Locker Ransomware Support and Help Topic


634 replies to this topic

#16 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,779 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:15 AM

Posted 25 May 2015 - 05:39 AM

Orgeston, Sts123 & xyttra I have merged your topics into this one since Nathan is already investigating. This will make it easier for you to get any updated information about this infection and provide samples of the encrypted and related malware files.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



#17 gusteru18

gusteru18

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 25 May 2015 - 06:46 AM

Hi guys, I was looking for information and I found this topic. I have the same problem, but it seems mine is an older version. Does anyone know how I could get this?



#18 quietman7


Posted 25 May 2015 - 06:58 AM

...I have the same problem, but it seems mine is an older version. Does anyone know how I could get this?

Our experts are still investigating this infection.

I can tell you that Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction...opening malicious email attachments (usually from an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site, and sometimes via exploit kits and drive-by downloads when visiting compromised web sites. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convince them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

#19 atablash

atablash

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 25 May 2015 - 07:17 AM

Hello, I have exactly the same problem! I lost some important files. Any chance they would decrypt them when paid? Seems unlikely for them to really maintain a server.

 

Here are two files, encrypted and decrypted. It's a small text file. Hope it helps!

https://www.dropbox.com/s/ikcuuewsh6p832f/perldoc.txt?dl=0

https://www.dropbox.com/s/ndpavwn8h4xg0k7/perldoc.txt.encrypted?dl=0

(I'm 99% sure the files match but who knows)

 

EDIT: please post some more info if anyone found out something!

 

EDIT2: The version number of this program seems randomly generated. I have a different number than you.


Edited by atablash, 25 May 2015 - 07:20 AM.


#20 Kuldaniss

Kuldaniss

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Timisoara, Romania
  • Local time:03:15 PM

Posted 25 May 2015 - 08:28 AM

Just wanted to reply that I have the exact same problem, on 2 of my PCs.

On one of them my brother ran some anti-malware software and removed the virus, but the files are still encrypted.  I haven't run anything on mine yet because I wasn't sure that was the right thing to do, but I would really hate it if I lost some of my files that have been encrypted. Is there a solution to this other than paying? If not, I guess I would have to settle with losing a lot of pictures and documents

 

Please help 

 

L.E: Should I use SpyHunter and remove the Virus at least, and then try to decrypt the files? I'm not really comfortable with it still being on my PC


Edited by Kuldaniss, 25 May 2015 - 08:35 AM.


#21 Kuldaniss


Posted 25 May 2015 - 09:12 AM


Hmm, thanks for that. What would you recommend then? CCleaner? Malwarebytes?
 
The reason I got SpyHunter was because I found it on a page recommending it to get rid of this Locker thing.

#22 Sintharius

Sintharius

    Bleepin' Sniper


  • Malware Study Hall Senior
  • 5,602 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:15 PM

Posted 25 May 2015 - 09:16 AM


If you need help cleaning your machine, follow the instructions in ==>This Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Member of the Bleeping Computer A.I.I. early response team!

#23 Kuldaniss


Posted 25 May 2015 - 09:21 AM

So I can go on with removing this Locker thing, and then wait to see if your experts come up with some way of recovering the encrypted files? 

 

Do I need to create a new topic if the problem is already described in this one, and is a common one today, as I noticed? Maybe posting the logs here will help more



#24 Sintharius


Posted 25 May 2015 - 09:24 AM

Hi there,

The logs used in the removal procedure are not allowed to be posted outside the aforementioned area - please follow the instructions :)

Your problem is described in this topic, but to get your computer cleaned will require another.

#25 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:08:15 AM

Posted 25 May 2015 - 09:28 AM

It definitely seems to be RSA.

 

The file data.aa7 looks to contain an equation used to generate the RSA key...

 

<RSAKeyValue><Modulus>x1jgkSf/X/YCF2VSGXAjLC0cZlRUuRTs0xO+6pgtTEVZkEc9u/Khgt6TpoZs49Pd1fyelzLqMnIGDsuM6ugdPIcx2tLCLgDzgoqocB+LArr1vJqG2Cj1CTtwjR7pRggDmkIyoiJoiEDQ+/6VpSGDUuNEA7NeKEnQ7QfOW8AfPoQdXkTzzRoMsYghhcu6xNu4cMQX7DOOhxtuFmoFLt3Kzb9kjJ982oU3ITIPk0uc47Z6IFTdYgbEJjlZVJs6MvQd8EdF7GIO415RcPUyslDQDOEsfxEBnoaNzMt13KRV66bJDBur/s8tYX6KrCQpHPHd6a8WhqDM4FCMGA5tgB+I6Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
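
An added example, not part of the original post and not code from anyone in this thread: the blob quoted from data.aa7 is in the XML layout that .NET's RSA.ToXmlString produces, and this Python reads it to report the key size, the public exponent, and whether any private-key elements are present. The function name describe_rsa_key_value is an assumption made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Blob exactly as quoted from data.aa7 in post #25 (split only for line width).
DATA_AA7 = (
    "<RSAKeyValue><Modulus>"
    "x1jgkSf/X/YCF2VSGXAjLC0cZlRUuRTs0xO+6pgtTEVZkEc9u/Khgt6TpoZs"
    "49Pd1fyelzLqMnIGDsuM6ugdPIcx2tLCLgDzgoqocB+LArr1vJqG2Cj1CTtw"
    "jR7pRggDmkIyoiJoiEDQ+/6VpSGDUuNEA7NeKEnQ7QfOW8AfPoQdXkTzzRoM"
    "sYghhcu6xNu4cMQX7DOOhxtuFmoFLt3Kzb9kjJ982oU3ITIPk0uc47Z6IFTd"
    "YgbEJjlZVJs6MvQd8EdF7GIO415RcPUyslDQDOEsfxEBnoaNzMt13KRV66bJ"
    "DBur/s8tYX6KrCQpHPHd6a8WhqDM4FCMGA5tgB+I6Q=="
    "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
)

# Elements .NET writes only when the private key is exported as well.
PRIVATE_FIELDS = ("P", "Q", "DP", "DQ", "InverseQ", "D")


def describe_rsa_key_value(xml_text):
    """Summarise an RSAKeyValue document recovered from an infected machine."""
    # The file comes from malware, so refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected here")
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")

    def field(name):
        # Each element holds a big-endian unsigned integer in base64.
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            return None
        raw = base64.b64decode(node.text.strip(), validate=True)
        return int.from_bytes(raw, "big")

    modulus, exponent = field("Modulus"), field("Exponent")
    if modulus is None or exponent is None:
        raise ValueError("Modulus and Exponent are both required")
    return {
        "modulus_bits": modulus.bit_length(),
        "public_exponent": exponent,
        "has_private_key": any(field(n) is not None for n in PRIVATE_FIELDS),
    }


if __name__ == "__main__":
    print(describe_rsa_key_value(DATA_AA7))
```

When has_private_key is False, the file holds only the public half of the key pair, which can encrypt but cannot decrypt.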


#26 White Hat Mike


Posted 25 May 2015 - 09:30 AM

data.aa8

3
53

data.aa0 contains a list of all encrypted files

 

data.aa6

13Zpt3oedE2vFEbno2dYd9KHaPQpD8ZFKs

 

data.aa9

5/28/2015 12:08:08 AM

Edited by White Hat Mike, 25 May 2015 - 09:31 AM.



#27 GangXtaZz

GangXtaZz

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 PM

Posted 25 May 2015 - 09:35 AM

Yes, the same goes for mine. But it seems that the encryption is different for each file (I'm not any kind of expert so not sure about this, just guessing) since the key I obtained with TORRENTUNLOCKER used to decrypt one file didn't work for any of the other encrypted files.


Edited by GangXtaZz, 25 May 2015 - 09:36 AM.


#28 Kuldaniss


Posted 25 May 2015 - 09:35 AM

Hi there,

The logs used in the removal procedure are not allowed to be posted outside the aforementioned area - please follow the instructions :)

Your problem is described in this topic, but to get your computer cleaned will require another.

Ok I understand. I uninstalled SpyHunter from my computer, but I did a scan with it earlier and fixed the issues which seems to have solved the Locker problem. I just noticed that after the restart, the Locker popup is no longer there, but the files are still encrypted. Would you recommend still using your guide, just to make sure everything is cleaned?

 

I'm glad that at least that Locker window is gone, hopefully someone finds a way to retrieve the files.

 

Thanks for the help by the way



#29 Sintharius


Posted 25 May 2015 - 09:41 AM

If you need to make sure that your machine is clean, then yes :)

You will want to keep the items from the infection since a solution might be found later that makes use of those.

Edited by Alexstrasza, 25 May 2015 - 09:41 AM.


#30 GangXtaZz


Posted 25 May 2015 - 09:42 AM

After a reboot the Locker didn't show up again for me either, but I didn't try to remove it in any way, it just didn't open by itself I guess. And yes, the files are still encrypted and the Malware files are still located in Program Data. I think that with the proper technique we should be able to decrypt the files, since TORRENTUNLOCKER, which wasn't created for this unique kind of ransomware KINDA worked.





