We have identified the malware as a new family of ransomware.
Latest public Endpoint AM defs: 1.157.1542.0 (expect 1.157.1559.0 or higher several hours later) http://www.microsoft.com/security/portal/definitions/whatsnew.aspx
Latest Prerelease AM defs: 1.157.1542.0 (expect 1.157.1559.0 or higher several hours later) http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx
The signatures are now updated. You should be able to use Safety Scanner to detect and clean it. It does NOT clean your documents, so you will want to restore from a backup after cleaning the malware from your system.
Upon further analysis of the files that have been submitted to us for investigation, the analysts have determined that the files are encrypted with a private and public key. Unless the private key is available, the files cannot be recovered. The private key is more than likely held by the attacker. The premise of ransomware such as this is that if a person pays the ransom, a key is provided to unlock the files.
The best course of action is to clean up the malware and then restore files from a backup.
We are currently investigating an ongoing situation where users may encounter an error when trying to open Office documents.
The error can occur when opening any Office file type, not just Excel files as shown in the image below. The error says: "Cannot open the file ... because the file format or extension is not valid. Verify, that the file has not been corrupted and that the file extension matches the format of the file."
We recommend that you update the definitions in your antivirus software and run a complete scan of the affected machine(s).
When you open binary Word (.DOC) files affected by this issue, Word does not know how to open them, so you receive a File Conversion dialog as shown below.
We've had reports of it affecting Word documents, Excel files, PowerPoint files and Access databases.
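One way to inventory which files on a share need restoring, added here as an example and not a Microsoft tool: encrypted Office files no longer begin with the header their extension implies, which is why Office reports an invalid file format. The function names and the sample files are assumptions constructed for illustration; the script only identifies affected files and does not decrypt them.

```python
import os
import tempfile

# Leading bytes each Office container format is expected to start with.
ZIP = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) is a ZIP archive
CFB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE compound file (.doc/.xls/.ppt)
JET = b"\x00\x01\x00\x00Standard Jet DB"     # Access .mdb
ACE = b"\x00\x01\x00\x00Standard ACE DB"     # Access .accdb

# Password-protected OOXML files are wrapped in a CFB container, so both are valid there.
EXPECTED = {
    ".docx": (ZIP, CFB), ".xlsx": (ZIP, CFB), ".pptx": (ZIP, CFB),
    ".doc": (CFB,), ".xls": (CFB,), ".ppt": (CFB,),
    ".mdb": (JET,), ".accdb": (ACE,),
}

def header_ok(path):
    """Return True/False for known Office extensions, None for anything else."""
    magics = EXPECTED.get(os.path.splitext(path)[1].lower())
    if magics is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(32)
    return any(head.startswith(m) for m in magics)

def find_suspect_files(root):
    """Walk root and return sorted paths of Office files with an unexpected header."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("~$"):        # Office lock files, not documents
                continue
            path = os.path.join(dirpath, name)
            try:
                if header_ok(path) is False:
                    suspects.append(path)
            except OSError:                  # unreadable file: report it rather than skip
                suspects.append(path)
    return sorted(suspects)

def demo():
    """Build a constructed sample tree and return the file names flagged in it."""
    samples = {"good.docx": ZIP + b"\x14\x00", "good.xls": CFB + b"\x00" * 8,
               "protected.xlsx": CFB + b"\x00" * 8, "db.accdb": ACE,
               "bad.docx": b"\x9f\x3c" * 32, "bad.doc": b"", "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_suspect_files(root)]
```

Call `find_suspect_files()` on the share root once the malware has been removed; the returned paths are the files to restore from backup.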
Other Support Blog links
Microsoft Security Essentials http://www.microsoft.com/security/pc-security/mse.aspx
I'm having issues with this as of today. It has crippled the file server.
We have good backups, but the files soon become "corrupt" when restored.
I've run several scans to no avail.
I have also run into the problem today. Restores seem futile and scans show nothing.
Unfortunately until you can clean up the affected machine, restoring from backup will become corrupt as you have described. We are still working with our security teams and hope to have a signature available soon to detect the malware. We will continue to update this blog as new information becomes available.
Signatures Updated. See Update section in blog...
Ran updated scan. It found nothing.
I used Security Essentials after the update and was able to remove it. Stuck with a bunch of encrypted/corrupted files at the moment though :\
We're in the same boat with our file server. If anyone works on a decryption, please let me know!
We are in the same position. We have removed the virus but are hoping that someone comes up with a decryption. If someone does, please let me know as well.
We have a client that has no backup, pressure's on!
I have a client who started having the issue where they cannot open Excel or Word documents that are stored on the server. The network drive is mapped on users' computers. Whenever they try to open, let's say, a spreadsheet, they get the same error as shown above under "More Information". When I restored the file from backup, it got corrupted again. However, if I restored the backup by redirecting the location, it restored just fine and I was able to open it up just fine. I have not been able to isolate the location of corruption, but this is really a pain. Any updates?
Any news on this? I just had the same problem...
Having the same issue here when opening Microsoft Office extensions ending with x (e.g. .docx, .xlsx). We are using the business version of 2013. Found a workaround to get these open by removing the x and using the old extension (e.g. .doc, .xls). This is another nuisance in Microsoft's products and needs to be fixed. If you want us to be using this new format, you should have a fix for this! Hope this helps the ones that don't have a workaround yet.
As for Microsoft, quit changing everything and just make sure it works. The amount of time and money we have spent troubleshooting these issues, we are going to start charging you for our time!
Do we know how this exactly spreads?