All files have added extension .uogltic


  • This topic is locked
10 replies to this topic

#1 marcopolo123

marcopolo123

  • Members
  • 3 posts

Posted 10 December 2014 - 03:38 PM

Hello all. Hope you can help. I am trying to diagnose a problem with a friend's computer. All of her data files have been renamed to include the extension .uogltic, for example, dscn0269.jpg.uogltic. It is very similar to ransomware, but there is no ransom note that we can find. I have searched high and low for that file extension and come up empty. I have run Malwarebytes and it fails to find anything. Norton AV is also coming up empty. One other symptom is that the file sizes are all VERY small - i.e. the jpgs are in the 100 to 200 KB range.

 

Thanks.  Any ideas are greatly appreciated.

 

Marco





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 10 December 2014 - 06:53 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit any of the malware files that you suspect were involved in causing the infection. Doing that will be helpful with investigating.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 10 December 2014 - 07:12 PM

Please look in your documents folder for an image the malware normally uses as the background... it may be labeled "decryptallfiles" or something similar.



#4 marcopolo123

marcopolo123
  • Topic Starter

  • Members
  • 3 posts

Posted 11 December 2014 - 10:46 AM

Quietman - no, that is the odd thing. There is no "ransom note" anywhere on the computer. I will upload a sample file when I am back home tonight. Thanks.



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 11 December 2014 - 11:45 AM

You're welcome.

#6 marcopolo123

marcopolo123
  • Topic Starter

  • Members
  • 3 posts

Posted 11 December 2014 - 12:11 PM

FYI, I have submitted two example files.  I am unable to submit any info from Malwarebytes or Norton AV as both of those contend that the system is clean...



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 11 December 2014 - 01:40 PM

Ok.

We believe this is related to a newer variant of CTB Locker which is using a 6-7 character extension of random characters, such as the one you described.

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ
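A triage helper for the symptom described above (data files renamed with a random 6-7 letter extension and no ransom note), added here as an example and not code from this thread or from BleepingComputer; the list of inner data extensions and the 7.0 bits-per-byte threshold are assumptions:

```python
"""Walk a folder, flag names of the form <name>.<data ext>.<6-7 random letters>
(for example dscn0269.jpg.uogltic) and measure the entropy of each flagged
file's first bytes. Encrypted or compressed content sits near 8 bits per byte,
so a low value means the file was only renamed and may still be readable."""
import math
import os
import re
from collections import Counter

# Inner extensions to look for; this list is an assumption for the example,
# extend it to match the data types present on the machine being triaged.
DATA_EXTS = ("jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "pdf", "txt", "zip")
SUFFIX_RE = re.compile(r"\.(" + "|".join(DATA_EXTS) + r")\.([a-z]{6,7})$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_name(name: str):
    """Return (original_ext, random_suffix) when `name` matches, else None."""
    m = SUFFIX_RE.search(name)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def triage(root: str, sample_bytes: int = 4096, threshold: float = 7.0) -> dict:
    """Summarise suspected encrypted files under `root` for an incident report."""
    by_ext, by_suffix, low_entropy, total = Counter(), Counter(), [], 0
    for dirpath, _, files in os.walk(root):
        for fname in files:
            hit = classify_name(fname)
            if hit is None:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    ent = shannon_entropy(fh.read(sample_bytes))
            except OSError:
                continue  # unreadable file: skip rather than abort the walk
            total += 1
            by_ext[hit[0]] += 1
            by_suffix[hit[1]] += 1
            if ent < threshold:  # name matches but content does not look encrypted
                low_entropy.append((path, round(ent, 2)))
    return {"count": total, "by_ext": dict(by_ext),
            "by_suffix": dict(by_suffix), "low_entropy": low_entropy}
```

Run it against a copy of the affected folder; the per-suffix counts and the list of low-entropy files give you what to report alongside the samples you submit.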

#8 rnroller

rnroller

  • Members
  • 1 posts

Posted 18 December 2014 - 07:23 AM

I have the same problem. The file extensions are different. Are you planning to release a decrypt tool? Any news about that?



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 18 December 2014 - 07:50 AM

Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CTB Locker site. Brute forcing the decryption key is not realistic due to the length of time required to break this type of cryptography. Also, any decryption tools that have been released by various companies for other malware will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or, if you're lucky, from Shadow Volume Copies.

CTB Locker and Critroni Ransomware Information Guide and FAQ

#10 zalepak

zalepak

  • Members
  • 1 posts

Posted 21 January 2015 - 07:48 AM

I am also infected. :(

I have some idea. So if the virus gives the opportunity to decode some files for free, then maybe there is a way to disassemble the code of the virus and find a way to decode the rest of the files. I know that it is a job for a good hacker, but maybe it is the light in the tunnel?

What do you think about this? Do you know someone who is such a good programmer?



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts

Posted 21 January 2015 - 09:42 AM

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff



