Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

unkown infection


  • This topic is locked This topic is locked
3 replies to this topic

#1 mistrals

mistrals

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Italy
  • Local time:10:53 PM

Posted 02 February 2016 - 03:34 AM

hi, 

i need help to identify the ransomware infected my friend.

file extension is .uzltzyc

 

https://www.sendspace.com/file/vba9mj

 

thanks in advance


Edited by hamluis, 02 February 2016 - 02:56 PM.
Moved from AII to Gen Security - Hamluis.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:53 PM

Posted 02 February 2016 - 05:50 PM

You are most likely dealing with a newer variant of CTB Locker (aka Critroni, Onion) ransomware. Any files that are encrypted with CTB Locker will have a 6-7 length extension consisting of random characters such as these .uogltic, .rtrsxox, .phszfud, etc. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection.

CTB Locker will leave files (ransom notes) with names like DecryptAllFiles.txt and DecryptAllFiles_<user name>.txt that contains ransom instructions but the newer variants do not always leave a ransom note if the malware fails to change the background like it typically does. An AllFilesAreLocked_<user name>.bmp image file may be left in the My Documents folder which contains further instructions on how to pay the ransom. The developers of CTB Locker provide instructions to download and use a TOR web site, then open an onion related url address such as...hxxp://zaxseiufetlkwpeu.onion/, hxxp://43qzvceo6ondd6wt.onion/...see here.

A repository of all current knowledge regarding CTB Locker (Critroni, Onion) is provided by Grinler (aka Lawrence Abrams), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ

Unfortunately at this time there is no fix tool and decryption of CTB Locker...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. The only methods you have of restoring your files is from backup, file recovery tools, or from Shadow Volume Copies as explained in the FAQ: How to restore files encrypted by CTB Locker...but there is no guarantee that will work.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. If that is not a viable option, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a possible solution so save the encrypted data and wait until that time.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 mistrals

mistrals
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Italy
  • Local time:10:53 PM

Posted 03 February 2016 - 03:42 AM

many thanks for the exaustive informations


Edited by mistrals, 03 February 2016 - 03:43 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:53 PM

Posted 03 February 2016 - 07:51 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users