Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TorrentLocker Ransomware Cracked and Decrypter has been made


  • Please log in to reply
359 replies to this topic

#31 Nathan

Nathan

    DecrypterFixer

  • Topic Starter

  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:47 PM

Posted 27 September 2014 - 01:43 PM

If you have been infected with TorrentLocker in the last 24-48 hours, Please PM me ASAP. 

 

Thank you.


Have you performed a routine backup today?

BC AdBot (Login to Remove)

 


m

#32 Pradman

Pradman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 30 September 2014 - 08:50 AM

Hi Nathan,

 

One of our file servers has been infected since 25th Sep. I tried your earlier tool but failed. Please help.

 

 

Thanks

Prad



#33 Pradman

Pradman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 30 September 2014 - 11:55 PM

If you have been infected with TorrentLocker in the last 24-48 hours, Please PM me ASAP. 

 

Thank you.

Hi Nathan,

 

One of our file servers has been infected since 25th Sep. I tried your earlier tool but failed. Please help.

 

 

Thanks

Prad



#34 JaneDoe111

JaneDoe111

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 02 October 2014 - 06:39 AM

Hi there
 
I got an infection of what I think is torrentlocker on 1st October. I used the torrentlocker tool you made, and successfully decrypted a 4mb .psd file and edited it. I am having trouble with smaller files, is there anything that can be done to decrypt the smaller files? I don't have backups. I tried a desktop wallpaper jpg folder, and these are all corrupted still.
 
Thanks

Edited by JaneDoe111, 02 October 2014 - 06:43 AM.


#35 karlfk

karlfk

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 AM

Posted 02 October 2014 - 10:39 PM

Hi all

 

I've been reading this all day and night

 

We got the virus 2 days ago, I was able to remove the virus files using malwares and spybot OK, but the files are still encrypted, my brother says he has few years worth of data that has been hit, we are a small IT shop here in a local town and this virus is just starting to make its rounds.

 

this is the one we have

 

 

WARNING

We have encrypted your files with CryptoLocker virus

 

 

wk0ino.jpg

 

Any help would be great, I did try the one on this link http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

 

it finds the key OK but when I view file to see if it worked it tells me it cant open.

 

cheers Karl


Edited by karlfk, 02 October 2014 - 10:48 PM.


#36 Helios1337

Helios1337

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 03 October 2014 - 07:08 PM

I'm trying to decrypt files as well and it looks like the same situation as the post above. The program gets the key and I decrypt a file but it does not open. The ransom page looks the same as above as well.



#37 karlfk

karlfk

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 AM

Posted 03 October 2014 - 08:06 PM

I have all the malware logs and so on if any one needs to them to figure out whats going on, we have tried about 6 different programs including a pyton script which didn't work, i would like to be able to fix this for my brother since I'm working for him as the leading IT in the shop, it would have to be one of the worse ones I have seen yet to date

 

cheers Karl

 

 

Malwarebytes Anti-Malware 1.65.1.1000


 v2014.10.02.02

Windows XP Service Pack 3 x86 NTFS
 8.0.6001.18702
tanya :: ACCOUNTS

2/10/2014 10:10:35 AM
mbam-log-2014-10-02 (10-10-35).txt

  (C:\|)
 
 
 743407
 4 , 57 ,

 0


 0


 0


 5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|215797616 (Trojan.Ransom.ED) ->  C:\DOCUME~1\ALLUSE~1\msffz.exe ->
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|yfygojur (Trojan.Agent.ED) ->  C:\WINDOWS\afewalfj.exe ->
HKCU\Control Panel\Desktop|SCRNSAVE.EXE (Trojan.Agent.EV) ->  "C:\Documents and Settings\tanya.KNIGHTLINE.000\Application Data\Microsoft\Windows\IEUpdate\asr_fmt.exe" ->
HKCU\Software\Microsoft\Command Processor|AutoRun (Hijack.Autorun) ->  "C:\Documents and Settings\tanya.KNIGHTLINE.000\Application Data\Microsoft\Windows\IEUpdate\asr_fmt.exe" ->
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|Run (Trojan.Agent) ->  "C:\Documents and Settings\tanya.KNIGHTLINE.000\Application Data\Microsoft\Windows\IEUpdate\asr_fmt.exe" ->

