
Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#3151 kbuon (Members, 5 posts)

Posted 15 August 2014 - 07:54 PM

Thank you to everyone who took part in decrypting the Cryptolocker program.  We had over 5,000 files that were infected back in September and I have been following this board ever since hoping that we might eventually be able to decrypt them.  Finally today, we were able to!  Thank you again!!




#3152 jono_white (Members, 4 posts)

Posted 21 August 2014 - 09:11 PM

Decrypterfixer, very good tool! Working well.

I only have 1 client where we saved the old encrypted files. Good thing too; this is a long process.

Slightly off-topic CryptoLocker registry question: I have been studying how to edit the registry using PowerShell. I see that CryptoLocker and CryptoWall use DWORDs for the files: registry value names for the files, some random number for the value. Why not just use registry strings with the file name in the string?

It can be done relatively easily. I found a PC with over 1000 entries in the CryptoLocker\Files key; once the file was ready it unlocked in around 5 minutes.

Export the keys into a batch file (here's a VBS script to do that):

 

 

' CryptoLocker: build the encrypted-file list for decryption.
' Reads the value names under HKCU\Software\CryptoLocker\Files (one per
' encrypted file, with "?" in place of "\") and writes them to Decrypt.bat.
Option Explicit
Dim objFSO, objFile, oReg, arrEntryNames, arrValueTypes, i

Const HKCU = &H80000001
Const strKeyPath = "Software\CryptoLocker\Files"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("Decrypt.bat", True)

Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
oReg.EnumValues HKCU, strKeyPath, arrEntryNames, arrValueTypes

' EnumValues leaves arrEntryNames Null when the key is missing or empty
If Not IsNull(arrEntryNames) Then
    For i = 0 To UBound(arrEntryNames)
        objFile.WriteLine arrEntryNames(i)
    Next
End If
objFile.Close
 

 

Once you have the batch file you can use the following format to unlock the files (I used the FireEye Decryptolocker tool).

Decrypt.bat

The first thing you will need to do is fix the formatting. Use the replace tool in Notepad to change ? to \, then add quotes to the start and end of all file names (I used replace for this too; be careful with file types such as doc/docx and xls/xlsx: replace the shorter extension first, then go back and fix the longer extensions).

set RSA=Paste your RSA key here. At the end of each line put a space and a caret ^, otherwise it will not use the whole key.

Do not add a caret to the last line of the key.

Use the replace tool to replace the drive letter with the following line; I'll use drive C for an example.

Replace:   "c:\
With:      echo Yes|Decryptolocker.exe --key "%RSA%" "c:\

It'll add that to all files located on C.

Example: echo Yes|Decryptolocker.exe --key "%RSA%" "C:\Users\Staff\Documents\Staff Meeting March 2013.docx"

Launch the script when finished through cmd and it will only show the files it's decrypting instead of the EULA. I'm sure someone can refine the method better, but it's quicker than scanning the entire drive, providing you have the list of infected files.
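A scripted version of the batch-building procedure in the post above, as an added example that is not part of the original post or the poster's code. It does the ?-to-\ repair, quotes every path whole (so the doc/docx and xls/xlsx ordering trap disappears), doubles % so cmd.exe does not expand it inside a file name, emits the caret-continued set RSA= block with no caret on the last line, and prefixes each line with echo Yes| as in the post. Decryptolocker.exe, its --key switch and the HKCU\Software\CryptoLocker\Files key are taken from the post; the sample value names and the key placeholder lines are constructed, and the registry read only runs on Windows (elsewhere the constructed list is used).

```python
"""Build Decrypt.bat from the CryptoLocker registry file list.

Added example following the procedure in the post above (not the
poster's code).  Decryptolocker.exe and its --key switch are taken from
the post; SAMPLE_ENTRIES and SAMPLE_KEY_LINES are constructed stand-ins.
"""
import sys

DECRYPTOR = "Decryptolocker.exe"            # decryptor named in the post
REG_KEY = r"Software\CryptoLocker\Files"    # under HKCU, as in the post's VBS

# Constructed sample value names in the form CryptoLocker writes them:
# every backslash in the path replaced by "?".
SAMPLE_ENTRIES = [
    r"C:?Users?Staff?Documents?Staff Meeting March 2013.docx",
    r"C:?Users?Staff?Documents?budget.xls",
    r"C:?Users?Staff?Documents?budget.xlsx",
    r"D:?Shares?Q1 report 100%.doc",
]

# Placeholder only: substitute the key lines decryptcryptolocker.com returned.
SAMPLE_KEY_LINES = [
    "PLACEHOLDER-KEY-LINE-1",
    "PLACEHOLDER-KEY-LINE-2",
    "PLACEHOLDER-KEY-LINE-3",
]


def registry_path(value_name):
    """Undo CryptoLocker's separator swap: '?' back to '\\'."""
    return value_name.replace("?", "\\")


def batch_quote(path):
    """Quote a whole path for cmd.exe.  Quoting the full name avoids the
    doc/docx, xls/xlsx ordering problem of extension-based replace, and
    doubling '%' stops cmd.exe expanding it as a variable reference."""
    return '"' + path.replace("%", "%%") + '"'


def decrypt_line(path):
    """One batch line: echo Yes| answers the decryptor's EULA prompt."""
    return f'echo Yes|{DECRYPTOR} --key "%RSA%" {batch_quote(path)}'


def key_lines(lines):
    """set RSA=... spread over several lines, with ' ^' on every line but
    the last so cmd.exe joins the whole key into one variable."""
    out = []
    last = len(lines) - 1
    for i, line in enumerate(lines):
        prefix = "set RSA=" if i == 0 else ""
        suffix = " ^" if i < last else ""
        out.append(prefix + line + suffix)
    return out


def build_batch(entries, key):
    """Full batch text with CRLF line endings (cmd.exe's native form)."""
    lines = ["@echo off"]            # keep the expanded key off the console
    lines += key_lines(key)
    lines += [decrypt_line(registry_path(name)) for name in entries]
    return "\r\n".join(lines) + "\r\n"


def read_cryptolocker_list():
    """Enumerate the value names under HKCU\\Software\\CryptoLocker\\Files.
    Returns [] when not on Windows or when the key is absent."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_KEY)
    except OSError:
        return []
    names = []
    with key:
        index = 0
        while True:
            try:
                name, _data, _type = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            names.append(name)
            index += 1
    return names


if __name__ == "__main__":
    entries = read_cryptolocker_list() or SAMPLE_ENTRIES
    with open("Decrypt.bat", "w", newline="") as fh:
        fh.write(build_batch(entries, SAMPLE_KEY_LINES))
```

Run it on the infected profile (the value list lives in that user's HKCU hive) and it writes Decrypt.bat next to the script; @echo off is there so the expanded key is not echoed to the console for every file. File names outside the console code page still need the usual chcp handling before cmd.exe will open them.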



#3153 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 21 August 2014 - 10:25 PM

CryptoUnlocker has been updated to utilize the CryptoLocker Database in the registry. See below...

CryptoUnlocker GUI V1.0.5.0
===============

UPDATE 08/21/2014 V1.0.6.0
==================================

With massive request, I added the ability to auto-detect the CryptoLocker Database, and only decrypt that list of files. This increases decryption time significantly, and it is much easier to perform. The link below was updated.

[image: cuguimsg.png]

This is for anyone having issues with the command line version of the CryptoLocker decrypter. It's nothing special, just commands assigned to buttons with a few things I added that I thought may help (the ability to not have encrypted .BAK files everywhere is one). For now it's binary in binary, and if I see a performance reason to convert the Python script into .NET, I will.

Hope this helps victims who don't know their way around a command prompt window.

Tool Link: CryptoUnlocker GUI

VirusTotal Link: CryptoUnlocker GUI VT

Sample Image: [WJ8V9qL.png]

 


Have you performed a routine backup today?

#3154 jono_white (Members, 4 posts)

Posted 21 August 2014 - 11:13 PM

 

Quoting Nathan (#3153): "CryptoUnlocker has been updated to utilize the CryptoLocker Database in the registry. See below... [...]"

Didn't see that update, Looks awesome , i'll give it a go next time 



#3155 Rodjon (Members, 5 posts)

Posted 22 August 2014 - 04:52 AM

Need some help please!!

I am a home user and have had all my files encrypted, and they all now have ".encrypted" file extensions. CryptoLocker was running in the Task Manager when I checked but has subsequently been removed by my AV program. I wasn't taken to a payment screen, as I would pay because I desperately need my business files.

How do I get to the payment screen if possible, or unencrypt my files? I ran an encrypted file through DecryptoLocker and it said that the file does not seem infected by CryptoLocker.

From my limited understanding of these things, it would appear that I have been infected with Trojan.Cryptolocker.H as reported by Symantec (https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-082015-3501-99), as I could see it was trying to send information to this remote location, [http://]decryptionguru.com/gate[REMOVED]; however, I think the AV was not letting it connect.

Desperate for any help please!!

 

#3156 Rodjon (Members, 5 posts)

Posted 22 August 2014 - 11:14 PM

Ok, a bit of an update on my CryptoLocker problem above.

I managed to find the CryptoLocker executable that had been quarantined and I restored it in the hope that I could connect with the payment server. When I clicked on the .exe file it tries to connect, but then the AV (which I have uninstalled) blocks the web page from loading because it is a "Dangerous Page".

I can see the program called cryptolocker running in the Task Manager but don't know what else to do. I have tried uploading an encrypted file to the Decryptolocker site but it returned the message "The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."

I assume this is because the infection process did not complete, as it was originally stopped by the AV from communicating back to the ransomware server.

Can anyone help please.



#3157 jono_white (Members, 4 posts)

Posted 22 August 2014 - 11:46 PM

Quoting Rodjon (#3156): "Ok, a bit of an update on my CryptoLocker problem above. [...] Can anyone help please."

It sounds like a different variant of CryptoLocker; I doubt Decryptolocker would have the private keys for it.

If you've removed the antivirus and it's still blocked, the site might require a browser called Tor. I don't recommend paying the ransom though; there is a chance the servers are offline already and they may not even provide the fix.



#3158 Rodjon (Members, 5 posts)

Posted 23 August 2014 - 12:03 AM

I am out of my depth here, but it seems to me that the encryption process may have been interrupted by the AV, as I never received the screen requesting payment. I was thinking that if I could run the executable without it being stopped by the AV, so that it made contact with the ransomware server, then maybe the Decryptolocker process might work. It's the only thing that I can think of, as I really need the files.



#3159 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 23 August 2014 - 01:51 AM

This sounds like either a different encryption infection than CryptoLocker or, more likely, a fake version of CryptoLocker.

Please zip up a few encrypted files, the virus exe you're trying to run, any AV logs, and any other files you think are related to the infection, and send them to decryptorbit@outlook.com or PM them to me.

Thanks.



#3160 jo project (Members, 4 posts)

Posted 25 August 2014 - 08:24 AM

Hello everybody,

 

I've read a few things about this topic, because I'm also hit by the CryptoWall virus. Is there a similar solution for this virus? I'm not really into the computer thing, so I don't have any backup files at all. All the pictures of my kids were on my PC, as well as some stuff from work; they are all encrypted now. Is there some kind of manual available with steps to follow to decrypt all the locked files?

 

thanks for the help



#3161 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 25 August 2014 - 10:41 AM

Edited:

 

Received email.  Looking through files now.


Edited by decrypterfixer, 25 August 2014 - 10:44 AM.


#3162 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 25 August 2014 - 10:47 AM

Ugh, Rodjon, please submit the zip file here:

http://www.bleepingcomputer.com/submit-malware.php

My email account is all of a sudden marking files as infections.

Simply upload your zip to the URL above.



#3163 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 25 August 2014 - 11:19 AM

Well, I can already tell this is not the original CryptoWall, nor CryptoLocker. It is also 100% reliant on the site HXXP://DecryptionGuruDotCom/Gate, which is currently down, so I cannot get it to infect me. So this analysis may take a little longer.



#3164 Nathan (DecrypterFixer; Security Colleague, 1,617 posts, Florida)

Posted 25 August 2014 - 02:35 PM

Completed a small analysis. What you have is being called TorrentLocker, which uses an AES encryption scheme to encrypt files, and wipes restore points. So far there is not much I can do, as every sample I have found is broken because of how heavily the infection relies on its C&C when they get taken down.

When I find an active sample it will be much easier to see if the encryption scheme used is secure or not.

This infection claims to be CryptoWall / CryptoLocker, but it is neither. The main EXE injects code into Explorer.exe, and then reaches out to either DecryptionGuru,Com or knowledgedbase,info to get what I would believe is the seed for encryption. If it cannot reach these sites, the infection will do absolutely nothing, which makes analysis harder. To dig deeper I will need a working dropper.

For a complete sandbox analysis for the techies on here, click below:

http://www.file-analyzer.net/analysis/4783/14343/1/html



#3165 robertch (Members, 18 posts)

Posted 31 August 2014 - 03:04 PM

Hi,

 

I tried uploading a sample CryptoLocked file to www.decryptcryptolocker.com and the screen hangs; it gives me a pop-up telling me not to turn off the page, but the file never uploads. I've tried with both a doc and a jpeg, both very small in size.

I've tried the CryptoUnlocker GUI on a folder full of locked files using the key provided in the thread link, but it isn't recognising the files as locked.

 

r

 

