

Crypt0L0cker Support Topic


648 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 27 April 2015 - 11:09 PM

There is a new ransomware out called Crypt0L0cker (the OHs are replaced with ZEROs). This ransomware appears to be a direct descendant of TorrentLocker, with the only known difference at this point being how it targets files for encryption. It is currently being distributed via email campaigns claiming to be government notices such as speeding violations. Once a user is infected, the ransom will be set at approximately 2 bitcoins. This infection is targeting almost all countries other than the United States. Computers using a United States IP address will not become infected at this time.

In the past, TorrentLocker would target only certain file types for encryption. Crypt0L0cker, on the other hand, uses an exclude list that contains only a few file types. This exclude list is:
 
avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,url,lnk,cmd,bat,scr,msi,sys,dll,exe
Known Command & Control Servers and associated IP addresses:

62.173.145.212 tidisow . ru
62.173.145.212 lepodick . ru

We will be using this topic to support this ransomware and to post new analysis as it comes in.

Screenshots:

  • DECRYPT_INSTRUCTIONS.html.jpg: DECRYPT_INSTRUCTIONS.HTML
  • DECRYPT_INSTRUCTIONS.txt.jpg: DECRYPT_INSTRUCTIONS.TXT
  • decryption-site.jpg: Decryption Site, Buy Decryption Page
  • free-decryption.jpg: Decryption Site, One Free Decryption Page
  • frequently-asked-questions.jpg: Decryption Site, FAQ Page
  • dc-support-page.jpg: Decryption Site, Support Page
  • afp-ransomware.png: Example of a scam mail distributing Crypt0L0cker
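The exclude-list targeting described in the post above, as an added example that is not part of the original post and not code from the malware: a small Python model comparing an include-list policy (the older TorrentLocker style; the include list used here is an assumed illustration, not taken from the post) against the exclude list quoted above, over a constructed set of paths. The point it makes is that backup images, databases and archives, which an include list of document types would skip, are all in scope once only a handful of extensions are excluded.

```python
"""Added example, not code from the post or the malware: model the
file-targeting difference between an include list (the older
TorrentLocker style; the list here is an assumed illustration) and the
exclude list quoted in the post, over a constructed set of paths."""
import ntpath

# Exclude list exactly as quoted in the post: extensions Crypt0L0cker skips.
CRYPT0L0CKER_EXCLUDE = set(
    "avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,"
    "url,lnk,cmd,bat,scr,msi,sys,dll,exe".split(",")
)

# Assumed include list for the older "only these document types" model.
# Illustrative only; not taken from the post.
INCLUDE_LIST_ASSUMED = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "zip"}


def extension(path):
    """Lower-case extension without the dot, '' if the name has none."""
    return ntpath.splitext(path)[1].lstrip(".").lower()


def in_scope_exclude_list(path, exclude=CRYPT0L0CKER_EXCLUDE):
    """Exclude-list model: everything not explicitly skipped gets encrypted."""
    return extension(path) not in exclude


def in_scope_include_list(path, include=INCLUDE_LIST_ASSUMED):
    """Include-list model: only listed types get encrypted."""
    return extension(path) in include


def compare(paths):
    """{path: (hit under include list, hit under exclude list)}."""
    return {p: (in_scope_include_list(p), in_scope_exclude_list(p)) for p in paths}


def newly_exposed(paths):
    """Files an include list would leave alone but the exclude list hits."""
    return sorted(p for p, (old, new) in compare(paths).items() if new and not old)


# Constructed sample file set; not from any real infection.
SAMPLE_PATHS = [
    r"C:\Users\a\Documents\report.docx",
    r"C:\Users\a\Documents\notes.txt",
    r"C:\Backups\C_VOL-b001.spf",   # backup image; in scope under the exclude list
    r"C:\Data\db.sqlite",
    r"C:\Data\archive.7z",
    r"C:\Windows\notepad.exe",
    r"C:\Users\a\Pictures\cat.png",
    r"C:\Users\a\Pictures\cat.jpg",
]

if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLE_PATHS).items():
        print(f"{path:40} include-list:{old!s:6} exclude-list:{new!s:6}")
    print("newly exposed:", newly_exposed(SAMPLE_PATHS))
```

Run it against a listing of a file server or a backup share (one path per line) instead of SAMPLE_PATHS to see what an exclude-list ransomware would reach; anything `newly_exposed` reports is data an older include-list family would have left alone.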




#2 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 28 April 2015 - 09:30 AM

Do you have a sample?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 celalalt

  • Members
  • 11 posts

Posted 28 April 2015 - 09:36 AM

I managed to get this one on one of my laptops. Just for fun :devil:

It did install and it did encrypt everything on it.

I don't think it's targeted only to Asia and Australia. I'm from Europe and it worked.

Btw, I got it on purpose from malwr.com, which now seems to be down.



#4 celalalt

  • Members
  • 11 posts

Posted 28 April 2015 - 10:28 AM

Do you have a sample?


<Sample Removed>

From Grinler: I removed the sample so that others do not inadvertently download and infect themselves. If you wish to send someone a link to a sample, please do it via private message.

#5 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 28 April 2015 - 10:41 AM

I don't think it's targeted only to Asia and Australia. I'm from Europe and it worked.


Which country are you from? I know it's not allowing requests from the US.

#6 celalalt

  • Members
  • 11 posts

Posted 28 April 2015 - 10:43 AM

 

Which country are you from? I know it's not allowing requests from the US.

Romania

Thanks for removing the link I posted earlier. I didn't take into consideration that people might download the file without knowing what they'll do :)

I've sent a private message to White Hat Mike.


Edited by celalalt, 28 April 2015 - 10:46 AM.


#7 robk810

  • Members
  • 4 posts

Posted 28 April 2015 - 10:54 AM

I'm in Australia and had one of my customers get this. Went straight through Bitdefender. Have already raised a support incident with L1 support and it's being escalated to L2 within Bitdefender. Will post any info I receive from them.

Have just had to recover a server from a backup from just before the infection happened and have had to manually restore my customers' data that they entered today.

Rather nasty, this one. It seemed to go after and encrypt PDF, xml, doc, docx, xls, xlsx type files, to name a few. Alarmingly, it encrypted ShadowProtect backup image files, rendering the onsite backups useless. Lucky the backup data was being replicated offsite.



#8 Fremont PC

  • Members
  • 115 posts

Posted 28 April 2015 - 11:05 AM

robk810 -

Did it also truncate the backup image files?



#9 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 28 April 2015 - 11:06 AM

Thanks for the samples.  Taking a look at it now...




#10 robk810

  • Members
  • 4 posts

Posted 28 April 2015 - 11:09 AM

You mean did it shorten the filename? If so, then no... it did not.

Example of a filename is as follows:

C_VOL-b001.spf.encrypted



#11 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 28 April 2015 - 11:17 AM

Some quick initial info:

It does delete VSCs, it drops a binary file in the C:\WINDOWS directory, and another file in C:\ProgramData. It looks like it disables IE's phishing filter, and it launches IE at the end of its prior activities. It creates a registry key value under the "Run" key for the binary under the Windows directory, and it drops ransom notes in each directory where files have been encrypted.

Ransom notes are named as such: DECRYPT_INSTRUCTIONS.txt and DECRYPT_INSTRUCTIONS.html

Also opens Notepad, I assume to display the ransom note. I will run it and analyze more in-depth later on.

Makes connections to Russian IPs, and also uses various TOR gateways. It connects to a known malicious domain (geolocation: Russia). See below for IP / domain; do not browse to the domain for your own safety. Added spaces between octets / domain name for added security.

62 . 173 . 145 . 212 --> tidisow . ru


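A triage helper for the host artefacts listed in the post above (ransom notes per directory, files renamed with ".encrypted", and a Run-key value launching a binary that sits directly in the Windows or ProgramData directory), written as an added example; it is not code from the post or the malware. The host snapshot it walks is constructed, the file and value names in it are made up, and treating a Run value that launches from directly inside those two directories as suspicious is an assumed heuristic rather than a signature the post provides.

```python
"""Added triage example; not code from the post or the malware. It walks a
constructed host snapshot for the artefacts the post describes: ransom
notes per directory, files renamed with ".encrypted", and a Run-key value
that launches a binary sitting directly in the Windows or ProgramData
directory. Snapshot contents and the Run-key heuristic are assumptions."""
import ntpath
import re
from collections import Counter

RANSOM_NOTES = {"decrypt_instructions.txt", "decrypt_instructions.html"}
ENCRYPTED_SUFFIX = ".encrypted"
# Drop locations named in the post. Treating a Run value that launches from
# directly inside either as suspicious is an assumed heuristic.
SUSPECT_DROP_DIRS = {r"c:\windows", r"c:\programdata"}


def original_name(name):
    """Strip the appended '.encrypted' to recover the pre-infection name."""
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def triage_files(paths):
    """Return (dirs with a ransom note, encrypted count per dir,
    original extensions of encrypted files)."""
    dirs_with_notes = set()
    per_dir = Counter()
    exts = Counter()
    for p in paths:
        d, name = ntpath.split(p)
        if name.lower() in RANSOM_NOTES:
            dirs_with_notes.add(d.lower())
        elif name.lower().endswith(ENCRYPTED_SUFFIX):
            per_dir[d.lower()] += 1
            exts[ntpath.splitext(original_name(name))[1].lower()] += 1
    return dirs_with_notes, per_dir, exts


# First token of a Run value: optionally quoted drive-letter path to an .exe.
_RUN_TARGET = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)"?', re.I)


def suspicious_run_values(run_values):
    """run_values: {value name: command line}. Flags commands whose
    executable lives directly in one of SUSPECT_DROP_DIRS."""
    hits = []
    for name, cmd in run_values.items():
        m = _RUN_TARGET.match(cmd.strip())
        if not m:
            continue
        exe = m.group(1)
        if ntpath.dirname(exe).lower().rstrip("\\") in SUSPECT_DROP_DIRS:
            hits.append((name, exe))
    return hits


# Constructed snapshot (no real infection data; names are made up).
SNAPSHOT_PATHS = [
    r"C:\Users\a\Documents\DECRYPT_INSTRUCTIONS.txt",
    r"C:\Users\a\Documents\DECRYPT_INSTRUCTIONS.html",
    r"C:\Users\a\Documents\report.docx.encrypted",
    r"C:\Users\a\Documents\budget.xlsx.encrypted",
    r"C:\Backups\DECRYPT_INSTRUCTIONS.txt",
    r"C:\Backups\C_VOL-b001.spf.encrypted",
    r"C:\Windows\notepad.exe",
]
SNAPSHOT_RUN = {
    "OneDrive": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "dropped_sample": r"C:\Windows\dropped_sample.exe",   # made-up name
}

if __name__ == "__main__":
    notes, per_dir, exts = triage_files(SNAPSHOT_PATHS)
    print("directories with ransom notes:", sorted(notes))
    print("encrypted files per directory:", dict(per_dir))
    print("original extensions hit:", dict(exts))
    print("suspicious Run values:", suspicious_run_values(SNAPSHOT_RUN))
```

Feed `triage_files` a recursive directory listing taken from the affected host (or a mounted image) and `suspicious_run_values` the exported HKCU/HKLM Run keys; the per-directory counts give the blast radius, and the extension counter is a quick check of whether backup images or databases were among the files hit.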


#12 unkur

  • Members
  • 1 posts

Posted 28 April 2015 - 11:22 AM

Hi, I'm Korean. I'm glad this topic was opened. Crypt0L0cker (maybe not the same as 'CryptoLocker') has infected Korea online; it started 21 Apr (Korea time).

I was infected too (but I have already treated it now). My infected files are very important, so I backed them up separately.

If you need an 'infected file / original file' for analysis, I'll send it (+ it contains a 'DECRYPT_INSTRUCTIONS.TXT').

English writing is so difficult. Sorry :)



#13 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 28 April 2015 - 11:32 AM

FYI -- ransom notes are named / translated based on the geolocation of the affected system's IP address.

Example domains generated:

hxxp://cld7vqwcvn2bii67.onion/spmzmhl.php?user_code=28n94p0&user_pass=5851
hxxp://cld7vqwcvn2bii67.tor2web.blutmagie.de/spmzmhl.php?user_code=28n94p0&user_pass=5851
hxxp://cld7vqwcvn2bii67.tor4browser.org/spmzmhl.php?user_code=28n94p0&user_pass=5851
hxxp://cld7vqwcvn2bii67.torlocator.org/spmzmhl.php?user_code=28n94p0&user_pass=5851

Makes a POST to the malicious domain at this page:

hxxps://tidisow.ru/topic.php


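An added example (not code from the post or the malware) that pulls the per-victim fields (user_code, user_pass) out of the payment URLs quoted above and folds the tor2web gateway hostnames back to the single .onion service, so a blocklist or a case file needs one indicator rather than one per gateway. It accepts the defanged "hxxp" form the post uses as well as live URLs. The gateway list is the three from the post; also accepting 56-character v3 onion names, beyond the 16-character name shown, is an assumption; the sample ransom-note text is constructed around the quoted URLs.

```python
"""Added example; not code from the post or the malware. Pulls the per-victim
fields (user_code, user_pass) out of the payment URLs quoted above and folds
tor2web gateway hostnames back to the single .onion service. Accepting
56-character v3 onion names as well as the 16-character one shown is an
assumption; the sample note text is constructed around the quoted URLs."""
import re
from urllib.parse import parse_qs, urlsplit

# Gateways quoted in the post; extend as new ones are observed.
TOR2WEB_SUFFIXES = ("tor2web.blutmagie.de", "tor4browser.org", "torlocator.org")
_ONION_HOST = re.compile(
    r"^([a-z2-7]{16}(?:[a-z2-7]{40})?)\.(onion|"
    + "|".join(re.escape(s) for s in TOR2WEB_SUFFIXES)
    + r")$",
    re.I,
)
# Matches live and defanged (hxxp) URLs up to the next whitespace or quote.
_URL = re.compile(r"""h(?:xx|tt)ps?://[^\s<>"']+""", re.I)


def normalise_onion(host):
    """'<id>.onion' or '<id>.<gateway>' -> '<id>.onion'; None otherwise."""
    m = _ONION_HOST.match(host)
    return f"{m.group(1).lower()}.onion" if m else None


def parse_payment_url(url):
    """Parse one URL into its onion, gateway, path and victim fields."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = (parts.hostname or "").lower()
    onion = normalise_onion(host)
    if onion is None:
        return None
    qs = parse_qs(parts.query)
    return {
        "onion": onion,
        "gateway": None if host.endswith(".onion") else host,
        "path": parts.path,
        "user_code": qs.get("user_code", [None])[0],
        "user_pass": qs.get("user_pass", [None])[0],
    }


def extract_from_note(text):
    """All distinct payment URLs in a ransom note, parsed, in order found."""
    out = []
    for url in _URL.findall(text):
        p = parse_payment_url(url)
        if p and p not in out:
            out.append(p)
    return out


def consolidated_indicators(parsed):
    """Collapse gateway variants to (onion, user_code, user_pass) tuples."""
    return sorted({(p["onion"], p["user_code"], p["user_pass"]) for p in parsed})


# Constructed note text built around the URLs quoted in the post.
SAMPLE_NOTE = """Your files have been encrypted. To buy the key visit:
hxxp://cld7vqwcvn2bii67.onion/spmzmhl.php?user_code=28n94p0&user_pass=5851
If the address does not open, use one of:
hxxp://cld7vqwcvn2bii67.tor2web.blutmagie.de/spmzmhl.php?user_code=28n94p0&user_pass=5851
hxxp://cld7vqwcvn2bii67.torlocator.org/spmzmhl.php?user_code=28n94p0&user_pass=5851
Unrelated link: hxxps://www.example.com/faq
"""

if __name__ == "__main__":
    for p in extract_from_note(SAMPLE_NOTE):
        print(p)
    print(consolidated_indicators(extract_from_note(SAMPLE_NOTE)))
```

Point `extract_from_note` at the DECRYPT_INSTRUCTIONS.txt from a real case and the `user_code`/`user_pass` pair identifies that victim's record on the payment site; the consolidated `.onion` name is the indicator to block, since the gateway hostnames are interchangeable and new ones can be added at any time.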


#14 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 28 April 2015 - 11:43 AM

Adds ".encrypted" to the end of affected filenames.




#15 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 28 April 2015 - 05:32 PM

Added a news story for Crypt0L0cker:

http://www.bleepingcomputer.com/forums/t/574686/torrentlocker-changes-its-name-to-crypt0l0cker-and-bypasses-us-computers/



