE:
I have so many .mkv videos that are originally .ts files recorded from sat, and the only thing I did when converting them by mkvtoolnix is change the aspect ratio from 16:9 to 4:3, but renaming didn't work with them ..
So I'm just wondering ..
* If .mkv is just a container, why didn't renaming work as it did in the case of .ts?
* Will breaking .mkv down to its components work?
I tried extracting by MKVExtractGUI, with no luck because it can't even open the files .. any suggestions or information?!
-
The malware most likely encrypts files based on extension. The contents are irrelevant.
You could research the malware to get a better description of its activities.
-
Seems as if some files were just renamed while others were renamed and encrypted. Can certainly try opening the files in mediainfo, to see if it recognizes it as a valid media file.
You can also use a hex editor (e.g. HxD) and look at the header (here you can see a known good file, and mediainfo report in text view).
Have you looked for instructions on how to remove the malware and have you tried any of the decrypt tools available?
Code:
General
Unique ID : 77655898386848257619037159723377766817 (0x3A6BFB64C154D0BEEE5EC1B22D4E31A1)
Complete name : C:\Users\davex\Desktop\Beatles_Rock-Band.mkv
Format : Matroska
Format version : Version 4
File size : 40.8 MiB
Duration : 2 min 47 s
Overall bit rate : 2 040 kb/s
Encoded date : UTC 2019-11-28 21:37:31
Writing application : mkvmerge v34.0.0 ('Sight and Seen') 64-bit
Writing library : libebml v1.3.7 + libmatroska v1.5.0 / Lavf58.10.100

Video
ID : 1
Format : AVC
Format/Info : Advanced Video Codec
Format profile : High@L3.1
Format settings : CABAC / 2 Ref Frames
Format settings, CABAC : Yes
Format settings, RefFrames : 2 frames
Codec ID : V_MPEG4/ISO/AVC
Duration : 2 min 47 s
Bit rate : 2 006 kb/s
Width : 1 280 pixels
Height : 720 pixels
Display aspect ratio : 16:9
Frame rate mode : Constant
Frame rate : 29.970 (30000/1001) FPS
Color space : YUV
Chroma subsampling : 4:2:0
Bit depth : 8 bits
Scan type : Progressive
Bits/(Pixel*Frame) : 0.073
Stream size : 40.1 MiB (98%)
Writing library : x264 core 155 r2901
Encoding settings : cabac=1 / ref=2 / deblock=1:0:0 / analyse=0x3:0x133 / me=hex / subme=7 / psy=1 / psy_rd=1.00:0.00 / mixed_ref=0 / me_range=16 / chroma_me=1 / trellis=1 / 8x8dct=1 / cqm=0 / deadzone=21,11 / fast_pskip=1 / chroma_qp_offset=-2 / threads=6 / lookahead_threads=1 / sliced_threads=0 / nr=0 / decimate=1 / interlaced=0 / bluray_compat=0 / constrained_intra=0 / bframes=3 / b_pyramid=0 / b_adapt=1 / b_bias=0 / direct=0 / weightb=1 / open_gop=0 / weightp=2 / keyint=299 / keyint_min=29 / scenecut=40 / intra_refresh=0 / rc_lookahead=40 / rc=crf / mbtree=1 / crf=20.0 / qcomp=0.60 / qpmin=10 / qpmax=69 / qpstep=4 / vbv_maxrate=2000 / vbv_bufsize=14000 / crf_max=0.0 / nal_hrd=none / filler=0 / ip_ratio=1.40 / aq=3:1.00
Default : Yes
Forced : No
Color range : Limited
Color primaries : BT.709
Transfer characteristics : BT.709
Matrix coefficients : BT.709

Audio
ID : 2
Format : AC-3
Format/Info : Audio Coding 3
Commercial name : Dolby Digital
Codec ID : A_AC3
Duration : 2 min 47 s
Bit rate mode : Constant
Bit rate : 32.0 kb/s
Channel(s) : 2 channels
Channel layout : L R
Sampling rate : 44.1 kHz
Frame rate : 28.711 FPS (1536 SPF)
Bit depth : 16 bits
-
Thank you for your concern ..
As for the virus, I've already removed it and installed a new system .. but after a prolonged search, I couldn't find any effective way to repair the files, and there is no available decrypting tool for .derp and .nakw extensions, at least for now ..
As for the encrypting process, I have an internal drive with 2 partitions and two external drives and the surviving files were on all of them, so I don't think it is a matter of time ..
Unfortunately mediainfo doesn't show much information about the encrypted files.
[Attachment 50982]
-
To be sure, download and use HxD, open the file, and look for the header right at the beginning, similar to my post above.
https://mh-nexus.de/en/hxd/
Your mediainfo report above means that the program was not able to recognize the file as a media file at all.
-
Here's the HxD report:
[Attachment 50984]
-
Based on that, I would say the file is encrypted and unless you can find a decryption tool they are lost.
Let me ask you this - what antivirus did you have installed when you were infected with the ransomware?
-
None, I had none of them .. for many years I stopped using antiviruses because I didn't benefit much from that, all they do is catch patches and cracks and make the system slower .. and I didn't even need them since nothing wrong happened all that time and it was just a stupid move from me when seeking an IP-changing software and I went crazy following ads to download that software ..
But the infection and antivirus are not our concern now, don't you think? I actually lost hope for most of the infected files till I noticed renaming works with .ts files so I thought maybe it would somehow work with those .mkvs which are (I thought) only containers for former .ts files ..
Or have you a plan by asking that question?!
-
No plan, just asked out of interest, I often follow things A/V related. If you're running a recent version of Windows, you should at least turn on Windows Defender.
Have you joined the forum at https://www.bleepingcomputer.com/ ? They have a good malware-assistance forum, you should check it to see if there are any developments regarding your problem.
Based on what you said about .ts files not being damaged, just renamed, I think it's just luck. By the sound of it, the malware was written to encrypt some, based purely on the existing file extension. Being a .ts inside an MKV now, does not help you.
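Added example, not part of any post in this thread: the header check done above by eye in HxD, automated so a whole archive can be sorted into "only renamed" and "content overwritten". The function names and sample byte strings are constructed for illustration; the magic values are the Matroska EBML header and Cluster IDs and the MPEG-TS sync byte.

```python
import hashlib
import math
from collections import Counter

EBML_MAGIC = b"\x1a\x45\xdf\xa3"   # first four bytes of a Matroska/WebM file
CLUSTER_ID = b"\x1f\x43\xb6\x75"   # Matroska Cluster element ID (media payload)
TS_SYNC, TS_PACKET = 0x47, 188     # MPEG-TS sync byte and packet length

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 looks random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ts(data: bytes, packets: int = 5) -> bool:
    """True when the sync byte recurs every 188 bytes from offset 0."""
    if len(data) < TS_PACKET * packets:
        return False
    return all(data[i * TS_PACKET] == TS_SYNC for i in range(packets))

def triage(data: bytes) -> dict:
    """Classify content by its bytes, ignoring whatever extension it has."""
    kind = ("matroska" if data.startswith(EBML_MAGIC)
            else "mpeg-ts" if looks_like_ts(data) else "unrecognized")
    # Compressed video is high-entropy too, so entropy only supports the header
    # verdict. A Cluster ID deep in an unrecognized file hints at partial damage.
    return {"kind": kind, "head_entropy": round(entropy(data[:4096]), 2),
            "first_cluster": data.find(CLUSTER_ID)}

def triage_file(path: str, limit: int = 8 * 1024 * 1024) -> dict:
    """Run triage() on the first `limit` bytes of a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read(limit))

def constructed_samples() -> dict:
    """Synthetic byte strings built for this example, not real media."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "good.mkv": EBML_MAGIC + b"\x00" * 60 + CLUSTER_ID + b"\x00" * 100,
        "renamed.ts": (bytes([TS_SYNC]) + b"\x00" * 187) * 6,
        "scrambled": noise,
        "scrambled_head": noise + CLUSTER_ID + b"\x00" * 100,
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob))
```

Run it against copies of the affected files, never the only surviving originals. A four-byte Cluster ID match can occur by chance in a large file, so treat `first_cluster` as a lead to confirm in a hex editor rather than proof that the payload is intact.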