
Crypto locker with using tor network and bitcoin


  • This topic is locked
1 reply to this topic

#1 saitx


Posted 25 March 2015 - 05:13 AM

Hello guys,

A colleague of mine has been infected with a version of crypto locker. The same version is being spread everywhere around Turkey, in Turkish, as "You have a cargo, please update your address, you can find the cargo details in the attachment".

 

After every file has been encrypted, it makes a copy of the document below in all folders.

 

//Translated by google.translate

  [=] What happened to my files? (What happened to my files)
  Important files: photos, videos, personal documents, our
  encrypted with cryptolock virus. This virus is very strong RSA-2048 encryption
  uses the algorithm. RSA-2048 encryption algorithm for breaking our code
  impossible without solving software.


[=] How do I get my files back?

  Your files have now become unusable and unreadable, working to open
  You can verify this. The only way to make files will work:
  our decryption software is to use.
  Our website (http://iezqmd4s2fflmh7n.tor-explorer.org/ql4a0m27.php?user_code=36a68a9&user_pass=2797)
  You can buy this decryption software.


[=] What do I do next?

  Our web site (http://iezqmd4s2fflmh7n.tor-explorer.org/ql4a0m27.php?user_code=36a68a9&user_pass=2797)
  Buy a visit and computer to your private decryption software. Each
  unique decryption key for decryption software on a single computer
  contains only recovers files from this computer and network disks.


[=] Can not visit your website, what should I do?

  Our site should be accessible from one of these links:
  http://iezqmd4s2fflmh7n.tor-explorer.org/ql4a0m27.php?user_code=36a68a9&user_pass=2797
http://iezqmd4s2fflmh7n.tor4liberty.org/ql4a0m27.php?user_code=36a68a9&user_pass=2797
http://iezqmd4s2fflmh7n.tor2web.blutmagie.de/ql4a0m27.php?user_code=36a68a9&user_pass=2797

  http: //iezqmd4s2fflmh7n.onion/ql4a0m27.php? In user_co = 36a68a9 & user_pass = 2797 (TR using the browser)

  If for any reason this address available, the following steps
  Watch:
    1. Install TR-browser:
       http://www.torproject.org/projects/torbrowser.html. the
    2. After successful installation, run the browser and start
       Wait.
    3. Type in the address bar:
       http: //iezqmd4s2fflmh7n.onion/ql4a0m27.php? user_co in = 36a68a9 & user_pass = 2797
    4. Enter our site.

  You can also contact us by e-mail: I decrypthelp@mail15.co

-------------------------------------------------- -----------------------------
-------------------------------------------------- -----------------------------

Login Information:
  URL: http://iezqmd4s2fflmh7n.tor-explorer.org/ql4a0m27.php
  User-Code: 36a68a9
  User-Pass: 2797

To show that they can decrypt, they provide you with a chance to decrypt a single file. (Great guys) So we used that on an Excel document. I am attaching both the encrypted and the decrypted document. I hope it might be useful. We have many files that need decryption.

 

 

https://www.dropbox.com/sh/v976x9kddqlk3tr/AACAEKudQsLwQ3WeN3yVyLyya?dl=0

 

 

PS. I have searched many times on the forums and haven't found a solution to this particular locker. If there is one, please direct me to it.

 

 

 

Best Regards,


Edited by saitx, 25 March 2015 - 05:28 AM.
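
Added example, not part of the original post or of any BleepingComputer tooling: the payment links in the note above share two traits a defender can search for in web-proxy logs, a 16-character base32 onion label placed in front of a clearnet gateway domain, and the `user_code`/`user_pass` query parameters. The log format (`<timestamp> <client_ip> <url>`) and the function names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# v2 onion addresses are 16 base32 characters (a-z, 2-7).
ONION_LABEL = re.compile(r"^[a-z2-7]{16}$")
# Query parameter names taken from the ransom note's payment URLs.
NOTE_PARAMS = {"user_code", "user_pass"}


def classify(url):
    """Return the reasons a URL resembles the note's payment links."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    reasons = []
    if ONION_LABEL.match(labels[0]):
        if labels[-1] == "onion":
            reasons.append("direct-onion")
        elif len(labels) >= 3:
            # Onion address used as a subdomain of a Tor-to-web gateway.
            reasons.append("onion-label-on-clearnet-gateway")
    if NOTE_PARAMS <= set(parse_qs(parts.query)):
        reasons.append("user_code+user_pass-params")
    return reasons


def scan(log_lines):
    """Return (client_ip, url, reasons) for each log line with a match."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        reasons = classify(fields[2])
        if reasons:
            hits.append((fields[1], fields[2], reasons))
    return hits


# Constructed proxy log lines; the URLs are the ones quoted in the note.
SAMPLE_LOG = [
    "2015-03-25T05:01:10Z 10.0.0.21 http://iezqmd4s2fflmh7n.tor-explorer.org/ql4a0m27.php?user_code=36a68a9&user_pass=2797",
    "2015-03-25T05:02:44Z 10.0.0.21 http://iezqmd4s2fflmh7n.tor2web.blutmagie.de/ql4a0m27.php?user_code=36a68a9&user_pass=2797",
    "2015-03-25T05:03:02Z 10.0.0.35 http://www.example.com/index.php?user=bob",
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, urlsplit(url).hostname, ",".join(reasons))
```

A client that matches both reasons has most likely opened the ransom note's link, which makes it a candidate for isolation and a check of the network shares it can reach.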




#2 quietman7


Posted 25 March 2015 - 11:51 AM

A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

There is also a lengthy ongoing discussion in this topic: Cryptolocker Hijack Program.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




