
Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#346 dangoo

  • Members
  • 4 posts

Posted 19 September 2013 - 07:31 AM

mattysyr, on 19 Sept 2013 - 2:58 PM, said:

dangoo, on 19 Sept 2013 - 2:23 PM, said:


We paid the ransom 12-14 hours ago and let the application run overnight. In the morning we found that the private key had been downloaded and the decryption had started.


But it is NOT decrypting. The message is:


"Failed to decrypt a previously encrypted file "Z\...\aaa.xls Perhaps the file maybe damaged or used by another process."


And this happens for ALL FILES.


The files are located on a mapped share. I restarted the file server, and I checked whether there are processes accessing the files; there are none.


PLEASE HELP!


Screen Capture: [screen_capture.jpg]

Did you move the data? Unmap network drives? Change permissions?
Make sure you can browse to the data from the PC; if you can't, the decrypter can't either...


No, I did not move the data. I didn't touch the mappings or permissions. And yes, the data can be browsed.

The disks on the file server are in a mirrored RAID. I did a sector-by-sector clone of a disk and then reintroduced the original disk into the server. I realized from the beginning that it is not good to change anything in the configuration, data, etc. I did everything on another computer, with the file server turned off. After the restart everything was normal, no RAID replication or other things.

(I did the clone to check whether un-delete helps, but it doesn't.)

Now the application is running. If I hit "Cancel" it skips to the next file, but with the same error.

I don't know if it is a good idea to try restarting the PC. What if something on this PC is blocking the files? The question is, will the decryption restart?

Edited by dangoo, 19 September 2013 - 07:49 AM.
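An added check, not part of dangoo's post and not code from the decryptor, that reproduces on every file what a decryptor needs: opening it for read and write with no sharing. A file that fails with an IOException is held open by something else (another process, an on-access scanner, or a handle another client still holds on the file server); one that fails with UnauthorizedAccessException is a permission or read-only-attribute problem rather than a lock, which the decryptor's "damaged or used by another process" message does not distinguish. The root path is an assumed mapped drive letter; run the script as the same user that runs the decryptor, from the same PC.

```powershell
# Added example, not from the thread or the decryptor. Placeholder: set $Root to the
# real mapped share, and run as the same user the decryptor runs as.
param(
    [string]$Root = 'Z:\'
)

function Test-FileExclusive {
    param([System.IO.FileInfo]$File)
    try {
        # Open read/write with FileShare.None, the strictest mode: anything else holding
        # the file open (another process, a scanner, a stale SMB handle) makes this fail.
        $fs = [System.IO.File]::Open($File.FullName,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return 'ok'
    } catch [System.UnauthorizedAccessException] {
        # NTFS or share permission denies write access, or the read-only attribute is set
        return 'access-denied'
    } catch [System.IO.IOException] {
        return 'locked'
    } catch {
        return "error: $($_.Exception.GetType().Name)"
    }
}

$results = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            ReadOnly = $_.IsReadOnly
            Status   = Test-FileExclusive $_
        }
    }

$bad = @($results | Where-Object { $_.Status -ne 'ok' })
$bad | Format-Table -AutoSize
"{0} files checked, {1} not openable for exclusive read/write" -f @($results).Count, $bad.Count
```

If the report shows "locked" entries, look at the handles on the file server side rather than the client: Get-SmbOpenFile (Windows Server 2012 and later) lists files opened over the share and Close-SmbOpenFile -Force releases them; on older servers, openfiles /query does the listing. If it shows "access-denied" entries, clear the read-only attribute or fix the share/NTFS permissions before resuming the decryptor.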



#347 kentiler

  • Members
  • 2 posts

Posted 19 September 2013 - 07:56 AM

I'd like to take a look specifically at the Crypto Locker virus.  I know this is a weird request, but can someone email me a zipped copy of the virus, forward me the original email they received with the virus, or send me a link where they know it's still on a website?

 

Thank you!

 

--Kent



#348 dangoo

  • Members
  • 4 posts

Posted 19 September 2013 - 08:06 AM

kentiler, on 19 Sept 2013 - 07:56 AM, said:

I'd like to take a look specifically at the Crypto Locker virus. I know this is a weird request, but can someone email me a zipped copy of the virus, forward me the original email they received with the virus, or send me a link where they know it's still on a website?

Thank you!

--Kent

I can send you the email which I suspect to have come with CryptoLocker.

Also I can send you the exe file located in AppData/Roaming and the Registry entry from the infected PC with the public and (now) private keys. Any idea how to send them?


Edited by dangoo, 19 September 2013 - 08:16 AM.


#349 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 19 September 2013 - 09:12 AM

You can find the file at KernelMode (registration required for download).


regards, Elise



Malware analyst @ Emsisoft


#350 computerdoc

  • Members
  • 1 posts

Posted 19 September 2013 - 10:01 AM

Client called me 9/8/13; they had this ransomware. I removed the registry entries per a YouTube video, but the files were still encrypted. I was out of town till 9/17/13, had been following this thread, and successfully used Shadow Explorer to recover files from 9/6/13. Thanks to all who contribute!

#351 doyle_45

  • Members
  • 3 posts

Posted 19 September 2013 - 11:51 AM

 

dangoo, on 19 Sept 2013 - 08:06 AM, said:

kentiler, on 19 Sept 2013 - 07:56 AM, said:

I'd like to take a look specifically at the Crypto Locker virus. I know this is a weird request, but can someone email me a zipped copy of the virus, forward me the original email they received with the virus, or send me a link where they know it's still on a website?

Thank you!

--Kent

I can send you the email which I suspect to have come with CryptoLocker.

Also I can send you the exe file located in AppData/Roaming and the Registry entry from the infected PC with the public and (now) private keys. Any idea how to send them?

Hi Kent

Can you send me a copy of your public and private keys for comparison to my own? I'm trying to get a handle on this to assist one of my clients and it will be interesting to compare.

Regards

Brian



#352 JessePinkman

  • Members
  • 2 posts

Posted 19 September 2013 - 12:42 PM

I hope not just technical information but all information regarding this nasty threat is welcome here.

 

Here in The Netherlands I had a relatively calm beginning of the week, but I can sadly report that after finding an isolated case in a sister company, a few phone calls informed me the Cryptolocker has hit the fan. HARD.

 

Only counting the cases reported to me in my small network of sysadmins, we are easily talking about $10,000 that's been paid up since Tuesday.  And this ransomware seems to be gaining momentum.

All instances were of the $300,- variety.

 

The success-rate for decryption after payment *seems* to be significantly lower than I expected after reading the 24 pages of this thread.  This could have something to do with payment difficulties, language barriers or simply impatient victims.  I haven't been able to get a clear picture.  I suspect many will have had a form of security installed, which may very well have left them with a "clean"(ish) machine, but full of encrypted files.

 

Even more important perhaps than a proper back-up strategy, I think, is to educate users.  If people don't open these dodgy e-mails, we wouldn't have to use those backups, after all...

 

All this does leave me with a question: why do so few of the current A/V solutions detect this thing when it first shows up in the fake e-mails?  



#353 Fremont PC

  • Members
  • 115 posts

Posted 19 September 2013 - 12:50 PM

They test them against current A/V's to ensure their filth can get through and infect the system. They continue to do so after the first barrage, negating any attempts to remedy the infection.



#354 rich.sidella

  • Members
  • 1 posts

Posted 19 September 2013 - 07:33 PM

I hate the thought of paying ransom......but less than I hate my client losing data.

 

I cleaned this virus up pretty easy (VIpre / Eset online scanner).  But now of course the files remain encrypted.

 

Do I have options at this point, including paying the $$$ somehow?



#355 kentiler

  • Members
  • 2 posts

Posted 19 September 2013 - 08:36 PM

Check out a few of the decryption utilities listed earlier in this post.  It's more doubtful now, but there's always a chance.

 

--Kent



#356 jackharvest

  • Members
  • 3 posts
  • Gender:Male

Posted 19 September 2013 - 11:13 PM

3 days in, and no real way to decrypt the files. This is quite a fascinating virus! I'm starting to get worried there won't ever be a solution, due to how everything was encrypted.

 

Another case of virus-removed, but files are helpless. :-\



#357 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 19 September 2013 - 11:44 PM

For those of you interested in cryptovirology (viruses/trojans like this):



Homepage: http://www.cryptovirology.com/
Resources: http://www.cryptovirology.com/cryptovfiles/newbook.html


PDF articles on cryptovirology:

Extortion-based security threats and countermeasures, Adam Young and Moti Yung, 1996. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3120&rep=rep1&type=pdf
Malicious Cryptography: Exposing Cryptovirology (2004). http://cdn.preterhuman.net/texts/cryptography/Exposing%20Cryptovirology.pdf
Cryptoviral extortion using Microsoft's Crypto API. http://www.cryptovirology.com/cryptovfiles/newbook/Chapter2.pdf


#358 Fremont PC

  • Members
  • 115 posts

Posted 20 September 2013 - 08:24 AM

Folks don't seem to be going through 20+ pages to come up with a course of action. Does the board allow for a "sticky" automatically posted at the top of each page that can be updated, like a header post?

 

Here's what seems to be working, as far as I can see:

 

  1. There is currently no way to decrypt your files without paying the ransom. If your files got encrypted, DON'T remove the virus unless you have backups or #4 below will help.
  2. Realize you're working against the clock. The countdown seems to be real if you're stuck with paying the ransom.
  3. Restore from backups. If you only have data backups, then it might be a good time to nuke and pave.
  4. Check to see if Restore Previous Versions in Win7/Vista Business and above will get your data back, or use Shadow Explorer in any Win7/Vista edition.
  5. Some have had luck with restoring the virus and associated files and paying the ransom, but not if the original countdown has timed out. Check the more recent posts about this.

Please check me on the above. MAYBE get hold of the FBI if you're stuck with paying the ransom and let them know the number on your MoneyPak card; it might put a fire under them to see if they can grab one of the servers and find a way to generate the key needed to decrypt people's files. If you're short on time and no other option will work, pay the ransom. It could take some time before you get the decryption key from the hackers.

 

Might be a good time to call the local newspapers.

 

This is one good reason why folks say RAID is not a backup. 


Edited by Fremont PC, 20 September 2013 - 10:04 AM.
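The shadow-copy route in step 4 of the list above, scripted instead of clicked through in Shadow Explorer. This is an added example, not from Fremont PC's post, and every parameter value (volume, cutoff date, folder, destination) is a placeholder to replace. It lists the Volume Shadow Copies on the volume, picks the newest snapshot taken before the cutoff date, exposes that snapshot through a directory symlink and copies the folder out with robocopy. Run it elevated; if Get-CimInstance Win32_ShadowCopy returns nothing for the volume, the snapshots are gone and this route is closed, so check that before removing anything else.

```powershell
# Added example, not from the thread. Placeholder parameters: replace all four.
param(
    [string]$Volume  = 'C:\',                   # volume that holds the encrypted files
    [datetime]$Cutoff = '2013-09-06',           # last date the files were known good
    [string]$Source  = 'Users\alice\Documents', # folder to recover, relative to the volume root
    [string]$Dest    = 'D:\recovered'           # where to copy the old versions (another volume)
)

# Map each volume's device path (\\?\Volume{GUID}\) to its drive letter so that
# shadow copies, which only carry the device path, can be matched to $Volume.
$volByDevice = @{}
Get-CimInstance Win32_Volume | ForEach-Object { $volByDevice[$_.DeviceID] = $_.Name }

$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $volByDevice[$_.VolumeName] -eq $Volume } |
    Sort-Object InstallDate -Descending

if (-not $shadows) { throw "No shadow copies exist for $Volume; this recovery route is closed." }
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Newest snapshot that predates the encryption.
$good = $shadows | Where-Object { $_.InstallDate -lt $Cutoff } | Select-Object -First 1
if (-not $good) { throw "No shadow copy older than $Cutoff on $Volume." }

# Expose the snapshot as a directory symlink. The trailing backslash after the
# device object is required, and mklink is the tool that accepts this target form.
$mount = 'C:\shadow_restore'
cmd /c mklink /d $mount "$($good.DeviceObject)\" | Out-Null
try {
    # /E copies subfolders including empty ones; /COPY:DAT keeps data, attributes, timestamps.
    robocopy (Join-Path $mount $Source) $Dest /E /COPY:DAT /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    "Restored $Source as of $($good.InstallDate) to $Dest"
} finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd /c rmdir $mount | Out-Null
}
```

Copy to a destination that is not on the infected machine, and do not write into the original folder: the snapshot is read-only, but the live volume is what the ransomware is still encrypting if it has not been removed yet. On PowerShell 2 (Vista and early Windows 7 installs) Get-CimInstance is unavailable; Get-WmiObject with the same class names works there, with InstallDate converted through [System.Management.ManagementDateTimeConverter]::ToDateTime.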


#359 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 20 September 2013 - 08:48 AM

I'm definitely interested in cryptovirology, but programming was not my strong point in school. I do love puzzles ;)



#360 proapp

  • Members
  • 35 posts

Posted 20 September 2013 - 10:15 AM

Because I'm just too busy to look it up myself, does anyone have the contact info to report this to the FBI?


