
TorrentLocker changes its name to Crypt0L0cker and bypasses U.S. computers


133 replies to this topic

#16 Aura

  • Malware Response Team

Posted 13 May 2015 - 10:55 AM

Sadly we cannot put an estimation on that. Sometimes it takes days and for others it can take weeks or months. Sadly you'll have to wait if you want to decrypt the files for free.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.




#17 Nathan

  • Security Colleague

Posted 13 May 2015 - 06:26 PM

Crypt0L0cker (Torrentlocker) Update

 

As of today (05/13/15) I have had multiple clients contact me for help with their decryption software they paid for to fix their Crypt0L0cker (TorrentLocker) affected files. With every one of these clients I have taken the key in the decrypter and manually attempted to decrypt the files with the key, as the software was failing. Upon doing this I quickly realized that the key sent is not able to decrypt the files. This means either that the infection exe is encrypting files wrong and the virus creator can't even decrypt your files, or the virus creator is sending a wrong/fake decryption key with the software.

 

Seeing as how it's been more than a few clients now, I'm going to advise any victims that are considering paying to get their files back to NOT do it until otherwise stated that the virus creator is actually able to decrypt files again.

 

I recommend that no victims pay the infection to get their files back, but I know this is not always an option, but if you proceed to do this now, you run the risk of losing your files and your money.

 

I have attempted to contact the virus creator on behalf of all these victims, and the victims themselves have tried, to no avail and no answer. Yet the creator will answer if I pretend to be a victim that hasn't paid yet.

 

The choice is ultimately up to you, but as it stands it seems no victim is getting a working decrypter after payment at this time.


Have you performed a routine backup today?

#18 edwfrancis

  • Members

Posted 14 May 2015 - 09:28 PM

Thanks Lawrence Abrams, this was a document that one of the staff opened unknowingly and got sucked in.

Hi ALL - Refer to the link below, related to this.

 

 http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-18?hl=%20edwfrancis  

 

We are a victim of this, paid the ransom and are still not able to decrypt the files. PLEASE DO NOT PAY RANSOM AS THE AUTHORS ARE NOT HELPFUL



#19 Myzreal

  • Members

Posted 16 May 2015 - 05:25 AM

My dad informs me that the decryption software worked for him. If it helps I can provide the decrypter for reverse engineering, as I might attempt it myself if I find the time.



#20 Nathan

  • Security Colleague

Posted 16 May 2015 - 10:24 AM

Reversing won't help, I have already looked into the decrypter. The key is what is important, and each decrypter has a key related to the victim.



#21 jaleeshv

  • Members

Posted 18 May 2015 - 02:08 AM

Hi DecrypterFixer,

I sent you an email this morning with one of the affected files and the RSA key. I am unable to decrypt the file by using the CryptoUnlockerGUI.exe software. Could you please assist me to decrypt the files?

thanks,



#22 funology

  • Members

Posted 21 May 2015 - 09:15 PM

Hi, thanks so much for the above info. It looks like our home computer has been affected by this virus, the AFP infringement notice is identical to the one we got. On 12/5/15

My wife and I were devastated at losing all our photos of kids and family etc. for the last 8 years. Our backup was connected at the time and we didn't make any restore points etc. We resisted trying to pay the ransom.

 

I have found similar files to those below on my PC, except the string 'iwymyzucasakodon' is different. I entered the string into Google and found the details of the virus on another malware site. (Haven't got the actual details on hand at the moment but I can post them if it helps.)

 

C:\ProgramData\iwymyzucasakodon\
C:\ProgramData\iwymyzucasakodon\00000000
C:\ProgramData\iwymyzucasakodon\01000000
C:\ProgramData\iwymyzucasakodon\02000000
C:\ProgramData\iwymyzucasakodon\03000000
C:\ProgramData\iwymyzucasakodon\04000000
C:\ProgramData\iwymyzucasakodon\05000000
C:\ProgramData\iwymyzucasakodon\06000000

 

Do these hint at any decryption keys or methods, or provide positive ID of the virus program?

Please, if anyone finds a way to decrypt these files let me know.
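
A triage check for folders shaped like the ones quoted in the post above, as an added example that is not part of the thread or any poster's tool. The name patterns (16 lowercase letters; extensionless 8-character file names ending in 000000) are assumptions inferred from the folder names quoted in this thread, not a confirmed signature, and `find_suspect_dirs` and `build_constructed_sample` are hypothetical names.

```python
import re
import tempfile
from pathlib import Path

# Assumption: folder names are 16 lowercase letters, as in the two names
# quoted in this thread. Inferred shape, not a confirmed signature.
DIR_RE = re.compile(r"^[a-z]{16}$")
# Assumption: extensionless files named like 00000000 ... 06000000.
FILE_RE = re.compile(r"^[0-9a-f]{2}0{6}$", re.IGNORECASE)


def find_suspect_dirs(program_data, min_files=2):
    """Map folder name -> sorted matching file names, for folders directly
    under program_data whose name AND contents both fit the patterns."""
    hits = {}
    root = Path(program_data)
    if not root.is_dir():
        return hits
    for d in sorted(root.iterdir()):
        try:
            if not (d.is_dir() and DIR_RE.match(d.name)):
                continue
            names = sorted(f.name for f in d.iterdir()
                           if f.is_file() and FILE_RE.match(f.name))
        except OSError:
            continue  # unreadable folder: skip it rather than abort the scan
        if len(names) >= min_files:
            hits[d.name] = names
    return hits


def build_constructed_sample(root):
    """Constructed tree: one folder shaped like the post, two benign ones."""
    root = Path(root)
    flagged = root / "iwymyzucasakodon"
    flagged.mkdir()
    for i in range(7):
        (flagged / f"{i:02d}000000").write_bytes(b"")
    (root / "Microsoft").mkdir()
    lookalike = root / "abcdefghijklmnop"  # right name shape, wrong contents
    lookalike.mkdir()
    (lookalike / "settings.ini").write_text("constructed")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in find_suspect_dirs(build_constructed_sample(tmp)).items():
            print(name, files)
```

A hit marks a folder worth submitting as a sample, not proof of infection; point the function at the ProgramData folder of a mounted copy of the disk where possible.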



#23 quietman7

  • Global Moderator

Posted 21 May 2015 - 09:23 PM

Samples of any encrypted or malware files that you suspect were involved in causing the infection can be submitted here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#24 MDUB

  • Members

Posted 24 May 2015 - 07:42 AM

Like many, my files were infected sometime in February by the strong encryption with RSA-2048 using CryptoWall 3.0. I removed the virus, but the encryption obviously remains on my files. I submitted a sample file using the link above, but am unsure of next steps (or perhaps even first steps if submitting a sample really isn't a step one). Any help would be appreciated.  I was following this thread very loosely (http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/page-68), but with 68 pages I'm unsure if I missed an important thing to try or not.



#25 quietman7

  • Global Moderator

Posted 24 May 2015 - 07:54 AM

Welcome to BC MDUB

This topic is for Crypt0L0cker (TorrentLocker renamed). The link you provided is for PClock CryptoLocker.

If you were infected by CryptoWall 3.0...a repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also lengthy ongoing discussions in these topics where you can post any questions, comments or requests for assistance :

#26 MDUB

  • Members

Posted 24 May 2015 - 07:56 AM

Thanks so much Quietman7. I apologize for the newbie first post! :)



#27 quietman7

  • Global Moderator

Posted 24 May 2015 - 07:59 AM

You're welcome and no need to apologize...with so many ransomware variants these days, it can be confusing for anyone.

#28 funology

  • Members

Posted 03 June 2015 - 07:35 AM

Hi Quietman7, I have sent a file from the C:\ProgramData\abekelataheficij folder, which I suspected is part of the ransomware, as well as an encrypted file. I have the ransomware carrier email and file in my iPhone email, but I am hesitant to send it to my PC to upload it here.

 

Thanks for any help you can give!



#29 ilmagnifico22

  • Members

Posted 10 June 2015 - 10:19 AM

Hi everybody, one of my network's PCs is affected by crypt0l0cker ...

Is there any news about the possibility of decrypting files?

 

Thanks!



#30 quietman7

  • Global Moderator

Posted 10 June 2015 - 01:37 PM

At this time there is no known way to decrypt your files for free. It is suggested that you restore your files from backup, and if that is not an option, attempt to use recovery software to recover your files.





