Cryptolocker variant - hit desktop, encrypted server files


3 replies to this topic

#1 fauxfaust

  • Members
  • 1 posts

Posted 29 January 2016 - 01:43 AM

Pretty nuts - appears to be a variant of: http://www.bleepingcomputer.com/virus-removal/torrentlocker-cryptolocker-ransomware-information

 

In the popup window it refers to information that's almost exactly the same as the examples given, however there are 0's instead of o's for the word Cryptolocker (read as: Crypt0L0cker).

 

Anything I can do to show logs etc? It unfortunately encrypted a lot of document zips that are used by a clinical database program to save patient records. I've got a day old backup and we can get a resend of the data for those...just wondering if there's anything I can do in the future to catch it.




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,281 posts
  • Location:Virginia, USA

Posted 29 January 2016 - 08:22 AM

There are many variants of crypto malware ransomware.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, 
_secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, HELP_DECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html
HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.txt, howto_recover_file_.txt, restore_files_.txt, 
how_recover+[random].txt, _how_recover_.txt, recover_file_[random].txt, recovery_file_[random].txt

Note: The [random] represents random characters which some ransom note names may include.
Once we have identified the specific ransomware you are dealing with, I can direct you to the appropriate support topic for further assistance and possible decryption of encrypted files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
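A triage script built from the indicators quietman7 lists above (added here as an illustration; it is not code from the thread): it walks a folder such as C:\ProgramData or a file share, flags the ransom-note file names and appended extensions from the post, and counts affected files per extension so the variant can be named before looking for a support topic. The `[random]` placeholder becomes a wildcard, and the 6-7 character random-extension check is only a heuristic that needs a human look.

```python
import os
import re
from collections import Counter
# Extensions from the post that crypto-ransomware families append to encrypted
# files (a representative subset; matching is case-insensitive).
APPENDED_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".xxx", ".ttt", ".micro", ".encrypted", ".locked", ".crypto", ".crinf",
    ".r5a", ".xrnt", ".xtbl", ".crypt", ".vault", ".lechiffre", ".ctbl",
}
# Ransom-note file names from the post; "[random]" becomes a wildcard.
RANSOM_NOTE_NAMES = [
    "HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "DECRYPT_INSTRUCTIONS.TXT",
    "DecryptAllFiles.txt", "How_To_Recover_Files.txt", "YOUR_FILES.url",
    "RECOVERY_FILE_[random].txt", "how_recover+[random].txt",
    "recover_file_[random].txt", "help_decrypt_your_files.html",
]
_NOTE_RES = [
    re.compile("^" + re.escape(n).replace(re.escape("[random]"), ".+") + "$", re.I)
    for n in RANSOM_NOTE_NAMES
]
# Heuristic for the "6-7 random characters" families; it also flags legitimate
# 6-7 letter extensions, so review these hits by hand.
_RANDOM_EXT = re.compile(r"^\.[a-z0-9]{6,7}$", re.I)

def classify(path):
    """Return 'note', 'known_ext', 'random_ext' or None for one file path."""
    name = os.path.basename(path)
    if any(r.match(name) for r in _NOTE_RES):
        return "note"
    ext = os.path.splitext(name)[1]
    if ext.lower() in APPENDED_EXTENSIONS:
        return "known_ext"
    if _RANDOM_EXT.match(ext):
        return "random_ext"
    return None

def triage(paths):
    """Collect ransom-note locations and a count of files per suspect extension."""
    notes, ext_counts = [], Counter()
    for p in paths:
        kind = classify(p)
        if kind == "note":
            notes.append(p)
        elif kind:
            ext_counts[os.path.splitext(p)[1].lower()] += 1
    return {"notes": notes, "extensions": ext_counts}

def scan_tree(root):
    """Walk a directory tree (e.g. C:\\ProgramData or a share) and triage it."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
```

Run `scan_tree(r"C:\ProgramData")` and the affected share from a clean machine with the share mounted read-only; the notes list tells you where the ransom note sits and the extension counts tell you which family to look up.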

#3 eznetso

  • Members
  • 14 posts
  • Location:Largo, FL

Posted 30 January 2016 - 01:13 PM

Just saw our first case of the Crypt0L0cker as well (with the "0" instead of the "o"); has there been any updates regarding this? This is like chasing our tail here. Protection is surely the best solution, but once someone has it, it's brutal. I even had a client that had their backup drive plugged in (which I told them to never do again) and it locked both the system and the backup external.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,281 posts
  • Location:Virginia, USA

Posted 30 January 2016 - 03:38 PM

I posted the information above to confirm the infection.

If you mean Crypt0L0cker, then that is just a newer version of TorrentLocker...see TorrentLocker changes its name to Crypt0L0cker. They both will have the .encrypted extension appended to the end of the filename.

If that is the case, there are ongoing discussions in these topics where you can ask questions and seek further assistance.
