.ehiz ransomware

[ssneagle]

Hello,

So I managed to get my pc infected with some ransomware, all the files are encrypted. Got rid of the ransomware but when I tried the decryption tool it says that it's an Online Key and decryption impossible.

All the files are encrypted with .ehiz and I struggle to find any information on this, hence, because I keep hoping I will get my files back without paying the ransom, I think it is a new one. As soon as I noticed what's happening I disconnected from the internet (1min max until disconnected). Is it possible it could be an offline key but the decryption tool recognizes it as online because there are no keys available for this kind of encryption ? Pls let me know if I can provide any info or files for this.

Also, I understand that the files are encrypted on my device, but does this also mean that the criminals got a hold of my files ?



Thank you.

 

[struppigel]

Hello ssneagle,

I am Karsten and will help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.

• Read my instructions thoroughly, carry out each step in the given order.
• Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
• If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
• Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
• Back up important files before we start.
• Note: On weekends I might be slow to reply

-------------------------------------------------------------------

As soon as I noticed what's happening I disconnected from the internet (1min max until disconnected). Is it possible it could be an offline key but the decryption tool recognizes it as online because there are no keys available for this kind of encryption ?

Removing the internet connection after the ransomware has started encrypting does not help to get an offline key. The ransomware asks for the key before it starts encrypting.

Also, I understand that the files are encrypted on my device, but does this also mean that the criminals got a hold of my files ?

This ransomware does not steal or upload your files.
It is possible though, that your system additionally has another malware.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will loose some data.
3) Wait: Backup encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you need help for any of the steps 1) or 2) and if you want assistance in malware removal.

 

[struppigel]

Are you still with me? I will close this topic after 3 days.