
About Cryptolocker


This topic is locked. 7 replies to this topic

#1 3J Kernel (Members, 67 posts)

Posted 02 April 2015 - 11:44 AM

Hi people:
We have a YouTube channel where we made a video about Cryptolocker and how to delete it and restore the encrypted files (with the FireEye web site, etc.). It was 5 months ago.
Now, we have received lots of mails and comments telling us that the video is useless for them because
Searching on the internet, we found this https://www.youtube.com/watch?v=1E8uQtVu5CE
and this YouTuber uses SmartSniff to check the connection with Cryptolocker, but the people who ask us have cleaned their computers with an antivirus and Cryptolocker is not there.
Is it possible to see old connections on a computer with SmartSniff (to see the Cryptolocker connection)?
Do you know another way to decrypt the files? Where can I find the keys?
Thanks a lot in advance.
Francisco.

Edited by Queen-Evie, 02 April 2015 - 12:23 PM.
moved from Am I Infected to General Security




#2 speel (Members, 10 posts)

Posted 02 April 2015 - 11:53 AM

To see the connections you can use CPort http://www.nirsoft.net/utils/cports.html

My guess is they're infected with another cryptovirus which has totally different encryption keys.



#3 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 02 April 2015 - 12:11 PM

Hi 3J Kernel :)

First of all, we are talking about three different Cryptoware here: CryptoLocker, which is the original and the one you cover in your video, then CryptoWall and CryptoDefense, the ones covered in that other YouTuber's video.

As of right now, CryptoWall encrypted files cannot be decrypted and as for CryptoDefense encrypted files, they can be decrypted only in 50% of the cases if they were encrypted prior to April 1st 2014 (since there was a flaw in the first release, but the second release patched it). You can read more about these two in their support threads here:

CryptoWall - new variant of CryptoDefense
CryptoDefense - Newest cryptolocker variant - Details inside

Also the "DecryptCryptoLocker" website from FoxIT and FireEye will ONLY work with files encrypted with CryptoLocker since they have 50,000 private keys that were used by it for the encryption and not the other Cryptowares that were created after it.

Personally I fail to see how his technique could work since he would have to sniff the packets during the encryption to grab a packet with the private key used, and not after where nothing is left on the system but encrypted files and the "HELP_DECRYPT" files.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 3J Kernel (Topic Starter)

Posted 02 April 2015 - 12:23 PM

> Hi 3J Kernel :)
>
> First of all, we are talking about three different Cryptoware here: CryptoLocker, which is the original and the one you cover in your video, then CryptoWall and CryptoDefense, the ones covered in that other YouTuber's video.
>
> As of right now, CryptoWall encrypted files cannot be decrypted and as for CryptoDefense encrypted files, they can be decrypted only in 50% of the cases if they were encrypted prior to April 1st 2014 (since there was a flaw in the first release, but the second release patched it). You can read more about these two in their support threads here:
>
> CryptoWall - new variant of CryptoDefense
> CryptoDefense - Newest cryptolocker variant - Details inside
>
> Also the "DecryptCryptoLocker" website from FoxIT and FireEye will ONLY work with files encrypted with CryptoLocker since they have 50,000 private keys that were used by it for the encryption and not the other Cryptowares that were created after it.
>
> Personally I fail to see how his technique could work since he would have to sniff the packets during the encryption to grab a packet with the private key used, and not after where nothing is left on the system but encrypted files and the "HELP_DECRYPT" files.

Thank you. Then... if I upload a file to FireEye and the message "This file is not encrypted..." appears, is it because it is encrypted by another cryptovirus, or is it possible that FireEye does not have the Cryptolocker key for my file?


> To see the connections you can use CPort http://www.nirsoft.net/utils/cports.html
>
> My guess is they're infected with another cryptovirus which has totally different encryption keys.

Can I see old connections on a computer with that tool?



#5 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 02 April 2015 - 12:29 PM

If you upload an encrypted file on DecryptCryptolocker and it returns an error message, it's most likely:
  • Because the file is corrupted/damaged and the encryption can't be detected;
  • The file was encrypted using a different encryption method (therefore, it wasn't encrypted by CryptoLocker);
  • There's no private key matching the encryption of the file you uploaded;
And I can't tell, as I never tried it, but I can dig around and see if Windows keeps the old connections somewhere locally.

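Whether a cleaned machine still holds a record of old connections, as asked above, depends on what was being logged before the infection; a sniffer like SmartSniff or a live-port viewer only shows traffic while it is happening. As an added example that is not from this thread, the script below reads the Windows Firewall log format (pfirewall.log) and lists outbound connections to non-local hosts in a time window; it assumes "Log successful connections" had been enabled (by default Windows logs only dropped packets, or nothing), and the sample log lines are constructed.

```python
# Added example, not from the thread: parse a Windows Firewall log
# (pfirewall.log) and list outbound connections to non-local hosts in a time
# window. Assumption: "Log successful connections" was enabled before the
# infection; by default Windows only logs dropped packets, or nothing at all.
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample in pfirewall.log format; public IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-03-28 09:15:02 ALLOW UDP 192.168.1.20 192.168.1.1 49152 53 0 - - - - - - - SEND
2015-03-28 09:16:40 ALLOW TCP 192.168.1.20 203.0.113.45 49201 443 0 - 0 0 0 - - - SEND
2015-03-28 09:16:41 ALLOW TCP 192.168.1.20 203.0.113.45 49202 443 0 - 0 0 0 - - - SEND
2015-03-28 09:17:05 ALLOW TCP 192.168.1.20 198.51.100.7 49203 80 0 - 0 0 0 - - - SEND
2015-03-28 09:20:11 ALLOW TCP 203.0.113.45 192.168.1.20 443 49201 0 - 0 0 0 - - - RECEIVE
2015-03-29 14:00:00 ALLOW TCP 192.168.1.20 192.0.2.9 49300 80 0 - 0 0 0 - - - SEND
"""

# RFC 1918 and loopback ranges, checked explicitly because Python's
# ip_address.is_private also flags the documentation ranges used above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines, never guess
                records.append(dict(zip(fields, values)))
    return records


def external_outbound(records, start, end):
    """Count (dst-ip, dst-port) for SEND records in [start, end] to non-local hosts."""
    hits = Counter()
    for r in records:
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        dst = ipaddress.ip_address(r["dst-ip"])
        if r["path"] == "SEND" and start <= when <= end \
                and not any(dst in net for net in LOCAL_NETS):
            hits[(r["dst-ip"], r["dst-port"])] += 1
    return hits
```

Point the window at the hours around the first ransom note's timestamp and the remaining destinations are the candidates worth checking; if the log was never enabled, there is simply nothing to recover this way.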


#6 3J Kernel (Topic Starter)

Posted 02 April 2015 - 12:31 PM

> If you upload an encrypted file on DecryptCryptolocker and it returns an error message, it's most likely:
>
>   • Because the file is corrupted/damaged and the encryption can't be detected;
>   • The file was encrypted using a different encryption method (therefore, it wasn't encrypted by CryptoLocker);
>   • There's no private key matching the encryption of the file you uploaded;
>
> And I can't tell, as I never tried it, but I can dig around and see if Windows keeps the old connections somewhere locally.

Thanks a lot, if you could I would be so grateful!!


Edited by 3J Kernel, 02 April 2015 - 12:34 PM.


#7 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 02 April 2015 - 12:34 PM

No problem. Expect some Staff members to jump in this thread and give you more information, I'm merely introducing you :P



#8 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 02 April 2015 - 01:39 PM

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also lengthy ongoing discussions in these topics:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
