
Crypto Locker


  • This topic is locked
2 replies to this topic

#1 PeteSLMorgan

  • Members
  • 4 posts

Posted 09 September 2013 - 03:02 PM

Please see this topic for more information about CryptoLocker: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/


I have a client with the Crypto Locker infection (appears to have been infected on 9/5). We have the infection removed but the files, as reported elsewhere by others, are still encrypted. We have the exe file as well as the registry entries.

The exe is {F204796C-EB9D-E0C9-83C2-EAD1D6F29CC2}.exe which is a different UUID from what was reported elsewhere.

The registry entries contain a DWORD entry for each encrypted file along with the public key used to encrypt and a version string.

We can also upload sample encrypted files if necessary.

The files infected are any Office or WordPerfect document on the local drive and mapped drives.

Looking for help on decryption of the files. Fabian's tools did not find/decrypt the files.


#2 PeteSLMorgan

  • Topic Starter
  • Members
  • 4 posts

Posted 10 September 2013 - 06:13 AM

The "VersionID" in the registry may be the private key.  It appears to be about the right length and is binary.  I was able to restore all server-side files using shadow copy restores.  However, we still need to decrypt the user's local files.
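The two posts above describe a recovery workflow rather than a decryption: the infection leaves a per-file list in the registry, and pre-infection copies can be pulled back from Volume Shadow Copies. The script below is an added example written for this thread, not a tool from the poster or from BleepingComputer; it turns that list into an inventory and restores each inventoried file from the newest shadow copy created before the infection date. It assumes the registry key path and that each value's name is the original file path (the thread gives neither), and it must be run elevated on the affected workstation.

```powershell
# Added example, not code from this thread. Rebuilds the per-file list the first
# post describes from the registry and pulls pre-infection copies of those files
# from a Volume Shadow Copy, the approach the second post used for the server.
# Run elevated. ASSUMPTIONS (not stated in the thread): the exact registry key
# holding the list, and that each value's name is the original file path.
param(
    [Parameter(Mandatory)] [string]   $RegistryKey,      # e.g. 'HKCU:\Software\<key found on the host>\Files'
    [Parameter(Mandatory)] [datetime] $InfectionDate,    # only shadow copies older than this are trusted
    [string] $RecoveryRoot = 'C:\Recovery\PreEncryption'
)
New-Item -ItemType Directory -Path $RecoveryRoot -Force | Out-Null

# 1. Inventory: one registry value per encrypted file (DWORD data, path in the value name).
$inventory = foreach ($name in (Get-Item -Path $RegistryKey).GetValueNames()) {
    $path = $name -replace '\?', '\'      # assumption: separators may be stored as '?'
    [pscustomobject]@{ Path = $path; Drive = $path.Substring(0, 2).ToUpper(); OnDisk = Test-Path -LiteralPath $path }
}
$inventory | Export-Csv -LiteralPath (Join-Path $RecoveryRoot 'inventory.csv') -NoTypeInformation

# 2. For each local drive in the inventory, pick the newest shadow copy taken before infection.
$volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
foreach ($drive in ($inventory.Drive | Sort-Object -Unique)) {
    $vol = $volumes | Where-Object DriveLetter -eq $drive
    if (-not $vol) { Write-Warning "$drive is not a local volume (mapped drives are restored on the server)"; continue }
    $shadow = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $InfectionDate } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $shadow) { Write-Warning "No pre-infection shadow copy for $drive"; continue }

    # Expose the snapshot through a directory symlink; Copy-Item cannot open the raw device path.
    $letter = $drive.Substring(0, 1)
    $link   = Join-Path $env:TEMP "vss_$letter"
    cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy the pre-encryption version of every inventoried file into the recovery tree.
    foreach ($item in $inventory | Where-Object Drive -eq $drive) {
        $relative = $item.Path.Substring(3)                        # strip 'C:\'
        $source   = Join-Path $link $relative
        $target   = Join-Path $RecoveryRoot (Join-Path $letter $relative)
        if (Test-Path -LiteralPath $source) {
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $source -Destination $target
        } else { Write-Warning "Not in snapshot: $($item.Path)" }
    }
    cmd /c rmdir "$link" | Out-Null                                # removes only the symlink, not the snapshot
}
```

Files reported as "Not in snapshot" were created or moved after the last pre-infection shadow copy and need another source such as backups; the inventory CSV also gives the count of affected documents for the incident record.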



#3 Casey_boy

    Bleeping physicist

  • Malware Response Instructor
  • 7,448 posts
  • Location:USA

Posted 10 September 2013 - 09:18 AM

Hi PeteSLMorgan,

Unfortunately, there is currently no way for us to decrypt those files. For information about Cryptolocker, please have a look at this post:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/?p=3153406

Casey

Edited by Casey_boy, 10 September 2013 - 09:19 AM.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.






