TorrentLocker Support and Discussion Thread (CryptoLocker copycat)


419 replies to this topic

#406 joodyanne

joodyanne

  • Members
  • 13 posts
  • Gender: Female
  • Location: Bendigo, Victoria, Australia

Posted 16 July 2016 - 05:40 PM

Thanks, earlier this year someone was trying to help me, and they suggested I keep in touch with you.  Just thought I'd ask.

 

Thanks again for your response.




#407 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,953 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 16 July 2016 - 06:12 PM

Not a problem.

When or if a free solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#408 GuidoZ

GuidoZ

  • Members
  • 16 posts
  • Gender: Male

Posted 19 July 2016 - 07:38 PM

I just submitted some files (key in DECRYPT txt is Nz5zSGopV58J6RwztmDBgVLQ5RxnSSKSv) for analysis to see if it's possible to figure out which ransomware it is. It's a ".crypted" extension, though I've tried both "decrypt_xorist.exe" and "decrypt_nemucod.exe" but only get the error "No key found - The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. Files need to be at least 510 bytes long." Yes, I am dragging both the encrypted and unencrypted version onto both files with the same error. I have submitted a request to Dr Web as well. Appreciate any help!



#409 quietman7


Posted 19 July 2016 - 08:16 PM

Quote (GuidoZ, post #408): I just submitted some files (key in DECRYPT txt is Nz5zSGopV58J6RwztmDBgVLQ5RxnSSKSv) for analysis to see if it's possible to figure out which ransomware it is. It's a ".crypted" extension...

Any files that are encrypted with Nemucod Ransomware will have the .crypted extension appended to the end of the encrypted data filename, and the ransomware leaves files (ransom notes) named DECRYPT.TXT.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

#410 joodyanne


Posted 20 July 2016 - 04:09 PM

Mine had been renamed *.doc.encrypted (no idea which particular ransomware it is).



#411 quietman7


Posted 20 July 2016 - 04:13 PM

Quote (joodyanne, post #410): Mine had been renamed *.doc.encrypted (no idea which particular ransomware it is).

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance.

#412 joodyanne


Posted 20 July 2016 - 04:29 PM

Thanks



#413 quietman7


Posted 20 July 2016 - 04:56 PM

You're welcome and good luck.

#414 WSpu

WSpu

  • Members
  • 2 posts
  • Gender: Male

Posted 08 October 2016 - 02:51 PM

Crypt0l0cker encrypted unmapped network shares?

 

This week we received an alert that the crypt0l0cker ransomware (according to the ransom note) encrypted files (.enc extension) on a computer. The process responsible for the encryption was a file with the extension tmp. Soon after we received alerts from other computers, but this time the process was system:remote. After analyzing the alert from the first computer we noticed that the process encrypted files on network shares which were not mapped to a network drive. Besides encrypted files in folders on the c:, d: and M: (mapped network drive) there were files encrypted on the path \\computer\share\folder.

 

According to the page http://www.bleepingcomputer.com/virus-removal/torrentlocker-crypt0l0cker-ransomware-information#shares the torrentlocker-crypt0l0cker ransomware only encrypts files on mapped network shares. Is there a new variant active?

 

P.S. We reinstalled the infected computer and removed all the ransomware files and restored most files from a backup.



#415 jjvalstar

jjvalstar

  • Members
  • 1 posts

Posted 10 October 2016 - 12:59 AM

All,

Is there already a decrypt software for this ransom software? I was able to delete the ransom/trojan but my files are still encrypted and need to decrypt.



#416 tinschi

tinschi

  • Members
  • 2 posts
  • Gender: Female
  • Location: Austria

Posted 10 October 2016 - 01:39 AM

Quote (jjvalstar, post #415):
All,
Is there already a decrypt software for this ransom software? I was able to delete the ransom/trojan but my files are still encrypted and need to decrypt.

 

I bought the decrypt tool from Dr. Web to decrypt all files. This was the only solution I found. As far as I know a free decryption tool isn't out yet.



#417 quietman7


Posted 10 October 2016 - 06:24 AM

Quote (jjvalstar, post #415): ...Is there already a decrypt software for this ransom software?...

Many victims have reported that Dr.Web was able to assist them with decrypting files...see here.
Updated policy from Dr.Web (11/25/15): Free file decryption assistance only for PCs protected by Dr.Web at the moment of infection

#418 WSpu


Posted 14 October 2016 - 02:09 PM


Again we had one computer with the crypt0l0cker ransomware which encrypted files on other computers with a shared folder. Before reinstalling this computer we saved the ransomware, the note files and two encrypted files. The ransomware was uploaded to VirusTotal (https://www.virustotal.com/en/file/18398ed5c38dbacd97ce2d4fc9a4fc28c22ae68d37a263e5c3cdd77d7bbf597f/analysis/) but the file was already known. According to the comments the file was also analyzed by Deepviz analysis and Hybrid Analysis. On these websites you can download a sample for your own analysis.



#419 acoustico11

acoustico11

  • Members
  • 4 posts

Posted 20 March 2017 - 03:46 PM

Hello... what kind of ransomware is this kind of filename?  Attendance.pdf.id-3438022203_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m

 

Thanks......



#420 quietman7


Posted 20 March 2017 - 06:16 PM

Quote (acoustico11, post #419): Hello... what kind of ransomware is this kind of filename?  Attendance.pdf.id-3438022203_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m

You have already been answered in the CryptON Ransomware Support & Help Topic

Please do not keep posting the same information in different support topics.
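An added triage example, not part of any post in this thread: it applies the naming patterns reported above (.crypted plus a DECRYPT.TXT note, .enc, .encrypted, and the .x3m name from post #419) to a file listing and records whether each hit sits on a drive letter or a UNC share such as \\computer\share\folder. The function names and the sample listing are constructed for illustration; a match is only a hint, and a submission to ID Ransomware is still what confirms the family.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Name shape quoted in post #419: <name>.id-<digits>_[contact]_[contact].x3m
CRYPTON_RE = re.compile(r"^(?P<orig>.+)\.id-\d+_\[[^\]]+\]_\[[^\]]+\]\.x3m$")

def classify(name, siblings):
    """Return (family hint, original name), or None if no pattern matches."""
    low = name.lower()
    m = CRYPTON_RE.match(name)
    if m:
        return "CryptON", m.group("orig")          # per the reply in post #420
    if low.endswith(".crypted"):
        # Post #409: Nemucod appends .crypted and leaves DECRYPT.TXT notes.
        note = any(s.upper() == "DECRYPT.TXT" for s in siblings)
        return ("Nemucod" if note else "unconfirmed (.crypted, no note)"), name[:-8]
    if low.endswith(".enc"):
        return "Crypt0L0cker (as reported in post #414)", name[:-4]
    if low.endswith(".encrypted"):
        return "unidentified (.encrypted)", name[:-10]
    return None

def triage(paths):
    """Group a file listing by folder and report every renamed file found."""
    folders = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        folders[wp.parent].append(wp.name)
    findings = []
    for folder, names in folders.items():
        # A UNC path has a "drive" of the form \\server\share.
        where = "UNC share" if folder.drive.startswith("\\\\") else "drive " + folder.drive
        for name in names:
            hit = classify(name, names)
            if hit:
                findings.append({"path": str(folder / name), "where": where,
                                 "family": hit[0], "original": hit[1]})
    return findings

# Constructed listing; only the .x3m name and the UNC path shape come from the thread.
SAMPLE = [
    r"C:\Users\a\Docs\report.xls.crypted", r"C:\Users\a\Docs\DECRYPT.TXT",
    r"D:\Scans\invoice.pdf.crypted",
    r"M:\Finance\budget.doc.enc", r"\\computer\share\folder\plan.doc.enc",
    r"C:\Users\a\Attendance.pdf.id-3438022203_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m",
    r"C:\Users\a\notes.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['where']:10} {f['family']:40} {f['path']} -> {f['original']}")
```

A drive letter alone does not say whether the location is local or a mapped share, so hits on letters such as M: need to be checked against the host's drive mappings.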



