.seto file extension recovery service
.seto virus file recovery service
Have you been hit by the "seto virus"? (your files all have .seto file extensions)
In September 2019 our company computers were infected with the .seto virus / ransomware. Although the infection was easy to detect and fairly easy to remove, recovering the encrypted files was not trivial, but we cracked it.
This "wonderful", tiny, fast pain in the @%$@ ransomware didn't just encrypt files on the infected computer, but also every mounted / shared drive it could reach without being prompted for a password.
As a result, over 6Tb of data and 350,000,000 files got encrypted.
GoogleDrive, OneDrive, DropBox, NAS and SFTP shares were all affected.
We had a backup of most data, but not the files modified in the last week or photos/videos on mobile devices.
All our recent client data was lost (encrypted).
A number of leading blue chip companies use our services without knowing it; we couldn't now say "hey, sorry, your experts have been hit with a virus"!
We put our top guy on getting a fix ASAP and fed him with all the Sambuca, Cashew nuts and Lychee juice he could drink.
Always up for a challenge he was reserved but confident a solution would be found.
Upon close inspection of the encrypted files it became clear that only the first 80kb and the last 21 bytes were affected, which explained how it was able to encrypt so many files in such a short time: it just corrupted (encrypted) the very important start of each file and tagged a "seto woz here" onto the end. It looked like AES-256 with a 2048-bit key was being used.
Upon even closer inspection, "hats off" was due to the @$^@$ who wrote and deployed it; from a technical perspective it was very neat!
Now, knowing that only the first 80kb of data was encrypted, and having backups (large and small) to go with the encrypted files, a brute-force attack on the 2048-bit key was feasible.
Inside each folder the .seto ransomware had created a file called _readme.txt where we were told to pay $980 to a Bitcoin address.
Should we pay the ransom to restore the files?
Encrypting people's files is rather illegal and one sure way to @$@@ them off. No such virus writer would want to get personally involved in one-on-one communication, and they won't want your computer sending anything to them as part of the encryption process, because it makes them easy to track. If (BIG IF) they do give you the ability to decrypt your files after you pay, then all the information needed to do so must already be stored on your computer somewhere; they cannot ask you "look here and tell me what it says" or "please send me xxx file" or "thanks for paying, attached is a decryption program"; any such process would get them caught.
Our advice is not to pay the ransom:
1) It encourages others to follow. Crime should not pay!
2) Any @@%$@ doing this to you is unlikely to care about you or your files and is likely to just laugh and keep your money.
Right, this Bitcoin address. Now, to most people that is basically an anonymous bank account, but not to us: our expert has been doing blockchain-type technology since 1986 and was quite quickly able to find the "real" @$@£% bank account the money was being transferred to, along with details of some online purchases, his LinkedIn profile, a property rental company, a few email addresses and a phone number. The LinkedIn profile and one of @@%@ websites suggested that they may have the skillset to do this, so a call was in order.
After a number of attempts over a few days to reach @@%$@ by telephone, eventually someone answered regarding renting their holiday home and the phone was then passed to @@%$@. After a short conversation, and a suggestion that we meet, he disclosed that he needed the contents of:
2) a few days
3) my email address
After looking at PersonalID.txt and seeing that the same code was present at the end of each .seto file, we knew it was @@%$@.
Brute force attack
Our guru was armed with 20 pairs of encrypted/unencrypted files of various sizes and file formats, and had a brute-force attack running to figure out the encryption algorithm used.
After a few hours of time and many kWh of electricity he had a solution that worked on all 20 test files.
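Before any recovery attempt, the first thing to establish from a handful of encrypted/original pairs is exactly which byte ranges were changed (the page reports only the first 80kb and an appended 21 bytes) and whether the per-victim ID from PersonalID.txt really sits at the end of every file. The script below is an added example, not the page's or the service's own tool: it compares each pair, measures the altered leading region and the appended trailer, and checks the trailer for the ID. The sample data is constructed in the script with a toy XOR scramble purely so that every byte in the leading region is guaranteed to differ; the 80 KiB interpretation of "80kb", the 21-byte trailer layout and the ID value are all assumptions for illustration, and nothing here depends on, or says anything about, the real cipher.

```python
# Added example (not from the original page): triage of encrypted/original file pairs.
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: "80kb" on the page read as 80 KiB. Adjust if your own samples disagree.
EXPECTED_PREFIX = 80 * 1024


@dataclass
class DamageReport:
    original_size: int
    encrypted_size: int
    changed_prefix: int   # bytes from offset 0 up to the last byte that differs from the original
    trailer: bytes        # bytes the encrypted file carries beyond the original length
    truncated: bool       # encrypted file shorter than the original (would mean real data loss)

    @property
    def within_expected_prefix(self) -> bool:
        """True if nothing beyond the expected leading region was altered."""
        return self.changed_prefix <= EXPECTED_PREFIX


def common_suffix_len(a: bytes, b: bytes) -> int:
    """Number of trailing bytes on which a and b agree."""
    n = min(len(a), len(b))
    i = 0
    while i < n and a[-1 - i] == b[-1 - i]:
        i += 1
    return i


def compare_pair(original: bytes, encrypted: bytes) -> DamageReport:
    """Locate the altered leading region and the appended trailer of one file pair."""
    n = len(original)
    body, trailer = encrypted[:n], encrypted[n:]
    changed = len(body) - common_suffix_len(original, body)
    return DamageReport(n, len(encrypted), changed, trailer, len(encrypted) < n)


def trailer_carries_id(report: DamageReport, personal_id: bytes) -> bool:
    """Does the appended trailer contain the victim ID from PersonalID.txt?"""
    return bool(personal_id) and personal_id in report.trailer


def triage(pairs: List[Tuple[bytes, bytes]], personal_id: bytes) -> Dict[str, object]:
    """Summarise a set of (original, encrypted) pairs before attempting any recovery."""
    reports = [compare_pair(o, e) for o, e in pairs]
    return {
        "files": len(reports),
        "all_within_expected_prefix": all(r.within_expected_prefix for r in reports),
        "trailer_lengths": sorted({len(r.trailer) for r in reports}),
        "all_trailers_carry_id": all(trailer_carries_id(r, personal_id) for r in reports),
        "any_truncated": any(r.truncated for r in reports),
    }


# Constructed sample values: the ID stands in for the PersonalID.txt contents and the
# trailer layout (one marker byte + ID = 21 bytes) is an assumption, not a known format.
CONSTRUCTED_ID = b"CONSTRUCTED-ID-00000"
CONSTRUCTED_TRAILER = b"\x01" + CONSTRUCTED_ID


def make_sample_pair(size: int, seed: int) -> Tuple[bytes, bytes]:
    """Build a constructed (original, encrypted) pair in which only the leading
    EXPECTED_PREFIX bytes change and a trailer is appended. The scramble is a toy
    XOR with a never-zero keystream byte so every byte in the region differs."""
    rng = random.Random(seed)
    original = rng.randbytes(size)
    cut = min(size, EXPECTED_PREFIX)          # small files are altered in full
    keystream = rng.randbytes(cut)
    scrambled = bytes(o ^ (k | 0x01) for o, k in zip(original[:cut], keystream))
    return original, scrambled + original[cut:] + CONSTRUCTED_TRAILER


if __name__ == "__main__":
    sample_pairs = [make_sample_pair(200 * 1024, 1), make_sample_pair(1000, 2)]
    for o, e in sample_pairs:
        r = compare_pair(o, e)
        print(f"size {r.original_size:>7} -> {r.encrypted_size:>7}, "
              f"changed prefix {r.changed_prefix}, trailer {len(r.trailer)} bytes, "
              f"id present: {trailer_carries_id(r, CONSTRUCTED_ID)}")
    print(triage(sample_pairs, CONSTRUCTED_ID))
```

Run it against real pairs by replacing the constructed sample with `open(path, "rb").read()` on the backup copy and its .seto counterpart. If `all_within_expected_prefix` is true and `any_truncated` is false, everything past the leading region is intact and a backup that is even slightly stale can supply the missing start for files that did not change in between; if a trailer length other than the expected one shows up, the sample set is mixed and should be looked at file by file.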
This .seto virus cost us literally thousands of pounds, but everyone was pleased to be able to get back their files.
.seto recovery service
If you are a business whose important data has been encrypted by this clever, tiny virus and your backups are non-existent (or were also encrypted), then we are happy to try to help recover your files.
First make contact with us; talk to Andrew Davies, +44 7703 184 699
We will ask you for five .seto files and the PersonalID.txt. If you have an unencrypted copy of one of the files (typically found in a Sent email folder), that greatly helps.
Once (if) we can decode your test files, we will ask for another ten .seto files. We will decode these and send them back to you as proof that we have a working solution.
This is not core business for us, but there is clearly a lack of people offering help online; we will charge our standard rates if contracted to decrypt all your files.