Coin Locker - A ransomware that tips its hat to Julius Caesar


18 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,270 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 03 February 2015 - 03:22 PM

What does the Coin Locker Ransomware have in common with Julius Caesar? The answer is an easily decrypted encryption method called the Caesar Cipher, which was used by Julius Caesar to encrypt confidential messages. This encryption method uses letter substitution where each character is replaced with another letter a certain number of places before or after it in the same alphabet. For example, if the cipher was shifting to the right by 4, A would become E and B would become F. An example of a cipher shifting by four characters to the right is shown in the figure below. As this type of cipher simply uses letter substitution, it becomes trivial to decrypt.

[Image: rot-4-cipher.jpg - Caesar cipher shifting four characters to the right]

Coin Locker was first reported towards the end of January and encrypts every file on your computer. Nathan Scott, who analyzed this infection, stated: "Coin Locker encrypts every file, including executables, that does not contain the word Windows, Mozilla, Google, or Notepad in the file path." Any file that Coin Locker encrypts would also have the .encrypted extension appended to it. Scott further stated: "When Coin Locker encrypts a file it uses a character substitution cipher where it shifts the original character four characters to the left." This is shown in the source code below, which was generated by Scott when he decompiled the Coin Locker executable.
 

[Image: encryption-func.jpg - Decompiled encryption function from Coin Locker]


In every folder where a file is encrypted, Coin Locker will also create a Coin.Locker.txt file, which is the ransom note for this infection. This ransom note gives instructions on how to connect to the malware's TOR site, which is now down, and submit payment. It is unknown if anyone has ever made a payment for this malware or if the developer would even deliver the decryption key.
 
You have been infected with the Coin Locker malware.

All files on this system have been encrypted.

To regain access to your files you will need the Coin Locker decryption software.

To obtain our software you will need to access the deep web with TOR, download TOR here:

https://www.torproject.org/download/download-easy.html.en

Launch TOR and navigate to our website:

http://unjbvgrxu2mpobuj.onion

Follow the steps on the site to use the decryption software and your files will be unlocked.

Due to the simplicity of the encryption algorithm used, Nathan Scott was able to create a decrypter for those affected by this ransomware. To use the decrypter, simply download the following program and save it to your computer:

http://download.bleepingcomputer.com/Nathan/Coin_Locker_Decrypter.exe


Once the program is downloaded, double-click on it to start it. When the program starts, select the drive you wish to decrypt and then click on the Decrypt button as shown in the image below.
 

[Image: coinlocker-decrypter.jpg - Coin Locker Decrypter with drive selection and Decrypt button]


The decrypter will scan the files on your computer and decrypt any files that contain the .encrypted extension. It should be noted that this tool will not remove the encrypted files, but will instead leave them intact in the event that there are issues. If the decrypter was able to decrypt your files, when it has completed you can use the same tool to delete the encrypted versions of your files.

As always if you have any questions, please do not hesitate to ask.
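As an added example (this is not part of the original post and is not Nathan Scott's decrypter), the following Python script puts the description above into working code: it reverses the four-position left shift by shifting each byte four positions to the right, walks a directory for files ending in .encrypted, writes the restored file next to each one, and leaves the encrypted copy in place exactly as the thread says the real tool does. Two details are assumptions, because the decompiled routine is only shown as an image: the shift is applied byte-wise with wraparound modulo 256, and the restored name is simply the original name with the .encrypted suffix removed. The sample file and directory tree are constructed inside the script so it runs offline.

```python
"""Added example: reverse Coin Locker's 4-position left shift.

Not Nathan Scott's decrypter. Byte-wise wraparound (mod 256) and the
".encrypted" suffix handling are assumptions made for this example.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

SHIFT = 4
ENCRYPTED_SUFFIX = ".encrypted"
# Path fragments the thread says Coin Locker leaves alone.
SKIPPED_PATH_WORDS = ("Windows", "Mozilla", "Google", "Notepad")


def shift_bytes(data: bytes, shift: int) -> bytes:
    """Caesar shift over bytes: each value moves `shift` places, wrapping at 256."""
    return bytes((b + shift) % 256 for b in data)


def coinlocker_encrypt(data: bytes) -> bytes:
    """Coin Locker's transform as described in the thread: four to the left."""
    return shift_bytes(data, -SHIFT)


def coinlocker_decrypt(data: bytes) -> bytes:
    """Undo the left shift by shifting four to the right."""
    return shift_bytes(data, SHIFT)


def would_be_skipped(path: str | os.PathLike) -> bool:
    """True if the malware's path filter would have left this file untouched.
    Useful when triaging which files should never have been encrypted."""
    return any(word in str(path) for word in SKIPPED_PATH_WORDS)


def decrypt_tree(root: Path) -> list[Path]:
    """Restore every *.encrypted file under `root`.

    The encrypted original is kept on disk, mirroring the thread's decrypter,
    and an existing destination file is never overwritten.
    """
    restored: list[Path] = []
    for encrypted in root.rglob(f"*{ENCRYPTED_SUFFIX}"):
        if not encrypted.is_file():
            continue
        target = encrypted.with_name(encrypted.name[: -len(ENCRYPTED_SUFFIX)])
        if target.exists():
            continue  # leave any pre-existing file alone
        target.write_bytes(coinlocker_decrypt(encrypted.read_bytes()))
        restored.append(target)
    return restored


def demo() -> dict:
    """Build a constructed sample tree, encrypt one file, then run the decrypter."""
    original = b"Quarterly report\r\nTotal: 42\r\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "docs"
        docs.mkdir()
        (docs / "report.txt.encrypted").write_bytes(coinlocker_encrypt(original))
        restored = decrypt_tree(root)
        return {
            "restored_names": [p.name for p in restored],
            "roundtrip_ok": restored[0].read_bytes() == original,
            "encrypted_kept": (docs / "report.txt.encrypted").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The decrypter deliberately never deletes or overwrites anything: a shift-by-four transform is reversible, but a wrong guess about the shift direction or wraparound would silently corrupt files, so keeping the encrypted copy until the restored file is verified is the safe default.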



#2 Comdark.Bubnix

Comdark.Bubnix

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Location:Indonesia

Posted 03 February 2015 - 04:01 PM

What great news!!! It can be decrypted, yeah. As usual, the Bleeping team are super awesome. Super big thanks, especially to Grinler and Nathan too, for always helping us.


Edited by Comdark.Bubnix, 03 February 2015 - 04:09 PM.


#3 Cody Johnston

Cody Johnston

    Bleepin' Adware Hunter


  • Security Colleague
  • 26 posts
  • OFFLINE
  • Gender:Male

Posted 03 February 2015 - 05:28 PM

Great work guys!


Edited by Cody Johnston, 03 February 2015 - 05:46 PM.


#4 joedee80

joedee80

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Male
  • Location:Indonesia

Posted 03 February 2015 - 11:09 PM

Thanks to the Bleeping team (Grinler, Nathan and others), I was able to fix the encrypted files. :thumbup2:



#5 shafeequepty

shafeequepty

  • Members
  • 2 posts
  • OFFLINE

Posted 04 February 2015 - 03:07 AM

My encrypted files are not decrypted by this decrypter either. The extension of the files is .ayhmife (e.g. 12.ayhmife). So, can anybody help me to decrypt my files? Any help would be highly appreciated.



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,270 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 04 February 2015 - 02:19 PM

    My encrypted files are not decrypted by this decrypter either. The extension of the files is .ayhmife (e.g. 12.ayhmife). So, can anybody help me to decrypt my files? Any help would be highly appreciated.


You most likely have this infection:

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

#7 shafeequepty

shafeequepty

  • Members
  • 2 posts
  • OFFLINE

Posted 05 February 2015 - 03:41 AM

Thank you for your nice info. 

So, is there any decrypter tool for this? 



#8 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,136 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 05 February 2015 - 03:41 AM

I think these low-grade cryptos are made by some script kiddies who are hearing those great cryptomalware infection news and want to try out theirs.
Anyway, life is getting miserable due to these unwanted and extra people.
Anyone know how the infection is catching its prey - drive-bys, ads or something else?

BTW, good work Nathan, Grinler and other people who make the anti-tools. That shows the world has not lost the good people. :)

Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting! Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others. :radioactive: signature contents © cv and Someone....... :wink:

#9 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,270 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 05 February 2015 - 09:20 AM

    Thank you for your nice info.
    So, is there any decrypter tool for this?


No, there is no decrypter for CTB Locker unfortunately.

#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,270 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 05 February 2015 - 09:21 AM

    Anyone know how the infection is catching its prey - drive-bys, ads or something else?


Unfortunately, we do not know how this one is spreading.

#11 wadwadi

wadwadi

  • Members
  • 4 posts
  • OFFLINE

Posted 15 February 2015 - 07:47 PM

Hi everybody, I have the same problem. More than a year of work has been taken hostage by these scammers. I always had a backup on a USB key, but it was connected and everything on it was encrypted too. I do not know what I can do; I hope that a solution will be found quickly, it is the only hope I have left.
If anyone has a solution, I'm interested, and thank you in advance. (The decryptor cited above is not working, unfortunately.)

Edited by wadwadi, 15 February 2015 - 07:52 PM.


#12 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,136 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 15 February 2015 - 09:41 PM

Hi,
What does the file extension show?

"Any file that Coin Locker encrypts would also have the .encrypted extension appended to it.
The decrypter will scan the files on your computer and decrypt any files that contain the .encrypted extension. It should be noted that this tool will not remove the encrypted files, but will instead leave them intact in the event that there are issues."


Regards : CV

#13 wadwadi

wadwadi

  • Members
  • 4 posts
  • OFFLINE

Posted 16 February 2015 - 01:47 AM

Hi,

Now all my files end with: ZBDWXIE



#14 LiquidTension

LiquidTension

  • Malware Response Instructor
  • 1,218 posts
  • OFFLINE
  • Gender:Male

Posted 16 February 2015 - 02:22 AM

Hello,

    Hi,
    Now all my files end with: ZBDWXIE

Your files have been encrypted by CTB Locker, not Coin Locker. 
 
See here: 
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information



#15 msalvini

msalvini

  • Members
  • 4 posts
  • OFFLINE

Posted 03 February 2016 - 11:45 AM

My files are of the nomefile.encrypted type, and with Coinlocker, removing the .encrypted extension still does not let me open them. If anyone can help,
thank you.

Ransom demand:
===============================================================================
        !!! WE HAVE ENCRYPTED YOUR FILES WITH THE Crypt0L0cker VIRUS !!!
===============================================================================


Your important files (including those on network drives, USB, etc.): photos,
videos, documents, etc. have been encrypted with our Crypt0L0cker virus.
The only way to restore the files is to pay us. Otherwise,
the files will be lost.

Use this link to pay for file recovery:


-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

[=]  What happened to my files?

  Your important files: photos, videos, documents, etc. have been
  encrypted with our Crypt0L0cker virus. This virus uses a very
  strong encryption algorithm - RSA-2048. Breaking the RSA-2048
  encryption algorithm is impossible without the special decryption
  key.


[=] How do I restore my files?

  The files are now unusable and unreadable; you can verify this by
  trying to open them. The only way to restore them is to
  use our decryption software. You can purchase this
  decryption software on our


[=] What should I do next?

  We recommend visiting the
  and purchasing decryption for your PC.


[=] I cannot access your website, what should I do?

  Our website should be accessible from one of these links::


  If for any reason these addresses are not available, please
  follow these instructions:
    1. Download and install the TOR browser:
    2. After installation, run the browser and wait for
       initialization.
    3. Type in the address bar:
    4. Access our site.

  You can also contact us by e-mail: decrypthelp@mail333.com




