
Crypto Locker


#1 PeteSLMorgan (Members, 4 posts)

Posted 09 September 2013 - 03:02 PM

Please see this topic for more information about CryptoLocker: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

I have a client with the Crypto Locker infection (appears to have been infected on 9/5).  We have the infection removed but the files, as reported elsewhere by others, are still encrypted.  We have the exe file as well as the registry entries.
The exe is {F204796C-EB9D-E0C9-83C2-EAD1D6F29CC2}.exe which is a different UUID from what was reported elsewhere.
The registry entries contain a DWORD entry for each encrypted file along with the public key used to encrypt and a version string.
We can also upload sample encrypted files if necessary.
The files infected are any Office or WordPerfect document on the local drive and mapped drives.
Looking for help on decryption of the files.  Fabian's tools did not find/decrypt the files.



#2 PeteSLMorgan (Topic Starter; Members, 4 posts)

Posted 10 September 2013 - 06:13 AM

The "VersionID" in the registry may be the private key.  It appears to be about the right length and is binary.  I was able to restore all server-side files using shadow copy restores.  However, we still need to decrypt the user's local files.
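As an added example (not code from either poster): a PowerShell script that turns the per-file registry values described in #1 into a list of encrypted files and, for each local volume, reports whether Volume Shadow Copies like those used for the server-side restore in #2 still exist. The registry key path is a placeholder, the assumption that each DWORD value's name is the file's path is mine, and all variable names are mine, not from the thread.

```powershell
# Added example (not code from this thread): list the files recorded in the
# per-file registry values the poster describes, then check whether the volume
# each file lives on still holds Volume Shadow Copies to restore from.
# Assumptions: the key path is a placeholder for the key found on the infected
# machine, and each DWORD value's name is the encrypted file's full path.
# Run elevated: Win32_ShadowCopy is only readable by administrators.
param(
    [string]$MalwareKey = 'HKCU:\Software\PLACEHOLDER_MALWARE_KEY',
    [string]$Report     = "$env:USERPROFILE\Desktop\encrypted-files.csv"
)

if (-not (Test-Path -Path $MalwareKey)) {
    Write-Warning "Registry key not found: $MalwareKey (load the user's hive first)"
    return
}

# Map drive letters to shadow-copy counts. Win32_ShadowCopy names the volume by
# its \\?\Volume{GUID}\ device path, so join through Win32_Volume.DeviceID.
$shadows     = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$shadowCount = @{}
foreach ($vol in Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }) {
    $shadowCount[$vol.DriveLetter] = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID }).Count
}

$key   = Get-Item -Path $MalwareKey
$files = foreach ($name in $key.GetValueNames()) {
    # Only the per-file entries are DWORDs; skip the public key and version string
    if ($key.GetValueKind($name) -ne 'DWord') { continue }
    try { $root = [System.IO.Path]::GetPathRoot($name) } catch { $root = '' }   # 'C:\' or '\\server\share'
    $drive = if ($root -match '^[A-Za-z]:') { $root.Substring(0, 2).ToUpper() } else { $null }
    # Mapped network drives have a letter but no Win32_Volume entry, so they fall through to 'mapped/UNC'
    $local = $drive -and $shadowCount.ContainsKey($drive)
    [pscustomobject]@{
        Path         = $name
        StillPresent = Test-Path -LiteralPath $name
        Location     = if ($local) { 'local' } else { 'mapped/UNC' }
        # For files on the file server, the shadow copies to check are on that server
        ShadowCopies = if ($local) { $shadowCount[$drive] } else { 'check file server' }
    }
}

$files | Export-Csv -Path $Report -NoTypeInformation
$files | Group-Object -Property Location, ShadowCopies | Select-Object Name, Count
Write-Host "Recorded $(@($files).Count) encrypted file(s); report written to $Report"
```

A volume showing zero shadow copies has nothing to restore from locally, so the CSV also serves as the list to reconcile against backups.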

#3 Casey_boy (Bleeping physicist; Malware Response Team, 7,765 posts; Location: UK)

Posted 10 September 2013 - 09:18 AM

Hi PeteSLMorgan,
Unfortunately, there is currently no way for us to decrypt those files. For information about Cryptolocker, please have a look at this post:



Edited by Casey_boy, 10 September 2013 - 09:19 AM.
