
Crypt0L0cker virus /


  • This topic is locked
3 replies to this topic

#1 fern321

  • Members

Posted 22 October 2015 - 03:41 AM

To whom it may concern:

I've been targeted by ransomware. It's giving me a countdown of 32 hrs to cough up one bitcoin. I've tried www.decryptcryptolocker.com, which doesn't work right now. Files are encrypted with true Cryptolocker, I believe.

Not all files have been encrypted. I have looked into Shadow Explorer, Decryptolocker and the "Past Versions" tab of Properties and nothing is left.

My questions are:
- Is there any chance of getting my files back, or are they irretrievable?
- I used anti malware and 3 different systems to delete all kind of damage. Is there anything else?

I hope that someone can help me.

Thanks



#2 quietman7

  • Global Moderator

Posted 22 October 2015 - 06:50 AM

Crypt0L0cker is essentially a newer version of TorrentLocker...are you sure that is what you are dealing with?

If not, are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_<user name>.txt, DecryptAllFiles_******.txt file (where * is 6-7 random characters)
RECOVERY_FILES.html, RECOVERY_FILES.txt, Recovery_File_*****.html, Recovery_File_*****.txt
restore_files_*****.html, restore_files_*****.txt, HOWTO_RESTORE_FILES*****.txt (where ***** are random characters)

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
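The manual check described in the post above (look for known appended extensions and ransom-note filenames), as an added example that is not part of the original post and is not IDTool. The names `triage` and `demo`, the rule for spotting a "random" 6-7 character extension, and the sample file tree are assumptions constructed for illustration; the extension and note-name lists are the ones quoted in the post.

```python
import fnmatch
import os
import re
import tempfile
from collections import Counter

# Extensions and note names copied from the post above, lowercased for matching.
KNOWN_EXTENSIONS = {".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".ctbl",
                    ".ctb2", ".xtbl", ".encrypted", ".vault", ".ha3", ".toxcrypt"}
NOTE_PATTERNS = [
    "help_decrypt.*", "help_to_decrypt_your_files.*", "help_restore_files.txt",
    "help_to_save_files.*", "recovery_key.txt", "decryptallfiles*.txt",
    "decrypt_instruction.*", "how_to_decrypt_files.txt", "how_to_recover_files.txt",
    "about_files*", "encryptor_raas_readme_liesmich.txt", "recovery_files.*",
    "recovery_file_*.*", "restore_files_*.*", "howto_restore_files*.txt",
]
# Assumption: a 6-7 char extension counts only when appended after a normal one.
RANDOM_EXT = re.compile(r"\.[a-z0-9]{6,7}")


def triage(root):
    """Walk root; return (known-extension counts, note paths, random-ext candidates)."""
    ext_counts, notes, candidates = Counter(), [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if any(fnmatch.fnmatchcase(lower, pat) for pat in NOTE_PATTERNS):
                notes.append(os.path.join(dirpath, name))
            elif ext in KNOWN_EXTENSIONS:
                ext_counts[ext] += 1
            elif RANDOM_EXT.fullmatch(ext) and os.path.splitext(stem)[1]:
                candidates[ext] += 1
    return ext_counts, sorted(notes), candidates


def demo():
    """Triage a constructed sample tree (made-up file names, empty files)."""
    sample = ["budget.xlsx.encrypted", "photo.jpg.encrypted", "notes.txt", "archive.sqlite",
              "DECRYPT_INSTRUCTION.HTML", "DecryptAllFiles_abcdefg.txt", "report.docx.qwertyu"]
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in sample:
            open(os.path.join(docs, name), "w").close()
        exts, notes, cands = triage(root)
        return dict(exts), [os.path.basename(p) for p in notes], dict(cands)


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a user profile folder or at C:\ProgramData, the location the post names for note files; the random-extension bucket lists candidates to review by hand, not confirmed hits.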

#3 fern321

  • Topic Starter

Posted 22 October 2015 - 07:07 AM

Hi,

I am not sure what I am dealing with. Can you help me?

I got this text below as a .txt file, and yes, all my doc, photo and excel files are with .encrypted extensions!


===============================================================================
          !!! We have encrypted your files with Crypt0L0cker virus  !!!
===============================================================================
 
 
Your important files (including those on network disks, USB, etc): photos, videos,
documents were encrypted with our Crypt0L0cker virus. The only way to get your
files back is to pay us. Otherwise your files will be lost.
 
Click here to pay for files recovery:
 
 
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
 
[=] What happened to my files?
 
  Your important files: photos, videos, documents were encrypted with our
  Crypt0L0cker virus. This virus uses a very strong
  encryption algorithm - RSA-2048. Breaking the RSA-2048 encryption algorithm is
  impossible without the special encryption key.
 
 
[=] How can I get my files back?
 
  Your files are now unusable and unreadable, you can verify this by
  trying to open them. The only way to restore them to a normal
  state is to use our special decryption software. You can buy
  this decryption software on our website (http://cz27m6n752rpqokx.torarea.li/j8oist0.php?user_code=1gdneq0&user_pass=7869).
 
 
[=] What should I do next?
 
  and buy decryption for your computer.
 
 
[=] I cannot access your website, what should I do?
 
  Our website should be accessible from one of these links:
 
 
  If for some reason these addresses are not available, follow the steps:
    1. Download and install TOR-browser:
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar:
    4. Access our website.
 
  You can also contact us via e-mail: decrypthelp@mail333.com
 
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
 
Login Credentials:
  User-Code: 1gdneq0
  User-Pass: 7869
 
===============================================================================   


#4 quietman7

  • Global Moderator

Posted 22 October 2015 - 07:25 AM


Any files that are encrypted with Crypt0L0cker (TorrentLocker) will have the .encrypted extension appended to the end of the filename.

A repository of all current knowledge regarding TorrentLocker is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

Information about Crypt0L0cker can be found here: TorrentLocker changes it's name to Crypt0L0cker

There are ongoing discussions in these topics. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those support topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff