Crypt0l0cker ransomware virus - please help



#1 alex_ncfc (Members, 1 post)

Posted 13 June 2015 - 05:28 AM

A friend's business PC has become infected with the Crypt0l0cker ransomware virus. All of her user files are now encrypted and, as such, end with .encrypted extensions.

I have tried to help but I am not familiar with this virus, so I had to do some reading up on it. Initially I was optimistic after seeing the website http://www.decryptcryptolocker.com/, but none of the submitted files worked on there in order to get a key, and I soon learnt that there are different, stronger versions of this virus, and that this is one of them. After further reading, it seems that there is absolutely no way (currently) to decrypt the files - is this correct? Also, I gather it would be extremely unlikely that paying the ransom would do anything to resolve the issue? I wouldn't have done this anyway, personally, because the chances seem 99% that you wouldn't receive a decrypter and therefore would lose your files and your money.

I noticed that files in "Previous versions" (Windows 7) were fine, and started using Shadow Explorer to copy the snapshotted files from the VSS to an external USB hard drive. Is this the only course of action to take to even get close to getting files back? It's just that they are considering having an IT guy come out (and would therefore have to pay him), but if he's just going to do the same things I am going to do/have been doing, then I may as well help them and save them some money. Also, how can I be sure that the virus is gone? Apparently MalwareBytes detects crypt0l0cker, and after running it on the infected machine, it did detect a file I already thought was very suspicious:

C:\ProgramData\Updater\Updater.exe

This app is also constantly running in task manager, and if I end it, it instantly starts again. I have YET to use a tool like MalwareBytes to clean the system.

There is also a rogue startup entry, c:\Program Data\ilcilizhp.exe - this .exe file does not actually exist though. I am guessing this may have been the virus itself? (or the above updater.exe)

I suppose my main questions are:

  • How is it likely this virus got onto their machine? (BullGuard antivirus is always on and up-to-date)
  • Is the only way I can even potentially restore the files via the Volume Shadow Service and Shadow Explorer? i.e. is there no tool out there to decrypt files encrypted by crypt0l0cker?
  • How can I be certain the virus is removed from their machine? Which tools are best to use to scan?

Thanks very very much for any information.

Alex


Edited by alex_ncfc, 13 June 2015 - 05:29 AM.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,560 posts, Virginia, USA)

Posted 13 June 2015 - 06:02 AM

Information about Crypt0L0cker can be found here: TorrentLocker changes it's name to Crypt0L0cker

Crypt0L0cker typically deletes all Shadow Volume Copies so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do, since it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies. At this time there is no fix tool. The only other alternative is to save your data as is and wait for possible updates...meaning that, while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a breakthrough or possible solution, so save the encrypted data and wait until that time.

At this time there is no known way to decrypt your files for free. It is suggested that you restore your files from backup, and if that is not an option, attempt to use recovery software to recover your files.


There is an ongoing discussion in this topic: Crypt0L0cker Ransomware Support & Discussion

From the above topic...

Crypt0L0cker (Torrentlocker) Update
...I'm going to advise any victims that are considering paying to get their files back NOT to do it until otherwise stated that the virus creator is actually able to decrypt files again. I recommend that no victims pay the infection to get their files back, but I know this is not always an option; if you proceed to do this now, you run the risk of losing your files and your money...The choice is ultimately up to you, but as it stands it seems no victim is getting a working decrypter after payment at this time.


Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
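The questions raised in both posts above (are any shadow copies left for Shadow Explorer to use, does the dangling startup entry point at a file that exists, what keeps restarting Updater.exe, and how far did the encryption get) can be answered with a read-only triage run before any cleanup. The script below is an added example, not code from the thread or from BleepingComputer. It only reports; it does not delete or restore anything. The two suspect paths are the ones named in the first post; `$ScanRoot` is a placeholder for wherever the user's documents live. It uses `Get-WmiObject` rather than the newer CIM cmdlets so that it runs on the PowerShell 2.0 that ships with Windows 7; run it from an elevated prompt, since listing shadow copies requires administrator rights.

```powershell
# Added read-only triage script (not from the thread). Run in an elevated PowerShell on the affected PC.
# Assumptions: the two suspect paths below are the ones named in the thread; $ScanRoot is a placeholder.

$SuspectPaths = @(
    'C:\ProgramData\Updater\Updater.exe',   # flagged by MalwareBytes in the thread
    'C:\ProgramData\ilcilizhp.exe'          # dangling startup entry in the thread
)
$ScanRoot = 'C:\Users'                      # placeholder: root of the user data to inventory

function Get-ExePath {
    # Pull the executable out of a Run-key command line:  "C:\x y\a.exe" /arg   or   C:\a.exe /arg
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $cmd
}

Write-Output '== 1. Volume Shadow Copies (Previous Versions) still present? =='
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    # Crypt0L0cker normally deletes these; any that survive are what Shadow Explorer / Previous Versions read.
    $shadows | Select-Object ID, VolumeName, @{n='Created'; e={ $_.ConvertToDateTime($_.InstallDate) }} |
        Format-Table -AutoSize
} else {
    Write-Output 'No shadow copies found - the snapshots were most likely deleted by the infection.'
}

Write-Output '== 2. Autostart entries (Run/RunOnce keys and Startup folders) =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $exe   = Get-ExePath $prop.Value
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'TARGET MISSING' }   # like ilcilizhp.exe
        if ($exe -like "$env:ProgramData\*" -or $exe -like "$env:APPDATA\*" -or $exe -like "$env:TEMP\*") {
            $flags += 'RUNS FROM DATA DIR'                                        # like Updater.exe
        }
        $tag = ''
        if ($flags.Count -gt 0) { $tag = '[' + ($flags -join ', ') + ']' }
        Write-Output ("{0}\{1} = {2} {3}" -f $key, $prop.Name, $prop.Value, $tag)
    }
}
# Startup folder items and other autostart locations WMI knows about
Get-WmiObject -Class Win32_StartupCommand | Select-Object Location, Name, Command | Format-Table -AutoSize

Write-Output '== 3. Suspect processes and what (re)starts them =='
# A process that "instantly starts again" when killed usually has a watchdog parent; show that parent.
$procs = Get-WmiObject -Class Win32_Process
foreach ($p in $procs) {
    if ($SuspectPaths -contains $p.ExecutablePath) {
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        $parentName = '(exited)'
        if ($parent) { $parentName = $parent.ExecutablePath }
        Write-Output ("PID {0} {1}  <- parent PID {2} {3}" -f $p.ProcessId, $p.ExecutablePath,
                      $p.ParentProcessId, $parentName)
    }
}

Write-Output '== 4. Encrypted files: how many, where, and when =='
$enc = @(Get-ChildItem -Path $ScanRoot -Recurse -Filter '*.encrypted' -ErrorAction SilentlyContinue)
if ($enc.Count -gt 0) {
    # First/last write times bracket when the encryption ran, which helps when reading other logs.
    $times = $enc | Measure-Object -Property LastWriteTime -Minimum -Maximum
    Write-Output ("{0} .encrypted files; first written {1}, last written {2}" -f $enc.Count, $times.Minimum, $times.Maximum)
    $enc | Group-Object { $_.DirectoryName } | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
} else {
    Write-Output "No *.encrypted files under $ScanRoot"
}
```

Sections 1 and 4 answer the recovery question (whether Shadow Explorer has anything to work with, and how much was encrypted and when); sections 2 and 3 answer the "is it gone" question, since a Run-key entry whose target is missing, an autostart that lives under ProgramData or a user profile, and a watchdog parent that respawns a killed process are the things a cleanup must address before the machine can be called clean. Keep the output alongside the encrypted data that the reply above recommends saving.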
