
Ransom Malware / trojan-ransom.win32.crypren.ply



#1 jimmy5517

jimmy5517

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 20 April 2014 - 02:33 AM

Just a few hours ago I executed an EXE file downloaded from "I don't know where it is from". The system popped an error message but I ignored it. About thirty minutes later I noticed a file named [README TO UNLOCK.txt] in all folders, along with files ending in *.jpg.LOCKED / *.bmp.LOCKED / *.mkv.LOCKED and so on. I then checked Google and found it to be ransom malware, but I have no intention of paying for whatever so I downloaded Kaspersky and ran a full disk scan to remove it.

----------------------------

Kaspersky Scan:

$R8A5B4M.exe Detected: Trojan-Ransom.Win32.Crypren.ply C:\$Recycle.Bin\S-1-5-21-3685234700-1101215914-4275847351-1012\ 4/19/2014 Saturday 11:44:26 PM
----------------------------
So now I am trying to decrypt all the locked files.
After reading some guides and discussions, I found the malware on my computer to be quite strange.
It did not encrypt all files on my computer, nor did it display a window telling me to pay or a countdown timer, only the text file. The malware also did not encrypt all files; it skipped a few in the process for no apparent reason (I did restart once due to the computer being stupidly slow, possibly because of the ransom malware). And interestingly, I was able to open some files simply by removing the .LOCKED extension.
Also the C drive is not affected at all, despite many of the media files being stored on there.
I have not been able to find registry keys for this malware, perhaps this is why it stopped encrypting my files after a reboot? It locked about 70% of my media files.
----------------------------
Comparison of affected and original copy of an mp3 file using HxD:
(How do I put pictures here)
----------------------------
Really what this thing took from me is about 700GB of movie/music/scans. Not so important but they do take a LONG time for me to download. 
So I would like anyone to classify this thing for me, or help me find a solution. 
Much appreciated.

Edited by jimmy5517, 20 April 2014 - 12:23 PM.
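The post above notes that some files opened again once the .LOCKED extension was removed. The following is an added triage example, not part of the original post: it checks whether each *.LOCKED file still begins with the signature of its original type. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes expected for the media types named in the post.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".bmp": b"BM",
    ".mkv": b"\x1a\x45\xdf\xa3",  # EBML header
    ".mp3": b"ID3",               # ID3v2 tag; untagged MPEG frames handled below
}

def classify(path: Path) -> str:
    """Return 'header-intact', 'header-changed' or 'unknown-type' for a *.LOCKED file."""
    original_ext = Path(path.stem).suffix.lower()  # "song.mp3.LOCKED" -> ".mp3"
    if original_ext not in MAGIC:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(MAGIC[original_ext]):
        return "header-intact"
    # An MP3 without an ID3 tag starts with an 11-bit frame sync (0xFF, then 0xE0 mask).
    if original_ext == ".mp3" and len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0:
        return "header-intact"
    return "header-changed"

def triage(root: Path) -> dict:
    """Walk root and map each *.LOCKED file (path relative to root) to its verdict."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(".LOCKED"):
                p = Path(dirpath) / name
                results[str(p.relative_to(root))] = classify(p)
    return results

def demo() -> dict:
    """Triage constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.jpg.LOCKED").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # header kept
        (root / "b.bmp.LOCKED").write_bytes(bytes(range(7, 27)))                # header overwritten
        (root / "c.mp3.LOCKED").write_bytes(b"\xff\xfb\x90\x00" + b"\x00" * 16)  # untagged MPEG frame
        (root / "d.doc.LOCKED").write_bytes(b"\xd0\xcf\x11\xe0")                # type not in table
        (root / "README TO UNLOCK.txt").write_text("constructed placeholder")
        return triage(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:15} {name}")
```

An intact header only shows that the first bytes are unchanged, not that the rest of the file is untouched, so run this against copies and verify a sample of files by opening them.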



#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:44 AM

Posted 20 April 2014 - 04:43 AM

Please start here => http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/#entry3150230

There is also an onsite link to CryptoLocker Ransomware Information and FAQ and you found the Kaspersky page already.

 

The Cryptolocker topic was started here in September 2013 and continues to run.
This http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-183#entry3347236 is the latest post in the thread so far.

 

Please post to the main topic, as we are not able to help in this area .......

This will keep all related posts in the one area - Good Luck -

 

EDIT - Your added pictures are very clear -


Edited by noknojon, 20 April 2014 - 04:44 AM.


#3 jimmy5517

jimmy5517
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 20 April 2014 - 06:07 AM

Hm I just want a classification for this thing because it doesn't quite look like a cryptolocker.

Anyway do I just copy and paste the whole thing there?



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:44 AM

Posted 21 April 2014 - 06:16 AM

Please post to one of the topics that I have linked above.

 

As there are variations of this Crypto problem worldwide, we ask you to start in the CryptoLocker topic so they can help you further.

This will keep all of these problems together, and we will not have to try to sort these out in various topics.





