Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoLocker developers charge 10 bitcoins to use new Decryption Service


  • Please log in to reply
64 replies to this topic

#16 Modulus

Modulus

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Connecticut
  • Local time:02:38 PM

Posted 04 November 2013 - 12:23 PM

This is unbelievable... I can't imagine what kind of file(s) could be so important to warrant a $2100 payment. Perhaps company secrets, proprietary information or personal info that could be used as blackmail. In any case, I hope these guys get caught and get prosecuted to the fullest extent of the law in whatever country their operating out of.


I'm not a vegetarian because I dislike meat, I'm a vegetarian because I hate plants!

BC AdBot (Login to Remove)

 


m

#17 raj1234

raj1234

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:38 PM

Posted 04 November 2013 - 12:29 PM

Hi Admin,

 

     I have tried old cryptolocker version but for problem files, it comes up saying,

 

"Perhaps the file may be damaged or used by another process" Error code: 6007 (0x00001777) The specified file is not encrypted"

 

So, looks like these files are not encrypted. But, they are not opening. There are quite a few files like this. Not sure what happened to them and is there a way to recover.



#18 kenjancef

kenjancef

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rhode Island, USA
  • Local time:03:38 PM

Posted 04 November 2013 - 12:43 PM

This is unbelievable... I can't imagine what kind of file(s) could be so important to warrant a $2100 payment. Perhaps company secrets, proprietary information or personal info that could be used as blackmail. In any case, I hope these guys get caught and get prosecuted to the fullest extent of the law in whatever country their operating out of.

 

I would think maybe financial info, QuickBooks/Quicken data, stuff like that. I had an Environmental Engineering firm as a client, and I know for a fact that if they ever got hit, they would be &$*^% because they have a lot of environmental reports on file. Nothing secret, but information vital to their company. Valuable data doesn't have to be blackmail-worthy.

 

And this firm DOES have a backup plan in place, so it wouldn't be that bad.



#19 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:38 PM

Posted 04 November 2013 - 12:59 PM

Btw, the decryption service has changed a bit. They now still give you the 2 bitcoin 3 day payment period. They then increase the amount to 10 bitcoins.

new-decryption-order.jpg

#20 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:38 PM

Posted 04 November 2013 - 12:59 PM

Hi Admin,
 
     I have tried old cryptolocker version but for problem files, it comes up saying,
 
"Perhaps the file may be damaged or used by another process" Error code: 6007 (0x00001777) The specified file is not encrypted"
 
So, looks like these files are not encrypted. But, they are not opening. There are quite a few files like this. Not sure what happened to them and is there a way to recover.


Sorry, but not much more I can do for you unfortunately. If anything comes up I will let you know.

#21 kenjancef

kenjancef

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rhode Island, USA
  • Local time:03:38 PM

Posted 04 November 2013 - 01:01 PM

Btw, the decryption service has changed a bit. They now still give you the 2 bitcoin 3 day payment period. They then increase the amount to 10 bitcoins.

 

 

Holy crap... this is getting WAY out of control...

 

And here's another problem I'm having: As I tell people about this infection, thinking I'm being pro-active, they write it off as another hoax and don't really seem to care. Unfortunately they will start caring if/when they get hit! *sigh*



#22 itsMeRandy

itsMeRandy

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 04 November 2013 - 01:56 PM

folks should be discrete now and then when possible solutions to tracking down are put forth. They are very near. watching. right? 



#23 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:38 PM

Posted 04 November 2013 - 02:42 PM

folks should be discrete now and then when possible solutions to tracking down are put forth. They are very near. watching. right?


If there was anything that was hamper attribution efforts, I wouldn't allow it to be posted. Unfortunately, nothing has been posted that wasn't out there for over a month now.

#24 kenjancef

kenjancef

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rhode Island, USA
  • Local time:03:38 PM

Posted 04 November 2013 - 02:58 PM

 

folks should be discrete now and then when possible solutions to tracking down are put forth. They are very near. watching. right?


If there was anything that was hamper attribution efforts, I wouldn't allow it to be posted. Unfortunately, nothing has been posted that wasn't out there for over a month now.

 

 

I'm sure they are having fun watching this board and probably laughing at us...



