
Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#361 dgusto7

dgusto7

  • Members
  • 11 posts
  • OFFLINE

Posted 20 September 2013 - 11:32 AM

There seems to be some confusion among new readers of this message board.  These are the facts - having done the research and personally been through this process (files encrypted - paying ransom - getting them decrypted).

Facts:

There will never, ever be a "tool" or "utility" to decrypt your files.  It is impossible to decrypt a 2048 bit key.  Do a simple web search and it will show that a computer running 24/7/365 trying to decrypt them would take trillions of years to decrypt your file.

http://www.digicert.com/TimeTravel/

The only option that would be viable is if someone were to get hold of the host's server and publicly release the keys.  This will almost certainly never happen but it is the only viable option short of paying the ransom.

Paying the ransom is a choice each individual must weigh but it is the only choice.




#362 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE

Posted 20 September 2013 - 11:49 AM

"Paying the ransom is a choice each individual must weigh but it is the only choice."

 

Unless:

 

  1. You have backups
  2. You can get your files back using "Restore Previous Versions" in Win7/Vista Business and above or use Shadow Explorer in all versions of either. That won't work for XP, though.
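As an added example (not code from Fremont PC's post, from Shadow Explorer, or from Microsoft), here is what the "Restore Previous Versions" route does at the file level, in Python. On the affected Windows host, `vssadmin list shadows` (elevated prompt) prints the snapshots that exist; the sample output below is constructed, the timestamp format assumes an en-US locale, and the infection time is a made-up value you would normally take from the modification time of the first encrypted file. The script picks the newest snapshot of the volume taken before that time and maps a document's path into the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` namespace that Shadow Explorer and the Previous Versions tab read from.

```python
"""Locate a pre-infection Volume Shadow Copy and map a file path into it.

Added example; not code from the thread or from Shadow Explorer. It parses
the text that `vssadmin list shadows` prints on Windows (the sample below is
constructed) and builds the shadow-device path of a given file. The copy
itself has to run on the affected Windows host with admin rights.
"""
import re
import shutil
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample of `vssadmin list shadows` output (Windows 7, en-US locale).
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 9/17/2013 7:00:12 AM
      Shadow Copy ID: {1a2b3c4d-0001-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{c0ffee00-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WS-ACCOUNTING
         Service Machine: WS-ACCOUNTING
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 9/18/2013 7:00:09 AM
      Shadow Copy ID: {1a2b3c4d-0001-4000-8000-000000000002}
         Original Volume: (D:)\\?\Volume{c0ffee00-0000-4000-8000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: WS-ACCOUNTING
         Service Machine: WS-ACCOUNTING
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000003}
   Contained 1 shadow copies at creation time: 9/19/2013 9:00:31 PM
      Shadow Copy ID: {1a2b3c4d-0001-4000-8000-000000000003}
         Original Volume: (C:)\\?\Volume{c0ffee00-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: WS-ACCOUNTING
         Service Machine: WS-ACCOUNTING
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Assumption: en-US timestamp format; other locales print the date differently.
_TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
_RE_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_RE_VOLUME = re.compile(r"Original Volume:\s*\((\w:)\)")
_RE_DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


@dataclass(frozen=True)
class ShadowCopy:
    drive: str          # e.g. "C:"
    created: datetime   # when the snapshot was taken
    device: str         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Turn `vssadmin list shadows` output into ShadowCopy records."""
    copies: List[ShadowCopy] = []
    created: Optional[datetime] = None
    drive: Optional[str] = None
    for line in text.splitlines():
        m = _RE_CREATED.search(line)
        if m:
            created = datetime.strptime(m.group(1), _TIME_FMT)
            continue
        m = _RE_VOLUME.search(line)
        if m:
            drive = m.group(1).upper()
            continue
        m = _RE_DEVICE.search(line)
        if m and created is not None and drive is not None:
            copies.append(ShadowCopy(drive, created, m.group(1)))
    return copies


def newest_before(copies: List[ShadowCopy], drive: str, cutoff: datetime) -> Optional[ShadowCopy]:
    """Newest snapshot of `drive` taken strictly before `cutoff` (the infection time)."""
    candidates = [c for c in copies if c.drive == drive.upper() and c.created < cutoff]
    return max(candidates, key=lambda c: c.created, default=None)


def shadow_path(copy: ShadowCopy, original_path: str) -> str:
    """Map a file on the original drive to the same file inside the shadow device."""
    p = PureWindowsPath(original_path)
    if p.drive.upper() != copy.drive:
        raise ValueError(f"{original_path} is not on {copy.drive}")
    rel = PureWindowsPath(*p.parts[1:])      # drop the drive anchor (parts[0])
    return copy.device + "\\" + str(rel)


def restore_file(copy: ShadowCopy, original_path: str, dest: str) -> str:
    """Copy the pre-infection version out of the snapshot (Windows only, admin rights)."""
    src = shadow_path(copy, original_path)
    shutil.copy2(src, dest)
    return src


if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)
    infected_at = datetime(2013, 9, 19, 8, 15)   # constructed: mtime of first encrypted file
    best = newest_before(copies, "C:", infected_at)
    print(best)
    print(shadow_path(best, r"C:\Users\bob\Documents\budget.xlsx"))
```

Two checks before trusting this route: confirm that snapshots exist at all (n3mo's "no recent shadow copies" later in this thread is the common failure), and confirm that the snapshot you pick predates the first encrypted file, otherwise you restore ciphertext. Windows XP has no client-accessible snapshots, as the post above says.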


#363 Arlothia

Arlothia

  • Members
  • 144 posts
  • OFFLINE
  • Gender:Female

Posted 20 September 2013 - 12:03 PM

[quote name="Proapp"]
Because I'm just too busy to look it up myself, does anyone have the contact info to report this to the FBI?
[/quote]

Proapp, I've contacted the FBI about this and here's how you can get in contact with them as well (the more we shout the better chance there is to be heard, right?):

http://www.ic3.gov/default.aspx

This is a page straight off of their home page (fbi.gov) and it's under the drop-down box for the 'contact us' tab > 'Report Internet Crime'. Just follow the instructions and fill out everything truthfully to the best of your ability. The more information you can give them the better. I would also recommend printing off all this information so you have it in your own files. You may also want to copy+paste your answers in an e-mail to yourself just so you know for sure that you have a copy somewhere. That's what I did.

 

I also just found this link:

http://www.ic3.gov/media/default.aspx

It's on a tab at the top of the previous link I put on this post called 'press room'. It doesn't have the cryptolocker stuff on there yet but it does give information about other viruses, ransomware, and scams.



#364 dgusto7

dgusto7

  • Members
  • 11 posts
  • OFFLINE

Posted 20 September 2013 - 12:05 PM

I made the "assumption" that if your files were encrypted and you are actively searching for help or a solution on this board you do not have a backup.  Maybe I shouldn't assume. 



#365 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE

Posted 20 September 2013 - 12:17 PM

Depends on how much you would lose going to backup vs. having a shot at decrypting.



#366 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 20 September 2013 - 12:54 PM

Folks don't seem to be going through 20+ pages to come up with a course of action. Does the board allow for a "sticky" automatically posted at the top of each page that can be updated, like a header post?


I will try and put a post together outlining everything that we know so far and will put a link to that in the first post of this topic.

#367 n3mo

n3mo

  • Members
  • 5 posts
  • OFFLINE

Posted 20 September 2013 - 01:12 PM

[quote name="dgusto7"]
There seems to be some confusion among new readers of this message board.  These are the facts - having done the research and personally been through this process (files encrypted - paying ransom - getting them decrypted).

Facts:

There will never, ever be a "tool" or "utility" to decrypt your files.  It is impossible to decrypt a 2048 bit key.  Do a simple web search and it will show that a computer running 24/7/365 trying to decrypt them would take trillions of years to decrypt your file.

http://www.digicert.com/TimeTravel/

The only option that would be viable is if someone were to get hold of the host's server and publicly release the keys.  This will almost certainly never happen but it is the only viable option short of paying the ransom.

Paying the ransom is a choice each individual must weigh but it is the only choice.
[/quote]

 

dgusto7 why are you so negative and have to ruin my weekend?  Here I am waiting 2 damn weeks now waiting for the official fix to be released.  I don't have a damn choice.  No recent shadow copies and all my files are on an unupdated Unix server.  So don't tell me there is no fix.  There's always a fix as long as you have a source of the problem.  I'm sure NSA or Microsoft can figure it out.  We have people who can hack into banks and NASA but you mean to tell me we can't hack into a stupid lil malware??  Never give up.  Someone needs to hurry the hell up cuz I've been stalled at work forever now.  And no don't tell me 'you should have made more back ups' this and that crap.  That's after the fact and is not the issue.  My office files are still decrypted and I need them fixed NOW.  Enough is enough.  And No I can't even pay the ransom cause the app doesn't even pop up anymore.  Time has obviously run out anyways.


Edited by n3mo, 20 September 2013 - 01:13 PM.


#368 EagleComputerRepair

EagleComputerRepair

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 20 September 2013 - 02:10 PM

[quote name="n3mo"]
dgusto7 why are you so negative and have to ruin my weekend?  Here I am waiting 2 damn weeks now waiting for the official fix to be released.  I don't have a damn choice.  No recent shadow copies and all my files are on an unupdated Unix server.  So don't tell me there is no fix.  There's always a fix as long as you have a source of the problem.  I'm sure NSA or Microsoft can figure it out.  We have people who can hack into banks and NASA but you mean to tell me we can't hack into a stupid lil malware??  Never give up.  Someone needs to hurry the hell up cuz I've been stalled at work forever now.  And no don't tell me 'you should have made more back ups' this and that crap.  That's after the fact and is not the issue.  My office files are still decrypted and I need them fixed NOW.  Enough is enough.  And No I can't even pay the ransom cause the app doesn't even pop up anymore.  Time has obviously run out anyways.
[/quote]

 

 

Banks, the NSA etc... can be hacked into because they have multiple areas in which information is stored, i.e. places where the data is unencrypted so that it can actually be used. Usually the weak points hackers use are the points where the data is already converted to be read, written to etc...

 

I hate to be a downer and quash false hope... but that's pretty much where we are at. If someone actually could break this style of encryption, it would mean a shutdown of online banking, secure wireless, and just about all other technologies we rely on every day. (As mentioned, when people "break" these, they aren't actually breaking them; usually they are using loopholes in place before the data is encrypted, or after it is decrypted.)

 

Also, to the best of my knowledge the NSA itself hasn't been hacked. Its webpage has been hacked... Pretty huge difference, and a huge difference in the security it has. That is the difference between breaking into a top secret government organization and spraypainting a "join the army" billboard.


Edited by EagleComputerRepair, 20 September 2013 - 02:12 PM.


#369 dgusto7

dgusto7

  • Members
  • 11 posts
  • OFFLINE

Posted 20 September 2013 - 02:19 PM

 

[quote name="dgusto7"]
There seems to be some confusion among new readers of this message board.  These are the facts - having done the research and personally been through this process (files encrypted - paying ransom - getting them decrypted).

Facts:

There will never, ever be a "tool" or "utility" to decrypt your files.  It is impossible to decrypt a 2048 bit key.  Do a simple web search and it will show that a computer running 24/7/365 trying to decrypt them would take trillions of years to decrypt your file.

http://www.digicert.com/TimeTravel/

The only option that would be viable is if someone were to get hold of the host's server and publicly release the keys.  This will almost certainly never happen but it is the only viable option short of paying the ransom.

Paying the ransom is a choice each individual must weigh but it is the only choice.
[/quote]

[quote name="n3mo"]
dgusto7 why are you so negative and have to ruin my weekend?  Here I am waiting 2 damn weeks now waiting for the official fix to be released.  I don't have a damn choice.  No recent shadow copies and all my files are on an unupdated Unix server.  So don't tell me there is no fix.  There's always a fix as long as you have a source of the problem.  I'm sure NSA or Microsoft can figure it out.  We have people who can hack into banks and NASA but you mean to tell me we can't hack into a stupid lil malware??  Never give up.  Someone needs to hurry the hell up cuz I've been stalled at work forever now.  And no don't tell me 'you should have made more back ups' this and that crap.  That's after the fact and is not the issue.  My office files are still decrypted and I need them fixed NOW.  Enough is enough.  And No I can't even pay the ransom cause the app doesn't even pop up anymore.  Time has obviously run out anyways.
[/quote]

 

 

Restore from Backup or pay - nothing else to discuss.  There is and will never be a fix.   

 

You can rerun the virus -  that is what I did (the timer is for show only) and pay.



#370 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas

Posted 20 September 2013 - 02:20 PM

Perhaps the best line of thought would be coming up with a program that would prevent encryption of files, sort of an Anti-Bitlocker....



#371 EagleComputerRepair

EagleComputerRepair

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 20 September 2013 - 02:50 PM

[quote name="Netghost56"]
Perhaps the best line of thought would be coming up with a program that would prevent encryption of files, sort of an Anti-Bitlocker....
[/quote]

 

The key question to that is... well, what method to do so? Encryption is pretty much just overwriting the file with another one. Essentially what we are talking about here is a UAC that requires special permissions whenever any file of importance is modified, which would be a pretty big nightmare in and of itself to keep up with.



#372 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas

Posted 20 September 2013 - 03:18 PM

So...write protection, in essence.

 

Maybe an internal firewall folder (of sorts) that all personal data can be stored in, and allowing only a user with a private key to access it?

 

Doesn't encryption create a file header? Wouldn't preventing the creation of a public key prevent the encryption process altogether? (Or, give the user/admin the control over it).



#373 EagleComputerRepair

EagleComputerRepair

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 20 September 2013 - 03:51 PM

[quote name="Netghost56"]
So...write protection, in essence.

Maybe an internal firewall folder (of sorts) that all personal data can be stored in, and allowing only a user with a private key to access it?

Doesn't encryption create a file header? Wouldn't preventing the creation of a public key prevent the encryption process altogether? (Or, give the user/admin the control over it).
[/quote]

 

 

Basically, at least from my rough understanding of the crypto and its parents, what it does is the equivalent of copying the file into a zip file and encrypting the copy, then deleting and rewriting over the space of the existing file, to protect it from undeleters etc... I'm not an expert on the subject, but I'm pretty sure that creation of the header etc... is pretty much inherent with read/write access to the files in question. A virus author could simply disguise the headers etc... to be less noticeable so long as the ability to write files is present.

 

The key is how to make writing to files without a proper security check mandatory, without simultaneously turning basic computer use into an off-the-charts level of tedium.

 

Of course something that could in theory work might be a suspicious flag of a program changing more than a few files within a window of time.



#374 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  • Gender:Male
  • Location:Lunatic Asylum

Posted 20 September 2013 - 06:23 PM

[quote name="n3mo" post="3162823" timestamp="1379700767"]
I'm sure NSA or Microsoft can figure it out. We have people who can hack into banks and NASA but you mean to tell me we can't hack into a stupid lil malware?? Never give up. Someone needs to hurry the hell up cuz I've been stalled at work forever now. And no don't tell me 'you should have made more back ups' this and that crap. [/quote]

Facts: There will never, ever be a "tool" or "utility" to decrypt your files. It is impossible to decrypt a 2048 bit key. Do a simple web search and it will show that a computer running 24/7/365 trying to decrypt them would take trillions of years to decrypt your file.

Complexities are expressed as orders of magnitude. If an algorithm has a processing complexity of 2^128, then 2^128 operations are required to break the algorithm. (These operations may be complex and time-consuming.) Still, if you assume that you have enough computing speed to perform a million operations every second and you set a million parallel processors against the task, it will still take over 10^19 years to recover the key. That's a billion times the age of the universe.



[quote name="Netghost56" post="3162875" timestamp="1379708328"]

So...write protection, in essence.

Maybe an internal firewall folder (of sorts) that all personal data can be stored in, and allowing only a user with a private key to access it?

Doesn't encryption create a file header? Wouldn't preventing the creation of a public key prevent the encryption process altogether? (Or, give the user/admin the control over it).


Page 9: Access control to cryptographic tools: More specifically, we suggest auditing access to cryptographic tools - This is perhaps the major issue that needs to be learned. This will help system administrators identify suspicious cryptographic usage.
Ref: Extortion-based security threats and countermeasures by Adam Young, Moti Yung, 1996. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3120&rep=rep1&type=pdf

Restricting access to, or disabling altogether, Microsoft's Crypto API. Dirty Decrypt uses Microsoft's Crypto API to encrypt files. I've not looked at Cryptolocker as yet.

This, however, will not stop cryptomalware from later delivering its own encryption engine and then wiping it after the encryption is done.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

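EagleComputerRepair's closing idea in #373 (flag a program that changes more than a few files within a window of time) and Crazy Cat's caveat in #374 (malware can ship its own encryption engine, so auditing CryptoAPI use alone is not enough) point at the same answer: watch the behaviour, not the crypto library. As an added example, not code from the thread or from any product, the Python below runs that heuristic over a constructed stream of file-write events. It alerts only when one process rewrites many distinct files inside a short window and what it writes has ciphertext-like entropy, so a backup agent copying plaintext and an archiver writing one compressed file stay quiet. Process names, paths, timings and thresholds are all made up for the demonstration.

```python
"""Behavioural ransomware detection over a stream of file-write events.

Added example; not code from the thread or from any product. Events,
process names and thresholds below are constructed. Two signals combine:
  * burst rate: one process rewrites many distinct files in a short window
  * entropy: the bytes it writes look like ciphertext (close to 8 bits/byte)
Neither signal depends on which crypto engine the malware uses.
"""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class WriteEvent:
    ts: float      # seconds (any monotonic clock)
    pid: int
    image: str     # executable doing the write
    path: str      # file written
    data: bytes    # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random, typically 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BurstDetector:
    """Per-process sliding window over recent writes."""

    def __init__(self, window_s: float = 30.0, min_files: int = 12, min_entropy: float = 7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.min_entropy = min_entropy
        self._recent: Dict[int, Deque[Tuple[float, str, float]]] = defaultdict(deque)

    def observe(self, ev: WriteEvent) -> Optional[dict]:
        """Feed one event; return an alert dict when both signals fire, else None."""
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path, shannon_entropy(ev.data)))
        while q and ev.ts - q[0][0] > self.window_s:   # expire old writes
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) < self.min_files:
            return None
        ents = sorted(e for _, _, e in q)
        median = ents[len(ents) // 2]
        if median < self.min_entropy:
            return None   # many writes but plaintext-like: backup job, compiler, indexer
        return {"pid": ev.pid, "image": ev.image, "files": len(distinct),
                "median_entropy": round(median, 2)}


def run_stream(events: List[WriteEvent], detector: Optional[BurstDetector] = None) -> List[dict]:
    """Run the detector over a time-ordered stream; one alert per offending pid."""
    det = detector or BurstDetector()
    alerts, seen = [], set()
    for ev in events:
        alert = det.observe(ev)
        if alert and alert["pid"] not in seen:
            seen.add(alert["pid"])
            alerts.append(alert)
    return alerts


def _random_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded, so the example is reproducible)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_events() -> List[WriteEvent]:
    """Constructed stream: an editor saving, a backup agent, an archiver, and a crypto burst."""
    rng = random.Random(2013)
    text = (b"Q3 budget notes: revenue, expenses, headcount. " * 90)[:4096]
    events: List[WriteEvent] = []
    t = 1000.0
    # 1. user saves three text files over a minute: few files, low entropy
    for i in range(3):
        events.append(WriteEvent(t + 20 * i, 500, r"C:\Windows\notepad.exe",
                                 rf"C:\Users\bob\Documents\memo{i}.txt", text))
    # 2. backup agent copies 40 plaintext files in 10 s: many files, low entropy
    for i in range(40):
        events.append(WriteEvent(t + 100 + 0.25 * i, 700, r"C:\Program Files\Backup\agent.exe",
                                 rf"D:\backup\doc{i}.txt", text))
    # 3. archiver writes one compressed file: high entropy, one file
    events.append(WriteEvent(t + 200, 800, r"C:\Program Files\7-Zip\7z.exe",
                             r"C:\Users\bob\archive.7z", _random_bytes(rng, 4096)))
    # 4. unknown binary under %AppData% rewrites 30 documents in 15 s with ciphertext
    for i in range(30):
        events.append(WriteEvent(t + 300 + 0.5 * i, 1840, r"C:\Users\bob\AppData\Roaming\unknown.exe",
                                 rf"C:\Users\bob\Documents\report{i}.csv", _random_bytes(rng, 4096)))
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for alert in run_stream(build_sample_events()):
        print(alert)
```

Thresholds have to be tuned per host, and entropy must be judged against the file type: Office formats such as .docx and .xlsx are zip containers and already sit near 8 bits/byte, so for those the rate signal, a new extension appended to each file, and deletion of the originals carry more weight than entropy alone.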


#375 toubis

toubis

  • Members
  • 4 posts
  • OFFLINE

Posted 23 September 2013 - 11:12 AM

It's been a few days since one PC on my network had Cryptolocker. So far the affected files on the network are restored from the backup (and I took the two tapes from the days before we were hit out of rotation). I left the PC that was infected running disconnected from the network, and the cryptolocker program is gone. I downloaded Shadow Explorer, and was able to restore the user files from the last backup before infection. I have been reviewing the Kaspersky logs on the mail server, and found the message that caused the issue (and the new messages being deleted by Kaspersky).





