
Looking for some help dealing with a cryptolocker infected computer


  • This topic is locked
3 replies to this topic

#1 mikeloeven

  • Members
  • 156 posts

Posted 14 January 2016 - 04:25 PM

As the only IT guy in my family I was unfortunate enough to receive the IT equivalent of a nuclear bomb from my Aunt. She handed me a laptop and asked me to clean it. She mentioned a virus; however, on booting I immediately recognized the "Your Files have been Encrypted" message and shut the thing off. I have read that the various flavors of cryptolocker are extremely contagious, jumping through USB drives and even network connections. Basically I need to know how to safely transfer and upload scan logs from this laptop without risking infection to my tech computer. I need to identify which variant of the virus is active on the laptop and whether or not it is one of the versions that have a free decryption tool available.

But essentially, is disabling autoplay enough to protect from USB infection, or do I need to use something stronger such as a frozen-state driver?




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,391 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 January 2016 - 04:44 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .encrypted, .locked, .crypto, _crypt, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, About_Files.txt, 
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, Help_Decrypt.txt, HELP_DECYPRT_YOUR_FILES.HTML
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html, YOUR_FILES.url
Howto_RESTORE_FILES_.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_.txt, restore_files_.txt
howto_recover_file_.txt, how_recover+[random].txt, _how_recover_.txt, recover_file_[random].txt

Note: The [random] represents random characters which some ransom note names may include.

Did you or your anti-virus find any malware? These are common locations where malicious executables related to ransomware infections may be found:
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
C:\<random>\<random>.exe

Once we have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Please read section :step2: in How Malware Spreads - How your system gets infected which explains the most common methods Crypto malware and other forms of ransomware is typically spread and delivered.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 mikeloeven

  • Topic Starter
  • Members
  • 156 posts

Posted 14 January 2016 - 05:00 PM

All of the above; however, I have not run any virus scans, as due to the aforementioned post I do not want to connect this thing to my network, let alone plug any USB drive into the machine, until I know how to prevent the infection from jumping to my own computer.

But as for the message, it was "Your files are locked and encrypted with a unique RSA-1024 key".

Documents, pictures and videos on the infected laptop were .ecc and had the ransom text file next to them, HELP_RECOVER_FILES.txt. Right now my main concern is getting the diagnostic tools onto the laptop to identify the exact version and then safely getting the log files out without the USB drive getting infected.

At this point all I know is it's some flavor of ransomware, but not the exact variant.


Edited by mikeloeven, 14 January 2016 - 05:09 PM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,391 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 January 2016 - 05:22 PM

"...videos on the infected laptop were .ecc and had the ransom text file next to them HELP_RECOVER_FILES.txt."

TeslaCrypt & Alpha Crypt ransomware is a Trojan that encrypts data using AES (Advanced Encryption Standard)...see here.

TeslaCrypt (Alpha Crypt) includes several known versions with various extensions for encrypted files, including: .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, as described here.

Any files that are encrypted with the original TeslaCrypt will have the .ecc extension appended to the end of the filename and leave .html, .txt files (ransom notes) with names like HELP_RESTORE_FILES.txt. Any files that are encrypted with Alpha Crypt (TeslaCrypt renamed) will have the .ezz or .exx extension appended to the end of the filename and leave .html, .txt files (ransom notes) with names like HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt.

Any files that are encrypted with the newer variant of TeslaCrypt will have the .xyz, .zzz, .aaa, .abc, .ccc or .vvv extension appended to the end of the filename. The .aaa/.abc/.ccc/.vvv variants leave .html, .txt, files (ransom notes) with names like Howto_RESTORE_FILES_.txt, RECOVERY_FILE_[random].txt, restore_files_[random].txt, recover_file_[random].txt, Howto_RESTORE_FILES_[random].txt, howto_recover_file_[random].txt, _how_recover_[random].txt, how_recover+[random].txt. TeslaCrypt 3.0 will have the .xxx or .ttt extension appended to the end of the filename.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about decrypting files affected by TeslaCrypt & Alpha Crypt ransomware can be found here and in this topic: TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt. Instructions on how to recover the key for decryption are included in TeslaDecoder.zip.

There are ongoing discussions in these topics where you can ask questions and seek further assistance.
  • New TeslaCrypt version that uses the .EXX extension Support & Discussion
  • New TeslaCrypt Ransomware sets its scope on video gamers

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions, particularly the last if dealing with one of the newer variants. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
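An added example, not from the thread or from BleepingComputer: a small Python triage script that applies the identification steps quietman7 describes (tally the encrypted-file extensions, look for the ransom-note filenames, and map the extensions to the TeslaCrypt variants listed in post #4) over a read-only copy of the victim's data. The extension lists and note names come from the posts above; the function names, the variant labels and the constructed sample files are my own.

```python
import os
import re
import tempfile
from collections import Counter

# Encrypted-file extension -> TeslaCrypt family variant, as laid out in post #4
# above (the extension lists are the post's; the labels are mine).
VARIANT_BY_EXT = {
    ".ecc": "TeslaCrypt (original)",
    ".ezz": "Alpha Crypt", ".exx": "Alpha Crypt",
    ".xyz": "TeslaCrypt (newer)", ".zzz": "TeslaCrypt (newer)",
    ".aaa": "TeslaCrypt (newer)", ".abc": "TeslaCrypt (newer)",
    ".ccc": "TeslaCrypt (newer)", ".vvv": "TeslaCrypt (newer)",
    ".xxx": "TeslaCrypt 3.0", ".ttt": "TeslaCrypt 3.0",
}

# A subset of the ransom-note filename shapes quoted in the thread; "[random]" becomes ".*".
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^help_(restore|recover|to_save|to_decrypt|decrypt)(_.*)?\.(txt|html)$",
    r"^recovery_files?_?.*\.txt$",
    r"^(howto_)?restore_files_.*\.txt$",
    r"^howto_recover_file_.*\.txt$",
    r"^_?how_recover[+_].*\.txt$",
    r"^recover_file_.*\.txt$",
)]

def triage(root):
    """Walk a read-only copy of the victim's data; tally encrypted extensions, collect notes, infer variant."""
    ext_counts = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in VARIANT_BY_EXT:
                ext_counts[ext] += 1
            elif any(p.match(name) for p in NOTE_PATTERNS):
                notes.append(os.path.join(dirpath, name))
    variants = sorted({VARIANT_BY_EXT[e] for e in ext_counts})
    return {"extensions": dict(ext_counts), "notes": sorted(notes), "variants": variants}

def demo():
    """Run triage over a constructed sample tree (empty placeholder files, not real victim data)."""
    with tempfile.TemporaryDirectory() as base:
        docs = os.path.join(base, "Documents")
        os.makedirs(docs)
        for name in ("budget.xlsx.ecc", "photo.jpg.ecc", "notes.docx.ecc",
                     "HELP_RECOVER_FILES.txt", "HELP_RECOVER_FILES.html", "unrelated.pdf"):
            open(os.path.join(docs, name), "w").close()
        return triage(base)
```

Run `triage()` against a mounted image or an offline copy of the drive, never the live machine, so the tally tells you which support topic above applies before any tools touch the laptop.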
