I've been infected by the same virus as the OP in this thread:http://www.bleepingcomputer.com/forums/t/556721/fbi-ransomware-new-variation-canadian/
I'm unable to reply in that thread so am starting a new one:
I just got hit by this exact virus. Lost all my family photos for the past 10 years and all my music and other documents. There doesn't seem to be much info about this variant on the web.
After getting the ransom page, I was able to remove the virus from my system and din't realize that all my documents were encrypted and renamed with an exe extension until 2 days later because it reconfigures windows explorer to hide the file extension. So what I did then is I installed a virtual machine to try to run one of the exes. The interesting thing is that it seems that if you run one of the exes on an uninfected machine, it decrypts the file and restores the original while at the same time reinstalls the virus again.
I tried writing a shell script to iterate over the exes, open them and immediately kill the 3 resulting virus processes but eventually the virus installs itself on the system after which point the exes don't get decrypted when opened. Since initially, the VM was free from the virus, it seems that whatever key information is required to decrypt the exe, it is embedded in the exe itself. So hopefully, it should be possible to decrypt the files without having to pay the ransom to get the key but so far I haven't found a way to do it without executing the exe and am not sure how to proceed further.
Back to top
