
Cryptolocker Virus


  • This topic is locked
3 replies to this topic

#1 jpwowee


Posted 10 April 2015 - 10:10 AM

Dear All
 
Can anyone advise?
 
I have unfortunately been infected by a cryptolocker virus. I am on a PC using Windows 7. I have McAfee installed and after a conversation with McAfee today over the phone, they have informed me that they can remove the virus and clean everything up but cannot help with the decryption of the files that have been infected. I see advice on the forum on the decryption subject. I have followed directions to the file decryption service by FireEye but no luck. Am I completely screwed on decrypting my jpgs and word docs etc? I have no backup!!
 
There is a lot of advice on here about cryptolocker removal (but I am no PC wizard) that dates back 6 months or more, and it seems that the advice on here and other websites is now out of date.
 
Your help is appreciated 
 
Thank you
 
jpwowee

Edited by hamluis, 10 April 2015 - 10:50 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 Aura


Posted 10 April 2015 - 10:16 AM

Hi jpwowee :)

The online service "Decrypt CryptoLocker", by FireEye and Fox IT, can only be used to decrypt files that were encrypted by the original Cryptoware, CryptoLocker. This is possible because during Operation Tovar, which was used to shut down the GameOver ZeuS botnet, which was used to distribute CryptoLocker, they seized servers where the private keys used for encryption were uploaded. After that, they set up the DecryptCryptolocker.com website that allows you to upload a CryptoLocker encrypted file and it'll test it against the 50,000 private keys they retrieved from the server to see if one matches your file's private key. If it does, they'll send you a decrypter executable along with your private key. Therefore, files encrypted by any Cryptoware other than CryptoLocker cannot be decrypted via this service. However, Operation Tovar put an end to the distribution of CryptoLocker, hence the infection isn't active anymore. I feel that you've been infected with "PClock", which is a Cryptoware that is copying CryptoLocker in its ransom note.

I suggest you head over to the PClock support thread to ask for assistance, since there's a chance that you have been infected with a variant allowing you to get your files decrypted without paying the ransom. You'll have to download the latest version of the Emsisoft Decrypter too. Here's the link:

http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/page-54#entry3675987

Support threads:

Good luck :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
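
The key-matching step described in the post above, sketched as an added example that is not part of the original thread and is not the service's own code. It uses toy textbook RSA over constructed Mersenne-prime keys; the marker, key sizes and the idea that a file carries one wrapped file key are assumptions for illustration, not CryptoLocker's real format.

```python
# Added illustration: a recovery service holding seized private keys tries
# each one against the wrapped key taken from an uploaded file.
# Toy textbook RSA; every value below is constructed for the example.
E = 65537
PAD = b"\x01KEY"   # constructed marker that proves the right key was used
KEY_LEN = 16       # assumed length of the per-file key


def mersenne(k):
    """2**k - 1, which is prime for k = 61, 89, 107 and 127."""
    return 2 ** k - 1


def make_private_key(p, q):
    """Return (n, d) for primes p, q and public exponent E."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def wrap_file_key(file_key, n):
    """Encrypt the padded file key under one public key (n, E)."""
    m = int.from_bytes(PAD + file_key, "big")
    if m >= n:
        raise ValueError("padded key does not fit under the modulus")
    return pow(m, E, n)


def find_matching_key(wrapped, seized_keys):
    """Trial-decrypt with every seized key; return (index, file_key) or None."""
    for index, (n, d) in enumerate(seized_keys):
        m = pow(wrapped, d, n)
        plain = m.to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")
        # A wrong key yields random-looking bytes, so the marker will not match.
        if len(plain) == len(PAD) + KEY_LEN and plain.startswith(PAD):
            return index, plain[len(PAD):]
    return None


# Constructed stand-ins for the seized key set and for a key that was never seized.
SEIZED = [make_private_key(mersenne(89), mersenne(107)),
          make_private_key(mersenne(107), mersenne(127)),
          make_private_key(mersenne(89), mersenne(127))]
UNSEIZED = make_private_key(mersenne(61), mersenne(107))
```

A file whose key was wrapped under a key outside the seized set returns `None`, which is the case for files encrypted by any other ransomware family.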


#3 jpwowee


Posted 10 April 2015 - 10:42 AM

Aura

 

Thanks for the advice, very much appreciated. The EXE link over on the PClock forum, provided by Fabian Wosar, comes up with the following when I run it.

 

"The decryption key for your system could not be found. There is unfortunately no way to decrypt your files. We instead suggest to restore your files from your latest back up."

 

I don't have a backup. Am I screwed?

 

Thanks

 

jpwowee :-)



#4 hamluis


Posted 10 April 2015 - 10:48 AM

Please...see following.

 

A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

Reading that Guide will help you understand what CryptorBit and HowDecrypt Ransomware does and provide information for how to deal with it and possibly recover your data.
 
There is also a lengthy ongoing discussion in this topic: HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic. Since this infection is so widespread, rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff

This topic is now closed.

 

Louis





