
TorrentLocker changes its name to Crypt0L0cker and bypasses U.S. computers


133 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 28 April 2015 - 05:09 PM



A new ransomware called Crypt0L0cker (the OHs have been replaced with ZEROs) has been released that appears to be a new version of TorrentLocker. This ransomware was first sighted at the end of April in European and Asian countries and in Australia. Unlike TorrentLocker, for some reason this variant is Geo-Locked so that it will not install on US based computers. This ransomware is currently being distributed through emails that pretend to be traffic violations or other government notices. At this point it is unknown what encryption method is used and if its possible to recover encrypted files. The ransom amount is currently set for 2.2 Bitcoins.

At a brief glance, Crypt0L0cker uses the same communication methods as TorrentLocker. When first installed, Crypt0L0cker will connect to a Command & Control server and send the victim's unique identifier as well as the campaign ID. The Command & Control server will then send back the HTML ransom note and the name of the file it should be saved as. Currently the HTML ransom note is DECRYPT_INSTRUCTIONS.html and text version is DECRYPT_INSTRUCTIONS.txt. An example of the ransom note can be found below:
[Image: DECRYPT_INSTRUCTIONS.html ransom note]

Crypt0L0cker will then begin to scan all hard drive letters and encrypt any files that do not match an exclude list. When a file is encrypted it will append the .encrypted extension to the file name. Unlike TorrentLocker, which had a hard coded extension list that it targeted, Crypt0L0cker has a hard coded list of extensions that it does not target. This allows it to encrypt any file type other than the select few that it deems would cause a problem with Windows. The list of excluded file types is:

avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,url,lnk,cmd,bat,scr,msi,sys,dll,exe

During this process, Crypt0L0cker will also delete all of your Shadow Volume Copies so that you are unable to recover your files from them.

When the encryption process is done, it will display the ransom notes, which were created in every folder on your computer. It will also configure Crypt0L0cker to start every time you log into Windows by adding a system.pif to your Startup folder and an autorun to the Windows Registry. These startups allow the malware to display the ransom note every time you log in to Windows.

Like TorrentLocker, the ransom notes contain personal links to the Buy Decryption site where you can get instructions on how to make a payment. These links contain your personal ID and password so that you only have access to your own information. It is on this site that you will be told how many bitcoins you must pay, how long you have to pay it, and what bitcoin address you must send the payment to. Like TorrentLocker, Crypt0L0cker's Buy Decryption site is broken up into Buy Decryption, Free Decrypt Single File, Frequently Asked Questions, and Support pages. This is essentially the exact same site as the TorrentLocker one.
[Image: Crypt0L0cker's Decryption Site]

At this time there is no known way to decrypt your files for free. It is suggested that you restore your files from backup, and if that is not an option, attempt to use recovery software to recover your files. For those who want to discuss this infection, a dedicated Crypt0L0cker Support Topic has been created.

As new information is released, we will be sure to update this story.


Known Crypt0L0cker Scareware Files:

C:\ProgramData\iwymyzucasakodon\
C:\ProgramData\iwymyzucasakodon\00000000
C:\ProgramData\iwymyzucasakodon\01000000
C:\ProgramData\iwymyzucasakodon\02000000
C:\ProgramData\iwymyzucasakodon\03000000
C:\ProgramData\iwymyzucasakodon\04000000
C:\ProgramData\iwymyzucasakodon\05000000
C:\ProgramData\iwymyzucasakodon\06000000
%StartMenu%\Programs\Startup\system.pif
%WinDir%\<random>.exe

Known Crypt0L0cker Scareware Registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random> "C:\Windows\<random>.exe"
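An added triage example (not code from the post, BleepingComputer, or the malware) that classifies a host's file listing against the indicators described above: the .encrypted extension, the DECRYPT_INSTRUCTIONS notes, the system.pif Startup persistence, and, for untouched files, whether their extension falls outside the exclude list and so would have been a target. The sample listing is constructed.

```python
# Added example (not code from the post or the malware): triage a file listing
# for the Crypt0L0cker indicators described above. Every file whose extension
# is NOT on the exclude list quoted in the post is a target; encrypted files
# gain a ".encrypted" suffix.
import posixpath

EXCLUDED_EXTENSIONS = {
    "avi", "wav", "mp3", "gif", "ico", "png", "bmp", "txt", "html", "inf",
    "manifest", "chm", "ini", "tmp", "log", "url", "lnk", "cmd", "bat", "scr",
    "msi", "sys", "dll", "exe"}
RANSOM_NOTES = {"decrypt_instructions.html", "decrypt_instructions.txt"}


def _norm(path):
    return path.replace("\\", "/").lower()  # forward slashes: works on any host


def in_scope(path):
    """True if Crypt0L0cker would encrypt this file (extension not excluded)."""
    return posixpath.splitext(_norm(path))[1].lstrip(".") not in EXCLUDED_EXTENSIONS


def is_startup_persistence(path):
    """system.pif dropped in a Startup folder, the autostart the post describes."""
    p = _norm(path)
    return posixpath.basename(p) == "system.pif" and "/startup/" in p


def triage(paths):
    """Classify a host's file listing into indicator lists plus a verdict."""
    r = {"encrypted": [], "ransom_note_dirs": set(), "persistence": [], "at_risk": []}
    for path in paths:
        name = posixpath.basename(_norm(path))
        if name in RANSOM_NOTES:
            r["ransom_note_dirs"].add(posixpath.dirname(_norm(path)))
        elif name.endswith(".encrypted"):
            r["encrypted"].append(path)
        elif is_startup_persistence(path):
            r["persistence"].append(path)
        elif in_scope(path):
            r["at_risk"].append(path)  # untouched so far, but a target
    r["ransom_note_dirs"] = sorted(r["ransom_note_dirs"])
    r["infected"] = bool(r["encrypted"] or r["ransom_note_dirs"] or r["persistence"])
    return r


# Constructed sample listing, not from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\DECRYPT_INSTRUCTIONS.html",
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\thesis.docx.encrypted",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif",
]
```

Run `triage(SAMPLE_LISTING)` on a listing exported from a suspect machine; the at_risk list is the set of files that would be lost without backups or intact shadow copies.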



#2 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 28 April 2015 - 05:58 PM

Why would it impersonate AdwCleaner (Registry key wise)? So weird.

Edited by Aura., 28 April 2015 - 05:58 PM.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 28 April 2015 - 07:46 PM

It doesn't. That was a mistake.

#4 RobertHD (Members)

Posted 29 April 2015 - 02:56 AM

Not another one!


Robert James Crawley Klopp


#5 rp88 (Members)

Posted 29 April 2015 - 12:07 PM

How is this one arriving on victims' machines? By drive-by exploits, by pretending to be legitimate software to trick users into running it, or in attachments on scam emails?
Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#6 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 29 April 2015 - 12:10 PM

This ransomware is currently being distributed through emails that pretend to be traffic violations or other government notices.



#7 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 29 April 2015 - 01:36 PM

Note that there are scammers who have set up removal guides for this ransomware. All their guides will do is remove the infection. They do not actually decrypt your files. So please do not purchase any programs suggested by them.

#8 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 29 April 2015 - 01:37 PM

An example of the scam emails being used to distribute Crypt0L0cker is:

[Image: afp-ransomware.png, example of the scam email]



#9 ventora (Members)

Posted 05 May 2015 - 10:58 PM

My friend just got this Crypt0L0cker and the ransom note was written in Thai.


Edited by ventora, 05 May 2015 - 11:01 PM.


#10 Myzreal (Members)

Posted 12 May 2015 - 04:21 PM

My father's computer was infected with this bleep today. I can provide files that might help someone figure out how to crack it - an encrypted version, the original and a failed attempt of the TorrentLocker cracking software at decoding it.



#11 sethicle (Members)

Posted 13 May 2015 - 02:39 AM

Thought I would share my experiences with this lovely Crypt0L0cker malware.

I have had the fun of removing 5 versions of the ransomware starting with Cryptolocker, Cryptowall, Torrentlocker and now the most recent reincarnation, Crypt0L0cker.

All of which except for 1 were domain connected computers with users running as Standard Users.

In my experience with all 4 different variants of the malware, the VSCs remained intact and were able to be used with ShadowExplorer if the user who initiated the download was a Standard User, not an Administrator. The previous versions also worked fine once the encrypted file type was removed.

I am currently in the process of removing the malware files and restoring the affected files as we speak.

Also noting that if the user does not have write permissions on the network share, the shares remain intact and unaffected.

Someone may be able to test this theory as I can't find the time to do this.

All infections came from the fake speeding ticket email from either the Australian Federal Police or NSW Office of State Revenue.

Regards,

Seth



#12 Myzreal (Members)

Posted 13 May 2015 - 03:31 AM

Is there any known way of decrypting the files encrypted by this newest Crypt0L0cker or retrieving a key out of the files?



#13 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 13 May 2015 - 05:17 AM

In my experience with all 4 different variants of the malware, the VSCs remained intact and were able to be used with ShadowExplorer if the user who initiated the download was a Standard User, not an Administrator. The previous versions also worked fine once the encrypted file type was removed.


You need Admin Rights to delete the VSS copies, hence why.

Is there any known way of decrypting the files encrypted by this newest Crypt0L0cker or retrieving a key out of the files?


There's no way to decrypt the files encrypted for free right now. As soon as a method will be discovered, Grinler will update this thread with the information and most likely create a new thread promoting the decrypter so everyone can see it, and the infected users can use it.



#14 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 13 May 2015 - 09:00 AM

In my experience with all 4 different variants of the malware, the VSCs remained intact and were able to be used with ShadowExplorer if the user who initiated the download was a Standard User, not an Administrator. The previous versions also worked fine once the encrypted file type was removed.


You got lucky :) Depending on how they delete the shadows, you will be presented with a UAC prompt repeatedly and SVCs won't be deleted until you agree.

Other methods make it so that it deletes them without warning.

I suggest everyone try Shadow Explorer for these reasons as you can get lucky or something may go wrong and the SVCs are still available after encrypting.

Glad it worked out for you.

#15 Myzreal (Members)

Posted 13 May 2015 - 10:45 AM

The crypter informs that in several hours the price for decryption will double. How long do you guys think till a decryption method is accessible? I'm sorry if I'm sounding like I'm rushing someone, but I just don't want my dad to pay the ransomers, but I don't want him to lose the files either. Do you think it's better to pay them or wait for a method, and how long could it take for such a method to appear? Like weeks, months, quarters?





