Crypto Locker Malware Removed - Files Still Encrypted!


  • This topic is locked
5 replies to this topic

#1 FuZZuk

FuZZuk

  • Members
  • 4 posts

Posted 09 September 2013 - 10:20 AM

Please see this topic for more information about CryptoLocker: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/


A friend's machine has been attacked by the Crypto Locker ransomware.
 
The infection - and all traces - have been removed so there's no further danger of damage or infection.
 
But his docs are still encrypted....
 
This has affected all .doc and .xls files in both the local user Docs and remote shared folders - essentially everything he's been working on for the last 10 years!
 
 
 
I've checked other posts regarding decryption ( http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/ ) and tried the tools made by Fabian, but no luck.
 
I have the following available for upload:

  • The Crypto Locker registry entries (including the list of encrypted files)
  • The main Crypto Locker executable - called {DAEB88E5-FA8E-E0D1-8FCD-AFD9DAE5ED25}.exe originally.
  • Examples of the encrypted files that can be played with.
Is there any way to decrypt the files or has he lost everything?
 
He's using Windows XP Pro, and hopes someone can help.

Edited by Grinler, 11 September 2013 - 12:54 PM.
Added link to main information topic.



#2 FuZZuk

FuZZuk
  • Topic Starter

  • Members
  • 4 posts

Posted 09 September 2013 - 12:46 PM

This is actually worse than I originally thought.... Crypto Locker has scanned the ENTIRE system, including remote shared folders, and 'encrypted' every file with standard Office extensions - including images!

 

Almost 3000 files in total.

 

All cannot be opened.

 

The malware actually had a countdown - which has now expired. We didn't want to pay the ransom anyway - for obvious reasons - but we are really in trouble.

 

Malware I can remove with 100% success, but this deliberate corruption of files is a real problem I'm helpless to deal with.



#3 FuZZuk

FuZZuk
  • Topic Starter

  • Members
  • 4 posts

Posted 09 September 2013 - 03:25 PM

I've had a closer look at some of the damaged files and they don't seem to be encrypted using EFS; the cipher command shows the files as unencrypted.

 

So CryptoLocker must be using some custom algorithm.

 

Essentially... we need a genius to sort this - this is well outside of my skillset.

 

I can supply the malware executable, the malware registry entries, and example corrupted files if anyone fancies a challenge.

 

:)
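A defender-side triage script, added here as an example and not something posted in the thread: it walks a directory (or a mounted share) and separates files that still carry the signature their extension implies from ones whose headers have been overwritten with high-entropy data, which is how a name-based count like the "almost 3000 files" above can be confirmed without trying to open each file. The signature table and the 7.0 bits-per-byte threshold are assumptions chosen for this example.

```python
import math
import os
from pathlib import Path

# Magic bytes for the extensions reported in the thread (assumed set of types).
SIGNATURES = {
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    ".xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".docx": [b"PK\x03\x04"],                       # OOXML is a ZIP container
    ".xlsx": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; close to 8.0 means uniformly random (ciphertext)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(header: bytes, ext: str) -> str:
    """'intact' (signature present), 'damaged' (signature gone and header random)
    or 'unknown' (unlisted type, or too short/structured a header to judge)."""
    sigs = SIGNATURES.get(ext.lower())
    if sigs is None:
        return "unknown"
    if any(header.startswith(s) for s in sigs):
        return "intact"
    return "damaged" if shannon_entropy(header) > 7.0 else "unknown"

def scan(root: str, read_len: int = 4096) -> dict:
    """Walk root (a local folder or a mounted share) and bucket every file of a
    listed type by its classification; only the first read_len bytes are read."""
    report = {"intact": [], "damaged": [], "unknown": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SIGNATURES:
                continue
            try:
                with open(p, "rb") as fh:
                    header = fh.read(read_len)
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            report[classify(header, p.suffix)].append(str(p))
    return report
```

Run `scan(r"\\server\share")` or `scan("C:/Documents and Settings")` and compare `len(report["damaged"])` against the file list the malware left in the registry; files under a few hundred bytes land in "unknown" because entropy is not meaningful for short samples.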



#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Instructor
  • 7,345 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 September 2013 - 09:02 AM

Hi FuZZuk,

 

Unfortunately, there is currently no way to decrypt those files. For more information please read this post: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/?p=3153406

Casey


If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 FuZZuk

FuZZuk
  • Topic Starter

  • Members
  • 4 posts

Posted 10 September 2013 - 05:18 PM

Looks like offline backup is the only protection.

 

Just like it always has been....

 

:)



#6 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Instructor
  • 7,345 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 September 2013 - 02:33 AM

That's your safety net.

This infection seems to be spread through an email attachment, so scanning incoming emails and training yourself/staff not to open unknown attachments is the protection.

I'll close this topic now - if you have any questions, it's best to post them in the thread I linked to.

Casey
