Hi,
I have files encrypted by Troj/Ransom-RZ (VirusTotal).
Looking closer at these files I found that they are 8 bytes larger than the original files. 4 bytes are inserted at the start of the file depending on the original data, then 4 zero bytes. An originally empty file now reads 69 DF 22 65 00 00 00 00.
I tried removing the first 8 bytes, editing the filenames (they weren't changed by the trojan), then using the Sophos Ransom Decrypter. It partially worked. The first 4096 bytes were decrypted, but the remaining bytes stayed the same. Is that a bug in the decrypter, or would the first 8 bytes be needed for further decryption?
I have a bunch of files from this whole ordeal including the trojan if someone would have a look.
Thanks.
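Added example, not part of the original post and not the Sophos decrypter's or the trojan's code: a small Python triage script that only encodes the two observations above (a 4-byte data-dependent value followed by 4 zero bytes prepended to the file, and a decrypter output that matches the original for the first 4096 bytes). It validates the prefix before stripping it, then measures how much of a candidate output agrees with a known-good original. The tag value, the XOR used to build the constructed "encrypted" sample and the file names are assumptions for the demo; the script does not decrypt anything.

```python
"""Triage helpers for files carrying the 8-byte prefix described in the post.

Constructed example. It encodes only what the post reports: 4 data-dependent
bytes, then 4 zero bytes, prepended to content whose length is otherwise
unchanged; and a decrypter result that is correct for the first 4096 bytes.
Nothing here implements the trojan's cipher or the decrypter.
"""
import sys
from pathlib import Path

HEADER_LEN = 8
ZERO_TAIL = b"\x00\x00\x00\x00"
DECRYPTED_BLOCK = 4096  # size of the region the poster saw recovered

# The one concrete sample value from the post: an originally empty file after encryption.
EMPTY_FILE_ENCRYPTED = bytes.fromhex("69df226500000000")


def parse_header(data: bytes):
    """Return (4-byte tag, remainder) if `data` matches the observed layout.

    Raises ValueError instead of silently cutting bytes from a file whose
    layout differs, so a mis-identified sample is not damaged further.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 8-byte prefix")
    tag, zeros = data[:4], data[4:HEADER_LEN]
    if zeros != ZERO_TAIL:
        raise ValueError("bytes 4..7 are not zero; not the observed layout")
    return tag, data[HEADER_LEN:]


def strip_header(data: bytes) -> bytes:
    """What the poster did by hand: drop the 8-byte prefix, keep everything else."""
    return parse_header(data)[1]


def compare_with_original(candidate: bytes, original: bytes,
                          block: int = DECRYPTED_BLOCK) -> dict:
    """Measure how much of `candidate` already equals `original`.

    Distinguishes "recovered up to offset N" from "not recovered at all" and
    from "recovered but shifted by a few bytes" (size_delta != 0).
    """
    n = min(len(candidate), len(original))
    matched = 0
    while matched < n and candidate[matched] == original[matched]:
        matched += 1
    return {
        "size_delta": len(candidate) - len(original),  # 0 once the prefix is gone
        "matched_prefix": matched,                      # bytes equal from offset 0
        "whole_blocks_ok": matched // block,            # how many 4096-byte blocks agree
        "fully_recovered": matched == n and len(candidate) == len(original),
    }


# Constructed stand-ins for a real original and for the partially decrypted result.
ORIGINAL = bytes(range(256)) * 20                       # 5120 bytes, a bit over one block
_TAG = b"\x01\x02\x03\x04"                               # assumed value for the 4 data-dependent bytes
_SCRAMBLE = 0xA5                                         # assumed; only guarantees every byte differs
ENCRYPTED = _TAG + ZERO_TAIL + bytes(b ^ _SCRAMBLE for b in ORIGINAL)
PARTIAL = ORIGINAL[:DECRYPTED_BLOCK] + bytes(b ^ _SCRAMBLE for b in ORIGINAL[DECRYPTED_BLOCK:])


def main(argv):
    """Usage: triage.py ENCRYPTED_FILE ORIGINAL_FILE (paths are the caller's)."""
    if len(argv) != 3:
        print("usage: triage.py ENCRYPTED_FILE ORIGINAL_FILE", file=sys.stderr)
        return 2
    enc = Path(argv[1]).read_bytes()
    orig = Path(argv[2]).read_bytes()
    tag, body = parse_header(enc)
    print(f"tag={tag.hex()} stripped_len={len(body)} original_len={len(orig)}")
    print(compare_with_original(body, orig))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a decrypter output and a backup copy of the same file: a `size_delta` of 0 with `matched_prefix` of 4096 is exactly the partial result the post describes, while a non-zero `size_delta` means the prefix (or something else) was not removed cleanly.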