
Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#1246 nadeshikoyamato

  • Members
  • 6 posts
  • Local time:05:40 AM

Posted 27 October 2013 - 08:37 PM

 

This may be useful to people like me that have their MS Office related files (Word, Excel, PDF, etc.) encrypted by this. When I open the file in Notepad, nearly all of it shows up as Asian languages (I'm recognizing Korean, Japanese, and Chinese, with some random messed-up words).


These are not real Asian languages. That is just how the programs are interpreting the encrypted data.

 

Yeah, I just googled it and learned that just now. Do you think it'll still be worth a shot to save the data in Notepad and try to either decode it (what I read says that's a very long shot at best) or, after saving, convert it to the original format like .doc, .ppt, etc.? Again, most likely a no-go, but the more all of us can figure out ways to combat/reverse the damage, the less powerful Crilock becomes and the fewer people will feel the need to pay the ransom.

 

And yeah, mine could have been the result of an exploit kit; kinda kicking myself for not reading the signs and possibly being able to nip it in the bud sooner, but hindsight is 20/20 and at least now I know the signs.





#1247 CompWorksPro

  • Members
  • 112 posts
  • Gender:Male
  • Location:Webster, NY
  • Local time:09:40 AM

Posted 27 October 2013 - 08:44 PM

I don't think trying to convert that will help. I tried allowing Word to install all kinds of translators and it never was able to open the documents successfully.

The only hope is to get the private key.

Yes, the encryption can eventually be broken, but not likely by a simple PC in our lifetime.

#1248 kurt_la

  • Members
  • 31 posts
  • Gender:Male
  • Local time:05:40 AM

Posted 27 October 2013 - 08:54 PM

 

If you are talking about tape as in LTO, you cannot format it; you can erase it with a command from a program like BUE, but tape and removable disk is just fine. If this is not your question, ask again, because I use tape all over the place.


I will be honest, I am not sure what I am asking :) Saw something interesting in the CL binary. So your tapes were not erased? You were able to restore from them?

 

 

Ha-ha, I feel you, lol. Well, I was just touching on how tapes generally work, not what I did per se. For many of my clients I stream to NAS via StorageCraft and then back up the image to tape using BUE for cold storage. I can back up the encrypted files all day long to tape and they will be there, and if I did get infected my restore would be golden, either with BUE or StorageCraft.



#1249 dren028

  • Members
  • 13 posts
  • Local time:09:40 AM

Posted 27 October 2013 - 10:15 PM

 

Thank you guys, I really appreciate it... It worked, sent the payment, now waiting!

Which URL worked for you? I am trying to determine how long a given CryptoLocker URL remains in a "Live" state...

 

The URL you posted on this forum, I used that one. It has been 24 hrs and that screen disappeared, but I still cannot access my files?



#1250 JohnDrake2000

  • Members
  • 14 posts
  • Local time:08:40 AM

Posted 27 October 2013 - 10:19 PM

I also edited the registry to classify .zip file attachments as "Level 2" files. When Outlook users click on a .zip file attachment they now get the message:

 
"Attachment Security Warning. This file may contain a virus that can be harmful to your computer. You must save this file to disk before it can be opened. It is important to be very certain that this file is safe before you open it."
 

 

I've been asked what procedure I followed to classify .zip file attachments as "Level 2" files. This is what worked for me using Windows 7 and Outlook 2010. The Microsoft Knowledge Base article lists the correct procedure for other versions of Office.
 
Prevent users from opening .zip files in Outlook 2010:
---------------------------------------------------------------------
/Start /Run /regedit.exe
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
/Edit /New /String Value
type: Level1Remove
press Enter
/Edit /Modify.
type: .zip;.rar
click OK
 
source:
--------
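The same Outlook 2010 setting applied from PowerShell, as an added example that is not part of JohnDrake2000's post. It uses the key path and the Level1Remove value name from the post (14.0 is the Outlook 2010 version number; other Office versions use a different number, which this script does not guess), and it merges the new extensions with any already listed, since the manual "Modify" step simply overwrites the existing string. Function names and variable names are my own.

```powershell
# Added example (not from the forum post): set Outlook 2010's Level1Remove value so
# that .zip and .rar attachments are treated as Level 2 (must be saved to disk before
# opening), merging with any extensions already present instead of replacing them.
$OutlookSecurityKey = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Security'
$ExtensionsToDemote = @('.zip', '.rar')   # the two extensions from the post

function Set-OutlookLevel1Remove {
    param(
        [Parameter(Mandatory)] [string]   $KeyPath,
        [Parameter(Mandatory)] [string[]] $Extensions
    )

    # Create the Security key if Outlook has not written it yet
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Read the existing semicolon-separated list, if any, so we extend rather than replace it
    $existing = (Get-ItemProperty -Path $KeyPath -Name 'Level1Remove' -ErrorAction SilentlyContinue).Level1Remove
    $current  = @()
    if ($existing) {
        $current = $existing -split ';' | Where-Object { $_ -ne '' }
    }

    # Normalise every entry to lower case with a leading dot and drop duplicates
    $merged = @($current) + @($Extensions) |
        ForEach-Object {
            $e = $_.Trim().ToLowerInvariant()
            if ($e.StartsWith('.')) { $e } else { ".$e" }
        } |
        Select-Object -Unique

    $value = $merged -join ';'
    # REG_SZ value, exactly as created by hand in regedit in the post
    New-ItemProperty -Path $KeyPath -Name 'Level1Remove' -PropertyType String -Value $value -Force | Out-Null
    return $value
}

function Get-OutlookLevel1Remove {
    param([Parameter(Mandatory)] [string] $KeyPath)
    (Get-ItemProperty -Path $KeyPath -Name 'Level1Remove' -ErrorAction SilentlyContinue).Level1Remove
}

$null = Set-OutlookLevel1Remove -KeyPath $OutlookSecurityKey -Extensions $ExtensionsToDemote
"Level1Remove is now: $(Get-OutlookLevel1Remove -KeyPath $OutlookSecurityKey)"
```

Because the key lives under HKEY_CURRENT_USER, run the script as the user whose Outlook profile you want to change, and restart Outlook so it picks the value up; reading the value back with Get-OutlookLevel1Remove is the quickest way to confirm that a later edit or a group policy has not reset it.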


#1251 nadeshikoyamato

  • Members
  • 6 posts
  • Local time:05:40 AM

Posted 27 October 2013 - 10:41 PM

I don't think trying to convert that will help. I tried allowing Word to install all kinds of translators and it never was able to open the documents successfully.

The only hope is to get the private key.

Yes, the encryption can eventually be broken, but not likely by a simple PC in our lifetime.

Yeah, I'm just trying to keep being hopeful right now. If I don't have anything to do, it certainly doesn't hurt to learn about this stuff and try to figure it out if possible.

And yeah, most PCs won't be able to crack it in a timely manner, or ever in some cases. Our best bet looks to be that the authors get caught somehow and then somehow the keys become public or somehow become null and void (either through changing it to another key or by somehow voiding the encryption so everyone's stuff can be restored). Again, wishful thinking.



#1252 RobinHoodSnr

  • Members
  • 158 posts
  • Gender:Male
  • Location:South Africa
  • Local time:03:40 PM

Posted 28 October 2013 - 12:34 AM

...just want to mention something... For the members or "guests" that download the virus given in a previous thread... please don't send it to an enemy or something... this is a virus you don't want to mess around with. Rather have a good heart and try to HELP the folks here... and let's do it for the GOOD...

...just a thought :thumbup2:


...We all know something...but we will NEVER know everything :grinner:

 

CryptoLocker "Process" remover... will NOT delete CryptoLocker, only the processes... (a "safety precaution" I took for those who still want to "try" paying the ransom to get their files back. DON'T FORGET TO MONITOR YOUR TIME LEFT BEFORE PAYMENT!)

 

("KillCrypt" will automatically open %appdatadir%... just guide this to the CryptoLocker virus and double-click on it. Remember... if you "restart" your system, the processes will be back... use this only for emergencies if you want to create a quick document. While this process is killed, your docs won't get infected, but WILL be encrypted (unusable) when you restart the PC/laptop OR by clicking on the virus again!!!)


#1253 JohnWHS

  • Members
  • 34 posts
  • Gender:Male
  • Local time:06:40 AM

Posted 28 October 2013 - 12:57 AM

...just want to mention something... For the members or "guests" that download the virus given in a previous thread... please don't send it to an enemy or something... this is a virus you don't want to mess around with. Rather have a good heart and try to HELP the folks here... and let's do it for the GOOD...
...just a thought :thumbup2:

I second this excellent request, having already been helped immeasurably by others' posts.

#1254 Genex17

  • Members
  • 80 posts
  • Gender:Male
  • Local time:06:40 AM

Posted 28 October 2013 - 02:26 AM

Personally I have not been hit and feel bad for the IT workers caught in the middle of this, as well as the businesses and lives being placed on hold. I do want to thank all the people here for your help. I've backed up and locked down the AppData folder, and found out in the process that I still had the stock admin/password on my router's login.

 

Gene :thumbup2:



#1255 zekif

  • Members
  • 10 posts
  • Local time:03:40 PM

Posted 28 October 2013 - 08:12 AM

Can someone tell us if he tried to reinfect after the time has expired and succeeded with decryption??



#1256 USASAgencyman

  • Members
  • 42 posts
  • Gender:Male
  • Location:NE FL
  • Local time:09:40 AM

Posted 28 October 2013 - 08:18 AM

Criminally Misleading From PC Tuneup???
 
hxxp://pctuneup.org/cryptolocker-virus-removal/

CryptoLocker virus: is a series of ransomware infections that we have recently classified as extremely dangerous and recommend removing immediately. This page will show you precise instructions on how to remove the CryptoLocker virus.
The CryptoLocker virus hijacks the computer and limits its functionality in an attempt to hold your PC ransom. It will make claims that your access to your computer is limited and other similar warnings, and to unlock the encryption the infected user will need to pay a "fine." It is important to note that all of the warnings and messages that come from the CryptoLocker Hijack virus are fake and should be disregarded. However, the CryptoLocker Hijack virus will not allow the computer to work normally until it is completely removed. The CryptoLocker Hijack virus will not go away on its own; action must be taken to remove it. Please see below where we show our easy step-by-step removal instructions for the CryptoLocker Hijack virus.

 
Hope they don't snag too many with this...
 
Bruce Hinton

#1257 zekif

  • Members
  • 10 posts
  • Local time:03:40 PM

Posted 28 October 2013 - 08:32 AM

Can someone tell us if he tried to reinfect after the time has expired and succeeded with decryption?? Please help....  :(



#1258 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas
  • Local time:08:40 AM

Posted 28 October 2013 - 09:10 AM

Typical BS from those types of virus removal guide blogs. All they are trying to do is sell the product.

Thanks for letting us know.

Kind of ironic, but last night CNBC did an episode of American Greed that was about Innovative Marketing and WinFixer scareware (fake AV), the forerunners of ransomware, IMO.



#1259 dintegrity

  • Members
  • 13 posts
  • Local time:07:40 AM

Posted 28 October 2013 - 11:15 AM

Can someone tell us if he tried to reinfect after the time has expired and succeeded with decryption?? Please help....  :(

Yes, we did, and successfully. Rolled back the clock on the PC to give us time. Re-infected the PC by reversing the quarantined items from running Malwarebytes, which had eliminated the virus when we used it to scan and clean.



#1260 zekif

  • Members
  • 10 posts
  • Local time:03:40 PM

Posted 28 October 2013 - 11:28 AM

 

Can someone tell us if he tried to reinfect after the time has expired and succeeded with decryption?? Please help....  :(

Yes, we did, and successfully. Rolled back the clock on the PC to give us time. Re-infected the PC by reversing the quarantined items from running Malwarebytes, which had eliminated the virus when we used it to scan and clean.

 

 

Please, could you explain to a novice in further detail what exactly I need to do? Thanks


Edited by zekif, 28 October 2013 - 11:28 AM.




