Got hit by CryptoLocker. Which variant?


31 replies to this topic

#1 Anonimas

Posted 06 October 2015 - 07:43 AM

So, I think that one of my USB drives got hit by a CryptoLocker variant. All files have this suffix:

id-7944255860_hairullah@inbox.lv

Maybe someone has seen this or had experience with it?

Thanks.

_______________

EDIT: Just found out that this is a variant of Crypaura.



#2 quietman7 (Global Moderator)

Posted 06 October 2015 - 08:23 PM


I have advised our Security Colleagues who specialize in crypto-malware ransomware, with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic:

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

#3 JohnBarrow

Posted 07 October 2015 - 06:18 AM

Hello

I got hit by something similar,

Many files (txt, pdf, dwg, jpg, iso, msi, zip, rar, inf, xml, db, csv, avi, bak, cer, doc, swf, rtf) are encrypted and are ending with suffix .id-5998498120_hairullah@inbox.lv

I have submitted a sample of an encrypted file to the link previously mentioned.

JohnBarrow



#4 Computer_Guy

Posted 08 October 2015 - 07:04 AM

Hi

iSheriff saw the virus and prevented it from infecting my PC, I owe my life to them !!

My advice, get iSheriff.

Jason.



#5 dxrone

Posted 08 October 2015 - 08:53 AM

I have also been hit by this virus. I have managed to recover some files using Shadow Explorer. Is there any chance of decrypting the other files that are not restorable from Shadow Explorer (mapped drive)?



#6 dxrone

Posted 08 October 2015 - 09:21 AM

I have also submitted an encrypted file for analysis, as requested by quietman7.



#7 quietman7 (Global Moderator)

Posted 08 October 2015 - 04:07 PM

Our crypto-malware experts are still investigating... they need someone to submit the dropper file.

#8 Anonimas (Topic Starter)

Posted 09 October 2015 - 08:06 AM

Uploaded dropper file.



#9 cyber8607

Posted 09 October 2015 - 09:18 AM

Uploaded mine too...



#10 edsiew

Posted 10 October 2015 - 04:05 PM

I just got hit by one which adds ".ccc" to all the encrypted files, and there was only ONE Korean webpage in the whole of Google that mentioned the same virus.

The text file it adds to my computer is HOWTO_RESTORE_FILES.txt, and several variations of this name.

I have paid to get them decrypted, sadly...

The decryption works differently from the ways I read about and watched on the net and YouTube: all the .ccc files are decrypted and saved under their original names as new files. This doubles the memory requirement on my hard disk. Thankfully I have a lot of disk space, but I wonder what would have happened if the hard disk had run out of memory during decryption.



#11 quietman7 (Global Moderator)

Posted 10 October 2015 - 05:04 PM

I just got hit by one which adds ".ccc" to all the encrypted files...

You are most likely dealing with a newer variant of TeslaCrypt. Any files that are encrypted with this ransomware will have the .exx, .xyz, .zzz, .aaa, .abc or .ccc extension appended to the end of the filename. The .aaa/.abc variant drops files (ransom notes) with names like Recovery_File_*****.html, Recovery_File_*****.txt, restore_files_*****.html and restore_files_*****.txt (where ***** are random characters) and pretends to be CryptoWall 3.0.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

There is an ongoing discussion in this topic where you can post any questions, comments or requests for assistance:


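Defender-side triage of the file names this thread describes (the ".id-<digits>_<email>" suffix from post #1 and #3, and the TeslaCrypt extensions and ransom-note names listed in post #11), as an added Python example that is not from the thread or from any tool it mentions. The regular expressions are reconstructed from the posts above and are an assumption, not a vetted signature set; the sample listing is constructed.

```python
import re

# Triage rules reconstructed from this thread (illustrative, not a vetted signature set).
# CrypAura-style names keep the original name and append ".id-<digits>_<email>".
CRYPAURA_SUFFIX = re.compile(r"\.id-\d+_\S+@\S+$", re.IGNORECASE)
# TeslaCrypt variants named in the thread; .xyz/.abc are also legitimate extensions, so review hits manually.
TESLACRYPT_EXTS = {".exx", ".xyz", ".zzz", ".aaa", ".abc", ".ccc"}
# Ransom note names from the thread (its ***** means random characters).
NOTE_NAME = re.compile(
    r"^(?:HOWTO_RESTORE_FILES[^.]*\.txt"
    r"|(?:Recovery_File|restore_files)_[A-Za-z0-9]+\.(?:html|txt))$",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]

def classify(path: str):
    """Suspected family label for one file name, or None if nothing matches."""
    name = basename(path)
    if NOTE_NAME.match(name):
        return "teslacrypt-note"
    if CRYPAURA_SUFFIX.search(name):
        return "crypaura"
    dot = name.rfind(".")
    if dot > 0 and name[dot:].lower() in TESLACRYPT_EXTS:
        return "teslacrypt"
    return None

def original_name(path: str) -> str:
    """Strip a CrypAura-style suffix to recover the pre-encryption file name."""
    return CRYPAURA_SUFFIX.sub("", basename(path))

def triage(paths: list[str]) -> dict[str, list[str]]:
    """Group a directory listing by suspected family; unmatched files are left out."""
    hits: dict[str, list[str]] = {}
    for p in paths:
        label = classify(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits

# Constructed sample listing (not real victim data) mixing both suffix styles.
SAMPLE_LISTING = [
    r"E:\docs\budget.xlsx.id-7944255860_hairullah@inbox.lv",
    r"C:\Users\me\Pictures\holiday.jpg.ccc",
    r"C:\Users\me\Pictures\HOWTO_RESTORE_FILES.txt",
    r"C:\Users\me\Desktop\restore_files_k3x9q.html",
    r"C:\Users\me\Desktop\readme.txt",
]
```

Running `triage()` over a real directory listing gives a per-family count of affected files and, via `original_name()`, an inventory of what was encrypted, which is the information the responders in this thread ask victims to provide alongside the sample submission.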

#12 edsiew

Posted 10 October 2015 - 08:14 PM

Yes, it was TeslaCrypt. That's what the name of the file was when caught by the malware software.

But too late... I paid up, and the programmer had the cheek to enter into conversation with me when I left a message saying I had paid and nothing happened.

#13 Flavius85

Posted 17 October 2015 - 01:29 AM

I have decrypted with Kaspersky RakhniDecryptor.

#14 Anonimas (Topic Starter)

Posted 17 October 2015 - 04:31 AM

I have decrypted with Kaspersky RakhniDecryptor.

How much time did it take to decrypt the files?



#15 Flavius85

Posted 17 October 2015 - 05:00 AM

2 days