#25 raj1234

raj1234

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:38 PM

Posted 04 November 2013 - 03:14 PM

Hi Admin,

 

    I read below on another site. And in our case, decryption tool is saying that some files are not encrypted (which are not opening), probably because Virus managed to encrypt the file with AES key but then didn't encrypt using public key. I wonder the dword value in registry that correspond each file, is actually a AES key, which can be used.

 

 

"An AES key is generated for each file to be encrypted, the file is then AES-encrypted and the AES key is itself encrypted using the public key. The encrypted AES key is then appended to the encrypted file."



#26 KnightMetro

KnightMetro

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 04 November 2013 - 03:48 PM

My questions is, has this new "service website" been proven to work and get the files back? How many people have dished out the 10 bitcoin and got what they needed back?

 

I'm sitting on 2 network drives that were infected randomly over a 404GB volume. 

 

OK. So the company that I work for was hit with this virus about a month ago. Total fiasco as the client refused to pull a backup and roll 4 days back to when we were infected. Now we are outside of our backup retention and we finally realized the damage done. It only infected older data. Modified this year, but pushed back into historical patient files. Our backup image that was finally put in place was 10 months old.

 

We have 8,293 historical scanned documents, medical, that have been encrypted. Docs that were scanned into older patient files manually over the last 10 months and then shredded afterwards. Not good. They are still on the e-mail server as they were scanned to e-mail, but we are talking thousands in labor costs to get these back into our system. 

 

So, we are willing to put the $2,100 in to get these files back. I'm not pulling the trigger unless I see this as a viable and tested option. 



#27 seedy21

seedy21

  • Malware Response Team
  • 741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:38 PM

Posted 04 November 2013 - 04:08 PM

Its amazing how they are still getting away with this service !

I guess the only prevention for this time of malware would be education and storing your information on a media device that is not alway connected to your machine.

Edited by seedy21, 04 November 2013 - 04:09 PM.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#28 Wolfie123

Wolfie123

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 04 November 2013 - 05:17 PM

I work for a mid-sized data company.  We have @2800 employees.  One user got this from a drive by download on a weight watching site....result is several file shares with terrabytes that have bad files needing restore.

 

I actually heard someone suggest we pay the "_astards"  - this one is ugly - and that old Jesus Saves joke really applies.



#29 Moose_Valley

Moose_Valley

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 04 November 2013 - 09:33 PM

I would advise making all network shares READ only, unless there is very good reason for them to be writeable.  For historical documents, old medical files, etc, there's probably no reason for them to be writable.  If users do need to update some of the files, etc - then place these on a separate share with write access.

 

No-one has mentioned backups to WORM drives yet.  e.g. backups to DVD, BluRay, etc.  These can save your bacon and the media is as cheap as chips these days.

 

 

>I can't imagine what kind of file(s) could be so important to warrant a $2100 payment.

 

Geezuz, I can.   Source code for your software products, company invoices and tax records going back years, general documents created as part of your work, documents prepared for clients, important documents and files needed for a looming deadline, and so on.  If a company network share is encrypted, then even the last week of work could easily be worth $2,000.  The last day of work could be even be worth $2,000, especially if it was critical or the deadline was looming ! 

 

If all of your family photos and videos were encrypted, you'd pay a lousy $2,000 wouldn't you ?  I would.  I'd be mad as hell with myself for doing it, and I'd use this energy to make sure I damn well plugged up all security holes, learned to create proper backups, etc so that I never suffered from ransomware again, but I would pay the money to get my "priceless" family memories back.

 

 

>I'm sure they are having fun watching this board and probably laughing at us...

 

Yes, they most certainly are ... watching and laughing ... all the way to the bank.

 

To them, this is a game of chess, with an endless number of "suckers" ....


Edited by Moose_Valley, 04 November 2013 - 09:46 PM.


#30 DBAPaul

DBAPaul

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:38 PM

Posted 05 November 2013 - 08:39 AM

A cautionary tale; Many many years ago we faithfully backed up a server using Backup Exec, used many tapes over months, then one day we needed to restore.  Unfortunately no one had ever tested the backups,  Backup Exec had been misconfigured and there was no way to restore, all the tapes were useless.

 

So in addition to implementing a good Backup plan, be sure to test your Backup plan, if you can't restore it's not much of a Backup plan.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users