Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ransomeware infection


  • Please log in to reply
1 reply to this topic

#1 doomeduniverse

doomeduniverse

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 22 September 2014 - 09:26 PM

So I already posted this in "windows 7" but maybe I should have posted in "Am I Infected? What do I do?" instead.

 

I knew deviantart was malicious, always showing video ads and randomly putting up pop-up ads that direct to weird places which if I don't close FAST, will quickly say "are you sure you want to navigate away from this page?" instead of just letting me close it. But there's absolutely nowhere else I could have gotten this garbage. But it is of little consequence where it came from, when it comes to dealing with it. I'm just saying, it was deviantart.
 
So I killed some task that was using up 50% of my cpu and deleted some file in the temp directory, but I thought that was the end of it, but all the text files in not just my main hard drive, but my external hard drive too (this horrible computer actively attacked something outside of it, how dare it be so intrusive!) now have .xzmpjmd after the .txt and they all are encrypted. It had enough time to do that with a few .jpg files in my documents and my pictures but it didn't do all of the jpg files nor did it get into the other pictures or those on my external hard drive. But all the text files. In addition, there is a file called "DecryptAllFiles     2374878396.txt" in my documents which says this (until ------------, after that it's me talking again, not quoting the text file):
 
Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

1. Type the address http://torproject.org in your Internet browser.
   It opens the Tor site.

2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle',
   install and run it.\

3. Now you have Tor Browser. In the Tor Browser open the http://23bteufi2kcqza2l.onion
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

4. Copy and paste the following public key in the input form on server. Avoid missprints.
75ULUW-H6H4AZ-M5GNGY-WZGHQE-TSP3IM-YQ4SXR-W33VZ5-4RZFQT
COWYIX-WVQCSE-YJN624-HIXAWU-XNLHOJ-76VAYI-2A4TT7-PYP2IC
OITEQ7-L3OYCA-C3FT5G-YFRAEF-5H35E2-HWHY6F-OLC7KR-5XGZXB
5. Follow the instructions on the server.
 
------------------------------
 
So I assume it's probably a RSA key I guess. If the code is 0-9 and A-Z (the only thing missing is the capital latter D and a few of the numbers but it's probably base 36, not 35 or less, it's just those numbers and letters weren't used by chance) and there are 24 sequences of 6 so that's 144*log2(36) or probably 768 bits of encryption. Ugh.
 
I went to the cryptolocker page and tried some of my files and it said it was not done with that. I have gotten very few results looking for others with this thing.I only got one page with 23bteufi2kcqza2l.onion mentioned and so I was wondering if there was something I could do. Other than paying the bastards, that is. Because I'm not going to do that. For one thing I have heard that all they do is ask for more money. Damn, why did I have to leave my stupid external hard drive plugged in all the time. My computer the traitor, it could have just ruined its own contents.
 
I do have some examples of "before" and "after", I could upload, if anyone cares. Text files that came with torrents I downloaded that I could download again, or text files I saved on my computer, and then e-mailed to someone, so they're still in the outbox in gmail. None of it is of monetary value, it's just some things owned by a broken man who's been beaten down by the world, and now you all have got to kick me while I'm down and take the last little trinkets from me, like the stories I have written that no one else cares about or the rants I have typed up and saved. Are you happy, world?

 

Also, I deleted the files from the temp directory before I knew it had done anything lasting, so I can't post them. But there's a file still in my recycle bin, it's called rmbrrsd.html. It's 500 kilobytes. It's from the same time as the attack on my files and as when the "DecryptAllFiles"'s date, which was Saturday 9-20-2014, so it's safe to assume it's related. Should I delete it? Or is it useful somehow? I don't like leaving things in recycle bin for long, I usually delete them by accident.

 

zip files and adobe acrobat pdf files too. So it zapped all the text files and at least some of the zip files, the adobe acrobat files and jpg images.

 



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 AM

Posted 25 September 2014 - 06:03 PM

CTB Locker (Critroni, Onion) will encrypt all data files and rename them as a file with a .CTBL extension.
- Creates a image file called AllFilesAreLocked <user name>.bmp in the My Documents/Documents folder.
- Creates a text file called DecryptAllFiles <user name>.txt in the My Documents/Documents folder that contains ransom instructions.

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CTB Locker (Critroni) does and provide information for how to deal with it. Also see New Critroni variant offers free test decryption and now uses CTB2 extension. Unfortunately, there is still no known method of decrypting your files without paying the ransom.

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users