New CryptoLocker copycat ransomware in the wild

A new file-encrypting ransomware has been released that is going by the infamous CryptoLocker name. Though this infection is using the same name as the CryptoLocker ransomware that was released in 2013, it should be noted that is not the same infection nor is it from the same developer. When installed, this new CryptoLocker ransomware will encrypt all of your data files and rename them with a .encrypted extension. It will then display a ransom note on how you can purchase a decrypter for your files. This infection is requiring a ransom of 1.8 BTC in order to download and retrieve the decrypter. With this particular infection they are posting the exchange rate in AUD rather than USD, which may mean it is targeting Australian residents.
 

Click above to see the full image.

When you click on the links in the ransom note you will be brought to the CryptoLocker Decryption Software site where you can learn how to purchase the decrypter. Like other infections, this site will require you to send the specified amount of bitcoins to a particular address and then input the transaction ID to verify payment. Once payment has been established, you will be offered a decryption program that you can download to decrypt your files. The decryption site also offers a customer support form, frequently asked questions section, and the ability to decrypt one file for free.
 

Click above to see the full image.

At this time, the ransom is 1.8 BTC, which is equivalent to 1,000 AUD. Strangely this infection uses a static bitcoin address of 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X to receive payments. The address currently shows 5.39 BTC having been sent to this address.
 

Click above to see the full image.

Thankfully, this variant does not delete Shadow Volume Copies, which can be used to recover some of your files. Information on how to restore files from Shadow Volume Copies using Shadow Explorer can be found in the original CryptoLocker guide.

To remove this infection, you will need to remove the following files and registry keys:
 

C:\ProgramData\<random>.exe
C:\ProgramData\<random>.html
C:\Users\All Users\<random>.exe
C:\Users\All Users\<random>.html
C:\Users\User\AppData\Local\Temp\etilqs_qZAdaD7Y2gtuzMi

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>	C:\ProgramData\<random>.exe

Update: 9/9/14 - This ransomware is being titled TorrentLocker via various organization.

Thanks for the heads up!

Awesome, thanks for the info once again!  If those paths are consistent then CryptoPrevent will block this already without need of an update

The infection I have here on a friends computer was received via email, claiming to be a delivery missed notice from Australia Post. (They leave a card in the letter box, and don't send emails).

Thanks for the news on this.  I installed CryptoPrevent on my home PC and a few family's PC's so hopefully that will keep them safe, almost like a default action on a new PC!

 

Maybe it's time I paid to get the auto updates as well!

 

Thanks

i've been hit by this one and due to backup issues I really need to recover some of the encrypted files - what are the chances of being able to reverse the encryption? I get the feeling that paying the ransom will get me nowhere

My friend's Windows XP machine (no recent backup I know...  ) got infected with this on 3rd Sep 2014.
 
He's in the UK and the email pretended to come from Royal Mail detailing a missed delivery...
 
The ransom on screen said it was for £350, but when you went into the details it said 1.225 bitcoins which ended up about £380 or something like that.
Anyway, he was kind of desperate as this was a business machine with important recent data not included in any backup (and of course being such an old Windows XP machine doesn't have any shadow copies).
The ransom was paid to the Bitcoin wallet mentioned above starting 13 and ending 3X.
He paid the ransom and the browser clicked through to an executable called "Decryption_Software.exe". I ran the file and it sits there but doesn't look like it's actually doing anything as it's been sitting there for about 3 hours at only about 2MB of RAM utilisation and 0 CPU. The RAM utilisation has now just dropped to 360K and still 0 CPU. Writing 30 mins later now and it has climbed up to 800K and now up to 1208K.
I wonder if this is just taking some inventory of the files that need to be decrypted?
This virus runs as another explorer.exe instance that appears like a webpage and has clickable links to pay the ransom etc which is what we did. The exe that runs upon startup is C:\Windows\asefukoq.exe.
 
[EDIT - not sure how to or if it's possible to add attachments in this forum] Attached is a screenshot the "Decryption_Software.exe" file that looks like it has never really launched properly based on the white space in the top left corner.
 
Has anyone any experience of paying this ransom and did they get an EXE at the end of it like we did, and did it ever actually do anything?
 
Would the private key that was used to encrypt these files in the first instance be inside this "Decryption_Software.exe" file be extracted and used in conjunction with the EXE that can be downloaded from the decryptcryptolocker.com website?
 
Thanks,
 
Conor.

Edited by cmckeown, 06 September 2014 - 01:38 AM.

Updated the guide to remove the bit about cookies. This is wrong and the ID for your infection is appended to the urls in the ransom note.

Paying the ransom gets you a download to an exe called Decrypt_Software.exe (mentioned in a previous post above).

 

This file was quarantined by AV (Symantec) as containing another virus (not cryptolocker, but foolishly didn't make a note).

 

But if you turn off the AV and run the decrypt_software.exe then it does decrypt the files. We restored these decrypted files back via another PC with up to date malware and AV and it came up clean.

 

One thing to note is that it does not seem to be a perfect decryption - there is some corruption left on the end of files, like the last few characters were scrambled.. but they are usable in most cases.

 

This was unavoidable for us as we needed urgent access to files which had not been backed up (worth more than the ransom) - but it sticks in my throat that we had to pay (our own fault..).

Thanks for the info.

Thank you 'eadmin2014'!

 

Under pressure I had forgotten that AV software might have done something with th downloaded EXE...

 

I hadn't noticed that Security Essentials had detected the "Decryption_Software.exe" when first downloaded and somehow 'cleaned it'. Nothing in its logs etc and nothing popped up on screen which is useful, not - but now it's exactly what I expect from this product. (Note to self: Do what others have recommended for years and ditch this software!)

 

I disabled Security Essentials and was able to download the EXE again, but not from the original URL that I had copied when I first downloaded it. I had to string together the URL from copies of the URLs that I took when going through the payment confirmation page and subsequent download page.

 

--

--

 

Everything seems to have decrypted successfully and I test opening some Word & Excel files which opened successfully. Some pictures (jpg) appear to be not openable (not sure if they were somehow corrupt before). I haven't yet done the post decrypt reboot that it has prompted for so things might change afterwards.

 

At this stage I'm in the process of backing up all files and once that's done I'll enable the AV software again and reboot the machine and monitor what happens afterwards, and if those JPG files that were not able to be opened are now able to be opened.

 

Thank you to this forum - Top of the class

 

Very grateful,

 

Conor.

If you are considering paying this Ransomware, please shoot me at email at DecryptorBit@outlook.com first if you do not mind trying a few different options and tests. As always, there may be another way. Thanks.

Edited by decrypterfixer, 09 September 2014 - 02:59 PM.

We are also looking for a copy of the decrypter, so if you payed the ransom and the decrypter is available we would appreciate if you could upload it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=168

File uploaded Lawrence.

 

Hopefully you'll be able to decipher it a little and help others too.

 

Thanks,

 

Conor.

Hi guys,

 

has there been any updates on this? my father's business laptop has just been infected by this and we are in dire need of getting it removed. 

 

thanks in advance, 

 

Mike.