Original Cryptolocker Ransomware Support and Help Topic


3449 replies to this topic

#556 toolman98

  • Members
  • 4 posts

Posted 08 October 2013 - 05:22 PM

This time it took less than an hour to process payment and decrypt the files.

I've also applied a group policy to all of our clients preventing executables from running from %APPDATA%. Just be aware that you may have unintended consequences by doing this. Programs like Dropbox and Chrome (if installed per user) will not run.

Last week it took about 4 hours for payment to activate and over 3 days to decrypt all the files.

Currently waiting for activation on another client.

Has anyone else submitted a payment recently? Did it work? How long did it take?

 




#557 theknic

  • Members
  • 2 posts

Posted 08 October 2013 - 05:55 PM

 

This time it took less than an hour to process payment and decrypt the files.

I've also applied a group policy to all of our clients preventing executables from running from %APPDATA%. Just be aware that you may have unintended consequences by doing this. Programs like Dropbox and Chrome (if installed per user) will not run.

Last week it took about 4 hours for payment to activate and over 3 days to decrypt all the files.

Currently waiting for activation on another client.

Has anyone else submitted a payment recently? Did it work? How long did it take?

Is it possible to find the private key if I have a clean copy of an encrypted file?



#558 Crazy Cat

  • Members
  • 745 posts
  • Location:Lunatic Asylum

Posted 08 October 2013 - 06:56 PM

Is it possible to find the private key if I have a clean copy of an encrypted file?

Short answer is no. A private and public key is generated.


Putting vulnerabilities in at the level of the crypto implementation itself is a backdoor.

A backdoor to generate the private key from the public key, or the difference between a working random number generator and a badly broken one can be a single line of code, or even a couple of instructions. https://www.schneier.com/blog/archives/2008/05/random_number_b.html

Edited by Crazy Cat, 08 October 2013 - 07:13 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#559 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 October 2013 - 07:31 PM

Hello,

I have been seeing this where I work as well.

Anyone who comes across this, especially if on a network, please note that the newest versions are set up to run in safe mode as well.

So far it is not loading under the HKLM keys - still profile specific, so loading under HKCU.

However, the latest variants are different.

You see the cryptolocker run value in the HKCU\...\Run key & also HKCU\...\RunOnce (which repopulates each boot).

Value is looking similar to:

"*CryptoLocker"="\"C:\\Documents and Settings\\user\\Application Data\\Sopbwdfdcrgfjpjl.exe\""

Notice the * in the value? This forces the threat to also run in safe mode (all OS).

Still seeing HKCU\Software\Cryptolocker and HKCU\Software\Microsoft\garbage (may be 2 keys with similar garbage).

So - in short, take the machine off the network so it can't keep trashing files on the shares, or disable their AD account until the machine is cleaned up or rebuilt, or use safe mode without networking.

It is also often bundled with variants of zbot & cutwail as well, so make sure anyone who encounters this has their affected users change ALL their passwords (domain, email, sites they use, etc).
If cutwail has been there for a while before being discovered, you might end up blacklisted, so that too will need to be cleared so email flows normally again.

I mostly see this coming in via infected zipped email attachments users are opening thinking they are invoices & various other normally legit sources. Some also look like voice mail notifications with links for users to click (normally voice mails are delivered as wav files, not zipped).
May want to consider blocking zipped attachments & releasing those to users only once it has been verified by an Admin to be legit.

If you are having trouble finding the infected machine - display the owner column in the affected share after setting up explorer in detailed view.
It should be fairly clear who the infected user is, as they will be listed as owner. (Time stamps are not usually altered on files - only directories are affected.)

Try to stay safe out there. :)


I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.
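As an added example (not code from the thread or from any poster), the PowerShell below checks the two host-side tells Blender describes, Run/RunOnce values with the '*' prefix or an AppData path and the HKCU\Software\CryptoLocker key, and then tallies file owners on a share to find the infected account; the share path `\\FILESERVER\Data` is a placeholder.

```powershell
# Added example, not code from the thread: audit the per-user autorun locations
# Blender describes. Flags Run/RunOnce values whose name starts with '*' (Windows
# then starts them in Safe Mode too) or whose command lives under the user's
# AppData, and checks for HKCU\Software\CryptoLocker. Run in the suspected user's session.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result; skip them.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerMeta -contains $prop.Name) { continue }
        $reasons = @()
        if ($prop.Name.StartsWith('*')) {
            $reasons += 'asterisk prefix: also runs in Safe Mode'
        }
        if ([string]$prop.Value -match '(?i)\\(Application Data|AppData\\(Roaming|Local))\\') {
            $reasons += 'launched from user AppData'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Reason  = $reasons -join '; '
            }
        }
    }
})
if (Test-Path -Path 'HKCU:\Software\CryptoLocker') {
    $findings += [pscustomobject]@{
        Key = 'HKCU:\Software\CryptoLocker'; Name = '(key present)'
        Command = ''; Reason = 'CryptoLocker configuration key'
    }
}
$findings | Format-Table -AutoSize

# Share-owner tally from the same post: encrypted files on a share are owned by the
# infected account. File time stamps are not reliable here, so there is no date filter.
$share = '\\FILESERVER\Data'   # placeholder: point this at the affected share or folder
Get-ChildItem -LiteralPath $share -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

A legitimate per-user install (Dropbox, Chrome) will also show up under the AppData reason, so treat that list as a triage queue rather than a verdict; the '*' prefix and the CryptoLocker key are the stronger signals.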

#560 Grinler

    Lawrence Abrams

  • Admin
  • 43,008 posts
  • Location:USA

Posted 08 October 2013 - 07:38 PM

It is also often bundled with variants of zbot & cutwail as well so make sure anyone who encounters this has their users affected change ALL their passwords. (domain, email, sites they use, etc)


Yes, I have been seeing the Zbot variants from the samples submitted to me, but they never kick in the Cryptolocker portion (I watch with Wireshark and it's apparent when Cryptolocker is looking for a C&C). Blender, you can find them in my channel. I am pretty sure the Zbot variants have the HKCU\Software\Microsoft\<random> keys.

#561 5h1n

  • Members
  • 2 posts

Posted 08 October 2013 - 09:02 PM

User machine infected, discovered today.

Removed machine from network. Files on both the local machine as well as mapped drive were encrypted.

This thread has been massively helpful as well as frightening. (SERIOUSLY hoping this version didn't come bundled with zbot and/or cutwail).

Not intending to pay as I believe our backups should be good enough.

Since I have the machine "quarantined" I can try to find the virus files and upload them for you guys. I will also do an extensive search of email and see if I can find something that resembles the "pdf" or "zip" that was reported earlier in the thread.

Cheers



#562 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 October 2013 - 11:07 PM

Hi 5h1n,

You can usually see the zbot entries with autoruns (from sysinternals). On a Win7 machine it will be \user\appdata\roaming\random\random.exe, & cutwail (pushdo) usually drops its crazy random name file in the root of the user's profile. It is as crazy a random name as cryptolocker's.

XP: \user\application data\random\random.exe (zbot)

If one is inclined to look for the likely cause....
If you look in their %temp% directory, there are recently created random name directories there too with some exes - likely downloaders.. and possibly some exes right in %temp% ... more downloaders...
I have also found hidden folders like "Temporary_file_for_Invoice_984578455.zip" which is typically where windows dropped the file when users d. click the zips if they save the attachment rather than opening in Outlook.
If they opened right in Outlook ... look in the Content.Outlook directory for zips.
If web based email in IE ... Temporary Internet Files\Content.ie5\some sub directory
Not sure how it is for FF or Chrome. They don't use a cache directory/file structure like IE does. You can likely see it in their download history.

If you find it ... you'll see why it is so easy for users to click them. They take on the icon just like a PDF & since users normally do not see file extensions (or are not really aware of what .EXE means) they click it ... often multiple times trying to figure out why Reader won't open.

Then they call their chum in the next cubicle & ask if they can open it... Machine #2 down ... next #3 .. finally someone asks IT what is wrong with it.

//rant over// ....

Autoruns is cool because you can right click the file path showing (if it exists) and choose go to image - takes you right to the bad file :) Saves time over drilling through directories & regedit.

Has anyone sent you any of the email attachments Grinler? Let it stew a while on your test box... seems to take a while for cryptolocker to come in. Hours... they sometimes download half the malware planet if not discovered for a few days.

I've seen sirefef/zaccess with it too & at times vobfus.

Changing the passwords is not only important for sensitive logins and such ... but I have seen, a week or so after zbot has been cleaned up, corporate email domain addresses being spoofed & getting blacklisted even though your network is clean & has been for a week. Kinda throws everyone into a panic because it is thought there is another bot on the network & really it is because passwords are not changed.

In this day and age of malware - machine gets infected, I tell people to change passwords unless it is something like "MyWebSearch" lol... (I'll enforce it for said user through AD lol)
So many infections being tagged by AV programs as some generic.whatever ... makes it hard to tell exactly what that critter did.



#563 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 October 2013 - 11:19 PM

Also keep in mind ... if one does pay & gets their stuff decrypted .. that process will not remove the other infections.
Since it can take a long time to decrypt that many files .. it is likely best to remove the other malware, leaving the cryptolocker entries/files alone, before going through with it.

This way you are not spreading spam & sending sensitive info to zbot's C & C, providing click-thru revenue & whatever else it is doing...
Cryptolocker's run entries are clearly marked - which helps.
Personally I don't recommend paying them, but if that is the only choice...



#564 Grinler

    Lawrence Abrams

  • Admin
  • 43,008 posts
  • Location:USA

Posted 08 October 2013 - 11:20 PM

Has anyone sent you any of the email attachments Grinler? Let it stew a while on your test box... seems to take a while for cryptolocker to come in. Hours...they sometimes download half the malware planet if not discovered for a few days.
I've seen sirefef/zaccess with it too & at times vobfus.


Yes, look in my channel to see them. Buzz me privately if you don't remember what I mean.

CryptoLocker is easily spotted when running. If you have Wireshark running, you will see it looking for a live domain using its DGA. Even though I get the cryptolocker to kick in and create the cryptolocker reg key, I can't get the damn thing to show me the locker or change the wallpaper.

#565 pcrx9000

  • Members
  • 23 posts

Posted 08 October 2013 - 11:21 PM

All the infections I have seen have come through Outlook - same scenario as above - looks like a .pdf. Who decrypted their files successfully? 



#566 johnnycat

  • Members
  • 3 posts

Posted 09 October 2013 - 04:16 AM

Was infected yesterday and had to bite the bullet and pay the ransom. I received the key and the decryption process began and worked. However, I let it run overnight and this morning the application was closed but it only made it about 3/4 of the way through my files. Most are decrypted, but not after a certain point. There was a "your private key.bin" file on my desktop. Opening it up with a text editor, it appears to be the private key for decryption. Anyone know how I can possibly manually decrypt the rest of the files (assuming this key is the actual private key)?



#567 S0meth1ng

  • Members
  • 1 posts

Posted 09 October 2013 - 04:31 AM

Hi to all!

I have a client that has the same problem with Crypto Locker. I am from Poland and I don't know how much to pay in Bitcoin: 300 USD or 300 EUR or a similar amount in another currency. We have PLN in our country.

So I need to exchange 300 USD or EUR to PLN and transfer it to Bitcoin?



#568 johnnycat

  • Members
  • 3 posts

Posted 09 October 2013 - 04:42 AM

We used a $300 USD MoneyPak, took about 4 hours for payment to be verified, then it began decrypting. Received a few errors on files that were moved. Just clicked cancel and it moved on to the next.



#569 williampatey100

  • Members
  • 1 posts

Posted 09 October 2013 - 05:57 AM

We have just paid the ransom and are waiting for the payment to be confirmed. Once we have more info I will feedback on here.



#570 johnnycat

  • Members
  • 3 posts

Posted 09 October 2013 - 06:08 AM

We used a $300 USD MoneyPak, took about 4 hours for payment to be verified, then it began decrypting. Received a few errors on files that were moved. Just clicked cancel and it moved on to the next.

To add to this, I also found the public and private key in the registry, but it's in HEX. Appreciate it if anyone can help me decrypt the remaining files manually. Hoping I can since I have this info.





