We have identified the malware as a new family of ransomware.
Latest public Endpoint AM defs: 1.157.1542.0 (1.157.1559.0 or higher expected several hours later) http://www.microsoft.com/security/portal/definitions/whatsnew.aspx
Latest Prerelease AM defs: 1.157.1542.0 (1.157.1559.0 or higher expected several hours later) http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx
The signatures are now updated. You should be able to use Safety Scanner to detect and clean it. It does NOT clean your documents, so you will want to restore from a backup after cleaning the malware from your system.
Upon further analysis of the files submitted to us for investigation, the analysts have determined that the files are encrypted with a public/private key pair. Unless the private key is available, the files cannot be recovered. The private key is more than likely held by the attacker. The premise of ransomware such as this is that if a person pays the ransom, a key is provided to unlock the files.
The best course of action is to clean up the malware and then restore files from a backup.
We are currently investigating an ongoing situation where users may encounter an error when trying to open Office documents.
The error can occur when opening any Office file type, not just the Excel files shown in the image below. The error says: "Cannot open the file ... because the file format or extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file."
With PowerPoint binary files (.PPT), you will see a dialog similar to the following screenshot. We don't have OOXML samples yet but will post images once we have them.
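As an added illustration (not code from the original post), the error above is consistent with the encrypted documents no longer carrying a valid Office header. The Python script below assumes exactly that: it walks a folder and lists documents whose leading bytes no longer match their extension, so you can decide which files to restore from backup instead of trying to open them. The magic values are the standard OLE2 and ZIP signatures; the sample files it builds are constructed.

```python
import os
import tempfile
from pathlib import Path

# Expected leading bytes per extension. Legacy binary Office files (.doc/.xls/.ppt)
# are OLE2 compound documents; OOXML files (.docx/.xlsx/.pptx) are ZIP archives.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
EXPECTED_MAGIC = {
    ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC, ".ppt": OLE2_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
}


def classify_header(data, suffix):
    """'ok' if data starts with the magic expected for suffix, 'mismatch' if it
    does not (likely encrypted or damaged), 'unknown' for extensions not checked."""
    expected = EXPECTED_MAGIC.get(suffix.lower())
    if expected is None:
        return "unknown"
    return "ok" if data[: len(expected)] == expected else "mismatch"


def find_suspect_documents(root):
    """Walk root and return sorted paths of Office documents whose header no
    longer matches their extension; these are the candidates for restore."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(8)  # the longest magic checked is 8 bytes
            if classify_header(head, Path(name).suffix) == "mismatch":
                suspects.append(full)
    return sorted(suspects)


def build_sample_tree():
    """Constructed sample directory: two intact documents and one whose content
    has been replaced by opaque bytes, as an encrypted file would be."""
    root = tempfile.mkdtemp(prefix="office_triage_")
    samples = {
        "report.docx": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 40,
        "slides.ppt": OLE2_MAGIC + b"\x00" * 40,
        "budget.xlsx": bytes(range(0x80, 0x80 + 48)),  # no recognisable header
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Run `find_suspect_documents` against a real document share to get the list of files to pull from backup; an empty or zero-length file is reported as a mismatch too, since it is not a usable document either way.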
Other Support Blog links
Microsoft Security Essentials http://www.microsoft.com/security/pc-security/mse.aspx
It also is affecting PowerPoint
Signatures Updated. See Update section in blog...
Will Security Essentials be updated with these definitions?
Yes. Security Essentials should have these definitions. Just make sure your definition version matches the ones listed in the Updated section.
What about the files? Once the ransomware is removed, will we be able to reopen them?