
New CryptoLocker copycat ransomware in the wild


29 replies to this topic

#1 Grinler

    Lawrence Abrams


  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 01 September 2014 - 11:55 AM

A new file-encrypting ransomware has been released that is going by the infamous CryptoLocker name. Though this infection is using the same name as the CryptoLocker ransomware that was released in 2013, it should be noted that it is not the same infection nor is it from the same developer. When installed, this new CryptoLocker ransomware will encrypt all of your data files and rename them with a .encrypted extension. It will then display a ransom note on how you can purchase a decrypter for your files. This infection is requiring a ransom of 1.8 BTC in order to download and retrieve the decrypter. With this particular infection they are posting the exchange rate in AUD rather than USD, which may mean it is targeting Australian residents.
 

[Screenshot: decrypt_instructions (the ransom note)]


When you click on the links in the ransom note you will be brought to the CryptoLocker Decryption Software site where you can learn how to purchase the decrypter. Like other infections, this site will require you to send the specified amount of bitcoins to a particular address and then input the transaction ID to verify payment. Once payment has been established, you will be offered a decryption program that you can download to decrypt your files. The decryption site also offers a customer support form, frequently asked questions section, and the ability to decrypt one file for free.
 

[Screenshot: cryptolocker-decryption-software (the decryption site)]


At this time, the ransom is 1.8 BTC, which is equivalent to 1,000 AUD. Strangely this infection uses a static bitcoin address of 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X to receive payments. The address currently shows 5.39 BTC having been sent to this address.
 

[Screenshot: blockchain (payments to the static bitcoin address)]


Thankfully, this variant does not delete Shadow Volume Copies, which can be used to recover some of your files. Information on how to restore files from Shadow Volume Copies using Shadow Explorer can be found in the original CryptoLocker guide.

To remove this infection, you will need to remove the following files and registry keys:
 
C:\ProgramData\<random>.exe
C:\ProgramData\<random>.html
C:\Users\All Users\<random>.exe
C:\Users\All Users\<random>.html
C:\Users\User\AppData\Local\Temp\etilqs_qZAdaD7Y2gtuzMi

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>	C:\ProgramData\<random>.exe

Update: 9/9/14 - This ransomware is being titled TorrentLocker by various organizations.
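As an added example (not from the post, and not CryptoPrevent or any other tool mentioned in this thread), here is a Python check that takes an exported HKCU Run key and a file listing and flags the indicators listed above: a Run value launching an .exe out of C:\ProgramData (or C:\Users\All Users) with a same-named .html beside it, plus any files renamed with the .encrypted extension. The registry export, file listing and the value name "qkzpolvw" are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the HKCU Run key (not a real capture).
SAMPLE_RUN_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\User\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qkzpolvw"="C:\\ProgramData\\qkzpolvw.exe"
'''
# Constructed directory listing; "qkzpolvw" stands in for the <random> name in the post.
SAMPLE_FILES = [
    r"C:\ProgramData\qkzpolvw.exe",
    r"C:\ProgramData\qkzpolvw.html",
    r"C:\Users\User\Documents\budget.xlsx.encrypted",
]
# Drop locations from the post (C:\Users\All Users is an alias of C:\ProgramData).
DROP_DIRS = {r"c:\programdata", r"c:\users\all users"}
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value_name: command} from a .reg export, undoing its backslash escaping."""
    values = {}
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m:
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values

def first_exe(command):
    """Pull the executable path out of a Run command, whether or not it is quoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", command)
    return m.group(1) if m else command.split()[0]

def suspicious_autoruns(run_values, file_list):
    """Flag Run values launching an .exe from a drop dir; note a same-named .html beside it."""
    files = {f.lower() for f in file_list}
    hits = []
    for name, command in run_values.items():
        exe = PureWindowsPath(first_exe(command))
        if exe.suffix.lower() == ".exe" and str(exe.parent).lower() in DROP_DIRS:
            note = str(exe.with_suffix(".html")).lower()
            hits.append({"value": name, "exe": str(exe), "ransom_note": note in files})
    return hits

def encrypted_files(file_list):
    """Files renamed with the .encrypted extension the post describes."""
    return [f for f in file_list if f.lower().endswith(".encrypted")]
```

On a live machine the same functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a recursive directory listing; a hit with ransom_note true matches the file pair the post tells you to remove.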



#2 blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,622 posts
  • Gender:Male
  • Location:India

Posted 01 September 2014 - 12:07 PM

Thanks for the heads up!



#3 Foolish Tech

    Authorized Foolish IT Representative


  • Members
  • 2 posts
  • Gender:Male

Posted 01 September 2014 - 12:49 PM

Awesome, thanks for the info once again! If those paths are consistent then CryptoPrevent will block this already without need of an update :)



#4 activateit

  • Members
  • 4 posts
  • Gender:Male

Posted 01 September 2014 - 05:18 PM

The infection I have here on a friend's computer was received via email, claiming to be a delivery missed notice from Australia Post. (They leave a card in the letter box, and don't send emails).



#5 fusedcube

  • Members
  • 2 posts
  • Gender:Male
  • Location:Stockport, UK

Posted 03 September 2014 - 04:23 AM

Thanks for the news on this. I installed CryptoPrevent on my home PC and a few family PCs so hopefully that will keep them safe, almost like a default action on a new PC!

Maybe it's time I paid to get the auto updates as well! :wink:

Thanks



#6 eadmin2014

  • Members
  • 2 posts

Posted 04 September 2014 - 06:09 PM

I've been hit by this one and due to backup issues I really need to recover some of the encrypted files - what are the chances of being able to reverse the encryption? I get the feeling that paying the ransom will get me nowhere :(



#7 cmckeown

  • Members
  • 3 posts

Posted 05 September 2014 - 03:49 PM

My friend's Windows XP machine (no recent backup I know... :( ) got infected with this on 3rd Sep 2014.

He's in the UK and the email pretended to come from Royal Mail detailing a missed delivery...

The ransom on screen said it was for £350, but when you went into the details it said 1.225 bitcoins which ended up about £380 or something like that.
Anyway, he was kind of desperate as this was a business machine with important recent data not included in any backup (and of course being such an old Windows XP machine it doesn't have any shadow copies).
The ransom was paid to the Bitcoin wallet mentioned above starting 13 and ending 3X.
He paid the ransom and the browser clicked through to an executable called "Decryption_Software.exe". I ran the file and it sits there but doesn't look like it's actually doing anything, as it's been sitting there for about 3 hours at only about 2MB of RAM utilisation and 0 CPU. The RAM utilisation has now just dropped to 360K and still 0 CPU. Writing 30 mins later now and it has climbed up to 800K and now up to 1208K.
I wonder if this is just taking some inventory of the files that need to be decrypted?
This virus runs as another explorer.exe instance that appears like a webpage and has clickable links to pay the ransom etc., which is what we did. The exe that runs upon startup is C:\Windows\asefukoq.exe.

[EDIT - not sure how to or if it's possible to add attachments in this forum] Attached is a screenshot of the "Decryption_Software.exe" file that looks like it has never really launched properly based on the white space in the top left corner.

Has anyone any experience of paying this ransom, and did they get an EXE at the end of it like we did, and did it ever actually do anything?

Would the private key that was used to encrypt these files in the first instance be inside this "Decryption_Software.exe" file, and could it be extracted and used in conjunction with the EXE that can be downloaded from the decryptcryptolocker.com website?

Thanks,

Conor.


Edited by cmckeown, 06 September 2014 - 01:38 AM.


#8 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 09 September 2014 - 10:57 AM

Updated the guide to remove the bit about cookies. This is wrong and the ID for your infection is appended to the urls in the ransom note.

#9 eadmin2014

  • Members
  • 2 posts

Posted 09 September 2014 - 11:24 AM

Paying the ransom gets you a download to an exe called Decrypt_Software.exe (mentioned in a previous post above).

This file was quarantined by AV (Symantec) as containing another virus (not cryptolocker, but foolishly didn't make a note).

But if you turn off the AV and run the decrypt_software.exe then it does decrypt the files. We restored these decrypted files back via another PC with up to date malware and AV and it came up clean.

One thing to note is that it does not seem to be a perfect decryption - there is some corruption left on the end of files, like the last few characters were scrambled... but they are usable in most cases.

This was unavoidable for us as we needed urgent access to files which had not been backed up (worth more than the ransom) - but it sticks in my throat that we had to pay (our own fault...).



#10 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 09 September 2014 - 11:31 AM

Thanks for the info.

#11 cmckeown

  • Members
  • 3 posts

Posted 09 September 2014 - 02:38 PM

Thank you 'eadmin2014'!

Under pressure I had forgotten that AV software might have done something with the downloaded EXE...

I hadn't noticed that Security Essentials had detected the "Decryption_Software.exe" when first downloaded and somehow 'cleaned it'. Nothing in its logs etc. and nothing popped up on screen, which is useful, not - but now it's exactly what I expect from this product. (Note to self: Do what others have recommended for years and ditch this software!)

I disabled Security Essentials and was able to download the EXE again, but not from the original URL that I had copied when I first downloaded it. I had to string together the URL from copies of the URLs that I took when going through the payment confirmation page and subsequent download page.

--

Add this suffix below from the original download link which no longer worked

=0&action=dwn_dec_app

--

Everything seems to have decrypted successfully and I tested opening some Word & Excel files, which opened successfully. Some pictures (jpg) appear to be not openable (not sure if they were somehow corrupt before). I haven't yet done the post-decrypt reboot that it has prompted for, so things might change afterwards.

At this stage I'm in the process of backing up all files and once that's done I'll enable the AV software again and reboot the machine and monitor what happens afterwards, and if those JPG files that were not able to be opened are now able to be opened.

Thank you to this forum - Top of the class :)

Very grateful,

Conor.



#12 Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 09 September 2014 - 02:57 PM

If you are considering paying this Ransomware, please shoot me an email at DecryptorBit@outlook.com first if you do not mind trying a few different options and tests. As always, there may be another way. Thanks.


Edited by decrypterfixer, 09 September 2014 - 02:59 PM.


#13 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 09 September 2014 - 05:14 PM

We are also looking for a copy of the decrypter, so if you paid the ransom and the decrypter is available we would appreciate it if you could upload it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=168

#14 cmckeown

  • Members
  • 3 posts

Posted 09 September 2014 - 06:08 PM

File uploaded, Lawrence.

Hopefully you'll be able to decipher it a little and help others too.

Thanks,

Conor.



#15 Mike_Robo

  • Members
  • 2 posts

Posted 22 September 2014 - 03:13 PM

Hi guys,

Have there been any updates on this? My father's business laptop has just been infected by this and we are in dire need of getting it removed.

Thanks in advance,

Mike.





