Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Identifying which variant of Cryptolocker/Torrentlocker (encrypted)

  • This topic is locked This topic is locked
2 replies to this topic

#1 chaslinux


  • Members
  • 4 posts
  • Local time:04:24 AM

Posted 24 April 2015 - 04:01 PM

I had someone bring a PC to me today that is infected with some variant of Cryptolocker. The expiry period has passed already. I've attached a picture of it. I had the good sense not to plug it into our network (I never do with any untrusted systems). The picture looks like normal Cryptolocker and there's an icon on the desktop that says Cryptolocker, but I was under the impression that the original Cryptolocker network was shut down and that the keys were publically available to combat the problem.
The person who brought it to me claimed they had a friend who was using their computer yesterday, but I suspect the infection was probably on their system for awhile (most of the screenshots of Cryptolocker I've seen have been at least 50+ hours). I noticed there's a VV72 number in the top left, is this a variation #.
Where to start next?
Since the system (Windows XP) is a Dell Inspiron 2400 that probably only has a 40GB HDD inside I was thinking I would just replace his hard drive, reinstall using his license on the new drive and we'd ditch his old drive. The person was okay with this idea since much of their work is attachments in their Hotmail/Outlook email. (thinking some of them might be infected). But I'm posting here for interest sake and willing to do some troubleshooting for the sake of giving back and furthering research.

Attached Files

Edited by Queen-Evie, 24 April 2015 - 04:08 PM.
moved from Malware Removal Logs to General Security

BC AdBot (Login to Remove)


#2 Aura


    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:04:24 AM

Posted 24 April 2015 - 04:17 PM

Hi chaslinux :)

This system is infected with TeslaCrypt. There's currently a support thread on-going for TeslaCrypt where you can ask for assistance and seek answers to your question. I'll ask you to go post there since it's better to have all the information centralized instead of having hundreds of threads about the same issue. The thread can be found at the link below.

New TeslaCrypt Ransomware sets its scope on video gamers

For now, Lawrence Abrams (aka Grinler, the Founder and Owner of BleepingComputer) recommends to not pay the ransom and that "something" might be on it's way. So I would follow the thread and pay attention to it. See his post below:


Good luck :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,093 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:24 AM

Posted 24 April 2015 - 04:22 PM

Any files that are encrypted with TeslaCrypt will have the .ecc extension added to the end of the filename. At this time there is no fix tool and no way to decrypt the files.

There is an ongoing discussion in this topic: New TeslaCrypt Ransomware sets its scope on video gamers

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users