Cryptolocker encrypt my Home files


  • This topic is locked
3 replies to this topic

#1 mmjc23

Posted 22 December 2015 - 05:30 PM

Hello everyone
 
I'm an Italian Vb.net developer
Cryptolocker encrypted my Home files

#2 quietman7

Posted 22 December 2015 - 06:14 PM

Welcome to BC.

The original CryptoLocker Ransomware which first appeared in the beginning of September 2013...does not exist anymore and hasn't since June 2014. There are several copycat and fake ransomware variants which use the CryptoLocker name but those infections are not the same. Any references to CryptoLocker and retrieving keys for it will not work anymore.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .encrypted, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .EnCiPhErEd, {CRYPTENDBLACKDC}, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:

HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, YOUR_FILES.HTML
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.txt
How_To_Recover_Files.txt, ReadDecryptFilesHere.txt, Help_Decrypt.txt, About_Files.txt
RECOVERY_FILES.txt, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
Howto_RESTORE_FILES_*****.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
RECOVERY_FILE_*****.txt, restore_files_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
how_recover+****.txt, recover_file_*****.txt, (where * are random characters)

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 mmjc23

Posted 14 May 2018 - 04:57 PM

Hello quietman7

 

I returned to this forum and I saw your answer now... excuse me!!

I have not received any reply notification.

My encrypted files have the ".encrypted" file extension and this is my ransom note:

===============================================================================
        !!! WE HAVE ENCRYPTED YOUR FILES WITH THE Crypt0L0cker VIRUS !!!
===============================================================================


Your important files (including those on network drives, USB, etc.): photos,
videos, documents, etc. have been encrypted with our Crypt0L0cker virus.
The only way to restore the files is to pay us. Otherwise,
the files will be lost.

Use this link to pay for file recovery:
http://wzaxcyqroduouk5n.gate2tor.ch/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714


-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

[=]  What happened to my files?

  Your important files: photos, videos, documents, etc. have been
  encrypted with our Crypt0L0cker virus. This virus uses a very
  strong encryption algorithm - RSA-2048. Breaking the RSA-2048
  encryption algorithm is impossible without the special decryption
  key.


[=] How do I restore my files?

  The files are now unusable and unreadable; you can verify this by
  trying to open them. The only way to restore them is to
  use our decryption software. You can purchase this
  decryption software on our
  website (http://wzaxcyqroduouk5n.gate2tor.ch/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714).


[=] What should I do next?

  You are advised to visit
  our site (http://wzaxcyqroduouk5n.gate2tor.ch/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714)
  and purchase decryption for your PC.


[=] I cannot access your website, what should I do?

  Our website should be accessible from one of these links:
  http://wzaxcyqroduouk5n.gate2tor.ch/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714
  http://wzaxcyqroduouk5n.onion.to/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714
  http://wzaxcyqroduouk5n.onion.link/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714

  http://wzaxcyqroduouk5n.onion/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714 (using the TOR browser)

  If for any reason these addresses are not available, please
  follow the instructions:
    1. Download and install TOR browser:
       http://www.torproject.org/projects/torbrowser.html.en
    2. When the installation is complete, run the browser and wait for
       initialization.
    3. Type in the address bar:
       http://wzaxcyqroduouk5n.onion/i6d6lgdv.php?user_code=5p08sbr&user_pass=1714
    4. Access our site.

  You can also contact us by e-mail: decrypthelp@mail333.com

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

Login credentials:
  URL:       http://wzaxcyqroduouk5n.gate2tor.ch/i6d6lgdv.php
  User-Code: 5p08sbr
  User-Pass: 1714

===============================================================================

The strange thing is that "torrentUnlocker de-ransomware - decrypterfixer by Nathan Scott" seems to be able to find the key and decrypt file for files where I have the original copy...but not for the others.

Can you help me please?

 

Thank you in advance

Best Regards



#4 quietman7

Posted 14 May 2018 - 05:14 PM

Any files that are encrypted with Crypt0L0cker (TorrentLocker) will have the .encrypted, .enc or .bag extension appended to the end of the encrypted data filename and leaves files (ransom notes) named DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, as explained here.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to
ID Ransomware for assistance with identification and confirmation.

A repository of all current knowledge regarding Crypt0L0cker (TorrentLocker) is provided by Grinler (aka Lawrence Abrams), in the: Crypt0L0cker & TorrentLocker Information Guide and FAQ

Unfortunately, there is no known method at this time to decrypt files encrypted by Crypt0L0cker without paying the ransom and obtaining the private RSA keys from the criminals. However, Dr.Web has been able to assist victims with decrypting files...see here.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
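
The file-name triage the replies walk through (appended extension plus ransom-note name), as an added example that is not part of the original posts or any BleepingComputer tool. The extension and note lists are copied from posts #2 and #4; the function names, verdict strings and sample listing are assumptions made for illustration.

```python
import fnmatch
import ntpath  # splits both "\" and "/" paths, on any OS
import os
from collections import Counter

# Indicators quoted from the thread; only post #4 ties any to a family.
TL_EXTS = {".encrypted", ".enc", ".bag"}
TL_NOTES = {"decrypt_instructions.txt", "decrypt_instructions.html",
            "instrucciones_descifrado.html", "how_to_recover_files.txt"}
# Subset of the note names in post #2, no family stated there ("*" = random chars).
OTHER_NOTE_PATTERNS = ["help_decrypt.txt", "help_your_files.txt",
                       "help_restore_files.txt", "recovery_key.txt",
                       "decryptallfiles*.txt", "howto_restore_files_*.txt",
                       "recovery_file_*.txt", "restore_files_*.txt",
                       "howto_recover_file_*.txt", "how_recover+*.txt"]

def triage(paths):
    """Classify file names against the thread's extension and ransom-note lists."""
    exts, tl_notes, other_notes = Counter(), set(), set()
    for path in paths:
        name = ntpath.basename(path).lower()
        if name in TL_NOTES:
            tl_notes.add(name)
        elif any(fnmatch.fnmatchcase(name, p) for p in OTHER_NOTE_PATTERNS):
            other_notes.add(name)
        else:
            ext = ntpath.splitext(name)[1]
            if ext in TL_EXTS:
                exts[ext] += 1
    if exts and tl_notes:
        verdict = "consistent with Crypt0L0cker (TorrentLocker)"
    elif exts or tl_notes:
        verdict = "partial match: confirm with ID Ransomware"
    elif other_notes:
        verdict = "ransom note found, family not identified here"
    else:
        verdict = "no indicators from this thread"
    return {"extensions": dict(exts), "tl_notes": sorted(tl_notes),
            "other_notes": sorted(other_notes), "verdict": verdict}

def scan_tree(root):
    """Run triage over every file below root (e.g. a user profile folder)."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

# Constructed sample listing, not taken from the poster's machine.
SAMPLE = [r"C:\Users\demo\Documents\budget.xlsx.encrypted",
          r"C:\Users\demo\Documents\DECRYPT_INSTRUCTIONS.TXT",
          r"C:\Users\demo\Pictures\cat.jpg.encrypted",
          r"C:\Users\demo\Documents\notes.txt"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An extension match alone is reported only as partial because `.encrypted` also appears in the general extension list in post #2.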