 0


 1
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) ->

 9
C:\Documents and Settings\All Users\msffz.exe (Trojan.Ransom.ED) ->
C:\WINDOWS\afewalfj.exe (Trojan.Agent.ED) ->
C:\Documents and Settings\All Users\Application Data\usyrunywumatusiq\01000000 (Trojan.Agent.ED) ->
C:\Documents and Settings\tanya.KNIGHTLINE.000\Local Settings\Temp\KB1342057296.exe (Trojan.Agent.ED) ->
C:\Documents and Settings\tanya.KNIGHTLINE.000\Local Settings\Temp\KB1346935468.exe (Trojan.Agent.ED) ->
C:\Documents and Settings\tanya.KNIGHTLINE.000\Local Settings\Temp\KB1347482843.exe (Trojan.Agent.ED) ->
C:\Documents and Settings\tanya.KNIGHTLINE.000\Local Settings\Temporary Internet Files\Content.IE5\2XI7QDGA\ubanner[1].png (Trojan.Zemot) ->
C:\Program Files\Samsung\Samsung CLP-300 Series\Install\data\Ssopen.exe (Trojan.FakePDF) ->
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) ->

 

 

cheers Karl



#38 karlfk

karlfk

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 AM

Posted 03 October 2014 - 08:19 PM

Here a couple of images

 

found_key.jpg

 

 

And the result of the PDF I'm trying to decypt

 

pdf_error.jpg



#39 Timofei

Timofei

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 05 October 2014 - 09:03 AM

Nathan, have you had any luck? I too have tried everything and got nowhere. Was infected on the 25th Sept, And demand has now gone up to 2 bit coins. Would happily pay you for a solution. Best, Tim



#40 Pyruvous

Pyruvous

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 08 October 2014 - 07:07 PM

I appear to have torrentlocker on a clients pc, ran the decrypter you made which seems to work for files over 2mb but I seem to have the error you mentioned with the smaller files.  Is there an automated way to try and recover those corrupted 4-8 bits or it a manual process only? (I ask because there's around 19000 small pdf files and therefore manually doing them all is gonna be a pain)



#41 marinabrusa

marinabrusa

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:47 PM

Posted 10 October 2014 - 05:58 AM

Hi to everybody , this is my first post : I am from Italy  and I thank you all for admission.  Sorry for my English ...

My customer ( I am a programmer)  got the Torrent Locker (Cryptolocker)  on 8th of October  which  destroyed   (.encrypted) all the files  (4 months of work , it's a small company)  and even the backup disk that was accidentally  logged on at that moment ! (XP , no backups) .

I realized  by reading your forums  it' s the release of virus that  crypts 'only'  the first two MB of the file. The program of Mr. Nathan (TorrentUnlocker) seems to find the key (I have one original file)  but the key is not  good to restore any of the files , large or small. Is there a possibility to post en example to your site ?  Thanks in advance    Marina



#42 DownUnder88

DownUnder88

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 AM

Posted 11 October 2014 - 09:12 AM

Hi Nathan,

 

My computer was also affected by TorrentLocker on 8 Oct through an 'Undelivered Package' mail. I've experienced the same outcome as the previous posts. I managed to find same original files from my backups that are more than 2MB and tried them on the Torrent Unlocker, all were able to generate the decrypt keys. However, when I did a test on the other affected files, they failed.

 

I've ran out of big original files to try out. Please help.......



#43 quark303

quark303

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 15 October 2014 - 07:22 PM

Am in a similar situation to DownUnder88, yesterday received an email containing the Torrent Locker.
Your DecrypterFixer seem to work but fails the Test on photos, pdfs, and word documents.
 
Please help
Quark303


#44 TeQ99

TeQ99

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:47 PM

Posted 20 October 2014 - 03:00 AM

Yes, The idea is that because of the previous sites that wanted to share the glitch with the whole internet, the virus creator has now patched it. Which means newer infections from this variant will not be able to use my tool.

 

If anyone has the dropper or the EXE, please submit it to:

http://www.bleepingcomputer.com/submit-malware.php

 

And i will see if the fix can be updated.

Uploaded Filecoder.Dm.gen.rar everything i collected from a few infections.



#45 marinabrusa

marinabrusa

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:47 PM

Posted 20 October 2014 - 08:44 AM

Thank you for the opportunity that is vital for us . I tried to post several files but I got an error.  please tell me if you received them .

 

Marina






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users